    1: <?xml version="1.0" encoding="UTF-8"?>
    2: <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap-fedora14-xccdf.xml" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="1" xml:lang="en">
    3:   <status date="2010-09-11">draft</status>
    4:   <title xml:lang="en">Guide to the Secure Configuration of Fedora Linux</title>
    5:   <description xml:lang="en">This guide has been created to assist IT professionals in effectively securing systems with Fedora Linux.</description>
    6:   <version>0.6.3</version>
    7:   <model system="urn:xccdf:scoring:default"/>
    8:   <model system="urn:xccdf:scoring:flat"/>
    9:   <Profile id="F14-Desktop">
   10:     <title xml:lang="en">Fedora 14 desktop settings</title>
   11:     <description xml:lang="en">This profile selects security controls that conform to the default Fedora 14 configuration.</description>
   12:     <select idref="rule-2.1.1.1.1.a" selected="false"/>
   13:     <select idref="rule-2.1.1.1.1.b" selected="false"/>
   14:     <select idref="rule-2.1.1.1.2.a" selected="false"/>
   15:     <select idref="rule-2.1.1.1.2.b" selected="false"/>
   16:     <select idref="rule-2.1.1.1.3.a" selected="false"/>
   17:     <select idref="rule-2.1.1.1.4.a" selected="false"/>
   18:     <select idref="rule-2.1.1.1.5.a" selected="false"/>
   19:     <select idref="rule-2.1.2.1.1.a" selected="true"/>
   20:     <select idref="rule-2.1.2.3.2.a" selected="false"/>
   21:     <select idref="rule-2.1.2.3.2.b" selected="false"/>
   22:     <select idref="rule-2.1.2.3.3.a" selected="true"/>
   23:     <select idref="rule-2.1.2.3.4.a" selected="true"/>
   24:     <select idref="rule-2.1.2.3.5.a" selected="false"/>
   25:     <select idref="rule-2.1.2.3.6.a" selected="true"/>
   26:     <select idref="rule-2.1.3.1.1.a" selected="false"/>
   27:     <select idref="rule-2.1.3.1.4.a" selected="false"/>
   28:     <select idref="rule-2.1.3.2.a" selected="false"/>
   29:     <select idref="rule-2.2.1.1.a" selected="false"/>
   30:     <select idref="rule-2.2.1.2.a" selected="false"/>
   31:     <select idref="rule-2.2.1.2.b" selected="false"/>
   32:     <select idref="rule-2.2.1.2.c" selected="false"/>
   33:     <select idref="rule-2.2.2.1.1.a" selected="false"/>
   34:     <select idref="rule-2.2.2.1.2.a" selected="false"/>
   35:     <select idref="rule-2.2.2.1.3.a" selected="false"/>
   36:     <select idref="rule-2.2.2.1.4.a" selected="false"/>
   37:     <select idref="rule-2.2.2.2.a" selected="false"/>
   38:     <select idref="rule-2.2.2.3.a" selected="false"/>
   39:     <select idref="rule-2.2.2.4.a" selected="false"/>
   40:     <select idref="rule-2.2.2.4.b" selected="false"/>
   41:     <select idref="rule-2.2.2.4.c" selected="false"/>
   42:     <select idref="rule-2.2.2.4.d" selected="false"/>
   43:     <select idref="rule-2.2.2.4.e" selected="false"/>
   44:     <select idref="rule-2.2.2.4.f" selected="false"/>
   45:     <select idref="rule-2.2.2.4.g" selected="false"/>
   46:     <select idref="rule-2.2.3.1.a" selected="true"/>
   47:     <select idref="rule-2.2.3.1.b" selected="true"/>
   48:     <select idref="rule-2.2.3.1.c" selected="true"/>
   49:     <select idref="rule-2.2.3.1.d" selected="true"/>
   50:     <select idref="rule-2.2.3.1.e" selected="true"/>
   51:     <select idref="rule-2.2.3.1.f" selected="true"/>
   52:     <select idref="rule-2.2.3.1.g" selected="true"/>
   53:     <select idref="rule-2.2.3.1.h" selected="true"/>
   54:     <select idref="rule-2.2.3.1.i" selected="true"/>
   55:     <select idref="rule-2.2.3.1.j" selected="true"/>
   56:     <select idref="rule-2.2.3.1.k" selected="true"/>
   57:     <select idref="rule-2.2.3.1.l" selected="true"/>
   58:     <select idref="rule-2.2.3.2.a" selected="true"/>
   59:     <select idref="rule-2.2.3.3.a" selected="true"/>
   60:     <select idref="rule-2.2.3.4.a" selected="true"/>
   61:     <select idref="rule-2.2.3.4.b" selected="true"/>
   62:     <select idref="rule-2.2.3.5.a" selected="true"/>
   63:     <select idref="rule-2.2.3.5.b" selected="true"/>
   64:     <select idref="rule-2.2.3.6.a" selected="true"/>
   65:     <select idref="rule-2.2.4.1.a" selected="true"/>
   66:     <select idref="rule-2.2.4.2.a" selected="false"/>
   67:     <select idref="rule-2.2.4.2.b" selected="true"/>
   68:     <select idref="rule-2.2.4.3.a" selected="true"/>
   69:     <select idref="rule-2.2.4.3.b" selected="true"/>
   70:     <select idref="rule-2.2.4.4.2.a" selected="false"/>
   71:     <select idref="rule-2.3.1.1.a" selected="false"/>
   72:     <select idref="rule-2.3.1.1.b" selected="false"/>
   73:     <select idref="rule-2.3.1.1.c" selected="false"/>
   74:     <select idref="rule-2.3.1.1.d" selected="true"/>
   75:     <select idref="rule-2.3.1.2.a" selected="false"/>
   76:     <select idref="rule-2.3.1.2.b" selected="false"/>
   77:     <select idref="rule-2.3.1.3.a" selected="false"/>
   78:     <select idref="rule-2.3.1.4.a" selected="false"/>
   79:     <select idref="rule-2.3.1.5.1.a" selected="true"/>
   80:     <select idref="rule-2.3.1.5.2.a" selected="true"/>
   81:     <select idref="rule-2.3.1.6.a" selected="true"/>
   82:     <select idref="rule-2.3.1.7.a" selected="true"/>
   83:     <select idref="rule-2.3.1.7.b" selected="false"/>
   84:     <select idref="rule-2.3.1.7.c" selected="false"/>
   85:     <select idref="rule-2.3.1.7.d" selected="true"/>
   86:     <select idref="rule-2.3.1.8.a" selected="false"/>
   87:     <select idref="rule-2.3.1.8.b" selected="false"/>
   88:     <select idref="rule-2.3.1.8.c" selected="false"/>
   89:     <select idref="rule-2.3.3.1.1.a" selected="false"/>
   90:     <select idref="rule-2.3.3.1.2.a" selected="false"/>
   91:     <select idref="rule-2.3.3.2.a" selected="false"/>
   92:     <select idref="rule-2.3.3.2.b" selected="false"/>
   93:     <select idref="rule-2.3.3.4.a" selected="false"/>
   94:     <select idref="rule-2.3.3.4.b" selected="false"/>
   95:     <select idref="rule-2.3.3.5.a" selected="true"/>
   96:     <select idref="rule-2.3.3.6.a" selected="false"/>
   97:     <select idref="rule-2.3.4.1.a" selected="true"/>
   98:     <select idref="rule-2.3.4.1.b" selected="true"/>
   99:     <select idref="rule-2.3.4.2.a" selected="true"/>
  100:     <select idref="rule-2.3.4.4.a" selected="true"/>
  101:     <select idref="rule-2.3.4.4.b" selected="true"/>
  102:     <select idref="rule-2.3.4.5.a" selected="false"/>
  103:     <select idref="rule-2.3.5.2.a" selected="true"/>
  104:     <select idref="rule-2.3.5.2.b" selected="true"/>
  105:     <select idref="rule-2.3.5.2.c" selected="true"/>
  106:     <select idref="rule-2.3.5.2.d" selected="false"/>
  107:     <select idref="rule-2.3.5.3.a" selected="false"/>
  108:     <select idref="rule-2.3.5.4.a" selected="false"/>
  109:     <select idref="rule-2.3.5.5.a" selected="false"/>
  110:     <select idref="rule-2.3.5.5.b" selected="false"/>
  111:     <select idref="rule-2.3.5.6.1.a" selected="false"/>
  112:     <select idref="rule-2.3.5.6.1.b" selected="false"/>
  113:     <select idref="rule-2.3.5.6.1.c" selected="false"/>
  114:     <select idref="rule-2.3.5.6.1.d" selected="false"/>
  115:     <select idref="rule-2.3.5.6.2.a" selected="false"/>
  116:     <select idref="rule-2.3.7.1.a" selected="false"/>
  117:     <select idref="rule-2.3.7.2.a" selected="false"/>
  118:     <select idref="rule-2.4.2.a" selected="true"/>
  119:     <select idref="rule-2.4.2.b" selected="false"/>
  120:     <select idref="rule-2.4.2.c" selected="true"/>
  121:     <select idref="rule-2.4.2.d" selected="true"/>
  122:     <select idref="rule-2.4.2.1.a" selected="false"/>
  123:     <select idref="rule-2.4.3.2.a" selected="false"/>
  124:     <select idref="rule-2.4.3.3.a" selected="false"/>
  125:     <select idref="rule-2.4.5.a" selected="false"/>
  126:     <select idref="rule-2.5.1.1.a" selected="false"/>
  127:     <select idref="rule-2.5.1.1.b" selected="false"/>
  128:     <select idref="rule-2.5.1.1.c" selected="false"/>
  129:     <select idref="rule-2.5.1.2.a" selected="false"/>
  130:     <select idref="rule-2.5.1.2.b" selected="false"/>
  131:     <select idref="rule-2.5.1.2.c" selected="false"/>
  132:     <select idref="rule-2.5.1.2.d" selected="false"/>
  133:     <select idref="rule-2.5.1.2.e" selected="false"/>
  134:     <select idref="rule-2.5.1.2.f" selected="false"/>
  135:     <select idref="rule-2.5.1.2.g" selected="false"/>
  136:     <select idref="rule-2.5.1.2.h" selected="false"/>
  137:     <select idref="rule-2.5.1.2.i" selected="false"/>
  138:     <select idref="rule-2.5.1.2.j" selected="false"/>
  139:     <select idref="rule-2.5.1.2.k" selected="false"/>
  140:     <select idref="rule-2.5.1.2.l" selected="false"/>
  141:     <select idref="rule-2.5.2.2.1.a" selected="false"/>
  142:     <select idref="rule-2.5.2.2.2.a" selected="false"/>
  143:     <select idref="rule-2.5.2.2.3.a" selected="false"/>
  144:     <select idref="rule-2.5.3.1.1.a" selected="false"/>
  145:     <select idref="rule-2.5.3.1.2.a" selected="false"/>
  146:     <select idref="rule-2.5.3.1.2.b" selected="false"/>
  147:     <select idref="rule-2.5.3.1.2.c" selected="false"/>
  148:     <select idref="rule-2.5.3.2.1.a" selected="false"/>
  149:     <select idref="rule-2.5.3.2.1.b" selected="false"/>
  150:     <select idref="rule-2.5.3.2.1.c" selected="false"/>
  151:     <select idref="rule-2.5.3.2.1.d" selected="false"/>
  152:     <select idref="rule-2.5.3.2.3.a" selected="false"/>
  153:     <select idref="rule-2.5.3.2.5.a" selected="false"/>
  154:     <select idref="rule-2.5.3.2.5.b" selected="false"/>
  155:     <select idref="rule-2.5.3.2.5.c" selected="false"/>
  156:     <select idref="rule-2.5.3.2.5.d" selected="false"/>
  157:     <select idref="rule-2.5.3.2.5.e" selected="false"/>
  158:     <select idref="rule-2.5.3.2.5.f" selected="false"/>
  159:     <select idref="rule-2.5.3.2.5.g" selected="false"/>
  160:     <select idref="rule-2.5.5.1.a" selected="true"/>
  161:     <select idref="rule-2.5.5.1.b" selected="true"/>
  162:     <select idref="rule-2.5.5.3.1.a" selected="false"/>
  163:     <select idref="rule-2.5.5.3.1.b" selected="false"/>
  164:     <select idref="rule-2.5.7.1.a" selected="false"/>
  165:     <select idref="rule-2.5.7.2.a" selected="false"/>
  166:     <select idref="rule-2.5.7.3.a" selected="false"/>
  167:     <select idref="rule-2.5.7.4.a" selected="false"/>
  168:     <select idref="rule-2.6.1.a" selected="true"/>
  169:     <select idref="rule-2.6.1.2.a" selected="true"/>
  170:     <select idref="rule-2.6.1.2.b" selected="true"/>
  171:     <select idref="rule-2.6.1.2.c" selected="true"/>
  172:     <select idref="rule-2.6.1.3.a" selected="false"/>
  173:     <select idref="rule-2.6.1.4.a" selected="false"/>
  174:     <select idref="rule-2.6.1.5.a" selected="false"/>
  175:     <select idref="rule-2.6.1.6.a" selected="false"/>
  176:     <select idref="rule-2.6.2.1.a" selected="true"/>
  177:     <select idref="rule-2.6.2.3.a" selected="false"/>
  178:     <select idref="rule-2.6.2.4.1.a" selected="false"/>
  179:     <select idref="rule-2.6.2.4.2.a" selected="false"/>
  180:     <select idref="rule-2.6.2.4.3.a" selected="false"/>
  181:     <select idref="rule-2.6.2.4.4.a" selected="false"/>
  182:     <select idref="rule-2.6.2.4.5.a" selected="false"/>
  183:     <select idref="rule-2.6.2.4.6.a" selected="false"/>
  184:     <select idref="rule-2.6.2.4.7.a" selected="false"/>
  185:     <select idref="rule-2.6.2.4.8.a" selected="false"/>
  186:     <select idref="rule-2.6.2.4.9.a" selected="false"/>
  187:     <select idref="rule-2.6.2.4.10.a" selected="false"/>
  188:     <select idref="rule-2.6.2.4.11.a" selected="false"/>
  189:     <select idref="rule-2.6.2.4.12.a" selected="false"/>
  190:     <select idref="rule-2.6.2.4.13.a" selected="false"/>
  191:     <select idref="rule-2.6.2.4.14.a" selected="false"/>
  192:     <select idref="rule-3.2.1.a" selected="false"/>
  193:     <select idref="rule-3.2.1.b" selected="false"/>
  194:     <select idref="rule-3.2.1.c" selected="false"/>
  195:     <select idref="rule-3.2.1.d" selected="false"/>
  196:     <select idref="rule-3.2.2.a" selected="false"/>
  197:     <select idref="rule-3.2.2.b" selected="false"/>
  198:     <select idref="rule-3.2.2.1.a" selected="false"/>
  199:     <select idref="rule-3.2.2.1.b" selected="false"/>
  200:     <select idref="rule-3.2.3.1.a" selected="false"/>
  201:     <select idref="rule-3.2.3.1.b" selected="false"/>
  202:     <select idref="rule-3.2.3.1.c" selected="false"/>
  203:     <select idref="rule-3.2.3.1.d" selected="false"/>
  204:     <select idref="rule-3.2.3.2.a" selected="false"/>
  205:     <select idref="rule-3.2.3.3.a" selected="false"/>
  206:     <select idref="rule-3.2.4.a" selected="false"/>
  207:     <select idref="rule-3.2.4.b" selected="false"/>
  208:     <select idref="rule-3.2.5.a" selected="false"/>
  209:     <select idref="rule-3.2.5.b" selected="false"/>
  210:     <select idref="rule-3.3.1.a" selected="false"/>
  211:     <select idref="rule-3.3.2.a" selected="false"/>
  212:     <select idref="rule-3.3.3.a" selected="false"/>
  213:     <select idref="rule-3.3.4.a" selected="false"/>
  214:     <select idref="rule-3.3.5.a" selected="false"/>
  215:     <select idref="rule-3.3.6.a" selected="false"/>
  216:     <select idref="rule-3.3.7.a" selected="false"/>
  217:     <select idref="rule-3.3.8.a" selected="false"/>
  218:     <select idref="rule-3.3.9.1.a" selected="false"/>
  219:     <select idref="rule-3.3.9.2.a" selected="false"/>
  220:     <select idref="rule-3.3.9.3.a" selected="false"/>
  221:     <select idref="rule-3.3.10.a" selected="false"/>
  222:     <select idref="rule-3.3.11.a" selected="false"/>
  223:     <select idref="rule-3.3.12.a" selected="false"/>
  224:     <select idref="rule-3.3.12.b" selected="false"/>
  225:     <select idref="rule-3.3.13.1.a" selected="false"/>
  226:     <select idref="rule-3.3.13.2.a" selected="false"/>
  227:     <select idref="rule-3.3.14.1.a" selected="false"/>
  228:     <select idref="rule-3.3.14.2.a" selected="false"/>
  229:     <select idref="rule-3.3.14.3.a" selected="false"/>
  230:     <select idref="rule-3.3.15.1.a" selected="false"/>
  231:     <select idref="rule-3.3.15.2.a" selected="false"/>
  232:     <select idref="rule-3.3.15.3.a" selected="false"/>
  233:     <select idref="rule-3.4.a" selected="false"/>
  234:     <select idref="rule-3.4.1.a" selected="false"/>
  235:     <select idref="rule-3.4.1.b" selected="false"/>
  236:     <select idref="rule-3.4.2.1.a" selected="true"/>
  237:     <select idref="rule-3.4.2.1.b" selected="true"/>
  238:     <select idref="rule-3.4.2.1.c" selected="true"/>
  239:     <select idref="rule-3.4.2.2.a" selected="true"/>
  240:     <select idref="rule-3.4.2.2.b" selected="true"/>
  241:     <select idref="rule-3.4.2.2.c" selected="true"/>
  242:     <select idref="rule-3.4.2.3.a" selected="true"/>
  243:     <select idref="rule-3.4.2.3.b" selected="true"/>
  244:     <select idref="rule-3.4.2.3.c" selected="true"/>
  245:     <select idref="rule-3.4.2.3.d" selected="true"/>
  246:     <select idref="rule-3.4.2.3.e" selected="true"/>
  247:     <select idref="rule-3.4.2.3.f" selected="true"/>
  248:     <select idref="rule-3.4.2.3.g" selected="true"/>
  249:     <select idref="rule-3.4.2.3.h" selected="true"/>
  250:     <select idref="rule-3.4.2.3.i" selected="true"/>
  251:     <select idref="rule-3.4.2.3.j" selected="true"/>
  252:     <select idref="rule-3.4.2.3.k" selected="true"/>
  253:     <select idref="rule-3.4.2.3.l" selected="true"/>
  254:     <select idref="rule-3.4.2.3.m" selected="true"/>
  255:     <select idref="rule-3.4.2.3.n" selected="true"/>
  256:     <select idref="rule-3.4.2.3.o" selected="true"/>
  257:     <select idref="rule-3.4.2.4.a" selected="true"/>
  258:     <select idref="rule-3.4.2.4.b" selected="true"/>
  259:     <select idref="rule-3.4.2.4.c" selected="true"/>
  260:     <select idref="rule-3.4.3.a" selected="false"/>
  261:     <select idref="rule-3.4.3.b" selected="false"/>
  262:     <select idref="rule-3.4.4.a" selected="false"/>
  263:     <select idref="rule-3.4.4.b" selected="false"/>
  264:     <select idref="rule-3.5.1.1.a" selected="false"/>
  265:     <select idref="rule-3.5.1.1.b" selected="false"/>
  266:     <select idref="rule-3.5.1.2.a" selected="false"/>
  267:     <select idref="rule-3.5.1.2.b" selected="false"/>
  268:     <select idref="rule-3.5.2.1.a" selected="false"/>
  269:     <select idref="rule-3.5.2.3.a" selected="false"/>
  270:     <select idref="rule-3.5.2.3.b" selected="false"/>
  271:     <select idref="rule-3.5.2.4.a" selected="false"/>
  272:     <select idref="rule-3.5.2.5.a" selected="false"/>
  273:     <select idref="rule-3.5.2.6.a" selected="false"/>
  274:     <select idref="rule-3.5.2.7.a" selected="false"/>
  275:     <select idref="rule-3.5.2.8.a" selected="false"/>
  276:     <select idref="rule-3.5.2.9.a" selected="false"/>
  277:     <select idref="rule-3.5.2.10.a" selected="false"/>
  278:     <select idref="rule-3.6.1.1.a" selected="false"/>
  279:     <select idref="rule-3.6.1.2.a" selected="false"/>
  280:     <select idref="rule-3.6.1.3.2.a" selected="false"/>
  281:     <select idref="rule-3.6.2.1.a" selected="false"/>
  282:     <select idref="rule-3.7.1.1.a" selected="false"/>
  283:     <select idref="rule-3.7.2.1.a" selected="false"/>
  284:     <select idref="rule-3.7.2.1.b" selected="false"/>
  285:     <select idref="rule-3.7.2.2.a" selected="false"/>
  286:     <select idref="rule-3.7.2.3.a" selected="false"/>
  287:     <select idref="rule-3.7.2.4.a" selected="false"/>
  288:     <select idref="rule-3.7.2.5.a" selected="false"/>
  289:     <select idref="rule-3.7.2.5.b" selected="false"/>
  290:     <select idref="rule-3.7.2.5.c" selected="false"/>
  291:     <select idref="rule-3.7.2.5.d" selected="false"/>
  292:     <select idref="rule-3.7.2.5.e" selected="false"/>
  293:     <select idref="rule-3.8.1.a" selected="false"/>
  294:     <select idref="rule-3.8.2.a" selected="false"/>
  295:     <select idref="rule-3.8.2.b" selected="false"/>
  296:     <select idref="rule-3.8.3.1.1.a" selected="false"/>
  297:     <select idref="rule-3.8.3.1.1.b" selected="false"/>
  298:     <select idref="rule-3.8.4.1.a" selected="false"/>
  299:     <select idref="rule-3.9.1.a" selected="false"/>
  300:     <select idref="rule-3.9.3.a" selected="false"/>
  301:     <select idref="rule-3.9.3.b" selected="false"/>
  302:     <select idref="rule-3.9.4.1.a" selected="false"/>
  303:     <select idref="rule-3.9.4.2.a" selected="false"/>
  304:     <select idref="rule-3.9.4.3.a" selected="false"/>
  305:     <select idref="rule-3.9.4.4.a" selected="false"/>
  306:     <select idref="rule-3.9.4.4.b" selected="false"/>
  307:     <select idref="rule-3.9.4.4.c" selected="false"/>
  308:     <select idref="rule-3.9.4.4.d" selected="false"/>
  309:     <select idref="rule-3.9.4.4.e" selected="false"/>
  310:     <select idref="rule-3.9.4.4.f" selected="false"/>
  311:     <select idref="rule-3.9.4.4.g" selected="false"/>
  312:     <select idref="rule-3.9.4.5.a" selected="false"/>
  313:     <select idref="rule-3.10.2.2.1.a" selected="false"/>
  314:     <select idref="rule-3.10.2.2.2.a" selected="false"/>
  315:     <select idref="rule-3.10.2.2.3.a" selected="false"/>
  316:     <select idref="rule-3.10.3.1.a" selected="false"/>
  317:     <select idref="rule-3.10.3.2.1.a" selected="false"/>
  318:     <select idref="rule-3.10.3.2.2.a" selected="false"/>
  319:     <select idref="rule-3.11.2.1.a" selected="false"/>
  320:     <select idref="rule-3.12.2.2.a" selected="false"/>
  321:     <select idref="rule-3.12.3.1.a" selected="false"/>
  322:     <select idref="rule-3.13.1.1.a" selected="false"/>
  323:     <select idref="rule-3.13.1.1.b" selected="false"/>
  324:     <select idref="rule-3.13.1.1.c" selected="false"/>
  325:     <select idref="rule-3.13.1.2.a" selected="false"/>
  326:     <select idref="rule-3.13.2.3.a" selected="false"/>
  327:     <select idref="rule-3.13.2.3.b" selected="false"/>
  328:     <select idref="rule-3.13.2.3.c" selected="false"/>
  329:     <select idref="rule-3.13.2.3.d" selected="false"/>
  330:     <select idref="rule-3.13.2.3.e" selected="false"/>
  331:     <select idref="rule-3.13.2.3.f" selected="false"/>
  332:     <select idref="rule-3.13.3.1.a" selected="false"/>
  333:     <select idref="rule-3.13.3.1.b" selected="false"/>
  334:     <select idref="rule-3.13.3.2.a" selected="false"/>
  335:     <select idref="rule-3.13.3.2.b" selected="false"/>
  336:     <select idref="rule-3.13.3.2.c" selected="false"/>
  337:     <select idref="rule-3.13.4.1.2.a" selected="false"/>
  338:     <select idref="rule-3.13.4.1.3.a" selected="false"/>
  339:     <select idref="rule-3.13.4.1.4.a" selected="false"/>
  340:     <select idref="rule-3.14.1.a" selected="false"/>
  341:     <select idref="rule-3.14.1.b" selected="false"/>
  342:     <select idref="rule-3.14.3.2.a" selected="false"/>
  343:     <select idref="rule-3.14.3.2.b" selected="false"/>
  344:     <select idref="rule-3.14.3.2.c" selected="false"/>
  345:     <select idref="rule-3.14.4.5.a" selected="false"/>
  346:     <select idref="rule-3.15.1.a" selected="false"/>
  347:     <select idref="rule-3.15.1.b" selected="false"/>
  348:     <select idref="rule-3.15.3.1.a" selected="false"/>
  349:     <select idref="rule-3.15.3.2.a" selected="false"/>
  350:     <select idref="rule-3.15.3.3.1.a" selected="false"/>
  351:     <select idref="rule-3.15.3.4.a" selected="false"/>
  352:     <select idref="rule-3.16.1.a" selected="false"/>
  353:     <select idref="rule-3.16.1.b" selected="false"/>
  354:     <select idref="rule-3.16.3.1.a" selected="false"/>
  355:     <select idref="rule-3.16.3.1.b" selected="false"/>
  356:     <select idref="rule-3.16.5.1.a" selected="false"/>
  357:     <select idref="rule-3.16.5.1.b" selected="false"/>
  358:     <select idref="rule-3.16.5.1.c" selected="false"/>
  359:     <select idref="rule-3.16.5.1.d" selected="false"/>
  360:     <select idref="rule-3.16.5.1.e" selected="false"/>
  361:     <select idref="rule-3.17.1.a" selected="false"/>
  362:     <select idref="rule-3.17.1.b" selected="false"/>
  363:     <select idref="rule-3.17.2.1.a" selected="false"/>
  364:     <select idref="rule-3.17.2.1.b" selected="false"/>
  365:     <select idref="rule-3.17.2.1.c" selected="false"/>
  366:     <select idref="rule-3.17.2.1.d" selected="false"/>
  367:     <select idref="rule-3.17.2.2.4.a" selected="false"/>
  368:     <select idref="rule-3.17.2.3.a" selected="false"/>
  369:     <select idref="rule-3.17.2.3.b" selected="false"/>
  370:     <select idref="rule-3.18.1.a" selected="false"/>
  371:     <select idref="rule-3.18.2.3.a" selected="false"/>
  372:     <select idref="rule-3.18.2.10.a" selected="false"/>
  373:     <select idref="rule-3.18.2.11.a" selected="false"/>
  374:     <select idref="rule-3.19.1.a" selected="false"/>
  375:     <select idref="rule-3.19.1.b" selected="false"/>
  376:     <select idref="rule-3.19.2.2.a" selected="false"/>
  377:     <select idref="rule-3.19.2.2.b" selected="false"/>
  378:     <select idref="rule-3.19.2.2.c" selected="false"/>
  379:     <select idref="rule-3.19.2.2.d" selected="false"/>
  380:     <select idref="rule-3.19.2.2.e" selected="false"/>
  381:     <select idref="rule-3.19.2.2.f" selected="false"/>
  382:     <select idref="rule-3.19.2.2.g" selected="false"/>
  383:     <select idref="rule-3.19.2.2.h" selected="false"/>
  384:     <select idref="rule-3.19.2.3.a" selected="false"/>
  385:     <select idref="rule-3.19.2.3.b" selected="false"/>
  386:     <select idref="rule-3.19.2.3.c" selected="false"/>
  387:     <select idref="rule-3.19.2.3.d" selected="false"/>
  388:     <select idref="rule-3.19.2.5.a" selected="false"/>
  389:     <select idref="rule-3.19.2.5.b" selected="false"/>
  390:     <select idref="rule-3.19.2.5.c" selected="false"/>
  391:     <select idref="rule-3.19.2.5.d" selected="false"/>
  392:     <select idref="rule-3.19.2.5.e" selected="false"/>
  393:     <select idref="rule-3.19.2.5.f" selected="false"/>
  394:     <select idref="rule-3.19.2.5.g" selected="false"/>
  395:     <select idref="rule-3.19.2.5.h" selected="false"/>
  396:     <select idref="rule-3.19.2.5.i" selected="false"/>
  397:     <select idref="rule-3.19.2.5.j" selected="false"/>
  398:     <select idref="rule-3.20.1.a" selected="false"/>
  399:     <select idref="rule-3.20.1.b" selected="false"/>
  400:     <refine-value idref="var-2.2.3.1.i" selector="000"/>
  401:     <refine-value idref="var-2.2.3.1.j" selector="644"/>
  402:     <refine-value idref="var-2.2.3.1.k" selector="000"/>
  403:     <refine-value idref="var-2.2.3.1.l" selector="644"/>
  404:     <refine-value idref="var-2.2.4.1.a" selector="022"/>
  405:     <refine-value idref="var-2.3.1.7.a" selector="5"/>
  406:     <refine-value idref="var-2.3.1.7.b" selector="1_day"/>
  407:     <refine-value idref="var-2.3.1.7.c" selector="60_days"/>
  408:     <refine-value idref="var-2.3.1.7.d" selector="7_days"/>
  409:     <refine-value idref="var-2.3.3.1.1.a.retry" selector="3"/>
  410:     <refine-value idref="var-2.3.3.1.1.a.minlen" selector="14"/>
  411:     <refine-value idref="var-2.3.3.1.1.a.dcredit" selector="2"/>
  412:     <refine-value idref="var-2.3.3.1.1.a.ucredit" selector="2"/>
  413:     <refine-value idref="var-2.3.3.1.1.a.ocredit" selector="2"/>
  414:     <refine-value idref="var-2.3.3.1.1.a.lcredit" selector="2"/>
  415:     <refine-value idref="var-2.3.3.1.1.a.difok" selector="3"/>
  416:     <refine-value idref="var-2.3.3.2.a.deny" selector="3"/>
  417:     <refine-value idref="var-2.3.3.2.a.lock_time" selector="3"/>
  418:     <refine-value idref="var-2.3.3.2.a.unlock_time" selector="none"/>
  419:     <refine-value idref="var-2.3.3.4.a" selector="usergroup"/>
  420:     <refine-value idref="var-2.3.3.4.b" selector="4710"/>
  421:     <refine-value idref="var-2.3.3.5.a" selector="SHA-512"/>
  422:     <refine-value idref="var-2.3.3.6.a" selector="5"/>
  423:     <refine-value idref="var-2.3.4.4" selector="002"/>
  424:     <refine-value idref="var-2.3.5.2.a" selector="root"/>
  425:     <refine-value idref="var-2.3.5.2.b" selector="root"/>
  426:     <refine-value idref="var-2.3.5.2.c" selector="600"/>
  427:     <refine-value idref="var-2.3.5.5" selector="15_minutes"/>
  428:     <refine-value idref="var-2.3.7" selector="Empty_text"/>
  429:     <refine-value idref="var-2.4.2.c" selector="enforcing"/>
  430:     <refine-value idref="var-2.4.2.d" selector="targeted"/>
  431:     <refine-value idref="var-2.5.1.2.a" selector="disabled"/>
  432:     <refine-value idref="var-2.5.1.2.b" selector="disabled"/>
  433:     <refine-value idref="var-2.5.1.2.c" selector="disabled"/>
  434:     <refine-value idref="var-2.5.1.2.d" selector="enabled"/>
  435:     <refine-value idref="var-2.5.1.2.e" selector="disabled"/>
  436:     <refine-value idref="var-2.5.1.2.f" selector="disabled"/>
  437:     <refine-value idref="var-2.5.1.2.g" selector="disabled"/>
  438:     <refine-value idref="var-2.5.1.2.h" selector="enabled"/>
  439:     <refine-value idref="var-2.5.1.2.i" selector="enabled"/>
  440:     <refine-value idref="var-2.5.1.2.j" selector="enabled"/>
  441:     <refine-value idref="var-2.5.1.2.k" selector="enabled"/>
  442:     <refine-value idref="var-2.5.3.2.1.b" selector="disabled"/>
  443:     <refine-value idref="var-2.5.3.2.1.c" selector="disabled"/>
  444:     <refine-value idref="var-2.5.1.2.l" selector="enabled"/>
  445:     <refine-value idref="var-2.6.1.2.a" selector="root"/>
  446:     <refine-value idref="var-2.6.1.2.b" selector="root"/>
  447:     <refine-value idref="var-2.6.1.2.c" selector="600"/>
  448:     <refine-value idref="var-3.4.2.system.crontab.primary.group" selector="root"/>
  449:     <refine-value idref="var-3.4.2.system.crontab.primary.user" selector="root"/>
  450:     <refine-value idref="var-3.4.2.system.crontab.primary.permissions" selector="644"/>
  451:     <refine-value idref="var-3.4.2.system.anacrontab.group" selector="root"/>
  452:     <refine-value idref="var-3.4.2.system.anacrontab.user" selector="root"/>
  453:     <refine-value idref="var-3.4.2.system.anacrontab.permissions" selector="644"/>
  454:     <refine-value idref="var-3.4.2.system.crontab.directories.group" selector="root"/>
  455:     <refine-value idref="var-3.4.2.system.crontab.directories.user" selector="root"/>
  456:     <refine-value idref="var-3.4.2.system.crontab.directories.permissions" selector="755"/>
  457:     <refine-value idref="var-3.5.2.3.a" selector="5_minutes"/>
  458:     <refine-value idref="var-3.5.2.3.b" selector="0"/>
  459:     <refine-value idref="var-3.4.2.spool.directory.group" selector="root"/>
  460:     <refine-value idref="var-3.4.2.spool.directory.user" selector="root"/>
  461:     <refine-value idref="var-3.4.2.spool.directory.permissions" selector="700"/>
  462:   </Profile>
  463:   <Group id="group-1" hidden="false">
  464:     <title xml:lang="en">Introduction</title>
  465:     <description xml:lang="en">
  466:       The purpose of this guide is to provide security configuration
  467:       recommendations for Fedora Linux. Recommended settings for the basic
  468:       operating system are provided, as well as for many commonly-used services
  469:       that the system can host in a network environment.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  470:       <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  471:       The guide is intended for system administrators. Readers are
  472:       assumed to possess basic system administration skills for Unix-like systems, as well as some
  473:       familiarity with Red Hat's documentation and administration conventions. Some instructions
  474:       within this guide are complex. All directions should be followed completely and with
  475:       understanding of their effects in order to avoid serious adverse effects on the system and its
  476:       security.
  477:     </description>
  478:     <Group id="group-1.1" hidden="false">
  479:       <title xml:lang="en">General Principles</title>
  480:       <description xml:lang="en">
  481:         The following general principles motivate much of the advice in
  482:         this guide and should also influence any configuration decisions that are not explicitly
  483:         covered.</description>
  484:       <Group id="group-1.1.1" hidden="false" weight="1.000000">
  485:         <title xml:lang="en">Encrypt Transmitted Data Whenever Possible</title>
  486:         <description xml:lang="en">
  487:           Data transmitted over a network, whether wired or wireless, is
  488:           susceptible to passive monitoring. Whenever practical solutions for encrypting such data
  489:           exist, they should be applied. Even if data is expected to be transmitted only over a
  490:           local network, it should still be encrypted. Encrypting authentication data, such as
  491:           passwords, is particularly important. Networks of machines can and should be
  492:           configured so that no unencrypted authentication data is ever transmitted between
  493:           machines.</description>
  494:       </Group>
  495:       <Group id="group-1.1.2" hidden="false">
  496:         <title xml:lang="en">Minimize Software to Minimize Vulnerability</title>
  497:         <description xml:lang="en">
  498:           The simplest way to avoid vulnerabilities in software is to avoid
  499:           installing that software. The RPM Package Manager allows for careful management of the
  500:           set of software packages installed on a system. Installed software contributes to system
  501:           vulnerability in several ways. Packages that include setuid programs may provide local
  502:           attackers a potential path to privilege escalation. Packages that include network services
  503:           may give this opportunity to network-based attackers. Packages that include programs
  504:           which are predictably executed by local users (e.g. after graphical login) may provide
  505:           opportunities for trojan horses or other attack code to be run undetected. The number of
  506:           software packages installed on a system can almost always be significantly pruned to include only
  507:           the software for which there is an environmental or operational need.</description>
  508:       </Group>
  509:       <Group id="group-1.1.3" hidden="false">
  510:         <title xml:lang="en">Run Different Network Services on Separate Systems</title>
  511:         <description xml:lang="en">
  512:           Whenever possible, a server should be dedicated to serving
  513:           exactly one network service. This limits the number of other services that can be
  514:           compromised in the event that an attacker is able to successfully exploit a software flaw
  515:           in one network service.</description>
  516:       </Group>
  517:       <Group id="group-1.1.4" hidden="false">
  518:         <title xml:lang="en">Configure Security Tools to Improve System Robustness</title>
  519:         <description xml:lang="en">
  520:           Several tools exist which can be effectively used to improve a
  521:           system's resistance to and detection of unknown attacks. These tools can improve
  522:           robustness against attack at the cost of relatively little configuration effort. In
  523:           particular, this guide recommends and discusses the use of Iptables for host-based
  524:           firewalling, SELinux for protection against vulnerable services, and a logging and
  525:           auditing infrastructure for detection of problems.</description>
  526:       </Group>
  527:       <Group id="group-1.1.5" hidden="false">
  528:         <title xml:lang="en">Least Privilege</title>
  529:         <description xml:lang="en">
  530:           Grant the least privilege necessary for user accounts and
   531:           software to perform tasks. For example, do not allow users except those who need
   532:           administrator access to use sudo. Another example is to limit logins on server
  533:           systems to only those administrators who need to log into them in order to perform
  534:           administration tasks. Using SELinux also follows the principle of least privilege:
  535:           SELinux policy can confine software to perform only actions on the system that are
  536:           specifically allowed. This can be far more restrictive than the actions permissible
  537:           by the traditional Unix permissions model.</description>
  538:       </Group>
  539:     </Group>
  540:     <Group id="group-1.2" hidden="false">
  541:       <title xml:lang="en">How to Use This Guide</title>
  542:       <description xml:lang="en">Readers should heed the following points when using the guide.</description>
  543:       <Group id="group-1.2.1" hidden="false">
  544:         <title xml:lang="en">Read Sections Completely and in Order</title>
  545:         <description xml:lang="en">
  546:           Each section may build on information and recommendations
  547:           discussed in prior sections. Each section should be read and understood completely;
  548:           instructions should never be blindly applied. Relevant discussion will occur after
  549:           instructions for an action. The system-level configuration guidance in Chapter 2 must be
  550:           applied to all machines. The guidance for individual services in Chapter 3 must be
  551:           considered for all machines as well: apply the guidance if the machine is either a server
  552:           or a client for that service, and ensure that the service is disabled according to the
  553:           instructions provided if the machine is neither a server nor a client.</description>
  554:       </Group>
  555:       <Group id="group-1.2.2" hidden="false">
  556:         <title xml:lang="en">Test in Non-Production Environment</title>
  557:         <description xml:lang="en">
  558:           This guidance should always be tested in a non-production
  559:           environment before deployment. This test environment should simulate the setup in which
  560:           the system will be deployed as closely as possible.</description>
  561:       </Group>
  562:       <Group id="group-1.2.3" hidden="false">
  563:         <title xml:lang="en">Root Shell Environment Assumed</title>
  564:         <description xml:lang="en">
  565:           Most of the actions listed in this document are written with the
  566:           assumption that they will be executed by the root user running the /bin/bash shell. Any
  567:           commands preceded with a hash mark (#) assume that the administrator will execute the
  568:           commands as root, i.e. apply the command via sudo whenever possible, or use su to gain
  569:           root privileges if sudo cannot be used.</description>
  570:       </Group>
  571:       <Group id="group-1.2.4" hidden="false">
  572:         <title xml:lang="en">Formatting Conventions</title>
  573:         <description xml:lang="en">
  574:           Commands intended for shell execution, as well as configuration
  575:           file text, are featured in a monospace font. Italics are used to indicate instances where
  576:           the system administrator must substitute the appropriate information into a command or
  577:           configuration file.</description>
  578:       </Group>
  579:       <Group id="group-1.2.5" hidden="false">
  580:         <title xml:lang="en">Reboot Required</title>
  581:         <description xml:lang="en">
  582:           A system reboot is implicitly required after some actions in
  583:           order to complete the reconfiguration of the system. In many cases, the changes will not
  584:           take effect until a reboot is performed. In order to ensure that changes are applied
  585:           properly and to test functionality, always reboot the system after applying a set of
  586:           recommendations from this guide.</description>
  587:       </Group>
  588:     </Group>
  589:   </Group>
  590:   <Group id="group-2" hidden="false">
  591:     <title xml:lang="en">System-wide Configuration</title>
  592:     <Group id="group-2.1" hidden="false">
  593:       <title xml:lang="en">Installing and Maintaining Software</title>
  594:       <description xml:lang="en">
  595:         The following sections contain information on security-relevant
  596:         choices during the initial operating system installation process and the setup of software
  597:         updates.</description>
  598:       <Group id="group-2.1.1" hidden="false">
  599:         <title xml:lang="en">Initial Installation Recommendations</title>
  600:         <description xml:lang="en">
  601:           The recommendations here apply to a clean installation of the
  602:           system, where any previous installations are wiped out. The sections presented here are in
  603:           the same order that the installer presents, but only installation choices with security
  604:           implications are covered. Many of the configuration choices presented here can also be
  605:           applied after the system is installed. The choices can also be automatically applied via
  606:           Kickstart files.</description>
  607:         <Group id="group-2.1.1.1" hidden="false">
  608:           <title xml:lang="en">Disk Partitioning</title>
  609:           <description xml:lang="en">
  610:             Some system directories should be placed on their own partitions
  611:             (or logical volumes). This allows for better separation and protection of data.
  612:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  613:             The installer’s default partitioning scheme creates separate partitions (or logical volumes)
  614:             for /, /boot, and swap.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  615:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
  616:               <xhtml:li>If starting with any of the default layouts, check the box to “Review and modify
  617:             partitioning.” This allows for the easy creation of additional logical volumes inside
  618:             the volume group already created, though it may require making /’s logical volume smaller
  619:             to create space. In general, using logical volumes is preferable to using partitions
  620:             because they can be more easily adjusted later.</xhtml:li>
  621:               <xhtml:li>If creating a custom layout, create the partitions mentioned in the previous paragraph
  622:                 (which the installer will require anyway), as well as separate ones described in the
  623:                 following sections.</xhtml:li>
  624:             </xhtml:ul>
  625:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  626:             If a system has already been installed, and the default partitioning scheme was
  627:             used, it is possible but nontrivial to modify it to create separate logical volumes for the
  628:             directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM
  629:             HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM.
  630:           </description>
  631:           <Group id="group-2.1.1.1.1" hidden="false">
  632:             <title xml:lang="en">Create Separate Partition or Logical Volume for /tmp</title>
  633:             <description xml:lang="en">
  634:               The /tmp directory is a world-writable directory used for
  635:               temporary file storage. Ensure that it has its own partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  636:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  637:               Because software may need to use /tmp to temporarily store large files, ensure
   638:               that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate. Smaller or larger sizes could be used, depending on
   639:               the availability of space on the drive and the system’s operating requirements.
  640:             </description>
   641:             <Value id="var-2.1.1.1.1.b" operator="equals" type="string">
                   <!-- NOTE(review): the default <value> below is 2G, while the enclosing group's
                        description says 10GB "should be adequate" for a modern general-purpose
                        system; confirm which default is intended. This Value also carries no
                        <description> child, unlike the sibling var-2.1.1.1.2.b. -->
   642:               <title xml:lang="en">Minimum size for /tmp</title>
   643:               <question xml:lang="en">Choose minimum size of /tmp</question>
   644:               <value>2G</value>
   645:               <value selector="125M">125M</value>
   646:               <value selector="500M">500M</value>
   647:               <value selector="2G">2G</value>
   648:               <value selector="10G">10G</value>
   649:               <value selector="40G">40G</value>
   650:               <match>^[\d]+[KMGkmg]?$</match>
   651:             </Value>
  652:             <Rule id="rule-2.1.1.1.1.a" selected="false" weight="10.000000">
  653:               <title xml:lang="en">Ensure that /tmp has its own partition or logical volume</title>
  654:               <description xml:lang="en">The /tmp directory is a world-writable directory used for temporary file storage.  Ensure that it has its own partition or logical volume.</description>
  655:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  656:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20000" href="scap-fedora14-oval.xml"/>
  657:               </check>
  658:             </Rule>
   659:             <Rule id="rule-2.1.1.1.1.b" selected="false" weight="2.000000">
   660:               <title xml:lang="en">Ensure that /tmp is of adequate size</title>
   661:               <description xml:lang="en">Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size.</description>
   662:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                     <!-- NOTE(review): unlike rule-2.1.1.1.2.b, this check has no <check-export>
                          binding var-2.1.1.1.1.b ("Minimum size for /tmp"), so the size a profile
                          selects through that Value is apparently never handed to the OVAL
                          definition. Confirm whether def:20001 in scap-fedora14-oval.xml expects
                          an exported variable, and add the binding if it does. -->
   663:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20001" href="scap-fedora14-oval.xml"/>
   664:               </check>
   665:             </Rule>
  666:           </Group>
  667:           <Group id="group-2.1.1.1.2" hidden="false">
  668:             <title xml:lang="en">Create Separate Partition or Logical Volume for /var</title>
  669:             <description xml:lang="en">
  670:               The /var directory is used by daemons and other system
  671:               services to store frequently-changing data. It is not uncommon for the /var directory
  672:               to contain world-writable directories, installed by other software packages.
  673:               Ensure that /var has its own partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  674:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  675:               Because the yum package manager and other software uses /var to temporarily store
  676:               large files, ensure that it is of adequate size. For a modern, general-purpose system,
  677:               10GB should be adequate.
  678:             </description>
  679:             <Value id="var-2.1.1.1.2.b" operator="equals" type="string">
  680:               <title xml:lang="en">Minimum size of /var</title>
  681:               <description xml:lang="en">Choose minimum size of /var</description>
  682:               <question xml:lang="en">Choose minimum size of /var</question>
  683:               <value>5G</value>
  684:               <value selector="500k">500K</value>
  685:               <value selector="1G">1G</value>
  686:               <value selector="5G">5G</value>
  687:               <value selector="10G">10G</value>
  688:               <value selector="15G">15G</value>
  689:               <value selector="20G">20G</value>
  690:               <match>^[\d]+[KMGkmg]?$</match>
  691:             </Value>
  692:             <Rule id="rule-2.1.1.1.2.a" selected="false" weight="10.000000" severity="low">
  693:               <title xml:lang="en">Ensure that /var has its own partition or logical volume</title>
  694:               <description xml:lang="en">The /var directory is used by daemons and other system services to store frequently-changing data. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. Ensure that /var has its own partition or logical volume.</description>
  695:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  696:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20002" href="scap-fedora14-oval.xml"/>
  697:               </check>
  698:             </Rule>
  699:             <Rule id="rule-2.1.1.1.2.b" selected="false" weight="10.000000">
  700:               <title xml:lang="en">Ensure that /var is of adequate size</title>
  701:               <description xml:lang="en">Because the yum package manager and other software uses /var to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate.</description>
  702:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  703:                 <check-export export-name="oval:org.fedoraproject.f14:var:20003" value-id="var-2.1.1.1.2.b"/>
  704:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20003" href="scap-fedora14-oval.xml"/>
  705:               </check>
  706:             </Rule>
  707:           </Group>
  708:           <Group id="group-2.1.1.1.3" hidden="false">
  709:             <title xml:lang="en">Create Separate Partition or Logical Volume for /var/log</title>
  710:             <description xml:lang="en">
  711:               System logs are stored in the /var/log directory.
  712:               Ensure that it has its own partition or logical volume.
  713:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  714:               See 2.6 for more information about logging and auditing.</description>
  715:             <Rule id="rule-2.1.1.1.3.a" selected="false" weight="10.000000">
  716:               <title xml:lang="en">Ensure that /var/log has its own partition or logical volume</title>
  717:               <description xml:lang="en">
  718:                 System logs are stored in the /var/log directory.
  719:                 Ensure that it has its own partition or logical volume.</description>
  720:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  721:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20004" href="scap-fedora14-oval.xml"/>
  722:               </check>
  723:             </Rule>
  724:           </Group>
  725:           <Group id="group-2.1.1.1.4" hidden="false">
  726:             <title xml:lang="en">Create Separate Partition or Logical Volume for /var/log/audit</title>
  727:             <description xml:lang="en">
  728:               Audit logs are stored in the /var/log/audit directory.
  729:               Ensure that it has its own partition or logical volume.  Make absolutely certain
  730:               that it is large enough to store all audit logs that will be created by the auditing
  731:               daemon.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  732:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  733:               See 2.6.2.2 for discussion on deciding on an appropriate size for the volume.</description>
  734:             <Rule id="rule-2.1.1.1.4.a" selected="false" weight="10.000000">
  735:               <title xml:lang="en">Ensure that /var/log/audit has its own partition or logical volume</title>
  736:               <description xml:lang="en">
  737:                 Audit logs are stored in the /var/log/audit directory.
  738:                 Ensure that it has its own partition or logical volume.
  739:                 Make absolutely certain that it is large enough to store
  740:                 all audit logs that will be created by the auditing daemon.</description>
  741:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  742:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20005" href="scap-fedora14-oval.xml"/>
  743:               </check>
  744:             </Rule>
  745:           </Group>
  746:           <Group id="group-2.1.1.1.5" hidden="false">
  747:             <title xml:lang="en">Create Separate Partition or Logical Volume for /home if Using Local Home Directories</title>
  748:             <description xml:lang="en">
  749:               If user home directories will be stored locally, create a separate
  750:               partition for /home. If /home will be mounted from another system such as an NFS server, then
  751:               creating a separate partition is not necessary at this time, and the mountpoint can
  752:               instead be configured later.</description>
  753:             <Rule id="rule-2.1.1.1.5.a" selected="false" weight="10.000000" severity="low">
  754:               <title xml:lang="en">Ensure that /home has its own partition or logical volume</title>
  755:               <description xml:lang="en">
  756:                 If user home directories will be stored locally, create a separate partition for /home.
  757:                 If /home will be mounted from another system such as an NFS server, then creating a
  758:                 separate partition is not necessary at this time, and the mountpoint can instead be
  759:                 configured later.</description>
  760:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  761:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20006" href="scap-fedora14-oval.xml"/>
  762:               </check>
  763:             </Rule>
  764:           </Group>
  765:         </Group>
  766:         <Group id="group-2.1.1.2" hidden="false">
  767:           <title xml:lang="en">Boot Loader Configuration</title>
  768:           <description xml:lang="en">
  769:             Check the box to "Use a boot loader password" and create a
  770:             password. Once this password is set, anyone who wishes to change the boot loader
  771:             configuration will need to enter it. More information is available in Section
  772:             2.3.5.2.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  773:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  774:             Assigning a boot loader password prevents a local user
  775:             with physical access from altering the boot loader configuration at system startup.
  776:           </description>
  777:         </Group>
  778:         <Group id="group-2.1.1.3" hidden="false">
  779:           <title xml:lang="en">Network Devices</title>
  780:           <description xml:lang="en">
  781:             The default network device configuration uses DHCP, which is
  782:             not recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  783:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  784:             Unless use of DHCP is absolutely necessary, click
  785:             the "Edit" button and:
  786:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
  787:               <xhtml:li>
  788:               Uncheck "Use Dynamic IP configuration
   789:               (DHCP)". Uncheck "Enable IPv4 Support" if the system does not require IPv4. (This is
  790:               uncommon.)
  791:               </xhtml:li>
  792:               <xhtml:li>
  793:               Uncheck "Enable IPv6 Support" if the system does not require
  794:               IPv6.
  795:               </xhtml:li>
  796:               <xhtml:li>
  797:               Enter appropriate IPv4 and IPv6 addresses and prefixes as
  798:               required.
  799:               </xhtml:li>
  800:             </xhtml:ul>
  801:             With the DHCP setting disabled, the hostname, gateway, and DNS
  802:             servers should then be assigned on the main screen.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  803:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  804:             Sections 3.9.1
  805:             and 3.9.2 contain more information on network configuration and the use of DHCP.
  806:           </description>
  807:         </Group>
  808:         <Group id="group-2.1.1.4" hidden="false">
  809:           <title xml:lang="en">Root Password</title>
  810:           <description xml:lang="en">
  811:             The security of the entire system depends on the strength of
  812:             the root password. The password should be at least 12 characters long, and should
  813:             include a mix of capitalized and lowercase letters, special characters, and numbers. It
  814:             should also not be based on any dictionary word.</description>
  815:         </Group>
  816:         <Group id="group-2.1.1.5" hidden="false">
  817:           <title xml:lang="en">Software Packages</title>
  818:           <description xml:lang="en">
  819:             Uncheck all package groups, including the package groups
  820:             "Software Development" and "Web Server", unless there is a specific requirement to
  821:             install software using the system installer. If the machine will be used as a web
  822:             server, it is preferable to manually install the necessary RPMs instead of installing
  823:             the full "Web Server" package group. See Section 3.16 for installation and configuration
  824:             details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  825:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  826:             Use the "Customize now" radio box to prune package groups
  827:             as much as possible. This brings up a two-column view of categories and package groups.
  828:             If appropriate, uncheck "X Window System" in the "Base System" category to avoid
  829:             installing X entirely. Any other package groups not necessary for system operation
  830:             should also be unchecked.
  831:           </description>
  832:         </Group>
  833:         <Group id="group-2.1.1.6" hidden="false">
  834:           <title xml:lang="en">First-boot Configuration</title>
  835:           <description xml:lang="en">
  836:             The system presents more configuration options during the first
  837:             boot after installation. For the screens listed, implement the security-related
  838:               recommendations:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  839:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  840:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
  841:               <xhtml:li>
  842:               Firewall - Leave set to
  843:               'Enabled.' Only check the 'Trusted Services' that this system needs to serve. Uncheck
  844:               the default selection of SSH if the system does not need to serve
  845:               SSH.
  846:               </xhtml:li>
  847:               <xhtml:li>
  848:               SELinux - Leave SELinux set to 'Enforcing' mode.
  849:               </xhtml:li>
  850:               <xhtml:li>
  851:               Kdump -
  852:               Leave Kdump off unless the feature is required, such as for kernel development and
  853:               testing.
  854:               </xhtml:li>
  855:               <xhtml:li>
  856:               Set Up Software Updates - If the system is connected to the
  857:               Internet now, click 'Yes, I'd like to register now.' This will require a connection to
  858:               either the Red Hat Network servers or their proxies or satellites. This can also be
  859:               configured later as described in Section 2.1.2.1.
  860:               </xhtml:li>
  861:               <xhtml:li>
  862:               Create User - If the
  863:               system will require a local user account, it can be created here. Even if the system
  864:               will be using a network-wide authentication system as described in Section 2.3.6, do
  865:               not click on the 'Use Network Login...' button. Manually applying configuration later
  866:               is preferable.
  867:               </xhtml:li>
  868:             </xhtml:ul>
  869:           </description>
  870:         </Group>
  871:       </Group>
  872:       <Group id="group-2.1.2" hidden="false">
  873:         <title xml:lang="en">Security Updates</title>
  874:         <description xml:lang="en">
  875:           As security vulnerabilities are discovered, the affected software must be updated in order
  876:           to limit any potential security risks. If the software is part of a package within a Fedora
   877:           distribution that is currently supported, Fedora is committed to releasing updated packages
   878:           that fix the vulnerability as soon as possible. Often, announcements about a given
   879:           security exploit are accompanied by a patch (or source code that fixes the problem).
  880:           This patch is then applied to the Fedora package and tested and released as an errata update.
  881:           However, if an announcement does not include a patch, a developer first works with the maintainer
  882:           of the software to fix the problem. Once the problem is fixed, the package is tested
  883:           and released as an errata update.
  884:         </description>
  885:         <Group id="group-2.1.2.1" hidden="false">
  886:           <title xml:lang="en">Updating Software</title>
  887:           <description xml:lang="en">
  888:             The yum command line tool is used to install and update software
   889:             packages. The system also provides a package management service called PackageKit
   890:             that allows session users to manage packages in a secure way. There are several
   891:             graphical utilities designed for installing, updating and removing packages on your
   892:             system that use the PackageKit API. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  893:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  894:             It is recommended to use these mechanisms to keep systems up to date with the latest
  895:             security patches.
  896:           </description>
  897:           <Group id="group-2.1.2.1.1" hidden="false">
  898:             <title xml:lang="en">Ensure Fedora GPG Key is Installed</title>
  899:             <description xml:lang="en">
   900:               To ensure that the system can cryptographically verify update packages, run the following command to verify
   901:               that the system has the Fedora GPG key properly installed:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  902:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  903:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  904:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  905:               The command should return the string:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  906:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  907:               gpg(Fedora (14) &lt;fedora@fedoraproject.org&gt;)</description>
  908:             <Rule id="rule-2.1.2.1.1.a" selected="false" weight="10.000000">
  909:               <title xml:lang="en">Ensure Fedora GPG Key is Installed</title>
  910:               <description xml:lang="en">The GPG key should be installed.</description>
  911:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  912:                 <check-content-ref name="oval:org.fedoraproject.f14:def:200065" href="scap-fedora14-oval.xml"/>
  913:               </check>
  914:             </Rule>
  915:           </Group>
  916:         </Group>
  917:         <Group id="group-2.1.2.3" hidden="false">
  918:           <title xml:lang="en">Obtain Software Package Updates with yum</title>
  919:           <description xml:lang="en">
  920:             The yum update utility can be run by hand from the command
  921:             line, called through one of the provided front-end tools, or configured to run
  922:             automatically at specified intervals.</description>
  923:           <Group id="group-2.1.2.3.2" hidden="false">
  924:             <title xml:lang="en">Configure Automatic Update Retrieval and Installation with Cron</title>
  925:             <description xml:lang="en">
  926:               The yum-updatesd service is not mature enough for an
  927:               enterprise environment, and the service may introduce unnecessary overhead. When
  928:               possible, replace this service with a cron job that calls yum
  929:               directly.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  930:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  931:               Create the file yum.cron, make it executable, and place it in
  932:               /etc/cron.daily:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  933:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  934:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#!/bin/sh<xhtml:br/>
  935:               <xhtml:br/>
  936:               /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
  937:               <xhtml:br/>
  938:               /usr/bin/yum -R 10 -e 0 -d 0 -y update<xhtml:br/></xhtml:code>
  939:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  940:               This particular script instructs yum to update any
  941:               packages it finds. Placing the script in /etc/cron.daily ensures its daily execution.
  942:               To only apply updates once a week, place the script in /etc/cron.weekly instead.
  943:             </description>
  944:             <Value id="var-2.1.2.3.2.b" operator="equals" type="string">
  945:               <title xml:lang="en">Schedule yum update using cron</title>
  946:               <description xml:lang="en">Enter the frequency with which to invoke yum update</description>
  947:               <question xml:lang="en">Select frequency of yum update</question>
  948:               <value>daily</value>
  949:               <value selector="hourly">hourly</value>
  950:               <value selector="daily">daily</value>
  951:               <value selector="weekly">weekly</value>
  952:               <value selector="monthly">monthly</value>
  953:               <match>hourly|daily|weekly|monthly</match>
  954:               <choices mustMatch="true">
  955:                 <choice>hourly</choice>
  956:                 <choice>daily</choice>
  957:                 <choice>weekly</choice>
  958:                 <choice>monthly</choice>
  959:               </choices>
  960:             </Value>
  961:             <Rule id="rule-2.1.2.3.2.a" selected="false" weight="10.000000" severity="low">
  962:               <title xml:lang="en">yum-updatesd service should be disabled</title>
  963:               <description xml:lang="en">The yum-updatesd service should be disabled</description>
  964:               <ident system="http://cce.mitre.org">CCE-4218-4</ident>
  965:               <fix># chkconfig yum-updatesd off</fix>
  966:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  967:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20008" href="scap-fedora14-oval.xml"/>
  968:               </check>
  969:             </Rule>
  970:             <Rule id="rule-2.1.2.3.2.b" selected="false" weight="10.000000" severity="medium">
  971:               <title xml:lang="en">Automatic Update Retrieval should be scheduled with Cron</title>
  972:               <description xml:lang="en">Place the yum.cron script somewhere in /etc/cron.*/</description>
  973:               <fix>echo -e "/usr/bin/yum -R 120 -e 0 -d 0 -y update yum\n/usr/bin/yum -R 10 -e 0 -d 0 -y update" &gt; /etc/cron.weekly/yum.cron</fix>
  974:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  975:                 <check-export export-name="oval:org.fedoraproject.f14.dcb:var:20009" value-id="var-2.1.2.3.2.b"/>
  976:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20009" href="scap-fedora14-oval.xml"/>
  977:               </check>
  978:             </Rule>
  979:           </Group>
  980:           <Group id="group-2.1.2.3.3" hidden="false">
  981:             <title xml:lang="en">Ensure Package Signature Checking is Globally Activated</title>
  982:             <description xml:lang="en">
  983:               The gpgcheck option should be used to ensure that checking of an RPM package’s signature always occurs prior
  984:               to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  985:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  986:               To force yum to check package signatures before installing them, ensure that the following line appears in
  987:               /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  988:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  989:               gpgcheck=1
  990:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  991:             </description>
  992:             <Rule id="rule-2.1.2.3.3.a" selected="false" weight="10.000000">
  993:               <title xml:lang="en">Ensure gpgcheck is Globally Activated</title>
  994:               <description xml:lang="en">
  995:                 The gpgcheck option should be used to ensure that checking of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  996:                 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  997:                 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  998:                 gpgcheck=1</description>
  999:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1000:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20010" href="scap-fedora14-oval.xml"/>
 1001:               </check>
 1002:             </Rule>
 1003:           </Group>
 1004:           <Group id="group-2.1.2.3.4" hidden="false">
 1005:             <title xml:lang="en">Ensure Package Signature Checking is Not Disabled For Any Repos</title>
 1006:             <description xml:lang="en">
 1007:               To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT
 1008:               appear in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1009:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1010:               gpgcheck=0
 1011:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1012:             </description>
 1013:             <Rule id="rule-2.1.2.3.4.a" selected="false" weight="10.000000">
 1014:               <title xml:lang="en">Ensure Package Signature Checking is Not Disabled For Any Repos</title>
 1015:               <description xml:lang="en">
 1016:                 To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1017:                 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>gpgcheck=0</description>
 1018:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1019:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20011" href="scap-fedora14-oval.xml"/>
 1020:               </check>
 1021:             </Rule>
 1022:           </Group>
 1023:           <Group id="group-2.1.2.3.5" hidden="false">
 1024:             <title xml:lang="en">Ensure Repodata Signature Checking is Globally Activated</title>
 1025:             <description xml:lang="en">
 1026:               The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior
 1027:               to using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1028:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1029:               To force yum to check the signature on repodata sent by a repository prior to using it, ensure that the
 1030:               following line appears in /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1031:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1032:               repo_gpgcheck=1
 1033:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1034:             </description>
 1035:             <Rule id="rule-2.1.2.3.5.a" selected="false" weight="10.000000">
 1036:               <title xml:lang="en">Ensure Repodata Signature Checking is Globally Activated</title>
 1037:               <description xml:lang="en">
 1038:                 The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior to using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1039:                 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check the signature on repodata sent by a repository prior to using it, ensure that the following line appears in /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1040:                 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>repo_gpgcheck=1</description>
 1041:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1042:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20012" href="scap-fedora14-oval.xml"/>
 1043:               </check>
 1044:             </Rule>
 1045:           </Group>
 1046:           <Group id="group-2.1.2.3.6" hidden="false">
 1047:             <title xml:lang="en">Ensure Repodata Signature Checking is Not Disabled For Any Repos</title>
 1048:             <description xml:lang="en">
 1049:               To ensure that repodata signature checking is not disabled for any repos, ensure that the following line DOES NOT
 1050:               appear in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1051:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1052:               repo_gpgcheck=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1053:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1054:               Note: Red Hat’s repositories support signatures on repodata, but some public repositories do not. If a repository
 1055:               does not support signature checking on repodata, then this risk must be weighed against the value of using the
 1056:               repository.
 1057:             </description>
 1058:             <Rule id="rule-2.1.2.3.6.a" selected="false" weight="10.000000">
 1059:               <title xml:lang="en">Ensure Repodata Signature Checking is Not Disabled For Any Repos</title>
 1060:               <description xml:lang="en">
 1061:                 To ensure that repodata signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1062:                 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>repo_gpgcheck=0</description>
 1063:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1064:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20013" href="scap-fedora14-oval.xml"/>
 1065:               </check>
 1066:             </Rule>
 1067:           </Group>
 1068:         </Group>
 1069:       </Group>
 1070:       <Group id="group-2.1.3" hidden="false">
 1071:         <title xml:lang="en">Software Integrity Checking</title>
 1072:         <description xml:lang="en">
 1073:           The AIDE (Advanced Intrusion Detection Environment) software is
 1074:           included with the system to provide software integrity checking. It is designed to be a
 1075:           replacement for the well-known Tripwire integrity checker. Integrity checking cannot
 1076:           <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">prevent</xhtml:em>
 1077:           intrusions into your system, but can detect that they have occurred.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1078:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1079:           Any integrity checking software should be configured before
 1080:           the system is deployed and able to provide services to users. Ideally, the integrity
 1081:           checking database would be built before the system is connected to any network, though
 1082:           this may prove impractical due to registration and software updates.
 1083:         </description>
 1084:         <Group id="group-2.1.3.1" hidden="false">
 1085:           <title xml:lang="en">Configure AIDE</title>
 1086:           <description xml:lang="en">
 1087:             Requirements for software integrity checking should be defined
 1088:             by policy, and this is highly dependent on the environment in which the system will be
 1089:             used. As such, a general strategy for implementing integrity checking is provided, but
 1090:             precise recommendations (such as to check a particular file) cannot be. Documentation
 1091:             for AIDE, including the quick-start on which this advice is based, is available in
 1092:             /usr/share/doc/aide-0.12.</description>
 1093:           <Group id="group-2.1.3.1.1" hidden="false">
 1094:             <title xml:lang="en">Install AIDE</title>
 1095:             <description xml:lang="en">AIDE is not installed by default.</description>
 1096:             <Rule id="rule-2.1.3.1.1.a" selected="false" weight="10.000000" severity="medium">
 1097:               <title xml:lang="en">Install AIDE</title>
 1098:               <description xml:lang="en">The AIDE package should be installed</description>
 1099:               <ident system="http://cce.mitre.org">CCE-4209-3</ident>
 1100:               <fix>yum install aide</fix>
 1101:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1102:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20014" href="scap-fedora14-oval.xml"/>
 1103:               </check>
 1104:             </Rule>
 1105:           </Group>
 1106:           <Group id="group-2.1.3.1.2" hidden="false">
 1107:             <title xml:lang="en">Customize Configuration File</title>
 1108:             <description xml:lang="en">
 1109:               Customize /etc/aide.conf to meet your requirements. The
 1110:               default configuration is acceptable for many environments.
 1111:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1112:               The man page aide.conf(5)
 1113:               provides detailed information about the configuration file format.
 1114:             </description>
 1115:           </Group>
 1116:           <Group id="group-2.1.3.1.3" hidden="false">
 1117:             <title xml:lang="en">Build, Store, and Test Database</title>
 1118:             <description xml:lang="en">
 1119:               Generate a new database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1120:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1121:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init<xhtml:br/></xhtml:code>
 1122:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1123:               By default, the database will be written to
 1124:               the file /var/lib/aide/aide.db.new.gz. The database, as well as the configuration file
 1125:               /etc/aide.conf and the binary /usr/sbin/aide (or hashes of these files) should be
 1126:               copied and stored in a secure location. Storing these copies or hashes on read-only
 1127:               media may provide further confidence that they will not be
 1128:               altered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1129:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1130:               Install the newly-generated database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1131:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1132:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz<xhtml:br/></xhtml:code>
 1133:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1134:               Run a manual check:
 1135:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1136:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1137:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check<xhtml:br/></xhtml:code>
 1138:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1139:               If this check produces any unexpected output, investigate.
 1140:             </description>
 1141:           </Group>
 1142:           <Group id="group-2.1.3.1.4" hidden="false">
 1143:             <title xml:lang="en">Implement Periodic Execution of Integrity Checking</title>
 1144:             <description xml:lang="en">
 1145:               By default, AIDE does not install itself for periodic execution.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1146:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1147:               Implement checking with whatever frequency is required
 1148:               by your security policy. A once-daily check may be suitable for many environments. For
 1149:               example, to implement a daily execution of AIDE at 4:05am, add the following line to
 1150:               /etc/crontab:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1151:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1152:               05 4 * * * root /usr/sbin/aide --check<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1153:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1154:               AIDE output may be an indication of an attack against
 1155:               your system, or it may be the result of something innocuous such as an administrator's
 1156:               configuration change or a software update. The steps in Section 2.1.3.1.3 should be
 1157:               repeated when configuration changes or software updates necessitate. This will
 1158:               certainly be necessary after applying guidance later in this guide.
 1159:             </description>
 1160:             <Value id="var-2.1.3.1.4.a" operator="equals" type="string">
 1161:               <title xml:lang="en">Schedule AIDE check using cron</title>
 1162:               <description xml:lang="en">Frequency with which to run AIDE check</description>
 1163:               <question xml:lang="en">Select frequency with which to run AIDE check</question>
 1164:               <value>daily</value>
 1165:               <value selector="hourly">hourly</value>
 1166:               <value selector="daily">daily</value>
 1167:               <value selector="weekly">weekly</value>
 1168:               <value selector="monthly">monthly</value>
 1169:               <match>hourly|daily|weekly|monthly</match>
 1170:               <choices mustMatch="true">
 1171:                 <choice>hourly</choice>
 1172:                 <choice>daily</choice>
 1173:                 <choice>weekly</choice>
 1174:                 <choice>monthly</choice>
 1175:               </choices>
 1176:             </Value>
 1177:             <Rule id="rule-2.1.3.1.4.a" selected="false" weight="10.000000" role="full" severity="medium">
 1178:               <title xml:lang="en">Run AIDE periodically</title>
 1179:               <description xml:lang="en">Set up cron to run AIDE periodically.</description>
 1180:               <fix>echo -e "/usr/sbin/aide --check" &gt; /etc/cron.daily/aide.cron</fix>
 1181:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1182:                 <check-export export-name="oval:org.fedoraproject.f14:var:20015" value-id="var-2.1.3.1.4.a"/>
 1183:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20015" href="scap-fedora14-oval.xml"/>
 1184:               </check>
 1185:             </Rule>
 1186:           </Group>
 1187:           <Group id="group-2.1.3.1.5" hidden="false">
 1188:             <title xml:lang="en">Manually Verify Integrity of AIDE</title>
 1189:             <description xml:lang="en">
 1190:               Because integrity checking is a means of intrusion detection
 1191:               and not intrusion prevention, it cannot be guaranteed that the AIDE binaries,
 1192:               configuration files, or database have not been tampered with. An attacker could
 1193:               disable or alter these files after a successful intrusion. Because of this, manual and
 1194:               frequent checks on these files are recommended. The safely stored copies (or hashes) of
 1195:               the database, binary, and configuration file were created earlier for this
 1196:               purpose.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1197:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1198:               Manually verify the integrity of the AIDE binaries,
 1199:               configuration file, and database. Possibilities for doing so include:
 1200:               <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 1201:                 <xhtml:li>Use sha1sum or md5sum to generate checksums on the
 1202:                 files and then visually compare them to those generated from the safely stored
 1203:                 versions. This does not, of course, preclude the possibility that such output could
 1204:                 also be faked.</xhtml:li>
 1205:                 <xhtml:li>Mount the stored versions on read-only media and run
 1206:                 /bin/diff to verify that there are no differences between the
 1207:                 files.</xhtml:li>
 1208:                 <xhtml:li>Copying the files to another system and performing the hash or file
 1209:                 comparisons there may impart additional confidence that the manual verification
 1210:                 process is not being interfered with.</xhtml:li>
 1211:               </xhtml:ol>
 1212:             </description>
 1213:           </Group>
 1214:         </Group>
 1215:         <Group id="group-2.1.3.2" hidden="false">
 1216:           <title xml:lang="en">Verify Package Integrity Using RPM</title>
 1217:           <description xml:lang="en">
 1218:               The RPM package management system includes the ability to
 1219:               verify the integrity of installed packages by comparing the installed files with
 1220:               information about the files taken from the package metadata stored in the RPM
 1221:               database. Although an attacker could corrupt the RPM database (analogous to
 1222:               attacking the AIDE database as described above), this check can still reveal
 1223:               modification of important files.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1224:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1225:               To determine which files on the system differ from what is expected by the RPM
 1226:               database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1227:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1228:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -qVa<xhtml:br/></xhtml:code>
 1229:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1230:               A “c” in the second column indicates that a file is a configuration file (and may be
 1231:               expected to change). In order to exclude configuration files from this list, run:
 1232:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1233:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -qVa | awk '$2!="c" {print $0}'<xhtml:br/></xhtml:code>
 1234:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1235:               The man page rpm(8) describes the format of the output. Any files that do not
 1236:               match the expected output demand further investigation if the system is being
 1237:               seriously examined. This check could also be run as a cron job.
 1238:             </description>
 1239:           <Rule id="rule-2.1.3.2.a" selected="false" weight="10.000000">
 1240:             <title xml:lang="en">Verify Package Integrity Using RPM</title>
 1241:             <description xml:lang="en">Verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.</description>
 1242:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1243:               <check-content-ref name="oval:org.fedoraproject.f14:def:200155" href="scap-fedora14-oval.xml"/>
 1244:             </check>
 1245:           </Rule>
 1246:         </Group>
 1247:       </Group>
 1248:     </Group>
 1249:     <Group id="group-2.2" hidden="false">
 1250:       <title xml:lang="en">File Permissions and Masks</title>
 1251:       <description xml:lang="en">
 1252:         Traditional Unix security relies heavily on file and directory
 1253:         permissions to prevent unauthorized users from reading or modifying files to which they
 1254:         should not have access. Adhere to the principle of least privilege — configure each file,
 1255:         directory, and filesystem to allow only the access needed in order for that file to serve
 1256:         its purpose.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1257:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1258:         However, Linux systems contain a large number of files, so
 1259:         it is often prohibitively time-consuming to ensure that every file on a machine has exactly
 1260:         the permissions needed. This section introduces several permission restrictions which are
 1261:         almost always appropriate for system security, and which are easy to test and
 1262:         correct. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1263:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1264:         Note: Several of the commands in this section search
 1265:         filesystems for files or directories with certain characteristics, and are intended to be
 1266:         run on every local ext2, ext3 and ext4 partition on a given machine. When the variable
 1267:         <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em>
 1268:         appears in one of the commands below, it means that the command
 1269:         is intended to be run repeatedly, with the name of each local partition substituted for
 1270:         <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em>
 1271:         in turn.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1272:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1273:         The following command prints a
 1274:         list of ext2, ext3 and ext4 partitions on a given machine:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1275:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1276:         <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ mount -t ext2,ext3,ext4 | awk '{print $3}'<xhtml:br/></xhtml:code>
 1277:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1278:         If your site uses a local filesystem type other than ext{234}, you will need to modify
 1279:         this command.
 1280:       </description>
 1281:       <Group id="group-2.2.1" hidden="false">
 1282:         <title xml:lang="en">Restrict Partition Mount Options</title>
 1283:         <description xml:lang="en">
 1284:           System partitions can be mounted with certain options which limit
 1285:           what files on those partitions can do. These options are set in the file /etc/fstab, and
 1286:           can be used to make certain types of malicious behavior more difficult.</description>
 1287:         <Group id="group-2.2.1.1" hidden="false" weight="1.000000">
 1288:           <title xml:lang="en">Add nodev Option to Non-Root Local Partitions</title>
 1289:           <description xml:lang="en">
 1290:             The nodev option prevents users from mounting unauthorized
 1291:             devices on any partition which is known not to contain any authorized devices. The root
 1292:             partition typically contains the /dev partition, which is the primary location for
 1293:             authorized devices, so this option should not be set on /. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1294:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1295:             However, if system programs are being run in chroot jails, this advice may need to be
 1296:             modified further, since it is often necessary to create device files inside the chroot
 1297:             directory for use by the restricted program.
 1298:           </description>
 1299:           <Rule id="rule-2.2.1.1.a" selected="false" weight="10.000000" role="full" severity="unknown">
 1300:             <title xml:lang="en">Add nodev Option to Non-Root Local Partitions</title>
 1301:             <description xml:lang="en">The nodev option should be enabled as appropriate for all non-root partitions.</description>
 1302:             <ident system="http://cce.mitre.org">CCE-4249-9</ident>
 1303:             <fixtext xml:lang="en">
 1304:               Edit the file /etc/fstab. The important columns for purposes of
 1305:               this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount
 1306:               options). For any line which satisfies all of the conditions:
 1307:               <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 1308:                 <xhtml:li>The filesystem type is ext2, ext3 or ext4</xhtml:li>
 1309:                 <xhtml:li>The mount point is not /</xhtml:li>
 1310:               </xhtml:ul>
 1311:               add the text “,nodev” to the list of mount options in column 4. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1312:             </fixtext>
 1313:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1314:               <check-content-ref name="oval:org.fedoraproject.f14:def:20016" href="scap-fedora14-oval.xml"/>
 1315:             </check>
 1316:           </Rule>
 1317:         </Group>
 1318:         <Group id="group-2.2.1.2" hidden="false">
 1319:           <title xml:lang="en">Add nodev, nosuid, and noexec Options to Removable Media Partitions</title>
 1320:           <description xml:lang="en">
 1321:             Users should not be allowed to introduce arbitrary devices or
 1322:             setuid programs to a system. These options are used to prevent that. In addition, while
 1323:             users are usually allowed to add executable programs to a system, the noexec option
 1324:             prevents code from being executed directly from the media itself, and may therefore
 1325:             provide a line of defense against certain types of worms or malicious code.</description>
 1326:           <Rule id="rule-2.2.1.2.a" selected="false" weight="10.000000">
 1327:             <title xml:lang="en">Add nodev Option to Removable Media Partitions</title>
 1328:             <description xml:lang="en">The nodev option should be enabled for all removable media.</description>
 1329:             <ident system="http://cce.mitre.org">CCE-3522-0</ident>
 1330:             <fixtext xml:lang="en">Edit the file /etc/fstab. Filesystems which represent removable media can be
 1331:               located by finding lines whose mount points contain strings like floppy or cdrom, or
 1332:               whose types are iso9660, vfat, or msdos. For each line representing a removable media
 1333:               mountpoint, add the text ',nodev' to the list of mount options in column 4.</fixtext>
 1334:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1335:               <check-content-ref name="oval:org.fedoraproject.f14:def:20017" href="scap-fedora14-oval.xml"/>
 1336:             </check>
 1337:           </Rule>
 1338:           <Rule id="rule-2.2.1.2.b" selected="false" weight="10.000000">
 1339:             <title xml:lang="en">Add noexec Option to Removable Media Partitions</title>
 1340:             <description xml:lang="en">The noexec option should be set for all removable media.</description>
 1341:             <ident system="http://cce.mitre.org">CCE-4275-4</ident>
 1342:             <fixtext xml:lang="en">Edit the file /etc/fstab. Filesystems which represent removable media can be
 1343:               located by finding lines whose mount points contain strings like floppy or cdrom, or
 1344:               whose types are iso9660, vfat, or msdos. For each line representing a removable media
 1345:               mountpoint, add the text ',noexec' to the list of mount options in column 4.</fixtext>
 1346:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1347:               <check-content-ref name="oval:org.fedoraproject.f14:def:20018" href="scap-fedora14-oval.xml"/>
 1348:             </check>
 1349:           </Rule>
 1350:           <Rule id="rule-2.2.1.2.c" selected="false" weight="10.000000" severity="medium">
 1351:             <title xml:lang="en">Add nosuid Option to Removable Media Partitions</title>
 1352:             <description xml:lang="en">The nosuid option should be set for all removable media.</description>
 1353:             <ident system="http://cce.mitre.org">CCE-4042-8</ident>
 1354:             <fixtext xml:lang="en">Edit the file /etc/fstab. Filesystems which represent removable media can be
 1355:               located by finding lines whose mount points contain strings like floppy or cdrom, or
 1356:               whose types are iso9660, vfat, or msdos. For each line representing a removable media
 1357:               mountpoint, add the text ',nosuid' to the list of mount options in column 4.</fixtext>
 1358:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1359:               <check-content-ref name="oval:org.fedoraproject.f14:def:20019" href="scap-fedora14-oval.xml"/>
 1360:             </check>
 1361:           </Rule>
 1362:         </Group>
 1363:       </Group>
 1364:       <Group id="group-2.2.2" hidden="false">
 1365:         <title xml:lang="en">Restrict Dynamic Mounting and Unmounting of Filesystems</title>
 1366:         <description xml:lang="en">
 1367:           Linux includes a number of facilities for the automated addition
 1368:           and removal of filesystems on a running system. These facilities may increase convenience,
 1369:           but they all bring some risk, whether direct risk from allowing unprivileged users to
 1370:           introduce arbitrary filesystems to a machine, or risk that software flaws in the automated
 1371:           mount facility itself will allow an attacker to compromise the
 1372:           system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1373:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1374:           Use caution when enabling any such facility, and find out
 1375:           whether better configuration management or user education might solve the same problem
 1376:           with less risk.
 1377:         </description>
 1378:         <Group id="group-2.2.2.1" hidden="false">
 1379:           <title xml:lang="en">Disable USB Device Support</title>
 1380:           <description xml:lang="en">USB flash or hard drives allow an attacker with physical access to a system to quickly copy an enormous amount of data from it.</description>
 1381:           <Group id="group-2.2.2.1.1" hidden="false">
 1382:             <title xml:lang="en">Disable Modprobe Loading of USB Storage Driver</title>
 1383:             <description xml:lang="en">
 1384:               If USB storage devices should not be used, the modprobe
 1385:               program used for automatic kernel module loading should be configured to not load the
 1386:               USB storage driver upon demand. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1387:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1388:               This will prevent the modprobe program from loading the usb-storage module, but will
 1389:               not prevent an administrator (or another program) from using the insmod program to
 1390:               load the module manually.
 1391:             </description>
 1392:             <Rule id="rule-2.2.2.1.1.a" selected="false" weight="10.000000">
 1393:               <title xml:lang="en">Disable Modprobe Loading of USB Storage Driver</title>
 1394:               <description xml:lang="en">The USB storage driver module should not be loaded.</description>
 1395:               <ident system="http://cce.mitre.org">CCE-4187-1</ident>
 1396:               <fix>echo -e "\nblacklist usb_storage" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1397:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1398:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20021" href="scap-fedora14-oval.xml"/>
 1399:               </check>
 1400:             </Rule>
 1401:           </Group>
 1402:           <Group id="group-2.2.2.1.2" hidden="false">
 1403:             <title xml:lang="en">Remove USB Storage Driver</title>
 1404:             <description xml:lang="en">
 1405:               If your system never requires the use of USB storage devices,
 1406:               then the supporting driver can be removed. Though more effective (as USB storage
 1407:               certainly cannot be used if the driver is not available at all), this is less elegant
 1408:               than the method described in Section 2.2.2.1.1. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1409:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1410:               Note that this guidance will not prevent USB storage devices from being mounted if a
 1411:               custom kernel (i.e., not the one supplied with the system) with built-in USB support
 1412:               is used.
 1413:             </description>
 1414:             <Rule id="rule-2.2.2.1.2.a" selected="false" weight="10.000000">
 1415:               <title xml:lang="en">Remove USB Storage Driver</title>
 1416:               <description xml:lang="en">
 1417:                 The USB storage driver module should not be installed. The command in
 1418:                 the FIX will need to be repeated every time the kernel is updated. This command
 1419:                 will also cause the command rpm -q --verify kernel to fail, which may be an
 1420:                 undesirable side effect.</description>
 1421:               <ident system="http://cce.mitre.org">CCE-4006-3</ident>
 1422:               <fix>rm /lib/modules/2.6.*/kernel/drivers/usb/storage/usb-storage.ko</fix>
 1423:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1424:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20022" href="scap-fedora14-oval.xml"/>
 1425:               </check>
 1426:             </Rule>
 1427:           </Group>
 1428:           <Group id="group-2.2.2.1.3" hidden="false">
 1429:             <title xml:lang="en">Disable Kernel Support for USB via Bootloader Configuration</title>
 1430:             <description xml:lang="en">
 1431:               Another means of disabling USB storage is to disable all USB
 1432:               support provided by the operating system. This can be accomplished by adding the
 1433:               'nousb' argument to the kernel's boot loader configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1434:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1435:               NOTE
 1436:               - Disabling all kernel support for USB will cause problems for systems with USB-based
 1437:               keyboards, mice, or printers. This guidance is inappropriate for systems which require
 1438:               USB connectivity.
 1439:             </description>
 1440:             <Rule id="rule-2.2.2.1.3.a" selected="false" weight="10.000000">
 1441:               <title xml:lang="en">Disable Kernel Support for USB via Bootloader Configuration</title>
 1442:               <description xml:lang="en">USB kernel support should be disabled.</description>
 1443:               <ident system="http://cce.mitre.org">CCE-4173-1</ident>
 1444:               <fixtext xml:lang="en">To disable kernel support for USB, append 'nousb' to the kernel line in
 1445:                 /etc/grub.conf as follows: kernel /vmlinuz-version ro vga=ext
 1446:                 root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</fixtext>
 1447:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1448:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20023" href="scap-fedora14-oval.xml"/>
 1449:               </check>
 1450:             </Rule>
 1451:           </Group>
 1452:           <Group id="group-2.2.2.1.4" hidden="false">
 1453:             <title xml:lang="en">Disable Booting from USB Devices</title>
 1454:             <description xml:lang="en">
 1455:               An attacker with physical access could try to boot the system
 1456:               from a USB flash drive and then access any data on the system's hard drive,
 1457:               circumventing the normal operating system's access controls. To prevent this,
 1458:               configure the BIOS to disallow booting from USB drives. Also configure the BIOS or
 1459:               firmware password as described in Section 2.3.5.1 to prevent unauthorized
 1460:               configuration changes.</description>
 1461:             <Rule id="rule-2.2.2.1.4.a" selected="false" weight="10.000000" severity="high">
 1462:               <title xml:lang="en">Disable Booting from USB Devices in the BIOS</title>
 1463:               <description xml:lang="en">The ability to boot from USB devices should be disabled</description>
 1464:               <ident system="http://cce.mitre.org">CCE-3944-6</ident>
 1465:               <fixtext xml:lang="en">BIOS settings</fixtext>
 1466:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1467:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20024" href="scap-fedora14-oval.xml"/>
 1468:               </check>
 1469:             </Rule>
 1470:           </Group>
 1471:         </Group>
 1472:         <Group id="group-2.2.2.2" hidden="false">
 1473:           <title xml:lang="en">Disable the Automounter if Possible</title>
 1474:           <description xml:lang="en">
 1475:             If the autofs service is not needed to dynamically mount NFS
 1476:             filesystems or removable media, disable the service. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1477:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1478:             The autofs daemon mounts and unmounts filesystems, such as user home directories shared
 1479:             via NFS, on demand. In addition, autofs can be used to handle removable media, and the
 1480:             default configuration provides the cdrom device as /misc/cd. However, this method of
 1481:             providing access to removable media is not common, so autofs can almost always be
 1482:             disabled if NFS is not in use. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1483:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1484:             Even if NFS is required, it is almost always
 1485:             possible to configure filesystem mounts statically by editing /etc/fstab rather than
 1486:             relying on the automounter.
 1487:           </description>
 1488:           <Rule id="rule-2.2.2.2.a" selected="false" weight="10.000000" severity="medium">
 1489:             <title xml:lang="en">Disable the Automounter if Possible</title>
 1490:             <description xml:lang="en">The autofs service should be disabled.</description>
 1491:             <ident system="http://cce.mitre.org">CCE-4072-5</ident>
 1492:             <fix>chkconfig autofs off</fix>
 1493:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1494:               <check-content-ref name="oval:org.fedoraproject.f14:def:20025" href="scap-fedora14-oval.xml"/>
 1495:             </check>
 1496:           </Rule>
 1497:         </Group>
 1498:         <Group id="group-2.2.2.3" hidden="false">
 1499:           <title xml:lang="en">Disable GNOME Automounting if Possible</title>
 1500:           <description xml:lang="en">
 1501:             The system's default desktop environment, GNOME, runs the
 1502:             program gnome-volume-manager to mount devices and removable media (such as DVDs, CDs and
 1503:             USB flash drives) whenever they are inserted into the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1504:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1505:             The system's capabilities for automatic mounting should be configured to match whatever
 1506:             is defined by security policy. Disabling USB storage as described in Section 2.2.2.1
 1507:             will prevent the use of USB storage devices, but this step can also be taken as an
 1508:             additional layer of prevention and to prevent automatic mounting of CDs and DVDs if
 1509:             required. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1510:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1511:             Particularly for kiosk-style systems, where users should
 1512:             have extremely limited access to the system, more detailed information can be found in
 1513:             Red Hat Desktop: Deployment Guide. The gconf-editor program, available in an RPM of the
 1514:             same name, can be used to explore other settings available in the GNOME environment.
 1515:           </description>
 1516:           <Rule id="rule-2.2.2.3.a" selected="false" weight="10.000000" severity="medium">
 1517:             <title xml:lang="en">Disable GNOME Automounting if Possible</title>
 1518:             <description xml:lang="en">The GNOME automounter (gnome-volume-manager) should be disabled if possible</description>
 1519:             <ident system="http://cce.mitre.org">CCE-4231-7</ident>
 1520:             <fixtext xml:lang="en">Execute the following commands to prevent gnome-volume-manager from automatically
 1521:               mounting devices and media: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1522:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1523:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
 1524:               # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
 1525:                             --type bool --set /desktop/gnome/volume_manager/automount_media false
 1526:               <xhtml:br/> <xhtml:br/>
 1527:               # gconftool-2 --direct
 1528:                             --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
 1529:                             --type bool
 1530:                             --set /desktop/gnome/volume_manager/automount_drives false
 1531:               </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1532:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1533:               Verify the changes by executing
 1534:               the following command, which should return a list of settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1535:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1536:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># gconftool-2 -R /desktop/gnome/volume_manager <xhtml:br/></xhtml:code>
 1537:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1538:               The automount drives and automount media settings should
 1539:               be set to false. Survey the list for any other options that should be adjusted.</fixtext>
 1540:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1541:               <check-content-ref name="oval:org.fedoraproject.f14:def:20026" href="scap-fedora14-oval.xml"/>
 1542:             </check>
 1543:           </Rule>
 1544:         </Group>
 1545:         <Group id="group-2.2.2.4" hidden="false">
 1546:           <title xml:lang="en">Disable Mounting of Uncommon Filesystem Types</title>
 1547:           <description xml:lang="en">
 1548:             Listing a kernel module in /etc/modprobe.d/blacklist.conf prevents the
 1549:             kernel module loading system from inserting that module into the kernel.
 1550:             This mechanism effectively prevents usage of these uncommon filesystems.</description>
 1551:           <Rule id="rule-2.2.2.4.a" selected="false" weight="10.000000">
 1552:             <title xml:lang="en">Disable Mounting of cramfs</title>
 1553:             <description xml:lang="en">cramfs is an uncommon filesystem.</description>
 1554:             <fix>echo "blacklist cramfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1555:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1556:               <check-content-ref name="oval:org.fedoraproject.f14:def:20027" href="scap-fedora14-oval.xml"/>
 1557:             </check>
 1558:           </Rule>
 1559:           <Rule id="rule-2.2.2.4.b" selected="false" weight="10.000000">
 1560:             <title xml:lang="en">Disable Mounting of freevxfs</title>
 1561:             <description xml:lang="en">freevxfs is an uncommon filesystem.</description>
 1562:             <fix>echo "blacklist freevxfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1563:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1564:               <check-content-ref name="oval:org.fedoraproject.f14:def:20028" href="scap-fedora14-oval.xml"/>
 1565:             </check>
 1566:           </Rule>
 1567:           <Rule id="rule-2.2.2.4.c" selected="false" weight="10.000000">
 1568:             <title xml:lang="en">Disable Mounting of jffs2</title>
 1569:             <description xml:lang="en">jffs2 is an uncommon filesystem.</description>
 1570:             <fix>echo "blacklist jffs2" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1571:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1572:               <check-content-ref name="oval:org.fedoraproject.f14:def:20029" href="scap-fedora14-oval.xml"/>
 1573:             </check>
 1574:           </Rule>
 1575:           <Rule id="rule-2.2.2.4.d" selected="false" weight="10.000000">
 1576:             <title xml:lang="en">Disable Mounting of hfs</title>
 1577:             <description xml:lang="en">hfs is an uncommon filesystem.</description>
 1578:             <fix>echo "blacklist hfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1579:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1580:               <check-content-ref name="oval:org.fedoraproject.f14:def:20030" href="scap-fedora14-oval.xml"/>
 1581:             </check>
 1582:           </Rule>
 1583:           <Rule id="rule-2.2.2.4.e" selected="false" weight="10.000000">
 1584:             <title xml:lang="en">Disable Mounting of hfsplus</title>
 1585:             <description xml:lang="en">hfsplus is an uncommon filesystem.</description>
 1586:             <fix>echo "blacklist hfsplus" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1587:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1588:               <check-content-ref name="oval:org.fedoraproject.f14:def:20031" href="scap-fedora14-oval.xml"/>
 1589:             </check>
 1590:           </Rule>
 1591:           <Rule id="rule-2.2.2.4.f" selected="false" weight="10.000000">
 1592:             <title xml:lang="en">Disable Mounting of squashfs</title>
 1593:             <description xml:lang="en">squashfs is an uncommon filesystem.</description>
 1594:             <fix>echo "blacklist squashfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1595:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1596:               <check-content-ref name="oval:org.fedoraproject.f14:def:20032" href="scap-fedora14-oval.xml"/>
 1597:             </check>
 1598:           </Rule>
 1599:           <Rule id="rule-2.2.2.4.g" selected="false" weight="10.000000">
 1600:             <title xml:lang="en">Disable Mounting of udf</title>
 1601:             <description xml:lang="en">udf is an uncommon filesystem.</description>
 1602:             <fix>echo "blacklist udf" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
 1603:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1604:               <check-content-ref name="oval:org.fedoraproject.f14:def:20033" href="scap-fedora14-oval.xml"/>
 1605:             </check>
 1606:           </Rule>
 1607:         </Group>
 1608:       </Group>
 1609:       <Group id="group-2.2.3" hidden="false">
 1610:         <title xml:lang="en">Verify Permissions on Important Files and Directories</title>
 1611:         <description xml:lang="en">
 1612:           Permissions for many files on a system should be set to conform
 1613:           to system policy. This section discusses important permission restrictions which
 1614:           should be checked on a regular basis to ensure that no harmful discrepancies have arisen.
 1615:         </description>
 1616:         <Group id="group-2.2.3.1" hidden="false">
 1617:           <title xml:lang="en">Verify Permissions on passwd, shadow, group and gshadow Files</title>
 1618:           <description xml:lang="en">
 1619:             These are the default permissions for these files. Many
 1620:             utilities need read access to the passwd file in order to function properly, but read
 1621:             access to the shadow file allows malicious attacks against system passwords, and should
 1622:             never be enabled.</description>
 1623:           <Value id="var-2.2.3.1.i" operator="equals" type="string">
 1624:             <title xml:lang="en">Permissions for shadow</title>
 1625:             <description xml:lang="en">File permissions for /etc/shadow</description>
 1626:             <question xml:lang="en">Select permissions for /etc/shadow</question>
 1627:             <value>000000000</value>
 1628:             <value selector="000">000000000</value>
 1629:             <value selector="400">100000000</value>
 1630:             <value selector="644">110100100</value>
 1631:             <match>^[10]+$</match>
 1632:           </Value>
 1633:           <Value id="var-2.2.3.1.j" operator="equals" type="string">
 1634:             <title xml:lang="en">Permissions for group</title>
 1635:             <description xml:lang="en">File permissions for /etc/group</description>
 1636:             <question xml:lang="en">Select permissions for /etc/group</question>
 1637:             <value>110100100</value>
 1638:             <value selector="400">100000000</value>
 1639:             <value selector="644">110100100</value>
 1640:             <value selector="700">111000000</value>
 1641:             <match>^[10]+$</match>
 1642:           </Value>
 1643:           <Value id="var-2.2.3.1.k" operator="equals" type="string">
 1644:             <title xml:lang="en">Permissions for gshadow</title>
 1645:             <description xml:lang="en">File permissions for /etc/gshadow</description>
 1646:             <question xml:lang="en">Select permissions for /etc/gshadow</question>
 1647:             <value>000000000</value>
 1648:             <value selector="000">000000000</value>
 1649:             <value selector="400">100000000</value>
 1650:             <value selector="644">110100100</value>
 1651:             <match>^[10]+$</match>
 1652:           </Value>
 1653:           <Value id="var-2.2.3.1.l" operator="equals" type="string">
 1654:             <title xml:lang="en">Permissions for passwd</title>
 1655:             <description xml:lang="en">File permissions for /etc/passwd</description>
 1656:             <question xml:lang="en">Select permissions for /etc/passwd</question>
 1657:             <value>110100100</value>
 1658:             <value selector="400">100000000</value>
 1659:             <value selector="644">110100100</value>
 1660:             <value selector="700">111000000</value>
 1661:             <match>^[10]+$</match>
 1662:           </Value>
 1663:           <Rule id="rule-2.2.3.1.a" selected="false" weight="10.000000" severity="medium">
 1664:             <title xml:lang="en">Verify user who owns 'shadow' file</title>
 1665:             <description xml:lang="en">The /etc/shadow file should be owned by root.</description>
 1666:             <ident system="http://cce.mitre.org">CCE-3918-0</ident>
 1667:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1668:               <check-content-ref name="oval:org.fedoraproject.f14:def:20034" href="scap-fedora14-oval.xml"/>
 1669:             </check>
 1670:           </Rule>
 1671:           <Rule id="rule-2.2.3.1.b" selected="false" weight="10.000000" severity="medium">
 1672:             <title xml:lang="en">Verify group who owns 'shadow' file</title>
 1673:             <description xml:lang="en">The /etc/shadow file should be group-owned by root.</description>
 1674:             <ident system="http://cce.mitre.org">CCE-3988-3</ident>
 1675:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1676:               <check-content-ref name="oval:org.fedoraproject.f14:def:20035" href="scap-fedora14-oval.xml"/>
 1677:             </check>
 1678:           </Rule>
 1679:           <Rule id="rule-2.2.3.1.c" selected="false" weight="10.000000" severity="medium">
 1680:             <title xml:lang="en">Verify user who owns 'group' file</title>
 1681:             <description xml:lang="en">The /etc/group file should be owned by root.</description>
 1682:             <ident system="http://cce.mitre.org">CCE-3276-3</ident>
 1683:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1684:               <check-content-ref name="oval:org.fedoraproject.f14:def:20036" href="scap-fedora14-oval.xml"/>
 1685:             </check>
 1686:           </Rule>
 1687:           <Rule id="rule-2.2.3.1.d" selected="false" weight="10.000000" severity="medium">
 1688:             <title xml:lang="en">Verify group who owns 'group' file</title>
 1689:             <description xml:lang="en">The /etc/group file should be group-owned by root.</description>
 1690:             <ident system="http://cce.mitre.org">CCE-3883-6</ident>
 1691:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1692:               <check-content-ref name="oval:org.fedoraproject.f14:def:20037" href="scap-fedora14-oval.xml"/>
 1693:             </check>
 1694:           </Rule>
 1695:           <Rule id="rule-2.2.3.1.e" selected="false" weight="10.000000" severity="medium">
 1696:             <title xml:lang="en">Verify user who owns 'gshadow' file</title>
 1697:             <description xml:lang="en">The /etc/gshadow file should be owned by root.</description>
 1698:             <ident system="http://cce.mitre.org">CCE-4210-1</ident>
 1699:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1700:               <check-content-ref name="oval:org.fedoraproject.f14:def:20038" href="scap-fedora14-oval.xml"/>
 1701:             </check>
 1702:           </Rule>
 1703:           <Rule id="rule-2.2.3.1.f" selected="false" weight="10.000000" severity="medium">
 1704:             <title xml:lang="en">Verify group who owns 'gshadow' file</title>
 1705:             <description xml:lang="en">The /etc/gshadow file should be group-owned by root.</description>
 1706:             <ident system="http://cce.mitre.org">CCE-4064-2</ident>
 1707:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1708:               <check-content-ref name="oval:org.fedoraproject.f14:def:20039" href="scap-fedora14-oval.xml"/>
 1709:             </check>
 1710:           </Rule>
 1711:           <Rule id="rule-2.2.3.1.g" selected="false" weight="10.000000" severity="medium">
 1712:             <title xml:lang="en">Verify user who owns 'passwd' file</title>
 1713:             <description xml:lang="en">The /etc/passwd file should be owned by root.</description>
 1714:             <ident system="http://cce.mitre.org">CCE-3958-6</ident>
 1715:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1716:               <check-content-ref name="oval:org.fedoraproject.f14:def:20040" href="scap-fedora14-oval.xml"/>
 1717:             </check>
 1718:           </Rule>
 1719:           <Rule id="rule-2.2.3.1.h" selected="false" weight="10.000000" severity="medium">
 1720:             <title xml:lang="en">Verify group who owns 'passwd' file</title>
 1721:             <description xml:lang="en">The /etc/passwd file should be group-owned by root.</description>
 1722:             <ident system="http://cce.mitre.org">CCE-3495-9</ident>
 1723:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1724:               <check-content-ref name="oval:org.fedoraproject.f14:def:20041" href="scap-fedora14-oval.xml"/>
 1725:             </check>
 1726:           </Rule>
 1727:           <Rule id="rule-2.2.3.1.i" selected="false" weight="10.000000" severity="medium">
 1728:             <title xml:lang="en">Verify permissions on 'shadow' file</title>
 1729:             <description xml:lang="en">File permissions for /etc/shadow should be set correctly.</description>
 1730:             <ident system="http://cce.mitre.org">CCE-4130-1</ident>
 1731:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1732:               <check-export export-name="oval:org.fedoraproject.f14:var:20042" value-id="var-2.2.3.1.i"/>
 1733:               <check-content-ref name="oval:org.fedoraproject.f14:def:20042" href="scap-fedora14-oval.xml"/>
 1734:             </check>
 1735:           </Rule>
 1736:           <Rule id="rule-2.2.3.1.j" selected="false" weight="10.000000" severity="medium">
 1737:             <title xml:lang="en">Verify permissions on 'group' file</title>
 1738:             <description xml:lang="en">File permissions for /etc/group should be set correctly.</description>
 1739:             <ident system="http://cce.mitre.org">CCE-3967-7</ident>
 1740:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1741:               <check-export export-name="oval:org.fedoraproject.f14:var:20043" value-id="var-2.2.3.1.j"/>
 1742:               <check-content-ref name="oval:org.fedoraproject.f14:def:20043" href="scap-fedora14-oval.xml"/>
 1743:             </check>
 1744:           </Rule>
 1745:           <Rule id="rule-2.2.3.1.k" selected="false" weight="10.000000" severity="medium">
 1746:             <title xml:lang="en">Verify permissions on 'gshadow' file</title>
 1747:             <description xml:lang="en">File permissions for /etc/gshadow should be set correctly.</description>
 1748:             <ident system="http://cce.mitre.org">CCE-3932-1</ident>
 1749:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1750:               <check-export export-name="oval:org.fedoraproject.f14:var:20044" value-id="var-2.2.3.1.k"/>
 1751:               <check-content-ref name="oval:org.fedoraproject.f14:def:20044" href="scap-fedora14-oval.xml"/>
 1752:             </check>
 1753:           </Rule>
 1754:           <Rule id="rule-2.2.3.1.l" selected="false" weight="10.000000" severity="medium">
 1755:             <title xml:lang="en">Verify permissions on 'passwd' file</title>
 1756:             <description xml:lang="en">File permissions for /etc/passwd should be set correctly.</description>
 1757:             <ident system="http://cce.mitre.org">CCE-3566-7</ident>
 1758:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1759:               <check-export export-name="oval:org.fedoraproject.f14:var:20045" value-id="var-2.2.3.1.l"/>
 1760:               <check-content-ref name="oval:org.fedoraproject.f14:def:20045" href="scap-fedora14-oval.xml"/>
 1761:             </check>
 1762:           </Rule>
 1763:         </Group>
 1764:         <Group id="group-2.2.3.2" hidden="false">
 1765:           <title xml:lang="en">Verify that All World-Writable Directories Have Sticky Bits Set</title>
 1766:           <description xml:lang="en">
 1767:             When the so-called 'sticky bit' is set on a directory, only the
 1768:             owner of a given file may remove that file from the directory. Without the sticky bit,
 1769:             any user with write access to a directory may remove any file in the directory. Setting
 1770:             the sticky bit prevents users from removing each other's files. In cases where there is
 1771:             no reason for a directory to be world-writable, a better solution is to remove that
 1772:             permission rather than to set the sticky bit. However, if a directory is used by a
 1773:             particular application, consult that application's documentation instead of blindly
 1774:             changing modes.</description>
 1775:           <Rule id="rule-2.2.3.2.a" selected="false" weight="10.000000" severity="low">
 1776:             <title xml:lang="en">Verify that All World-Writable Directories Have Sticky Bits Set</title>
 1777:             <description xml:lang="en">The sticky bit should be set for all world-writable directories.</description>
 1778:             <ident system="http://cce.mitre.org">CCE-3399-3</ident>
 1779:             <fixtext xml:lang="en">Locate any directories in local partitions which are world-writable and do not have
 1780:               their sticky bits set. The following command will discover and print these. Run it
 1781:               once for each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1782:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d \( -perm -0002 -a !
 1783:               -perm -1000 \) -print </xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1784:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1785:               If this command produces any output, fix each reported directory
 1786:               /dir using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1787:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1788:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod +t /dir</xhtml:code></fixtext>
 1789:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1790:               <check-content-ref name="oval:org.fedoraproject.f14:def:20046" href="scap-fedora14-oval.xml"/>
 1791:             </check>
 1792:           </Rule>
 1793:         </Group>
 1794:         <Group id="group-2.2.3.3" hidden="false">
 1795:           <title xml:lang="en">Find Unauthorized World-Writable Files</title>
 1796:           <description xml:lang="en">
 1797:             Data in world-writable files can be modified by any user on the
 1798:             system. In almost all circumstances, files can be configured using a combination of user
 1799:             and group permissions to support whatever legitimate access is needed without the risk
 1800:             caused by world-writable files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1801:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1802:             It is generally a good idea to
 1803:             remove global (other) write access to a file when it is discovered. However, check with
 1804:             documentation for specific applications before making changes. Also, monitor for
 1805:             recurring world-writable files, as these may be symptoms of a misconfigured application
 1806:             or user account.
 1807:           </description>
 1808:           <Rule id="rule-2.2.3.3.a" selected="false" weight="10.000000" severity="medium">
 1809:             <title xml:lang="en">Find Unauthorized World-Writable Files</title>
 1810:             <description xml:lang="en">The world-write permission should be disabled for all files.</description>
 1811:             <ident system="http://cce.mitre.org">CCE-3795-2</ident>
 1812:             <fixtext xml:lang="en">The following command discovers any world-writable files in local
 1813:               partitions and removes their world-write (other) permission. Because the file list is piped through xargs, paths containing whitespace or newlines are not handled correctly, so review the list of affected files before running it. Run it once for each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1814:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1815:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">find PART -xdev -type f -perm -0002 -print | xargs chmod o-w</xhtml:code></fixtext>
 1816:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 1817:               <check-content-ref name="oval:org.fedoraproject.f14:def:20047" href="scap-fedora14-oval.xml"/>
 1818:             </check>
 1819:           </Rule>
 1820:         </Group>
 1821:         <Group id="group-2.2.3.4" hidden="false">
 1822:           <title xml:lang="en">Find Unauthorized SUID/SGID System Executables</title>
 1823:           <description xml:lang="en">
 1824:             The following command discovers and prints any setuid or setgid
 1825:             files on all locally mounted ext2, ext3 and ext4 partitions (the loop iterates over the mounted partitions itself): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1826:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1827:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> # for PART in `mount -t ext2,ext3,ext4 | awk '{print $3}'`;
 1828:             do find $PART  -xdev \( -perm -4000 -o -perm -2000 \) -type f -print;
 1829:             done </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1830:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1831:             If the file does not require a setuid or
 1832:             setgid bit as discussed below, then these bits can be removed with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1833:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1834:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> # chmod -s file </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1835:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1836:             The following table contains all setuid and setgid files which are expected to
 1837:             be on a stock system. The setuid or setgid bit on these files may be disabled to reduce
 1838:             system risk if only an administrator requires their functionality. The table indicates
 1839:             those files which may not be needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1840:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1841:             Note: Several of these files are used for applications which are unlikely to be
 1842:             relevant to most production environments, such as ISDN networking, SSH hostbased
 1843:             authentication, or modification of network interfaces by unprivileged users. It is
 1844:             extremely likely that your site can disable a subset of these files with no loss of
 1845:             functionality. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1846:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1847:             Any files found by the above command which are not in the table should be examined.
 1848:             If the files are not authorized, they should have permissions removed, and further
 1849:             investigation may be warranted.
 1850:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 1851:             <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
 1852:               <xhtml:tr>
 1853:                 <xhtml:td>File</xhtml:td><xhtml:td>Set-ID</xhtml:td><xhtml:td>Package</xhtml:td>
 1854:               </xhtml:tr>
 1855:               <xhtml:tr>
 1856:                 <xhtml:td>/bin/mount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
 1857:               </xhtml:tr>
 1858:               <xhtml:tr>
 1859:                 <xhtml:td>/bin/ping</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>iputils</xhtml:td>
 1860:               </xhtml:tr>
 1861:               <xhtml:tr>
 1862:                 <xhtml:td>/bin/ping6</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>iputils</xhtml:td>
 1863:               </xhtml:tr>
 1864:               <xhtml:tr>
 1865:                 <xhtml:td>/bin/su</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>coreutils</xhtml:td>
 1866:               </xhtml:tr>
 1867:               <xhtml:tr>
 1868:                 <xhtml:td>/bin/umount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
 1869:               </xhtml:tr>
 1870:               <xhtml:tr>
 1871:                 <xhtml:td>/bin/fusermount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>fuse</xhtml:td>
 1872:               </xhtml:tr>
 1873:               <xhtml:tr>
 1874:                 <xhtml:td>/bin/cgexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>libcgroup</xhtml:td>
 1875:               </xhtml:tr>
 1876:               <xhtml:tr>
 1877:                 <xhtml:td>/sbin/mount.nfs</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nfs-utils</xhtml:td>
 1878:               </xhtml:tr>
 1879:               <xhtml:tr>
 1880:                 <xhtml:td>/sbin/umount.nfs</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nfs-utils</xhtml:td>
 1881:               </xhtml:tr>
 1882:               <xhtml:tr>
 1883:                 <xhtml:td>/sbin/netreport</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>initscripts</xhtml:td>
 1884:               </xhtml:tr>
 1885:               <xhtml:tr>
 1886:                 <xhtml:td>/sbin/pam_timestamp_check</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam</xhtml:td>
 1887:               </xhtml:tr>
 1888:               <xhtml:tr>
 1889:                 <xhtml:td>/sbin/unix_chkpwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam</xhtml:td>
 1890:               </xhtml:tr>
 1891:               <xhtml:tr>
 1892:                 <xhtml:td>/usr/bin/at</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>at</xhtml:td>
 1893:               </xhtml:tr>
 1894:               <xhtml:tr>
 1895:                 <xhtml:td>/usr/bin/chage</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td>
 1896:               </xhtml:tr>
 1897:               <xhtml:tr>
 1898:                 <xhtml:td>/usr/bin/chfn</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
 1899:               </xhtml:tr>
 1900:               <xhtml:tr>
 1901:                 <xhtml:td>/usr/bin/chsh</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
 1902:               </xhtml:tr>
 1903:               <xhtml:tr>
 1904:                 <xhtml:td>/usr/bin/crontab</xhtml:td><xhtml:td>uid/gid root</xhtml:td><xhtml:td>cronie</xhtml:td>
 1905:               </xhtml:tr>
 1906:               <xhtml:tr>
 1907:                 <xhtml:td>/usr/bin/gpasswd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td>
 1908:               </xhtml:tr>
 1909:               <xhtml:tr>
 1910:                 <xhtml:td>/usr/bin/locate</xhtml:td><xhtml:td>gid slocate</xhtml:td><xhtml:td>mlocate</xhtml:td>
 1911:               </xhtml:tr>
 1912:               <xhtml:tr>
 1913:                 <xhtml:td>/usr/bin/lockfile</xhtml:td><xhtml:td>gid mail</xhtml:td><xhtml:td>procmail</xhtml:td>
 1914:               </xhtml:tr>
 1915:               <xhtml:tr>
 1916:                 <xhtml:td>/usr/bin/gnomine</xhtml:td><xhtml:td>gid games</xhtml:td><xhtml:td>gnome-games</xhtml:td>
 1917:               </xhtml:tr>
 1918:               <xhtml:tr>
 1919:                 <xhtml:td>/usr/bin/iagno</xhtml:td><xhtml:td>gid games</xhtml:td><xhtml:td>gnome-games</xhtml:td>
 1920:               </xhtml:tr>
 1921:               <xhtml:tr>
 1922:                 <xhtml:td>/usr/bin/newgrp</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td>
 1923:               </xhtml:tr>
 1924:               <xhtml:tr>
 1925:                 <xhtml:td>/usr/bin/passwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>passwd</xhtml:td>
 1926:               </xhtml:tr>
 1927:               <xhtml:tr>
 1928:                 <xhtml:td>/usr/bin/pkexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>polkit</xhtml:td>
 1929:               </xhtml:tr>
 1930:               <xhtml:tr>
 1931:                 <xhtml:td>/usr/bin/rcp</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td>
 1932:               </xhtml:tr>
 1933:               <xhtml:tr>
 1934:                 <xhtml:td>/usr/bin/rlogin</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td>
 1935:               </xhtml:tr>
 1936:               <xhtml:tr>
 1937:                 <xhtml:td>/usr/bin/rsh</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td>
 1938:               </xhtml:tr>
 1939:               <xhtml:tr>
 1940:                 <xhtml:td>/usr/bin/staprun</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>systemtap-runtime</xhtml:td>
 1941:               </xhtml:tr>
 1942:               <xhtml:tr>
 1943:                 <xhtml:td>/usr/bin/ssh-agent</xhtml:td><xhtml:td>gid nobody</xhtml:td><xhtml:td>openssh-clients</xhtml:td>
 1944:               </xhtml:tr>
 1945:               <xhtml:tr>
 1946:                 <xhtml:td>/usr/bin/sudo</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>sudo</xhtml:td>
 1947:               </xhtml:tr>
 1948:               <xhtml:tr>
 1949:                 <xhtml:td>/usr/bin/sudoedit</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>sudo</xhtml:td>
 1950:               </xhtml:tr>
 1951:               <xhtml:tr>
 1952:                 <xhtml:td>/usr/bin/wall</xhtml:td><xhtml:td>gid tty</xhtml:td><xhtml:td>sysvinit-tools</xhtml:td>
 1953:               </xhtml:tr>
 1954:               <xhtml:tr>
 1955:                 <xhtml:td>/usr/bin/write</xhtml:td><xhtml:td>gid tty</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
 1956:               </xhtml:tr>
 1957:               <xhtml:tr>
 1958:                 <xhtml:td>/usr/bin/screen</xhtml:td><xhtml:td>gid screen</xhtml:td><xhtml:td>screen</xhtml:td>
 1959:               </xhtml:tr>
 1960:               <xhtml:tr>
 1961:                 <xhtml:td>/usr/bin/jwhois</xhtml:td><xhtml:td>gid jwhois</xhtml:td><xhtml:td>jwhois</xhtml:td>
 1962:               </xhtml:tr>
 1963:               <xhtml:tr>
 1964:                 <xhtml:td>/usr/bin/Xorg</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>xorg-x11-server-Xorg</xhtml:td>
 1965:               </xhtml:tr>
 1966:               <xhtml:tr>
 1967:                 <xhtml:td>/usr/bin/ksu</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>krb5-workstation</xhtml:td>
 1968:               </xhtml:tr>
 1969:               <xhtml:tr>
 1970:                 <xhtml:td>/usr/sbin/lockdev</xhtml:td><xhtml:td>gid lock</xhtml:td><xhtml:td>lockdev</xhtml:td>
 1971:               </xhtml:tr>
 1972:               <xhtml:tr>
 1973:                 <xhtml:td>/usr/sbin/sendmail.sendmail</xhtml:td><xhtml:td>gid smmsp</xhtml:td><xhtml:td>sendmail</xhtml:td>
 1974:               </xhtml:tr>
 1975:               <xhtml:tr>
 1976:                 <xhtml:td>/usr/sbin/suexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>httpd</xhtml:td>
 1977:               </xhtml:tr>
 1978:               <xhtml:tr>
 1979:                 <xhtml:td>/usr/sbin/seunshare</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>policycoreutils</xhtml:td>
 1980:               </xhtml:tr>
 1981:               <xhtml:tr>
 1982:                 <xhtml:td>/usr/sbin/userhelper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>usermode</xhtml:td>
 1983:               </xhtml:tr>
 1984:               <xhtml:tr>
 1985:                 <xhtml:td>/usr/sbin/userisdnctl</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>isdn4k-utils</xhtml:td>
 1986:               </xhtml:tr>
 1987:               <xhtml:tr>
 1988:                 <xhtml:td>/usr/sbin/mtr</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>mtr</xhtml:td>
 1989:               </xhtml:tr>
 1990:               <xhtml:tr>
 1991:                 <xhtml:td>/usr/sbin/usernetctl</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>initscripts</xhtml:td>
 1992:               </xhtml:tr>
 1993:               <xhtml:tr>
 1994:                 <xhtml:td>/usr/sbin/ccreds_chkpwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam_ccreds</xhtml:td>
 1995:               </xhtml:tr>
 1996:               <xhtml:tr>
 1997:                 <xhtml:td>/usr/libexec/openssh/ssh-keysign</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>ssh</xhtml:td>
 1998:               </xhtml:tr>
 1999:               <xhtml:tr>
 2000:                 <xhtml:td>/usr/libexec/kde4/kpac_dhcp_helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>kdelibs</xhtml:td>
 2001:               </xhtml:tr>
 2002:               <xhtml:tr>
 2003:                 <xhtml:td>/usr/libexec/polkit-1/polkit-agent-helper-1</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>polkit</xhtml:td>
 2004:               </xhtml:tr>
 2005:               <xhtml:tr>
 2006:                 <xhtml:td>/usr/libexec/pt_chown</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>glibc-common</xhtml:td>
 2007:               </xhtml:tr>
 2008:               <xhtml:tr>
 2009:                 <xhtml:td>/usr/libexec/pulse/proximity-helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pulseaudio-module-bluetooth</xhtml:td>
 2010:               </xhtml:tr>
 2011:               <xhtml:tr>
 2012:                 <xhtml:td>/usr/libexec/news/innbind</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>inn</xhtml:td>
 2013:               </xhtml:tr>
 2014:               <xhtml:tr>
 2015:                 <xhtml:td>/usr/libexec/news/rnews</xhtml:td><xhtml:td>uid uucp</xhtml:td><xhtml:td>inn</xhtml:td>
 2016:               </xhtml:tr>
 2017:               <xhtml:tr>
 2018:                 <xhtml:td>/usr/libexec/utempter/utempter</xhtml:td><xhtml:td>gid utmp</xhtml:td><xhtml:td>libutempter</xhtml:td>
 2019:               </xhtml:tr>
 2020:               <xhtml:tr>
 2021:                 <xhtml:td>/usr/lib/nspluginwrapper/plugin-config</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nspluginwrapper</xhtml:td>
 2022:               </xhtml:tr>
 2023:               <xhtml:tr>
 2024:                 <xhtml:td>/usr/lib/vte/gnome-pty-helper</xhtml:td><xhtml:td>gid utmp</xhtml:td><xhtml:td>vte</xhtml:td>
 2025:               </xhtml:tr>
 2026:               <xhtml:tr>
 2027:                 <xhtml:td>/usr/share/BackupPC/sbin/BackupPC_Admin</xhtml:td><xhtml:td>uid backuppc</xhtml:td><xhtml:td>BackupPC</xhtml:td>
 2028:               </xhtml:tr>
 2029:               <xhtml:tr>
 2030:                 <xhtml:td>/var/cache/jwhois/jwhois.db</xhtml:td><xhtml:td>gid jwhois</xhtml:td><xhtml:td>jwhois</xhtml:td>
 2031:               </xhtml:tr>
 2032:               <xhtml:tr>
 2033:                 <xhtml:td>/lib/dbus-1/dbus-daemon-launch-helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>dbus</xhtml:td>
 2034:               </xhtml:tr>
 2035:             </xhtml:table>
 2036:           </description>
 2037:           <Rule id="rule-2.2.3.4.a" selected="false" weight="10.000000" severity="medium">
 2038:             <title xml:lang="en">Find Unauthorized SGID System Executables</title>
 2039:             <description xml:lang="en">The sgid bit should not be set on any unauthorized file.</description>
 2040:             <ident system="http://cce.mitre.org">CCE-4178-0</ident>
 2041:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2042:               <check-content-ref name="oval:org.fedoraproject.f14:def:20048" href="scap-fedora14-oval.xml"/>
 2043:             </check>
 2044:           </Rule>
 2045:           <Rule id="rule-2.2.3.4.b" selected="false" weight="10.000000" severity="high">
 2046:             <title xml:lang="en">Find Unauthorized SUID System Executables</title>
 2047:             <description xml:lang="en">The suid bit should not be set on any unauthorized file.</description>
 2048:             <ident system="http://cce.mitre.org">CCE-3324-1</ident>
 2049:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2050:               <check-content-ref name="oval:org.fedoraproject.f14:def:20049" href="scap-fedora14-oval.xml"/>
 2051:             </check>
 2052:           </Rule>
 2053:         </Group>
 2054:         <Group id="group-2.2.3.5" hidden="false">
 2055:           <title xml:lang="en">Find and Repair Unowned Files</title>
 2056:           <description xml:lang="en">
 2057:             The following command will discover and print any files on
 2058:             local partitions which do not belong to a valid user or to a valid group. Run it once for
 2059:             each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2060:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2061:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev \( -nouser -o -nogroup \) -print </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2062:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2063:             If this command prints any results, investigate each reported file and either assign it to an
 2064:             appropriate user and group or remove it. Unowned files are not directly exploitable, but
 2065:             they are generally a sign that something is wrong with some system process. They may be
 2066:             caused by an intruder, by incorrect software installation or incomplete software
 2067:             removal, or by failure to remove all files belonging to a deleted account. The files
 2068:             should be repaired so that they will not cause problems when accounts are created in the
 2069:             future, and the problem which led to unowned files should be discovered and addressed.</description>
 2070:           <Rule id="rule-2.2.3.5.a" selected="false" weight="10.000000" severity="medium">
 2071:             <title xml:lang="en">Find files unowned by a user</title>
 2072:             <description xml:lang="en">All files should be owned by a user</description>
 2073:             <ident system="http://cce.mitre.org">CCE-4223-4</ident>
 2074:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2075:               <check-content-ref name="oval:org.fedoraproject.f14:def:20050" href="scap-fedora14-oval.xml"/>
 2076:             </check>
 2077:           </Rule>
 2078:           <Rule id="rule-2.2.3.5.b" selected="false" weight="10.000000" severity="medium">
 2079:             <title xml:lang="en">Find files unowned by a group</title>
 2080:             <description xml:lang="en">All files should be owned by a group</description>
 2081:             <ident system="http://cce.mitre.org">CCE-3573-3</ident>
 2082:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2083:               <check-content-ref name="oval:org.fedoraproject.f14:def:20051" href="scap-fedora14-oval.xml"/>
 2084:             </check>
 2085:           </Rule>
 2086:         </Group>
 2087:         <Group id="group-2.2.3.6" hidden="false">
 2088:           <title xml:lang="en">Verify that All World-Writable Directories Have Proper Ownership</title>
 2089:           <description xml:lang="en">
 2090:             Locate any directories in local partitions which are world-writable and
 2091:             ensure that they are owned by root or another system account. The following command will discover
 2092:             and print these (assuming only system accounts have a uid lower than 500). Run it once for each
 2093:             local partition PART:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2094:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2095:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d -perm -0002 -uid +500 -print<xhtml:br/></xhtml:code>
 2096:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2097:             If this command produces any output, investigate why the current owner is not root or another
 2098:             system account. Note that -uid +500 matches only owners with a uid strictly greater than 500, so a directory owned by uid 500 itself is not reported.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2099:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2100:             Allowing a user account to own a world-writable directory is undesirable because it allows the
 2101:             owner of that directory to remove or replace any files that may be placed in the directory by
 2102:             other users.</description>
 2103:           <Rule id="rule-2.2.3.6.a" selected="false" weight="10.000000" severity="medium">
 2104:             <title xml:lang="en">Find world writable directories not owned by a system account</title>
 2105:             <description xml:lang="en">All world writable directories should be owned by a system user</description>
 2106:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2107:               <check-content-ref name="oval:org.fedoraproject.f14:def:20052" href="scap-fedora14-oval.xml"/>
 2108:             </check>
 2109:           </Rule>
 2110:         </Group>
 2111:       </Group>
 2112:       <Group id="group-2.2.4" hidden="false">
 2113:         <title xml:lang="en">Restrict Programs from Dangerous Execution Patterns</title>
 2114:         <description xml:lang="en">
 2115:           The recommendations in this section provide broad protection
 2116:           against information disclosure or other misbehavior. These protections are applied at the
 2117:           system initialization or kernel level, and defend against certain types of
 2118:           badly-configured or compromised programs.</description>
 2119:         <Group id="group-2.2.4.1" hidden="false">
 2120:           <title xml:lang="en">Set Daemon umask</title>
 2121:           <description xml:lang="en">
 2122:             The system umask for scripts in /etc/init.d must be set to at least 022, or daemon
 2123:             processes may create world-writable files. The more restrictive setting
 2124:             027 protects files, including temporary files and log files, from unauthorized reading
 2125:             by unprivileged users on the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2126:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2127:             If a particular daemon needs a
 2128:             less restrictive umask, consider editing the startup script or sysconfig file of that
 2129:             daemon to make a specific exception.
 2130:           </description>
 2131:           <Value id="var-2.2.4.1.a" operator="equals" type="string">
 2132:             <title xml:lang="en">daemon umask</title>
 2133:             <description xml:lang="en">Enter umask for daemons</description>
 2134:             <question xml:lang="en">Enter umask which will be used for new files created by daemons</question>
 2135:             <value>022</value>
 2136:             <value selector="022">022</value>
 2137:             <value selector="027">027</value>
 2138:             <match>^0?[0-7][0-7][0-7]?$</match>
 2139:           </Value>
 2140:           <Rule id="rule-2.2.4.1.a" selected="false" weight="10.000000" severity="medium">
 2141:             <title xml:lang="en">Set Daemon umask</title>
 2142:             <description xml:lang="en">The daemon umask should be set to the profile value</description>
 2143:             <ident system="http://cce.mitre.org">CCE-4220-0</ident>
 2144:             <fixtext xml:lang="en">Edit the file /etc/rc.d/init.d/functions, and add or correct the following line: umask
 2145:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.2.4.1.a"/></fixtext>
 2146:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2147:               <check-export export-name="oval:org.fedoraproject.f14:var:20053" value-id="var-2.2.4.1.a"/>
 2148:               <check-content-ref name="oval:org.fedoraproject.f14:def:20053" href="scap-fedora14-oval.xml"/>
 2149:             </check>
 2150:           </Rule>
 2151:         </Group>
 2152:         <Group id="group-2.2.4.2" hidden="false">
 2153:           <title xml:lang="en">Disable Core Dumps</title>
 2154:           <description xml:lang="en">
 2155:             A core dump file is the memory image of an executable program
 2156:             when it was terminated by the operating system due to errant behavior. In most cases,
 2157:             only software developers would legitimately need to access these files. The core dump
 2158:             files may also contain sensitive information, or unnecessarily occupy large amounts of
 2159:             disk space. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2160:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2161:             By default, the system sets a soft limit to stop the
 2162:             creation of core dump files for all users. This is accomplished in /etc/profile with the
 2163:             line <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ulimit -S -c 0 &gt; /dev/null 2&gt;&amp;1</xhtml:code>. However, compliance with this
 2164:             limit is voluntary; it is a default intended only to protect users from the annoyance of
 2165:             generating unwanted core files. Users can increase the allowed core file size up to the
 2166:             hard limit, which is unlimited by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2167:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2168:             Once a hard limit is set
 2169:             in /etc/security/limits.conf, the user cannot increase that limit within his own
 2170:             session. If access to core dumps is required, consider restricting them to only certain
 2171:             users or groups. See the limits.conf man page for more
 2172:             information. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2173:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2174:             The core dumps of setuid programs are further
 2175:             protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core
 2176:             dumps from these programs at all. The default value of 0 is recommended.
 2177:           </description>
 2178:           <Rule id="rule-2.2.4.2.a" selected="false" weight="10.000000" severity="low">
 2179:             <title xml:lang="en">Disable Core Dumps for all users</title>
 2180:             <description xml:lang="en">Core dumps for all users should be disabled</description>
 2181:             <ident system="http://cce.mitre.org">CCE-4225-9</ident>
 2182:             <fixtext xml:lang="en">To disable core dumps for all users, add or correct the following line in
 2183:               /etc/security/limits.conf: * hard core 0</fixtext>
 2184:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2185:               <check-content-ref name="oval:org.fedoraproject.f14:def:20055" href="scap-fedora14-oval.xml"/>
 2186:             </check>
 2187:           </Rule>
 2188:           <Rule id="rule-2.2.4.2.b" selected="false" weight="10.000000" severity="low">
 2189:             <title xml:lang="en">Disable Core Dumps for SUID programs</title>
 2190:             <description xml:lang="en">Core dumps for setuid programs should be disabled</description>
 2191:             <ident system="http://cce.mitre.org">CCE-4247-3</ident>
 2192:             <fixtext xml:lang="en">To ensure that core dumps can never be made by setuid programs, edit
 2193:               /etc/sysctl.conf and add or correct the line: fs.suid_dumpable = 0</fixtext>
 2194:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2195:               <check-content-ref name="oval:org.fedoraproject.f14:def:20056" href="scap-fedora14-oval.xml"/>
 2196:             </check>
 2197:           </Rule>
 2198:         </Group>
 2199:         <Group id="group-2.2.4.3" hidden="false">
 2200:           <title xml:lang="en">Enable ExecShield</title>
 2201:           <description xml:lang="en">
 2202:             ExecShield comprises a number of kernel features to provide
 2203:             protection against buffer overflows. These features include random placement of the
 2204:             stack and other memory regions, prevention of execution in memory that should only hold
 2205:             data, and special handling of text buffers. This protection is enabled by default, but
 2206:             the sysctl variables kernel.exec-shield and kernel.randomize_va_space should be checked
 2207:             to ensure that it has not been disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2208:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2209:             ExecShield uses the
 2210:             segmentation feature on all x86 systems to prevent execution in memory higher than a
 2211:             certain address. It writes an address as a limit in the code segment descriptor, to
 2212:             control where code can be executed, on a per-process basis. When the kernel places a
 2213:             process's memory regions such as the stack and heap higher than this address, the
 2214:             hardware prevents execution there. However, this cannot always be done for all memory
 2215:             regions in which execution should not occur, so follow guidance in Section 2.2.4.4 to
 2216:             further protect the system.
 2217:           </description>
 2218:           <Rule id="rule-2.2.4.3.a" selected="false" weight="10.000000">
 2219:             <title xml:lang="en">Enable ExecShield</title>
 2220:             <description xml:lang="en">ExecShield should be enabled</description>
 2221:             <ident system="http://cce.mitre.org">CCE-4168-1</ident>
 2222:             <fixtext xml:lang="en">To ensure ExecShield (including random placement of virtual memory regions) is
 2223:               activated at boot, add or correct the following settings in /etc/sysctl.conf:
 2224:               kernel.exec-shield = 1</fixtext>
 2225:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2226:               <check-content-ref name="oval:org.fedoraproject.f14:def:20057" href="scap-fedora14-oval.xml"/>
 2227:             </check>
 2228:           </Rule>
 2229:           <Rule id="rule-2.2.4.3.b" selected="false" weight="10.000000">
 2230:             <title xml:lang="en">Enable ExecShield randomized placement of virtual memory regions</title>
 2231:             <description xml:lang="en">ExecShield randomized placement of virtual memory regions should be enabled</description>
 2232:             <ident system="http://cce.mitre.org">CCE-4146-7</ident>
 2233:             <fixtext xml:lang="en">To ensure ExecShield (including random placement of virtual memory regions) is
 2234:               activated at boot, add or correct the following settings in /etc/sysctl.conf:
 2235:               kernel.randomize_va_space = 2</fixtext>
 2236:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2237:               <check-content-ref name="oval:org.fedoraproject.f14:def:20058" href="scap-fedora14-oval.xml"/>
 2238:             </check>
 2239:           </Rule>
 2240:         </Group>
 2241:         <Group id="group-2.2.4.4" hidden="false">
 2242:           <title xml:lang="en">Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems</title>
 2243:           <description xml:lang="en">
 2244:             Recent processors in the x86 family support the ability to
 2245:             prevent code execution on a per memory page basis. Generically and on AMD processors,
 2246:             this ability is called No Execute (NX), while on Intel processors it is called Execute
 2247:             Disable (XD). This ability can help prevent exploitation of buffer overflow
 2248:             vulnerabilities and should be activated whenever possible. Extra steps must be taken to
 2249:             ensure that this protection is enabled, particularly on 32-bit x86 systems. Other
 2250:             processors, such as Itanium and POWER, have included such support since inception and
 2251:             the standard kernel for those platforms supports the feature.</description>
 2252:           <Group id="group-2.2.4.4.1" hidden="false">
 2253:             <title xml:lang="en">Check for Processor Support on x86 Systems</title>
 2254:             <description xml:lang="en">
 2255:               Check to see if the processor supports the PAE and NX
 2256:               features: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ cat /proc/cpuinfo</xhtml:code> If supported, the flags field will contain pae and nx.</description>
 2257:           </Group>
 2258:           <Group id="group-2.2.4.4.2" hidden="false">
 2259:             <title xml:lang="en">Enable NX or XD Support in the BIOS</title>
 2260:             <description xml:lang="en">
 2261:               Computers with the ability to prevent this type of code
 2262:               execution frequently put an option in the BIOS that will allow users to turn the
 2263:               feature on or off at will. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2264:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2265:               See Section 2.3.5.1 for information on protecting this and
 2266:               other BIOS settings.</description>
 2267:             <Rule id="rule-2.2.4.4.2.a" selected="false" weight="10.000000">
 2268:               <title xml:lang="en">Enable NX or XD Support in the BIOS</title>
 2269:               <description xml:lang="en">The XD/NX processor feature should be enabled in the BIOS</description>
 2270:               <ident system="http://cce.mitre.org">CCE-4177-2</ident>
 2271:               <fixtext xml:lang="en">Reboot the system and enter the BIOS or 'Setup' configuration menu. Navigate the
 2272:                 BIOS configuration menu and make sure that the option is enabled. The setting may be
 2273:                 located under a 'Security' section. Look for Execute Disable (XD) on Intel-based
 2274:                 systems and No Execute (NX) on AMD-based systems.</fixtext>
 2275:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2276:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20060" href="scap-fedora14-oval.xml"/>
 2277:               </check>
 2278:             </Rule>
 2279:           </Group>
 2280:         </Group>
 2281:       </Group>
 2282:     </Group>
 2283:     <Group id="group-2.3" hidden="false">
 2284:       <title xml:lang="en">Account and Access Control</title>
 2285:       <description xml:lang="en">
 2286:         In traditional Unix security, if an attacker gains shell access to
 2287:         a certain login account, he can perform any action or access any file to which that account
 2288:         has access. Therefore, making it more difficult for unauthorized people to gain shell access
 2289:         to accounts, particularly to privileged accounts, is a necessary part of securing a system.
 2290:         This section introduces mechanisms for restricting access to login accounts.</description>
 2291:       <Group id="group-2.3.1" hidden="false">
 2292:         <title xml:lang="en">Protect Accounts by Restricting Password-Based Login</title>
 2293:         <description xml:lang="en">
 2294:           Conventionally, Unix shell accounts are accessed by providing a
 2295:           username and password to a login program, which tests these values for correctness using
 2296:           the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of
 2297:           weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered
 2298:           over a network or at an insecure console. Therefore, mechanisms for accessing accounts by
 2299:           entering usernames and passwords should be restricted to those which are operationally
 2300:           necessary.</description>
 2301:         <Group id="group-2.3.1.1" hidden="false">
 2302:           <title xml:lang="en">Restrict Root Logins to System Console</title>
 2303:           <description xml:lang="en">
 2304:             Edit the file /etc/securetty. Ensure that the file contains
 2305:             only the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2306:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 2307:               <xhtml:li>The primary system console device: <xhtml:br/>console</xhtml:li>
 2308:               <xhtml:li>The virtual console devices: <xhtml:br/>tty1 tty2 tty3 tty4 tty5
 2309:                 tty6 ... </xhtml:li>
 2310:               <xhtml:li>If required by your organization, the deprecated virtual console interface
 2311:                 may be retained for backwards compatibility:<xhtml:br/>vc/1 vc/2 vc/3 vc/4 vc/5
 2312:                 vc/6 ...</xhtml:li>
 2313:               <xhtml:li>If required by your organization, the serial consoles may be added:<xhtml:br/>
 2314:                 ttyS0 ttyS1</xhtml:li>
 2315:             </xhtml:ul>
 2316:             Direct root logins should be allowed only for
 2317:             emergency use. In normal situations, the administrator should access the system via a
 2318:             unique unprivileged account, and use su or sudo to execute privileged commands.
 2319:             Discouraging administrators from accessing the root account directly ensures an audit
 2320:             trail in organizations with multiple administrators. Locking down the channels through
 2321:             which root can connect directly reduces opportunities for password-guessing against the
 2322:             root account. The login program uses the file /etc/securetty to determine which
 2323:             interfaces should allow root logins. The virtual devices /dev/console and /dev/tty*
 2324:             represent the system consoles (accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6
 2325:             keyboard sequences on a default installation). The default securetty file also contains
 2326:             /dev/vc/*. These are likely to be deprecated in most environments, but may be retained
 2327:             for compatibility. Root should also be prohibited from connecting via network protocols.
 2328:             See Section 3.5 for instructions on preventing root from logging in via SSH.</description>
 2329:           <Rule id="rule-2.3.1.1.a" selected="false" weight="10.000000" severity="medium">
 2330:             <title xml:lang="en">Restrict Root Logins to System Console</title>
 2331:             <description xml:lang="en">Logins through the specified virtual console interface should be disabled
 2332:             </description>
 2333:             <ident system="http://cce.mitre.org">CCE-3820-8</ident>
 2334:             <fixtext xml:lang="en">Edit /etc/securetty</fixtext>
 2335:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2336:               <check-content-ref name="oval:org.fedoraproject.f14:def:20061" href="scap-fedora14-oval.xml"/>
 2337:             </check>
 2338:           </Rule>
 2339:           <Rule id="rule-2.3.1.1.b" selected="false" weight="10.000000" severity="medium">
 2340:             <title xml:lang="en">Restrict Root Logins to System Console</title>
 2341:             <description xml:lang="en">Logins through the specified virtual console device should be disabled</description>
 2342:             <ident system="http://cce.mitre.org">CCE-3485-0</ident>
 2343:             <fixtext xml:lang="en"> Edit /etc/securetty</fixtext>
 2344:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2345:               <check-content-ref name="oval:org.fedoraproject.f14:def:20062" href="scap-fedora14-oval.xml"/>
 2346:             </check>
 2347:           </Rule>
 2348:           <Rule id="rule-2.3.1.1.c" selected="false" weight="10.000000" severity="medium">
 2349:             <title xml:lang="en">Restrict virtual console Root Logins</title>
 2350:             <description xml:lang="en">Logins through the virtual console devices should be disabled</description>
 2351:             <ident system="http://cce.mitre.org">CCE-4111-1</ident>
 2352:             <fixtext xml:lang="en"> Edit /etc/securetty</fixtext>
 2353:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2354:               <check-content-ref name="oval:org.fedoraproject.f14:def:20063" href="scap-fedora14-oval.xml"/>
 2355:             </check>
 2356:           </Rule>
 2357:           <Rule id="rule-2.3.1.1.d" selected="false" weight="10.000000" severity="medium">
 2358:             <title xml:lang="en">Restrict serial port Root Logins</title>
 2359:             <description xml:lang="en">Login prompts on serial ports should be disabled.</description>
 2360:             <ident system="http://cce.mitre.org">CCE-4256-4</ident>
 2361:             <fixtext xml:lang="en">Edit /etc/securetty</fixtext>
 2362:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2363:               <check-content-ref name="oval:org.fedoraproject.f14:def:20064" href="scap-fedora14-oval.xml"/>
 2364:             </check>
 2365:           </Rule>
 2366:         </Group>
 2367:         <Group id="group-2.3.1.2" hidden="false">
 2368:           <title xml:lang="en">Limit su Access to the Root Account</title>
 2369:           <description xml:lang="en">
 2370:             The su command allows a user to gain the privileges of another user by entering the
 2371:             password for that user's account. It is desirable to restrict the root user so that only
 2372:             known administrators are ever allowed to access the root account. This restricts
 2373:             password-guessing against the root account by unauthorized users or by accounts which
 2374:             have been compromised. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2375:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2376:             By convention, the group wheel contains all users who are allowed to run privileged
 2377:             commands. The PAM module pam_wheel.so is used to restrict root access to this set of
 2378:             users.</description>
 2379:           <Rule id="rule-2.3.1.2.a" selected="false" weight="10.000000" severity="medium">
 2380:             <title xml:lang="en">Limit su Access to the Root Account</title>
 2381:             <description xml:lang="en">The wheel group should exist</description>
 2382:             <fixtext xml:lang="en"> Ensure that the group wheel exists, and that the usernames of all administrators
 2383:               who should be allowed to execute commands as root are members of that group.
 2384:             </fixtext>
 2385:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2386:               <check-content-ref name="oval:org.fedoraproject.f14:def:20065" href="scap-fedora14-oval.xml"/>
 2387:             </check>
 2388:           </Rule>
 2389:           <Rule id="rule-2.3.1.2.b" selected="false" weight="10.000000" severity="medium">
 2390:             <title xml:lang="en">Limit su Access to the wheel group</title>
 2391:             <description xml:lang="en">Command access to the root account should be restricted to the wheel group.</description>
 2392:             <fixtext xml:lang="en"> Edit the file /etc/pam.d/su. Add, uncomment, or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2393:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2394:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">auth required pam_wheel.so use_uid</xhtml:code>
 2395:             </fixtext>
 2396:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2397:               <check-content-ref name="oval:org.fedoraproject.f14:def:20066" href="scap-fedora14-oval.xml"/>
 2398:             </check>
 2399:           </Rule>
 2400:         </Group>
 2401:         <Group id="group-2.3.1.3" hidden="false">
 2402:           <title xml:lang="en">Configure sudo to Improve Auditing of Root Access</title>
 2403:           <description xml:lang="en">
 2404:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 2405:               <xhtml:li>Ensure that the group wheel exists, and that the usernames
 2406:             of all administrators who should be allowed to execute commands as root are members of
 2407:             that group. <xhtml:br/>
 2408:                 <xhtml:br/>
 2409:                 <xhtml:code># grep ^wheel /etc/group</xhtml:code></xhtml:li>
 2410:             <xhtml:li>Edit the file /etc/sudoers. Add, uncomment, or
 2411:               correct the line: <xhtml:br/>
 2412:               <xhtml:br/>
 2413:               %wheel ALL=(ALL) ALL</xhtml:li>
 2414:             </xhtml:ol>
 2415:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2416:             The sudo command allows fine-grained control over
 2417:             which users can execute commands using other accounts. The primary benefit of sudo when
 2418:             configured as above is that it provides an audit trail of every command run by a
 2419:             privileged user. It is possible for a malicious administrator to circumvent this
 2420:             restriction, but, if there is an established procedure that all root commands are run
 2421:             using sudo, then it is easy for an auditor to detect unusual behavior when this
 2422:             procedure is not followed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2423:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2424:             Editing /etc/sudoers by hand can be dangerous, since a configuration error may make it
 2425:             impossible to access the root account remotely. The recommended means of editing this
 2426:             file is using the visudo command, which checks the file's syntax for correctness before
 2427:             allowing it to be saved.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2428:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2429:             Note that sudo allows any attacker who gains access to the password of an administrator
 2430:             account to run commands as root. This is a downside which must be weighed against the
 2431:             benefits of increased audit capability and of being able to heavily restrict the use of
 2432:             the high-value root password (which can be logistically difficult to change often). As
 2433:             a basic precaution, never use the NOPASSWD directive, which would allow anyone with
 2434:             access to an administrator account to execute commands as root without knowing the
 2435:             administrator's password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2436:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2437:             The sudo command has many options which can be used to further customize its behavior.
 2438:             See the sudoers(5) man page for details.</description>
 2439:           <Rule id="rule-2.3.1.3.a" selected="false" weight="10.000000" severity="medium">
 2440:             <title xml:lang="en">Configure sudo to Improve Auditing of Root Access</title>
 2441:             <description xml:lang="en">Sudo privileges should be granted to the wheel group</description>
 2442:             <ident system="http://cce.mitre.org">CCE-4044-4</ident>
 2443:             <fix>echo "%wheel ALL=(ALL) ALL" &gt;&gt; /etc/sudoers</fix>
 2444:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2445:               <check-content-ref name="oval:org.fedoraproject.f14:def:20067" href="scap-fedora14-oval.xml"/>
 2446:             </check>
 2447:           </Rule>
 2448:         </Group>
 2449:         <Group id="group-2.3.1.4" hidden="false">
 2450:           <title xml:lang="en">Block Shell and Login Access for Non-Root System Accounts</title>
 2451:           <description xml:lang="en">
 2452:             Using /etc/passwd, obtain a listing of all users, their UIDs,
 2453:             and their shells, for instance by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2454:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2455:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd<xhtml:br/></xhtml:code>
 2456:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2457:             Identify the system accounts from this listing. These will primarily be the accounts
 2458:             with UID numbers less than 500, other than root.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2459:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2460:             For each identified system account SYSACCT, lock the account: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2461:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2462:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -L SYSACCT <xhtml:br/></xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2463:             and disable its shell: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2464:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2465:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin SYSACCT <xhtml:br/></xhtml:code>
 2466:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2467:             These are the accounts which are
 2468:             not associated with a human user of the system, but which exist to perform some
 2469:             administrative function. Make it more difficult for an attacker to use these accounts by
 2470:             locking their passwords and by setting their shells to some non-valid shell. The Fedora
 2471:             default non-valid shell is /sbin/nologin, but any command which will exit with a failure
 2472:             status and disallow execution of any further commands, such as /bin/false or /dev/null,
 2473:             will work.</description>
 2474:           <warning xml:lang="en" override="false" category="functionality">Do not perform the steps in this section on the root account.
 2475:             Doing so might cause the system to become inaccessible.</warning>
 2476:           <Rule id="rule-2.3.1.4.a" selected="false" weight="10.000000" severity="medium">
 2477:             <title xml:lang="en">Block Shell and Login Access for Non-Root System Accounts</title>
 2478:             <description xml:lang="en">Login access to non-root system accounts should be disabled</description>
 2479:             <ident system="http://cce.mitre.org">CCE-3987-5</ident>
 2480:             <fixtext xml:lang="en">Edit /etc/passwd</fixtext>
 2481:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2482:               <check-content-ref name="oval:org.fedoraproject.f14:def:20068" href="scap-fedora14-oval.xml"/>
 2483:             </check>
 2484:           </Rule>
 2485:         </Group>
 2486:         <Group id="group-2.3.1.5" hidden="false">
 2487:           <title xml:lang="en">Verify Proper Storage and Existence of Password Hashes</title>
 2488:           <Group id="group-2.3.1.5.1" hidden="false">
 2489:             <title xml:lang="en">Verify that No Accounts Have Empty Password Fields</title>
 2490:             <description xml:lang="en">
 2491:               Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2492:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2493:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 == "") {print}' /etc/shadow <xhtml:br/></xhtml:code>
 2494:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2495:               If this produces any output, fix the problem by locking each account
 2496:               (see Section 2.3.1.4 above) or by setting a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2497:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2498:               If an account has an empty password, anybody may log in and run commands with the
 2499:               privileges of that account. Accounts with empty passwords should never be used in
 2500:               operational environments.</description>
 2501:             <Rule id="rule-2.3.1.5.1.a" selected="false" weight="10.000000" severity="medium">
 2502:               <title xml:lang="en">Verify that No Accounts Have Empty Password Fields</title>
 2503:               <description xml:lang="en">Login access to accounts without passwords should be disabled</description>
 2504:               <ident system="http://cce.mitre.org">CCE-4238-2</ident>
 2505:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2506:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20069" href="scap-fedora14-oval.xml"/>
 2507:               </check>
 2508:             </Rule>
 2509:           </Group>
 2510:           <Group id="group-2.3.1.5.2" hidden="false">
 2511:             <title xml:lang="en">Verify that All Account Password Hashes are Shadowed</title>
 2512:             <description xml:lang="en">
 2513:               To ensure that no password hashes are stored in /etc/passwd, the following command should have no output:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2514:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2515:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd<xhtml:br/></xhtml:code>
 2516:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2517:               The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd,
 2518:               which is readable by all users.
 2519:              </description>
 2520:             <Rule id="rule-2.3.1.5.2.a" selected="false" weight="10.000000" severity="medium">
 2521:               <title xml:lang="en">Verify that All Account Password Hashes are Shadowed</title>
 2522:               <description xml:lang="en">Check that passwords are shadowed</description>
 2523:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2524:                 <check-content-ref name="oval:org.fedoraproject.f14:def:200695" href="scap-fedora14-oval.xml"/>
 2525:               </check>
 2526:             </Rule>
 2527:           </Group>
 2528:         </Group>
 2529:         <Group id="group-2.3.1.6" hidden="false">
 2530:           <title xml:lang="en">Verify that No Non-Root Accounts Have UID 0</title>
 2531:           <description xml:lang="en">
 2532:             This command will print all password file entries for accounts
 2533:             with UID 0: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2534:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2535:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd <xhtml:br/></xhtml:code>
 2536:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2537:             This should print only one line, for the user root. If any other lines appear, ensure
 2538:             that these additional UID-0 accounts are authorized, and that there is a good reason for
 2539:             them to exist. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2540:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2541:             In general, the best practice solution for auditing use of the root account is to restrict
 2542:             the set of cases in which root must be accessed anonymously by requiring use of su or sudo
 2543:             in almost all cases. Some sites choose to have more than one account with UID 0 in order
 2544:             to differentiate between administrators, but this practice may have unexpected side
 2545:             effects, and is therefore not recommended.</description>
 2546:           <Rule id="rule-2.3.1.6.a" selected="false" weight="10.000000" severity="medium">
 2547:             <title xml:lang="en">Verify that No Non-Root Accounts Have UID 0</title>
 2548:             <description xml:lang="en">Anonymous root logins should be disabled</description>
 2549:             <ident system="http://cce.mitre.org">CCE-4009-7</ident>
 2550:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2551:               <check-content-ref name="oval:org.fedoraproject.f14:def:20070" href="scap-fedora14-oval.xml"/>
 2552:             </check>
 2553:           </Rule>
 2554:         </Group>
 2555:         <Group id="group-2.3.1.7" hidden="false">
 2556:           <title xml:lang="en">Set Password Expiration Parameters</title>
 2557:           <description xml:lang="en">
 2558:             Edit the file /etc/login.defs to specify password expiration
 2559:             settings for new accounts. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2560:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
 2561:             PASS_MAX_DAYS=180<xhtml:br/>
 2562:             PASS_MIN_DAYS=7 <xhtml:br/>
 2563:             PASS_MIN_LEN=8 <xhtml:br/>
 2564:             PASS_WARN_AGE=7 <xhtml:br/></xhtml:code>
 2565:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2566:             For each existing human user USER, modify the current expiration settings to match
 2567:             these: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2568:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER<xhtml:br/></xhtml:code>
 2569:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2570:             Users should be forced to change their passwords, in order to decrease the utility of
 2571:             compromised passwords. However, the need to change passwords often should be balanced
 2572:             against the risk that users will reuse or write down passwords if forced to change them
 2573:             too often. Forcing password changes every 90-360 days, depending on the environment, is
 2574:             recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing
 2575:             accounts with the -M flag. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2576:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2577:             The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first
 2578:             change, to discourage password cycling. If you use this setting, train users to contact
 2579:             an administrator for an emergency password change in case a new password becomes
 2580:             compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time
 2581:             that their passwords are about to expire.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2582:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2583:             The PASS_MIN_LEN setting, which controls minimum password length, should be set to
 2584:             whatever is required by your site or organization security policy. The example value of
 2585:             8 provided here may be inadequate for many environments. See Section 2.3.3 for
 2586:             information on how to enforce more sophisticated requirements on password length and
 2587:             quality.
 2588:           </description>
 2589:           <Value id="var-2.3.1.7.a" operator="equals" type="string">
 2590:             <title xml:lang="en">minimum password length</title>
 2591:             <description xml:lang="en">Minimum number of characters in password</description>
 2592:             <warning xml:lang="en">This will only check new passwords</warning>
 2593:             <question xml:lang="en">Select minimum number of characters in password</question>
 2594:             <value>14</value>
 2595:             <value selector="5">5</value>
 2596:             <value selector="6">6</value>
 2597:             <value selector="8">8</value>
 2598:             <value selector="10">10</value>
 2599:             <value selector="14">14</value>
 2600:             <match>^[\d]+$</match>
 2601:           </Value>
 2602:           <Value id="var-2.3.1.7.b" operator="equals" type="string">
 2603:             <title xml:lang="en">minimum password age</title>
 2604:             <description xml:lang="en">Enter minimum duration before allowing a password change</description>
 2605:             <question xml:lang="en">Select minimum duration (in days) before allowing a password change</question>
 2606:             <value>1</value>
 2607:             <value selector="1_day">1</value>
 2608:             <value selector="7_days">7</value>
 2609:             <match>^[\d]+$</match>
 2610:           </Value>
 2611:           <Value id="var-2.3.1.7.c" operator="equals" type="string">
 2612:             <title xml:lang="en">maximum password age</title>
 2613:             <description xml:lang="en">Enter age before which a password must be changed</description>
 2614:             <question xml:lang="en">Select age (in days) before which a password must be changed</question>
 2615:             <value>60</value>
 2616:             <value selector="0_days">0</value>
 2617:             <value selector="30_days">30</value>
 2618:             <value selector="60_days">60</value>
 2619:             <value selector="90_days">90</value>
 2620:             <value selector="120_days">120</value>
 2621:             <value selector="150_days">150</value>
 2622:             <value selector="180_days">180</value>
 2623:             <match>^[\d]+$</match>
 2624:           </Value>
 2625:           <Value id="var-2.3.1.7.d" operator="equals" type="string">
 2626:             <title xml:lang="en">password warn age</title>
 2627:             <description xml:lang="en">
 2628:               The number of days warning given before a password expires. A zero
 2629:               means warning is given only upon the day of expiration, a negative
 2630:               value means no warning is given. If not specified, no warning will
 2631:               be provided.</description>
 2632:             <question xml:lang="en">Select number of days warning is given before a password expires</question>
 2633:             <value>14</value>
 2634:             <value selector="7_days">7</value>
 2635:             <value selector="8_days">8</value>
 2636:             <value selector="14_days">14</value>
 2637:             <match>^[\d]+$</match>
 2638:           </Value>
 2639:           <Rule id="rule-2.3.1.7.a" selected="false" weight="10.000000" severity="medium">
 2640:             <title xml:lang="en">Set password minimum length</title>
 2641:             <description xml:lang="en">The password minimum length should be set to:
 2642:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.a"/></description>
 2643:             <ident system="http://cce.mitre.org">CCE-4154-1</ident>
 2644:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2645:               <check-export export-name="oval:org.fedoraproject.f14:var:20071" value-id="var-2.3.1.7.a"/>
 2646:               <check-content-ref name="oval:org.fedoraproject.f14:def:20071" href="scap-fedora14-oval.xml"/>
 2647:             </check>
 2648:           </Rule>
 2649:           <Rule id="rule-2.3.1.7.b" selected="false" weight="10.000000" severity="medium">
 2650:             <title xml:lang="en">Set minimum password age</title>
 2651:             <description xml:lang="en">The minimum password age should be set to:
 2652:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.b"/></description>
 2653:             <ident system="http://cce.mitre.org">CCE-4180-6</ident>
 2654:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2655:               <check-export export-name="oval:org.fedoraproject.f14:var:20072" value-id="var-2.3.1.7.b"/>
 2656:               <check-content-ref name="oval:org.fedoraproject.f14:def:20072" href="scap-fedora14-oval.xml"/>
 2657:             </check>
 2658:           </Rule>
 2659:           <Rule id="rule-2.3.1.7.c" selected="false" weight="10.000000" severity="medium">
 2660:             <title xml:lang="en">Set maximum password age</title>
 2661:             <description xml:lang="en">The maximum password age should be set to:
 2662:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.c"/></description>
 2663:             <ident system="http://cce.mitre.org">CCE-4092-3</ident>
 2664:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2665:               <check-export export-name="oval:org.fedoraproject.f14:var:20073" value-id="var-2.3.1.7.c"/>
 2666:               <check-content-ref name="oval:org.fedoraproject.f14:def:20073" href="scap-fedora14-oval.xml"/>
 2667:             </check>
 2668:           </Rule>
 2669:           <Rule id="rule-2.3.1.7.d" selected="false" weight="10.000000" severity="medium">
 2670:             <title xml:lang="en">Set password warn age</title>
 2671:             <description xml:lang="en">The password warn age should be set to:
 2672:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.d"/></description>
 2673:             <ident system="http://cce.mitre.org">CCE-4097-2</ident>
 2674:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2675:               <check-export export-name="oval:org.fedoraproject.f14:var:20074" value-id="var-2.3.1.7.d"/>
 2676:               <check-content-ref name="oval:org.fedoraproject.f14:def:20074" href="scap-fedora14-oval.xml"/>
 2677:             </check>
 2678:           </Rule>
 2679:         </Group>
 2680:         <Group id="group-2.3.1.8" hidden="false">
 2681:           <title xml:lang="en">Remove Legacy + Entries from Password Files</title>
 2682:           <description xml:lang="en">
 2683:             The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2684:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2685:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># grep "^+:" /etc/passwd /etc/shadow /etc/group<xhtml:br/></xhtml:code>
 2686:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2687:             should produce no output. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2688:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2689:             The + symbol was used by systems to include data from NIS maps
 2690:             into existing files. However, a certain configuration error in which a NIS inclusion
 2691:             line appears in /etc/passwd, but NIS is not running, could lead to anyone being able to
 2692:             access the system with the username + and no password. Therefore, it is important to
 2693:             verify that no such line appears in any of the relevant system files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2694:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2695:             The correct way to
 2696:             tell the local system to consult network databases such as LDAP or NIS for user
 2697:             information is to make appropriate modifications to /etc/nsswitch.conf.</description>
 2698:           <Rule id="rule-2.3.1.8.a" selected="false" weight="10.000000" severity="medium">
 2699:             <title xml:lang="en">Remove Legacy + Entries from /etc/shadow</title>
 2700:             <description xml:lang="en">NIS file inclusions should be set appropriately in the /etc/shadow file</description>
 2701:             <fixtext xml:lang="en">(1) via /etc/shadow</fixtext>
 2702:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2703:               <check-content-ref name="oval:org.fedoraproject.f14:def:20075" href="scap-fedora14-oval.xml"/>
 2704:             </check>
 2705:           </Rule>
 2706:           <Rule id="rule-2.3.1.8.b" selected="false" weight="10.000000" severity="medium">
 2707:             <title xml:lang="en">Remove Legacy + Entries from /etc/group</title>
 2708:             <description xml:lang="en">NIS file inclusions should be set appropriately in the /etc/group file</description>
 2709:             <fixtext xml:lang="en">(1) via /etc/group</fixtext>
 2710:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2711:               <check-content-ref name="oval:org.fedoraproject.f14:def:20076" href="scap-fedora14-oval.xml"/>
 2712:             </check>
 2713:           </Rule>
 2714:           <Rule id="rule-2.3.1.8.c" selected="false" weight="10.000000" severity="medium">
 2715:             <title xml:lang="en">Remove Legacy + Entries from /etc/passwd</title>
 2716:             <description xml:lang="en">NIS file inclusions should be set appropriately in the /etc/passwd file</description>
 2717:             <ident system="http://cce.mitre.org">CCE-4114-5</ident>
 2718:             <fixtext xml:lang="en">(1) via /etc/passwd</fixtext>
 2719:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2720:               <check-content-ref name="oval:org.fedoraproject.f14:def:20077" href="scap-fedora14-oval.xml"/>
 2721:             </check>
 2722:           </Rule>
 2723:         </Group>
 2724:       </Group>
 2725:       <Group id="group-2.3.2" hidden="false">
 2726:         <title xml:lang="en">Use Unix Groups to Enhance Security</title>
 2727:         <description xml:lang="en">
 2728:           The access control policies which can be enforced by standard
 2729:           Unix permissions are limited, and configuring SELinux (Section 2.4) is frequently a better
 2730:           choice. However, this guide recommends that security be enhanced to the extent possible by
 2731:           enforcing the Unix group policies outlined in this section.</description>
 2732:         <Group id="group-2.3.2.1" hidden="false" weight="1.000000">
 2733:           <title xml:lang="en">Create a Unique Default Group for Each User</title>
 2734:           <description xml:lang="en">
 2735:             When running useradd, do not use the -g flag or otherwise
 2736:             override the default group. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2737:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2738:             The Red Hat default is that each new user account should
 2739:             have a unique primary group whose name is the same as that of the account. This default
 2740:             is recommended, in order to provide additional protection against files which are
 2741:             created with group write permission enabled.</description>
 2742:         </Group>
 2743:         <Group id="group-2.3.2.2" hidden="false">
 2744:           <title xml:lang="en">Create and Maintain a Group Containing All Human Users</title>
 2745:           <description xml:lang="en">
 2746:             Identify all user accounts on the system which correspond to
 2747:             human users. Depending on your system configuration, this may be all entries in
 2748:             /etc/passwd with UID values of at least 500. Once you have identified such a set of
 2749:             users, create a group named usergroup (substitute some name appropriate to your
 2750:             environment) and populate it with each human user: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2751:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2752:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># groupadd usergroup <xhtml:br/>
 2753:             # usermod -G usergroup human1 <xhtml:br/>
 2754:             # usermod -G usergroup human2 ... <xhtml:br/>
 2755:             # usermod -G usergroup humanN <xhtml:br/></xhtml:code>
 2756:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2757:             Then modify your procedure for creating new user accounts by adding -G usergroup to the
 2758:             set of flags with which useradd is invoked, so that new human users will be placed in
 2759:             the correct group by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2760:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2761:             Creating a group of human users does not, by itself, enhance
 2762:             system security. However, as you work on securing your system, you will often find
 2763:             commands which never need to be run by system accounts, or which are only ever needed by
 2764:             users logged into the graphical console (which should only ever be available to human
 2765:             users, even on workstations). Once a group of users has been created, it is easy to
 2766:             restrict access to a given command, for instance /path/to/graphical/command, to
 2767:             authorized users: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2768:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2769:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chgrp usergroup /path/to/graphical/command <xhtml:br/>
 2770:             # chmod 750 /path/to/graphical/command <xhtml:br/></xhtml:code>
 2771:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2772:             Without a group of human users, it is necessary to restrict
 2773:             access by somehow preventing each system account from running the command, which is an
 2774:             error-prone process even when it is possible at all.</description>
 2775:         </Group>
 2776:       </Group>
 2777:       <Group id="group-2.3.3" hidden="false">
 2778:         <title xml:lang="en">Protect Accounts by Configuring PAM</title>
 2779:         <description xml:lang="en">
 2780:           PAM, or Pluggable Authentication Modules, is a system which
 2781:           implements modular authentication for Linux programs. PAM is well-integrated into Linux's
 2782:           authentication architecture, making it difficult to remove, but it can be configured to
 2783:           minimize your system's exposure to unnecessary risk. This section contains guidance on how
 2784:           to accomplish that, and how to ensure that the modules used by your PAM configuration do
 2785:           what they are supposed to do. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2786:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2787:           PAM is implemented as a set of shared objects which are
 2788:           loaded and invoked whenever an application wishes to authenticate a user. Typically, the
 2789:           application must be running as root in order to take advantage of PAM. Traditional
 2790:           privileged network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this
 2791:           requirement. An SUID root application, userhelper, is provided so that programs which are
 2792:           not SUID or privileged themselves can still take advantage of PAM. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2793:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2794:           PAM looks in the
 2795:           directory /etc/pam.d for application-specific configuration information. For instance, if
 2796:           the program login attempts to authenticate a user, then PAM's libraries follow the
 2797:           instructions in the file /etc/pam.d/login to determine what actions should be taken.
 2798:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2799:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>One
 2800:           very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included
 2801:           by many other PAM configuration files, defines 'default' system authentication measures.
 2802:           Modifying this file is a good way to make far-reaching authentication changes, for
 2803:           instance when implementing a centralized authentication service.
 2804:         </description>
 2805:         <warning xml:lang="en">
 2806:           Be careful when making changes to PAM's configuration files. The syntax for these files
 2807:           is complex, and modifications can have unexpected consequences. The default
 2808:           configurations shipped with applications should be sufficient for most users.
 2809:         </warning>
 2810:         <warning xml:lang="en">
 2811:           Running authconfig or system-config-authentication will re-write the PAM configuration
 2812:           files, destroying any manually made changes and replacing them with a series of system
 2813:           defaults. One reference to the configuration file syntax can be found at
 2814:           http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.
 2815:         </warning>
 2816:         <Group id="group-2.3.3.1" hidden="false">
 2817:           <title xml:lang="en">Set Password Quality Requirements</title>
 2818:           <description xml:lang="en">
 2819:             The default pam_cracklib PAM module provides strength checking
 2820:             for passwords. It performs a number of checks, such as making sure passwords are not
 2821:             similar to dictionary words, are of at least a certain length, are not the previous
 2822:             password reversed, and are not simply a change of case from the previous password.  It
 2823:             can also require passwords to be in certain character classes.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2824:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2825:             The pam_passwdqc PAM module provides the ability to enforce even more stringent
 2826:             password strength requirements. It is provided in an RPM of the same name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2827:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2828:             The man pages pam_cracklib(8) and pam_passwdqc(8) provide information on the
 2829:             capabilities and configuration of each.
 2830:           </description>
 2831:           <Group id="group-2.3.3.1.1" hidden="false">
 2832:             <title xml:lang="en">Set Password Quality Requirements, if using pam_cracklib</title>
 2833:             <description xml:lang="en">
 2834:               The pam_cracklib PAM module can be configured to meet
 2835:               recommendations for DoD systems as stated in [12].<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2836:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2837:               To configure pam_cracklib to require at least one uppercase character, lowercase
 2838:               character, digit, and other (special) character, locate the following line in
 2839:               /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2840:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2841:               password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2842:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2843:               and then alter it to read:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2844:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2845:               password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 /
 2846:               ucredit=-1 ocredit=-1 lcredit=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2847:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2848:               If necessary, modify the arguments to ensure compliance with your organization’s
 2849:               security policy.
 2850:             </description>
 2851:             <warning xml:lang="en">Note that the password quality requirements are not enforced
 2852:               for the root account.
 2853:             </warning>
 2854:             <Value id="var-2.3.3.1.1.a.retry" type="string">
 2855:               <title xml:lang="en">retry</title>
 2856:               <description xml:lang="en">Number of retry attempts before erroring out</description>
 2857:               <question xml:lang="en">Select number of password retry attempts before erroring out</question>
 2858:               <value>3</value>
 2859:               <value selector="1">1</value>
 2860:               <value selector="2">2</value>
 2861:               <value selector="3">3</value>
 2862:               <match>^[\d]+$</match>
 2863:             </Value>
 2864:             <Value id="var-2.3.3.1.1.a.difok" type="string">
 2865:               <title xml:lang="en">difok</title>
 2866:               <description xml:lang="en">Minimum number of characters not present in old password</description>
 2867:               <warning xml:lang="en">Keep this high for short passwords</warning>
 2868:               <question xml:lang="en">Select minimum number of characters not present in old password</question>
 2869:               <value>5</value>
 2870:               <value selector="2">2</value>
 2871:               <value selector="3">3</value>
 2872:               <value selector="4">4</value>
 2873:               <value selector="5">5</value>
 2874:               <match>^[\d]+$</match>
 2875:             </Value>
 2876:             <Value id="var-2.3.3.1.1.a.minlen" type="string">
 2877:               <title xml:lang="en">minlen</title>
 2878:               <description xml:lang="en">Minimum number of characters in password</description>
 2879:               <question xml:lang="en">Select minimum number of characters in password</question>
 2880:               <value>14</value>
 2881:               <value selector="6">6</value>
 2882:               <value selector="8">8</value>
 2883:               <value selector="10">10</value>
 2884:               <value selector="14">14</value>
 2885:               <value selector="15">15</value>
 2886:               <match>^[\d]+$</match>
 2887:             </Value>
 2888:             <Value id="var-2.3.3.1.1.a.dcredit" type="string">
 2889:               <title xml:lang="en">dcredit</title>
 2890:               <description xml:lang="en">Minimum number of digits in password</description>
 2891:               <question xml:lang="en">Select number of digits in password</question>
 2892:               <value>-2</value>
 2893:               <value selector="2">-2</value>
 2894:               <value selector="1">-1</value>
 2895:               <value selector="0">0</value>
 2896:               <match>^-?[\d]+$</match>
 2897:             </Value>
 2898:             <Value id="var-2.3.3.1.1.a.ocredit" type="string">
 2899:               <title xml:lang="en">ocredit</title>
 2900:               <description xml:lang="en">Minimum number of other (special) characters in password</description>
 2901:               <question xml:lang="en">Select number of special characters in password</question>
 2902:               <value>-2</value>
 2903:               <value selector="2">-2</value>
 2904:               <value selector="1">-1</value>
 2905:               <value selector="0">0</value>
 2906:               <match>^-?[\d]+$</match>
 2907:             </Value>
 2908:             <Value id="var-2.3.3.1.1.a.lcredit" type="string">
 2909:               <title xml:lang="en">lcredit</title>
 2910:               <description xml:lang="en">Minimum number of lower case in password</description>
 2911:               <question xml:lang="en">Select minimum number of lower case in password</question>
 2912:               <value>-2</value>
 2913:               <value selector="2">-2</value>
 2914:               <value selector="1">-1</value>
 2915:               <value selector="0">0</value>
 2916:               <match>^-?[\d]+$</match>
 2917:             </Value>
 2918:             <Value id="var-2.3.3.1.1.a.ucredit" type="string">
 2919:               <title xml:lang="en">ucredit</title>
 2920:               <description xml:lang="en">Minimum number of upper case in password</description>
 2921:               <question xml:lang="en">Select minimum number of upper case in password</question>
 2922:               <value>-2</value>
 2923:               <value selector="2">-2</value>
 2924:               <value selector="1">-1</value>
 2925:               <value selector="0">0</value>
 2926:               <match>^-?[\d]+$</match>
 2927:             </Value>
 2928:             <Rule id="rule-2.3.3.1.1.a" selected="false" weight="10.000000" severity="medium">
 2929:               <title xml:lang="en">Set Password Quality Requirements</title>
 2930:               <description xml:lang="en">The password strength should meet minimum requirements</description>
 2931:               <ident system="http://cce.mitre.org">CCE-3762-2</ident>
 2932:               <fixtext xml:lang="en">(1) via PAM</fixtext>
 2933:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 2934:                 <check-export export-name="oval:org.fedoraproject.f14:var:200781" value-id="var-2.3.3.1.1.a.retry"/>
 2935:                 <check-export export-name="oval:org.fedoraproject.f14:var:200782" value-id="var-2.3.3.1.1.a.minlen"/>
 2936:                 <check-export export-name="oval:org.fedoraproject.f14:var:200783" value-id="var-2.3.3.1.1.a.dcredit"/>
 2937:                 <check-export export-name="oval:org.fedoraproject.f14:var:200784" value-id="var-2.3.3.1.1.a.ucredit"/>
 2938:                 <check-export export-name="oval:org.fedoraproject.f14:var:200785" value-id="var-2.3.3.1.1.a.ocredit"/>
 2939:                 <check-export export-name="oval:org.fedoraproject.f14:var:200786" value-id="var-2.3.3.1.1.a.lcredit"/>
 2940:                 <check-export export-name="oval:org.fedoraproject.f14:var:200787" value-id="var-2.3.3.1.1.a.difok"/>
 2941:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20078" href="scap-fedora14-oval.xml"/>
 2942:               </check>
 2943:             </Rule>
 2944:           </Group>
 2945:           <Group id="group-2.3.3.1.2" hidden="false">
 2946:             <title xml:lang="en">Set Password Quality Requirements, if using pam_passwdqc</title>
 2947:             <description xml:lang="en">
 2948:               If password strength stronger than that guaranteed by
 2949:               pam_cracklib is required, configure PAM to use pam_passwdqc.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2950:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2951:               To activate pam_passwdqc, locate the following line in /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2952:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2953:               password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2954:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2955:               and then replace it with the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2956:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2957:               password requisite pam_passwdqc.so min=disabled,disabled,16,12,8<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2958:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2959:               If necessary, modify the arguments (min=disabled,disabled,16,12,8) to ensure
 2960:               compliance with your organization’s security policy. Configuration options are
 2961:               described in the man page pam_passwdqc(8) and also in /usr/share/doc/pam_passwdqc-version.
 2962:               The minimum lengths provided here supersede the one specified
 2963:               by the argument PASS_MIN_LEN as described in Section 2.3.1.7.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2964:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 2965:               The options given in the example above set a minimum length for each of the
 2966:               password “classes” that pam_passwdqc recognizes. Setting a particular minimum
 2967:               value to disabled will stop users from choosing a password that falls into
 2968:               that category alone.
 2969:             </description>
 2970:             <Value id="var-2.3.3.1.2.a.N0" type="string">
 2971:               <title xml:lang="en">N0</title>
 2972:               <description xml:lang="en">
 2973:                 N0 is used for passwords consisting of characters
 2974:                 from one character class only. The character classes are: digits,
 2975:                 lower-case letters, upper-case letters, and other characters. There is
 2976:                 also a special class for non-ASCII characters which could not be
 2977:                 classified, but are assumed to be non-digits. </description>
 2978:               <value>24</value>
 2979:               <value selector="disabled">disabled</value>
 2980:               <value selector="24">24</value>
 2981:               <value selector="30">30</value>
 2982:             </Value>
 2983:             <Value id="var-2.3.3.1.2.a.N1" type="string">
 2984:               <title xml:lang="en">N1</title>
 2985:               <description xml:lang="en">
 2986:                 N1 is used for passwords consisting of characters
 2987:                 from two character classes which do not meet the requirements for a
 2988:                 passphrase.</description>
 2989:               <value>16</value>
 2990:               <value selector="disabled">disabled</value>
 2991:               <value selector="18">18</value>
 2992:               <value selector="24">24</value>
 2993:             </Value>
 2994:             <Value id="var-2.3.3.1.2.a.N2" type="string">
 2995:               <title xml:lang="en">N2</title>
 2996:               <description xml:lang="en">
 2997:                 N2 is used for passphrases. Note that besides
 2998:                 meeting this length requirement, a passphrase must also consist of a
 2999:                 sufficient number of words (see the "passphrase" option below). </description>
 3000:               <value>16</value>
 3001:               <value selector="disabled">disabled</value>
 3002:               <value selector="16">16</value>
 3003:               <value selector="17">17</value>
 3004:               <value selector="18">18</value>
 3005:             </Value>
 3006:             <Value id="var-2.3.3.1.2.a.N3" type="string">
 3007:               <title xml:lang="en">N3</title>
 3008:               <description xml:lang="en">N3 is the number of characters required for a password that uses characters from 3 character classes.</description>
 3009:               <question xml:lang="en">Select the number of characters required for a password that uses characters from 3 character classes</question>
 3010:               <value>16</value>
 3011:               <value selector="disabled">disabled</value>
 3012:               <value selector="14">14</value>
 3013:               <value selector="15">15</value>
 3014:               <value selector="16">16</value>
 3015:             </Value>
 3016:             <Value id="var-2.3.3.1.2.a.N4" type="string">
 3017:               <title xml:lang="en">N4</title>
 3018:               <description xml:lang="en">N4 is the number of characters required for a password that uses characters from 4 character classes.</description>
 3019:               <question xml:lang="en">Select the number of characters required for a password that uses characters from 4 character classes</question>
 3020:               <value>14</value>
 3021:               <value selector="10">10</value>
 3022:               <value selector="12">12</value>
 3023:               <value selector="14">14</value>
 3024:             </Value>
 3025:             <Value id="var-2.3.3.1.2.a.passphrase" type="string">
 3026:               <title xml:lang="en">passphrase</title>
 3027:               <description xml:lang="en">The number of words required for a passphrase, or 0 to disable the support for user-chosen passphrases. </description>
 3028:               <question xml:lang="en">Select the number of words required for a passphrase</question>
 3029:               <value>3</value>
 3030:               <value selector="disabled">0</value>
 3031:               <value selector="3">3</value>
 3032:               <value selector="5">5</value>
 3033:               <match>^[\d]+$</match>
 3034:             </Value>
 3035:             <Value id="var-2.3.3.1.2.a.match" type="string">
 3036:               <title xml:lang="en">match</title>
 3037:               <description xml:lang="en">
 3038:                 The length of common substring required to
 3039:                 conclude that a password is at least partially based on information
 3040:                 found in a character string, or 0 to disable the substring search.
 3041:                 Note that the password will not be rejected once a weak substring is
 3042:                 found; it will instead be subjected to the usual strength requirements
 3043:                 with the weak substring removed.</description>
 3044:               <question xml:lang="en">Enter the length of common substring required to conclude that a password is at least partially based on information found in a character string</question>
 3045:               <value>5</value>
 3046:               <value selector="disable">0</value>
 3047:               <value selector="3">3</value>
 3048:               <value selector="4">4</value>
 3049:               <value selector="5">5</value>
 3050:               <match>^[\d]+$</match>
 3051:             </Value>
 3052:             <Value id="var-2.3.3.1.2.a.retry" type="string">
 3053:               <title xml:lang="en">retry</title>
 3054:               <description xml:lang="en">
 3055:                 The number of times the module will ask for a
 3056:                 new password if the user fails to provide a sufficiently strong
 3057:                 password and enter it twice the first time. </description>
 3058:               <question xml:lang="en">Enter the number of times the module will ask for a new password if the user fails to provide a sufficiently strong password</question>
 3059:               <value>3</value>
 3060:               <value selector="2">2</value>
 3061:               <value selector="3">3</value>
 3062:               <value selector="4">4</value>
 3063:               <match>^[\d]+$</match>
 3064:             </Value>
 3065:             <Rule id="rule-2.3.3.1.2.a" selected="false" weight="10.000000">
 3066:               <title xml:lang="en">Set Password Quality Requirements using pam_passwdqc</title>
 3067:               <description xml:lang="en">The password strength should meet minimum requirements</description>
 3068:               <ident system="http://cce.mitre.org">CCE-3762-2</ident>
 3069:               <fixtext xml:lang="en">(1) via PAM</fixtext>
 3070:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                       <!-- NOTE(review): the exported Values carry N0=24, N1=16, N2=16, N3=16, N4=14,
                            passphrase=3, match=5, retry=3 as their unselected <value> (presumably the
                            defaults). The Group description's example line "min=disabled,disabled,16,12,8"
                            does not match these, so a system configured from that example would likely
                            fail this check unless the Values are refined; confirm against def:20079 in
                            scap-fedora14-oval.xml. -->
 3071:                 <check-export export-name="oval:org.fedoraproject.f14:var:200790" value-id="var-2.3.3.1.2.a.N0"/>
 3072:                 <check-export export-name="oval:org.fedoraproject.f14:var:200791" value-id="var-2.3.3.1.2.a.N1"/>
 3073:                 <check-export export-name="oval:org.fedoraproject.f14:var:200792" value-id="var-2.3.3.1.2.a.N2"/>
 3074:                 <check-export export-name="oval:org.fedoraproject.f14:var:200793" value-id="var-2.3.3.1.2.a.N3"/>
 3075:                 <check-export export-name="oval:org.fedoraproject.f14:var:200794" value-id="var-2.3.3.1.2.a.N4"/>
 3076:                 <check-export export-name="oval:org.fedoraproject.f14:var:200795" value-id="var-2.3.3.1.2.a.passphrase"/>
 3077:                 <check-export export-name="oval:org.fedoraproject.f14:var:200796" value-id="var-2.3.3.1.2.a.match"/>
 3078:                 <check-export export-name="oval:org.fedoraproject.f14:var:200797" value-id="var-2.3.3.1.2.a.retry"/>
 3079:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20079" href="scap-fedora14-oval.xml"/>
 3080:               </check>
 3081:             </Rule>
 3082:           </Group>
 3083:         </Group>
 3084:         <Group id="group-2.3.3.2" hidden="false">
 3085:           <title xml:lang="en">Set Lockouts for Failed Password Attempts</title>
 3086:           <description xml:lang="en">
 3087:             The pam_tally2 PAM module provides the capability to lock out
 3088:             user accounts after a number of failed login attempts. Its documentation is available in
 3089:             /usr/share/doc/pam-version/txts/README.pam_tally2. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3090:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3091:             If locking out accounts after a number of incorrect login attempts is required by your
 3092:             security policy, implement use of pam_tally2.so for the relevant PAM-aware programs
 3093:             such as login, sshd, and vsftpd. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3094:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3095:             Find the following line in /etc/pam.d/system-auth: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3096:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3097:             auth sufficient pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3098:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3099:             and then change it so that it reads as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3100:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3101:             auth required pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3102:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3103:             In the same file, comment out or delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3104:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3105:             auth requisite pam_succeed_if.so uid &gt;= 500 quiet <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3106:             auth required pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3107:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3108:             To enforce password lockout, add the following to the individual programs'
 3109:             configuration files in /etc/pam.d. First, add to end of the auth lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3110:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3111:             auth required pam_tally2.so deny=5 onerr=fail <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3112:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3113:             Second, add to the end of the account lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3114:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3115:             account required pam_tally2.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3116:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3117:             Adjust the deny argument to conform to your system security policy. The pam_tally2
 3118:             utility can be used to unlock user accounts as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3119:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3120:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /sbin/pam_tally2 --user username --reset <xhtml:br/></xhtml:code>
 3121:           </description>
 3122:           <warning xml:lang="en">
 3123:             Locking out user accounts presents the risk of a denial-of-service attack. The security
 3124:             policy regarding system lockout must weigh whether the risk of such a denial-of-service
 3125:             attack outweighs the benefits of thwarting password-guessing attacks. The pam_tally2
 3126:             utility can be run from a cron job on an hourly or daily basis to reset tallies and so
 3127:             offset this risk.
 3128:           </warning>
 3129:           <Value id="var-2.3.3.2.a.deny" type="string">
 3130:             <title xml:lang="en">deny</title>
 3131:             <description xml:lang="en">Deny access if tally for this user exceeds n.</description>
 3132:             <value>3</value>
 3133:             <value selector="1">1</value>
 3134:             <value selector="3">3</value>
 3135:             <value selector="5">5</value>
 3136:             <value selector="10">10</value>
 3137:             <match>^[\d]+$</match>
 3138:           </Value>
 3139:           <Value id="var-2.3.3.2.a.lock_time" type="string">
 3140:             <title xml:lang="en">lock_time</title>
 3141:             <description xml:lang="en">Always deny for n seconds after a failed attempt.</description>
 3142:             <value>5</value>
 3143:             <value selector="1">1</value>
 3144:             <value selector="3">3</value>
 3145:             <value selector="5">5</value>
 3146:             <value selector="10">10</value>
 3147:             <match>^[\d]+$</match>
 3148:           </Value>
 3149:           <Value id="var-2.3.3.2.a.unlock_time" type="string">
 3150:             <title xml:lang="en">unlock_time</title>
 3151:             <description xml:lang="en">
 3152:               Allow access after n seconds after failed attempt. If this
 3153:               option is used the user will be locked out for the specified amount of time after
 3154:               he exceeded his maximum allowed attempts. Otherwise the account is locked until the
 3155:               lock is removed by a manual intervention of the system administrator.</description>
 3156:             <question xml:lang="en">Select time (in seconds) user will be locked out after he exceeded his maximum allowed attempts</question>
 3157:             <value>0</value>
                   <!-- NOTE(review): selector "none" resolves to 1, i.e. a one-second lockout, which would
                        appear to re-admit the user almost immediately and so undercut the lockout this
                        Group configures. The description above says the account otherwise stays locked
                        until an administrator intervenes; confirm whether "none" was meant to be 0 (the
                        unselected value) or to omit unlock_time entirely, and how pam_tally2 treats 0. -->
 3158:             <value selector="none">1</value>
 3159:             <value selector="15_minutes">900</value>
 3160:             <value selector="30_minutes">1800</value>
 3161:             <value selector="1_hour">3600</value>
 3162:             <match>^[\d]+$</match>
 3163:           </Value>
 3164:           <Rule id="rule-2.3.3.2.a" selected="false" weight="10.000000" severity="medium">
 3165:             <title xml:lang="en">Set Lockouts for Failed Password Attempts</title>
 3166:             <description xml:lang="en">The "account lockout threshold" policy should meet minimum requirements.</description>
 3167:             <ident system="http://cce.mitre.org">CCE-3410-8</ident>
 3168:             <fixtext xml:lang="en">(1) via PAM</fixtext>
 3169:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3170:               <check-export export-name="oval:org.fedoraproject.f14:var:200801" value-id="var-2.3.3.2.a.deny"/>
 3171:               <check-export export-name="oval:org.fedoraproject.f14:var:200802" value-id="var-2.3.3.2.a.lock_time"/>
 3172:               <check-export export-name="oval:org.fedoraproject.f14:var:200803" value-id="var-2.3.3.2.a.unlock_time"/>
 3173:               <check-content-ref name="oval:org.fedoraproject.f14:def:20080" href="scap-fedora14-oval.xml"/>
 3174:             </check>
 3175:           </Rule>
 3176:           <Rule id="rule-2.3.3.2.b" selected="false" weight="10.000000">
 3177:             <title xml:lang="en">Do not leak information on authorization failure</title>
 3178:             <description xml:lang="en">Authorization failures should not alert attackers as to what went wrong.</description>
 3179:             <fixtext xml:lang="en">(1) via /etc/pam.d/system-auth</fixtext>
 3180:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3181:               <check-content-ref name="oval:org.fedoraproject.f14:def:200805" href="scap-fedora14-oval.xml"/>
 3182:             </check>
 3183:           </Rule>
 3184:           <Rule id="rule-2.3.3.2.c" selected="false" weight="10.000000" severity="medium">
 3185:             <title xml:lang="en">Do not log authorization failures and successes</title>
 3186:             <description xml:lang="en">Remove the pam_succeed_if module line that uses the quiet option, and remove the auth pam_deny line.</description>
 3187:             <fixtext xml:lang="en">(1) via /etc/pam.d/system-auth</fixtext>
 3188:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3189:               <check-content-ref name="oval:org.fedoraproject.f14:def:200806" href="scap-fedora14-oval.xml"/>
 3190:             </check>
 3191:           </Rule>
 3192:         </Group>
 3193:         <Group id="group-2.3.3.3" hidden="false">
 3194:           <title xml:lang="en">Use pam_deny.so to Quickly Deny Access to a Service</title>
 3195:           <description xml:lang="en">
 3196:             In order to deny access to a service SVCNAME via PAM, edit the
 3197:             file /etc/pam.d/SVCNAME. Prepend this line to the beginning of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3198:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3199:             auth requisite pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3200:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3201:             Under most circumstances, there are better ways to disable a service than to
 3202:             deny access via PAM. However, this should suffice as a way to quickly make a service
 3203:             unavailable to future users (existing sessions which have already been authenticated
 3204:             are not affected). The requisite control flag tells PAM that, if the named module returns
 3205:             failure, authentication should fail, and PAM should immediately stop processing the
 3206:             configuration file. The pam_deny.so module always returns failure regardless of its
 3207:             input.</description>
 3208:         </Group>
 3209:         <Group id="group-2.3.3.4" hidden="false">
 3210:           <title xml:lang="en">Restrict Execution of userhelper to Console Users</title>
 3211:           <description xml:lang="en">
 3212:             If your environment has defined a group, usergroup, containing
 3213:             all the human users of your system, restrict execution of the userhelper program to
 3214:             that group only: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3215:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3216:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chgrp usergroup /usr/sbin/userhelper <xhtml:br/>
 3217:             # chmod 4710 /usr/sbin/userhelper <xhtml:br/></xhtml:code>
 3218:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3219:             The userhelper program provides authentication for graphical services which must run
 3220:             with root privileges, such as the system-config- family of graphical configuration
 3221:             utilities. Only human users logged into the system console are likely to ever have a
 3222:             legitimate need to run these utilities. This step provides some protection against
 3223:             possible flaws in userhelper's implementation, and against further privilege escalation
 3224:             when system accounts are compromised. See Section 2.3.2.2 for more information on
 3225:             creating a group of human users. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3226:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3227:             The userhelper program is configured by the files in /etc/security/console.apps/. Each
 3228:             file specifies, for some program, what user the program should run as, and what program
 3229:             should be executed after successful authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3230:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3231:             Note: The configuration in /etc/security/console.apps/ is applied in
 3232:             combination with the PAM configuration of the service defined in /etc/pam.d/. First,
 3233:             userhelper determines what user the service should run as. (Typically, this will be
 3234:             root.) Next, userhelper uses the PAM API to allow the user who ran the program to
 3235:             attempt to authenticate as the desired user. The PAM API exchange is wrapped in a GUI if
 3236:             the application's configuration requests one.</description>
 3237:           <Value id="var-2.3.3.4.a" operator="equals" type="string">
 3238:             <title xml:lang="en">Name of group containing human users</title>
 3239:             <description xml:lang="en">Enter group to aggregate human users</description>
 3240:             <value>usergroup</value>
 3241:             <value selector="usergroup">usergroup</value>
 3242:           </Value>
 3243:           <Value id="var-2.3.3.4.b" operator="equals" type="string">
 3244:             <title xml:lang="en">userhelper file permissions</title>
 3245:             <description xml:lang="en">Enter file permissions for /usr/sbin/userhelper</description>
 3246:               <question xml:lang="en">Enter file permissions for /usr/sbin/userhelper</question>
 3247:             <value>100111001000</value>
 3248:             <value selector="4710">100111001000</value>
 3249:             <match>^[10]+$</match>
 3250:           </Value>
 3251:           <Rule id="rule-2.3.3.4.a" selected="false" weight="10.000000">
 3252:             <title xml:lang="en">Restrict Execution of userhelper to Console Users</title>
 3253:             <description xml:lang="en">The /usr/sbin/userhelper file should be owned by the appropriate group.</description>
 3254:             <ident system="http://cce.mitre.org">CCE-4185-5</ident>
 3255:             <fix># chgrp usergroup /usr/sbin/userhelper</fix>
 3256:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3257:               <check-export export-name="oval:org.fedoraproject.f14:var:20081" value-id="var-2.3.3.4.a"/>
 3258:               <check-content-ref name="oval:org.fedoraproject.f14:def:20081" href="scap-fedora14-oval.xml"/>
 3259:             </check>
 3260:           </Rule>
 3261:           <Rule id="rule-2.3.3.4.b" selected="false" weight="10.000000">
 3262:             <title xml:lang="en">Restrict File permissions of userhelper</title>
 3263:             <description xml:lang="en">File permissions for /usr/sbin/userhelper should be set correctly.</description>
 3264:             <ident system="http://cce.mitre.org">CCE-3952-9</ident>
 3265:             <fix># chmod 4710 /usr/sbin/userhelper</fix>
 3266:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3267:               <check-export export-name="oval:org.fedoraproject.f14:var:20082" value-id="var-2.3.3.4.b"/>
 3268:               <check-content-ref name="oval:org.fedoraproject.f14:def:20082" href="scap-fedora14-oval.xml"/>
 3269:             </check>
 3270:           </Rule>
 3271:         </Group>
 3272:         <Group id="group-2.3.3.5" hidden="false">
 3273:           <title xml:lang="en">Password Hashing Algorithm</title>
 3274:           <description xml:lang="en">
 3275:             The default algorithm for storing password hashes should be SHA-512.
 3276:           </description>
 3277:           <Value id="var-2.3.3.5.a" operator="equals" type="string">
 3278:             <title xml:lang="en">Password hashing algorithm</title>
 3279:             <description xml:lang="en">Enter /etc/shadow password hashing algorithm</description>
 3280:             <question xml:lang="en">Enter /etc/shadow password hashing algorithm</question>
 3281:             <value>sha512</value>
                   <!-- NOTE(review): md5 and sha256 are offered as selectable values, but the Rule
                        rule-2.3.3.5.a below states that the algorithm should be set to SHA-512.
                        Refining this Value to md5 or sha256 makes the check pass against a weaker
                        hash than the Group intends; treat those selectors as legacy inventory
                        options, not as compliant targets. -->
 3282:             <value selector="MD5">md5</value>
 3283:             <value selector="SHA-256">sha256</value>
 3284:             <value selector="SHA-512">sha512</value>
 3285:             <choices>
 3286:               <choice>md5</choice>
 3287:               <choice>sha256</choice>
 3288:               <choice>sha512</choice>
 3289:             </choices>
 3290:           </Value>
 3291:           <Rule id="rule-2.3.3.5.a" selected="false" weight="10.000000" severity="medium">
 3292:             <title xml:lang="en">Password hashing algorithm</title>
 3293:             <description xml:lang="en">The password hashing algorithm should be set to SHA-512</description>
 3294:             <fix>/usr/sbin/authconfig --passalgo=sha512 --update</fix>
 3295:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3296:               <check-export export-name="oval:org.fedoraproject.f14:var:20083" value-id="var-2.3.3.5.a"/>
 3297:               <check-content-ref name="oval:org.fedoraproject.f14:def:20083" href="scap-fedora14-oval.xml"/>
 3298:             </check>
 3299:           </Rule>
 3300:         </Group>
 3301:         <Group id="group-2.3.3.6" hidden="false">
 3302:           <title xml:lang="en">Limit Password Reuse</title>
 3303:           <description xml:lang="en">
 3304:             Do not allow users to reuse recent passwords. This can be
 3305:             accomplished by using the remember option for the pam_unix PAM module. In order to
 3306:             prevent a user from re-using any of his or her last <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/> passwords,
 3307:             append remember=<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/> to the password line which uses the
 3308:             pam_unix module in the file /etc/pam.d/system-auth, as shown:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3309:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3310:             password sufficient pam_unix.so existing_options remember=<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3311:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3312:             Old (and thus no longer valid) passwords are stored in the file /etc/security/opasswd.
 3313:           </description>
 3314:           <Value id="var-2.3.3.6.a" operator="equals" type="string">
 3315:             <title xml:lang="en">remember</title>
 3316:             <description xml:lang="en">
 3317:               The last n passwords for each user are saved in
 3318:               /etc/security/opasswd in order to enforce password history and keep the user from
 3319:               cycling back to the same password too frequently. </description>
 3320:             <question xml:lang="en">Enter how many previous passwords will be saved to keep the user from cycling back to the same password too frequently</question>
 3321:             <value>5</value>
 3322:             <value selector="5">5</value>
 3323:             <value selector="10">10</value>
 3324:             <match>^[\d]+$</match>
 3325:           </Value>
 3326:           <Rule id="rule-2.3.3.6.a" selected="false" weight="10.000000" severity="medium">
 3327:             <title xml:lang="en">Limit password reuse</title>
 3328:             <description xml:lang="en">The passwords to remember should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/></description>
 3329:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3330:               <check-export export-name="oval:org.fedoraproject.f14:var:20084" value-id="var-2.3.3.6.a"/>
 3331:               <check-content-ref name="oval:org.fedoraproject.f14:def:20084" href="scap-fedora14-oval.xml"/>
 3332:             </check>
 3333:           </Rule>
 3334:         </Group>
 3335:       </Group>
 3336:       <Group id="group-2.3.4" hidden="false">
 3337:         <title xml:lang="en">Secure Session Configuration Files for Login Accounts</title>
 3338:         <description xml:lang="en">
 3339:           When a user logs into a Unix account, the system configures the
 3340:           user's session by reading a number of files. Many of these files are located in the user's
 3341:           home directory, and may have weak permissions as a result of user error or
 3342:           misconfiguration. If an attacker can modify or even read certain types of account
 3343:           configuration information, they can often gain full access to the affected user's account.
 3344:           Therefore, it is important to test and correct configuration file permissions for
 3345:           interactive accounts, particularly those of privileged users such as root or system
 3346:           administrators.</description>
 3347:         <Group id="group-2.3.4.1" hidden="false">
 3348:           <title xml:lang="en">Ensure that No Dangerous Directories Exist in Root's Path</title>
 3349:           <description xml:lang="en">
 3350:             The active path of the root account can be obtained by starting
 3351:             a new root shell and running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3352:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3353:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># echo $PATH <xhtml:br/></xhtml:code>
 3354:             This will produce a colon-separated list of directories in the path. For each directory
 3355:             DIR in the path, ensure that DIR is not equal to a single . character. Also ensure that
 3356:             there are no 'empty' elements in the path, such as in these examples: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3357:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3358:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=:/bin <xhtml:br/>
 3359:             PATH=/bin: <xhtml:br/>
 3360:             PATH=/bin::/sbin <xhtml:br/></xhtml:code>
 3361:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3362:             These empty elements have the same effect as a single . character. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3363:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3364:             For each element in the path, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3365:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3366:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld DIR <xhtml:br/></xhtml:code>
 3367:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3368:             and ensure that write permissions are disabled for group and other. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3369:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3370:             It is important to prevent root from executing unknown or untrusted programs, since such
 3371:             programs could contain malicious code. Therefore, root should not run programs installed
 3372:             by unprivileged users. Since root may often be working inside untrusted directories, the
 3373:             . character, which represents the current directory, should never be in the root path,
 3374:             nor should any directory which can be written to by an unprivileged or semi-privileged
 3375:             (system) user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3376:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3377:             It is a good practice for administrators to always execute privileged
 3378:             commands by typing the full path to the command.</description>
 3379:           <Rule id="rule-2.3.4.1.a" selected="false" weight="10.000000" severity="medium">
 3380:             <title xml:lang="en">Ensure that No Dangerous Directories Exist in Root's Path</title>
 3381:             <description xml:lang="en">The PATH variable should be set correctly for user root</description>
 3382:             <ident system="http://cce.mitre.org">CCE-3301-9</ident>
 3383:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3384:               <check-content-ref name="oval:org.fedoraproject.f14:def:20085" href="scap-fedora14-oval.xml"/>
 3385:             </check>
 3386:           </Rule>
 3387:           <Rule id="rule-2.3.4.1.b" selected="false" weight="10.000000" severity="medium">
 3388:             <title xml:lang="en">Write permissions are disabled for group and other in all directories in Root's Path</title>
 3389:             <description xml:lang="en">Check each directory in root's path and make sure it does not grant write permission to group and other</description>
 3390:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3391:               <check-content-ref name="oval:org.fedoraproject.f14:def:200855" href="scap-fedora14-oval.xml"/>
 3392:             </check>
 3393:           </Rule>
 3394:         </Group>
 3395:         <Group id="group-2.3.4.2" hidden="false">
 3396:           <title xml:lang="en">Ensure that User Home Directories are not Group-Writable or
 3397:             World-Readable</title>
 3398:           <description xml:lang="en">
 3399:             For each human user USER of the system, view the permissions of the
 3400:             user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3401:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3402:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER <xhtml:br/></xhtml:code>
 3403:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3404:             Ensure that the directory is not group-writable and that it is not world-readable. If
 3405:             necessary, repair the permissions:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3406:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3407:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod g-w /home/USER <xhtml:br/>
 3408:             # chmod o-rwx /home/USER <xhtml:br/></xhtml:code>
 3409:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3410:             User home directories contain many
 3411:             configuration files which affect the behavior of a user's account. No user should ever
 3412:             have write permission to another user's home directory. Group shared directories can be
 3413:             configured in subdirectories or elsewhere in the filesystem if they are needed.
 3414:             Typically, user home directories should not be world-readable. If a subset of users need
 3415:             read access to one another's home directories, this can be provided using groups.</description>
 3416:           <warning xml:lang="en">Sections 2.3.4.2–2.3.4.5 recommend modifying user home
 3417:             directories. Notify your user community, and solicit input if appropriate, before making
 3418:             this type of change. </warning>
 3419:           <Rule id="rule-2.3.4.2.a" selected="false" weight="10.000000" severity="medium">
 3420:             <title xml:lang="en">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
 3421:             <description xml:lang="en">File permissions should be set correctly for the home directories for all user accounts.</description>
 3422:             <ident system="http://cce.mitre.org">CCE-4090-7</ident>
 3423:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3424:               <check-content-ref name="oval:org.fedoraproject.f14:def:20086" href="scap-fedora14-oval.xml"/>
 3425:             </check>
 3426:           </Rule>
 3427:         </Group>
 3428:         <Group id="group-2.3.4.3" hidden="false">
 3429:           <title xml:lang="en">Ensure that User Dot-Files are not World-writable</title>
 3430:           <description xml:lang="en">
 3431:             For each human user USER of the system, view the permissions of
 3432:             all dot-files in the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3433:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3434:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER/.[A-Za-z0-9]* <xhtml:br/></xhtml:code>
 3435:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3436:             Ensure that none of these files are group- or world-writable. Correct each misconfigured file
 3437:             FILE by executing: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3438:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3439:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod go-w /home/USER/FILE <xhtml:br/></xhtml:code>
 3440:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3441:             A user who can modify another user's configuration files can likely execute commands
 3442:             with the other user's privileges, including stealing data, destroying files, or
 3443:             launching further attacks on the system.</description>
 3444:         </Group>
 3445:         <Group id="group-2.3.4.4" hidden="false">
 3446:           <title xml:lang="en">Ensure that Users Have Sensible Umask Values</title>
 3447:           <description xml:lang="en">
 3448:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.1">
 3449:               <xhtml:li>Edit the global configuration files /etc/bashrc and /etc/csh.cshrc.
 3450:               Add or correct the line: umask <sub idref="var-2.3.4.4"/></xhtml:li>
 3451:               <xhtml:li>View the additional configuration files /etc/csh.login and /etc/profile.d/*,
 3452:                 and ensure that none of these files redefine the umask to a more permissive value
 3453:                 unless there is a good reason for it.</xhtml:li>
 3454:             </xhtml:ol>
 3455:             With a default umask setting of 077, files and directories created by users will not be
 3456:             readable by any other user on the system. Users who wish to make specific files group-
 3457:             or world-readable can accomplish this using the chmod command. Additionally, users can
 3458:             make all their files readable to their group by default by setting a umask of 027 in
 3459:             their shell configuration files. If default per-user groups exist (that is, if every
 3460:             user has a default group whose name is the same as that user's username and whose only
 3461:             member is the user), then it may even be safe for users to select a umask of 007, making
 3462:             it very easy to intentionally share files with groups of which the user is a member. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3463:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3464:             In addition, it may be necessary to change root's umask temporarily in order to install
 3465:             software or files which must be readable by other users, or to change the default umasks
 3466:             of certain service accounts such as the FTP user. However, setting a restrictive default
 3467:             protects the files of users who have not taken steps to make their files more available,
 3468:             and prevents files from being inadvertently shared.</description>
 3469:           <Value id="var-2.3.4.4" operator="equals" type="string">
 3470:             <title xml:lang="en">Sensible umask</title>
 3471:             <description xml:lang="en">Enter default user umask</description>
 3472:             <question xml:lang="en">Enter default user umask</question>
 3473:             <value>002</value>
 3474:             <value selector="002">002</value>
 3475:             <value selector="007">007</value>
 3476:             <value selector="022">022</value>
 3477:             <value selector="027">027</value>
 3478:             <value selector="077">077</value>
 3479:             <match>^0?[0-7][0-7][0-7]?$</match>
 3480:           </Value>
 3481:           <Rule id="rule-2.3.4.4.a" selected="false" weight="10.000000" severity="medium">
 3482:             <title xml:lang="en">Ensure that Users Have Sensible Umask Values in /etc/bashrc</title>
 3483:             <description xml:lang="en">The default umask for all users for the bash shell should be set to:
 3484:                 <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.4.4"/></description>
 3485:             <ident system="http://cce.mitre.org">CCE-3844-8</ident>
 3486:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3487:               <check-export export-name="oval:org.fedoraproject.f14:var:20087" value-id="var-2.3.4.4"/>
 3488:               <check-content-ref name="oval:org.fedoraproject.f14:def:20087" href="scap-fedora14-oval.xml"/>
 3489:             </check>
 3490:           </Rule>
 3491:           <Rule id="rule-2.3.4.4.b" selected="false" weight="10.000000" severity="medium">
 3492:             <title xml:lang="en">Ensure that Users Have Sensible Umask Values in /etc/csh.cshrc</title>
 3493:             <description xml:lang="en">The default umask for all users for the csh shell should be set to:
 3494:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.4.4"/></description>
 3495:             <ident system="http://cce.mitre.org">CCE-4227-5</ident>
 3496:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3497:               <check-export export-name="oval:org.fedoraproject.f14:var:20087" value-id="var-2.3.4.4"/>
 3498:               <check-content-ref name="oval:org.fedoraproject.f14:def:20088" href="scap-fedora14-oval.xml"/>
 3499:             </check>
 3500:           </Rule>
 3501:         </Group>
 3502:         <Group id="group-2.3.4.5" hidden="false">
 3503:           <title xml:lang="en">Ensure that Users do not Have .netrc Files</title>
 3504:           <description xml:lang="en">
 3505:             For each human user USER of the system, ensure that the user
 3506:             has no .netrc file. The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3507:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3508:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -l /home/USER/.netrc <xhtml:br/></xhtml:code>
 3509:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3510:             should return the error 'No such file or directory'. If any user has such a file,
 3511:             approach that user to discuss removing this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3512:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3513:             The .netrc file is a configuration file used to make unattended
 3514:             logins to other systems via FTP. When this file exists, it frequently contains
 3515:             unencrypted passwords which may be used to attack other systems.</description>
 3516:           <Rule id="rule-2.3.4.5.a" selected="false" weight="10.000000" severity="medium">
 3517:             <title xml:lang="en">Check for existence of .netrc file</title>
 3518:             <description xml:lang="en">No user directory should contain file .netrc</description>
 3519:             <fix>rm .netrc</fix>
 3520:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3521:               <check-content-ref name="oval:org.fedoraproject.f14:def:20091" href="scap-fedora14-oval.xml"/>
 3522:             </check>
 3523:           </Rule>
 3524:         </Group>
 3525:       </Group>
 3526:       <Group id="group-2.3.5" hidden="false">
 3527:         <title xml:lang="en">Protect Physical Console Access</title>
 3528:         <description xml:lang="en">
 3529:           It is impossible to fully protect a system from an attacker with
 3530:           physical access, so securing the space in which the system is located should be considered
 3531:           a necessary step. However, there are some steps which, if taken, make it more difficult
 3532:           for an attacker to quickly or undetectably modify a system from its console.</description>
 3533:         <Group id="group-2.3.5.1" hidden="false">
 3534:           <title xml:lang="en">Set BIOS Password</title>
 3535:           <description xml:lang="en">
 3536:             The BIOS (on x86 systems) is the first code to execute during
 3537:             system startup and controls many important system parameters, including which devices
 3538:             the system will try to boot from, and in which order. Assign a password to prevent any
 3539:             unauthorized changes to the BIOS configuration. The exact steps will vary depending on
 3540:             your machine, but are likely to include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3541:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 3542:               <xhtml:li>Reboot the machine.</xhtml:li>
 3543:               <xhtml:li>Press the appropriate key during the initial boot screen (F2 is typical)</xhtml:li>
 3544:               <xhtml:li>Navigate the BIOS configuration menu to add a password.</xhtml:li>
 3545:             </xhtml:ol>
 3546:             The exact process will be system-specific and the system's
 3547:             hardware manual may provide detailed instructions. This password should prevent
 3548:             attackers with physical access from attempting to change important parameters, such as
 3549:             those described in Sections 2.5.2.2.1 and 2.2.2.2.4. However, an attacker with physical
 3550:             access can usually clear the BIOS password. The password should be written down and
 3551:             stored in a physically-secure location, such as a safe, in the event that it is
 3552:             forgotten and must be retrieved.</description>
 3553:         </Group>
 3554:         <Group id="group-2.3.5.2" hidden="false">
 3555:           <title xml:lang="en">Set Boot Loader Password</title>
 3556:           <description xml:lang="en">
 3557:             During the boot process, the boot loader is responsible for
 3558:             starting the execution of the kernel and passing options to it. The boot loader allows
 3559:             for the selection of different kernels – possibly on different partitions or media.
 3560:             Options it can pass to the kernel include 'single-user mode,' which provides root access
 3561:             without any authentication, and the ability to disable SELinux. To prevent local users
 3562:             from modifying the boot parameters and endangering security, the boot loader
 3563:             configuration should be protected with a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3564:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3565:             The default Fedora boot loader for x86 systems is called GRUB. To protect its
 3566:             configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3567:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 3568:               <xhtml:li>Select a password and then generate a hash from it by running: <xhtml:br/>
 3569:                 <xhtml:br/>
 3570:                 <xhtml:code># grub-md5-crypt </xhtml:code> <xhtml:br/> <xhtml:br/> </xhtml:li>
 3571:               <xhtml:li>Insert the following line into /etc/grub.conf immediately after the header
 3572:                 comments. (Use the output from grub-md5-crypt as the value of password-hash ): <xhtml:br/>
 3573:                 <xhtml:br/>
 3574:                 <xhtml:code>password --md5 password-hash </xhtml:code> <xhtml:br/> <xhtml:br/> </xhtml:li>
 3575:               <xhtml:li>Verify the permissions on /etc/grub.conf (which is a symlink to ../boot/grub/grub.conf):
 3576:                 <xhtml:br/>
 3577:                 <xhtml:br/>
 3578:                 <xhtml:code># chown root:root /boot/grub/grub.conf <xhtml:br/>
 3579:                 # chmod 600 /boot/grub/grub.conf</xhtml:code></xhtml:li>
 3580:             </xhtml:ol>
 3581:               Boot loaders for other platforms should offer a similar password protection feature.</description>
 3582:           <Value id="var-2.3.5.2.a" operator="equals" type="string">
 3583:             <title xml:lang="en">User that owns /boot/grub/grub.conf</title>
 3584:             <description xml:lang="en">Choose user that should own /boot/grub/grub.conf</description>
 3585:             <value>root</value>
 3586:             <value selector="root">root</value>
 3587:           </Value>
 3588:           <Value id="var-2.3.5.2.b" operator="equals" type="string">
 3589:             <title xml:lang="en">Group that owns /boot/grub/grub.conf</title>
 3590:             <description xml:lang="en">Choose group that should own /boot/grub/grub.conf</description>
 3591:             <value>root</value>
 3592:             <value selector="root">root</value>
 3593:           </Value>
 3594:           <Value id="var-2.3.5.2.c" operator="equals" type="string">
 3595:             <title xml:lang="en">permissions on /boot/grub/grub.conf</title>
 3596:             <description xml:lang="en">Choose file permissions on /boot/grub/grub.conf</description>
 3597:             <value>110000000</value>
 3598:             <value selector="600">110000000</value>
 3599:             <match>^[01]+$</match>
 3600:           </Value>
 3601:           <Rule id="rule-2.3.5.2.a" selected="false" weight="10.000000" severity="medium">
 3602:             <title xml:lang="en">Set Boot Loader user owner</title>
 3603:             <description xml:lang="en">The /boot/grub/grub.conf file should be owned by root.</description>
 3604:             <ident system="http://cce.mitre.org">CCE-4144-2</ident>
 3605:             <fix>chown root /boot/grub/grub.conf</fix>
 3606:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3607:               <check-export export-name="oval:org.fedoraproject.f14:var:20092" value-id="var-2.3.5.2.a"/>
 3608:               <check-content-ref name="oval:org.fedoraproject.f14:def:20092" href="scap-fedora14-oval.xml"/>
 3609:             </check>
 3610:           </Rule>
 3611:           <Rule id="rule-2.3.5.2.b" selected="false" weight="10.000000" severity="medium">
 3612:             <title xml:lang="en">Set Boot Loader group owner</title>
 3613:             <description xml:lang="en">The /boot/grub/grub.conf file should be owned by group root.</description>
 3614:             <ident system="http://cce.mitre.org">CCE-4197-0</ident>
 3615:             <fix>chown :root /boot/grub/grub.conf</fix>
 3616:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3617:               <check-export export-name="oval:org.fedoraproject.f14:var:20093" value-id="var-2.3.5.2.b"/>
 3618:               <check-content-ref name="oval:org.fedoraproject.f14:def:20093" href="scap-fedora14-oval.xml"/>
 3619:             </check>
 3620:           </Rule>
 3621:           <Rule id="rule-2.3.5.2.c" selected="false" weight="10.000000" severity="medium">
 3622:             <title xml:lang="en">Set permission on /boot/grub/grub.conf</title>
 3623:             <description xml:lang="en">File permissions for /boot/grub/grub.conf should be set correctly.</description>
 3624:             <ident system="http://cce.mitre.org">CCE-3923-0</ident>
 3625:             <fix>chmod 600 /boot/grub/grub.conf</fix>
 3626:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3627:               <check-export export-name="oval:org.fedoraproject.f14:var:20094" value-id="var-2.3.5.2.c"/>
 3628:               <check-content-ref name="oval:org.fedoraproject.f14:def:20094" href="scap-fedora14-oval.xml"/>
 3629:             </check>
 3630:           </Rule>
 3631:           <Rule id="rule-2.3.5.2.d" selected="false" weight="10.000000" severity="high">
 3632:             <title xml:lang="en">Set Boot Loader Password</title>
 3633:             <description xml:lang="en">The grub boot loader should have password protection enabled</description>
 3634:             <ident system="http://cce.mitre.org">CCE-3818-2</ident>
 3635:             <fixtext xml:lang="en">Edit /boot/grub/grub.conf</fixtext>
 3636:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3637:               <check-content-ref name="oval:org.fedoraproject.f14:def:20095" href="scap-fedora14-oval.xml"/>
 3638:             </check>
 3639:           </Rule>
 3640:         </Group>
 3641:         <Group id="group-2.3.5.3" hidden="false">
 3642:           <title xml:lang="en">Require Authentication for Single-User Mode</title>
 3643:           <description xml:lang="en">
 3644:             Single-user mode is intended as a system recovery method,
 3645:             giving a single user root access to the system through a boot option chosen at startup.
 3646:             By default, no authentication is performed if single-user mode is selected. This
 3647:             provides a trivial mechanism of bypassing security on the machine and gaining root
 3648:             access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3649:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3650:             To require entry of the root password even if the system is started in
 3651:             single-user mode, add the following line to the /etc/inittab file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3652:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3653:             ~~:S:wait:/sbin/sulogin</description>
 3654:           <Rule id="rule-2.3.5.3.a" selected="false" weight="10.000000" severity="medium">
 3655:             <title xml:lang="en">Require Authentication for Single-User Mode</title>
 3656:             <description xml:lang="en">The requirement for a password to boot into single-user mode should be enabled.</description>
 3657:             <ident system="http://cce.mitre.org">CCE-4241-6</ident>
 3658:             <fixtext xml:lang="en">(1) via /etc/inittab</fixtext>
 3659:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3660:               <check-content-ref name="oval:org.fedoraproject.f14:def:20096" href="scap-fedora14-oval.xml"/>
 3661:             </check>
 3662:           </Rule>
 3663:         </Group>
 3664:         <Group id="group-2.3.5.4" hidden="false">
 3665:           <title xml:lang="en">Disable Interactive Boot</title>
 3666:           <description xml:lang="en">
 3667:             Edit the file /etc/sysconfig/init. Add or correct the setting:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3668:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3669:             PROMPT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3670:             The PROMPT option allows the console user to perform an interactive system
 3671:             startup, in which it is possible to select the set of services which are started on
 3672:             boot. Using interactive boot, the console user could disable auditing, firewalls, or
 3673:             other services, weakening system security.</description>
 3674:           <Rule id="rule-2.3.5.4.a" selected="false" weight="10.000000" severity="medium">
 3675:             <title xml:lang="en">Disable Interactive Boot</title>
 3676:             <description xml:lang="en">The ability for users to perform interactive startups should be disabled.</description>
 3677:             <ident system="http://cce.mitre.org">CCE-4245-7</ident>
 3678:             <fixtext xml:lang="en">(1) via /etc/sysconfig/init</fixtext>
 3679:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3680:               <check-content-ref name="oval:org.fedoraproject.f14:def:20097" href="scap-fedora14-oval.xml"/>
 3681:             </check>
 3682:           </Rule>
 3683:         </Group>
 3684:         <Group id="group-2.3.5.5" hidden="false">
 3685:           <title xml:lang="en">Implement Inactivity Time-out for Login Shells</title>
 3686:           <description xml:lang="en">
 3687:             If the system does not run X Windows, then the login shells can
 3688:             be configured to automatically log users out after a period of inactivity. The following
 3689:             instructions are not practical for systems which run X Windows, as they will close
 3690:             terminal windows in the X environment. For information on how to automatically lock
 3691:             those systems, see Section 2.3.5.6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3692:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3693:             To implement a 15-minute idle time-out for the
 3694:             default /bin/bash shell, create a new file tmout.sh in the directory /etc/profile.d with
 3695:             the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3696:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3697:             TMOUT=900 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3698:             readonly TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3699:             export TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3700:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3701:             To implement a 15-minute idle
 3702:             time-out for the tcsh shell, create a new file autologout.csh in the directory
 3703:             /etc/profile.d with the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3704:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3705:             set -r autologout 15 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3706:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3707:             Similar actions should be taken for any other login shells used. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3708:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3709:             The example time-out here of 15 minutes should be
 3710:             adjusted to whatever your security policy requires. The readonly line for bash and the
 3711:             -r option for tcsh can be omitted if policy allows users to override the value. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3712:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3713:             The automatic shell logout only occurs when the shell is the foreground process. If, for
 3714:             example, a vi session is left idle, then automatic logout would not occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3715:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3716:             When logging in through a remote connection, as with SSH, it may be more effective to set
 3717:             the timeout value directly through that service. To learn how to set automatic timeout
 3718:             intervals for SSH, see Section 3.5.2.3.</description>
 3719:           <Value id="var-2.3.5.5" operator="equals" type="string">
 3720:             <title xml:lang="en">Inactivity timeout</title>
 3721:             <description xml:lang="en">Choose allowed duration of inactive SSH connections, shells, and X sessions</description>
 3722:             <question xml:lang="en">Choose allowed duration of inactive SSH connections, shells and X sessions in minutes</question>
 3723:             <value>15</value>
 3724:             <value selector="0_minutes">0</value>
 3725:             <value selector="10_minutes">10</value>
 3726:             <value selector="15_minutes">15</value>
 3727:             <match>^[\d]+$</match>
 3728:           </Value>
 3729:           <Rule id="rule-2.3.5.5.a" selected="false" weight="10.000000" severity="medium">
 3730:             <title xml:lang="en">Implement Inactivity Time-out for Login Shells</title>
 3731:             <description xml:lang="en">The idle time-out value for the default /bin/tcsh shell should be:
 3732:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.5.5"/></description>
 3733:             <ident system="http://cce.mitre.org">CCE-3689-7</ident>
 3734:             <fixtext xml:lang="en">(1) via /etc/profile.d/autologout.csh</fixtext>
 3735:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3736:               <check-export export-name="oval:org.fedoraproject.f14:var:20098" value-id="var-2.3.5.5"/>
 3737:               <check-content-ref name="oval:org.fedoraproject.f14:def:20098" href="scap-fedora14-oval.xml"/>
 3738:             </check>
 3739:           </Rule>
 3740:           <Rule id="rule-2.3.5.5.b" selected="false" weight="10.000000" severity="medium">
 3741:             <title xml:lang="en">Implement Inactivity Time-out for Login Shells</title>
 3742:             <description xml:lang="en">The idle time-out value for the default /bin/bash shell should be:
 3743:               <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.5.5"/></description>
 3744:             <warning xml:lang="en">Time out is in seconds</warning>
 3745:             <ident system="http://cce.mitre.org">CCE-3707-7</ident>
 3746:             <fixtext xml:lang="en">(1) via /etc/profile.d/tmout.sh</fixtext>
 3747:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3748:               <check-export export-name="oval:org.fedoraproject.f14:var:20099" value-id="var-2.3.5.5"/>
 3749:               <check-content-ref name="oval:org.fedoraproject.f14:def:20099" href="scap-fedora14-oval.xml"/>
 3750:             </check>
 3751:           </Rule>
 3752:         </Group>
 3753:         <Group id="group-2.3.5.6" hidden="false">
 3754:           <title xml:lang="en">Configure Screen Locking</title>
 3755:           <description xml:lang="en">
 3756:             When a user must temporarily leave an account logged-in, screen
 3757:             locking should be employed to prevent passersby from abusing the account. User education
 3758:             and training is particularly important for screen locking to be effective. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3759:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3760:             A policy should be implemented that trains all users to lock the screen when they plan to
 3761:             temporarily step away from a logged-in account. Automatic screen locking is only meant
 3762:             as a safeguard for those cases where a user forgot to lock the screen.</description>
 3763:           <Group id="group-2.3.5.6.1" hidden="false">
 3764:             <title xml:lang="en">Configure GUI Screen Locking</title>
 3765:             <description xml:lang="en">
 3766:               In the default GNOME desktop, the screen can be locked by
 3767:               choosing Lock Screen from the System menu. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3768:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3769:               The gconftool-2 program can be used to
 3770:               enforce mandatory screen locking settings for the default GNOME environment. Run the
 3771:               following commands to enforce idle activation of the screen saver, screen locking, a
 3772:               blank-screen screensaver, and 15-minute idle activation time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3773:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:code>
 3774:               # gconftool-2 --direct \
 3775:                             --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
 3776:                             --type bool \
 3777:                             --set /apps/gnome-screensaver/idle_activation_enabled true
 3778:               # gconftool-2 --direct \
 3779:                             --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
 3780:                             --type bool \
 3781:                             --set /apps/gnome-screensaver/lock_enabled true
 3782:               # gconftool-2 --direct \
 3783:                             --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
 3784:                             --type string \
 3785:                             --set /apps/gnome-screensaver/mode blank-only
 3786:               # gconftool-2 --direct \
 3787:                             --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
 3788:                             --type int \
 3789:                             --set /apps/gnome-screensaver/idle_delay 15
 3790:               </xhtml:code></xhtml:pre>
 3791:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3792:               The default setting of 15 minutes for idle
 3793:               activation is reasonable for many office environments, but the setting should conform
 3794:               to whatever policy is defined. The screensaver mode blank-only is selected to conceal
 3795:               the contents of the display from passersby. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3796:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3797:               Because users should be trained to lock
 3798:               the screen when they step away from the computer, the automatic locking feature is
 3799:               only meant as a backup. The Lock Screen icon from the System menu can also be dragged
 3800:               to the taskbar in order to facilitate even more convenient screen-locking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3801:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3802:               The root
 3803:               account cannot be screen-locked, but this should have no practical effect as the root
 3804:               account should never be used to log into an X Windows environment, and should only be
 3805:               used for direct login via the console, and only in emergency circumstances. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3806:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3807:               For more information
 3808:               about configuring GNOME screensaver, see http://live.gnome.org/GnomeScreensaver. For
 3809:               more information about enforcing preferences in the GNOME environment using the GConf
 3810:               configuration system, see http://www.gnome.org/projects/gconf and the man page
 3811:               gconftool-2(1).</description>
 3812:             <Rule id="rule-2.3.5.6.1.a" selected="false" weight="10.000000" severity="medium">
 3813:               <title xml:lang="en">Implement Inactivity Time-out for the GNOME Desktop</title>
 3814:               <description xml:lang="en">The GNOME screen saver idle activation delay (/apps/gnome-screensaver/idle_delay), after which an inactive desktop session is blanked and locked, should be 15 minutes. This rule checks the GNOME setting only; it does not cover login-shell time-outs.</description>
 3815:               <ident system="http://cce.mitre.org">CCE-3315-9</ident>
 3816:               <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
 3817:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3818:                 <check-export export-name="oval:org.fedoraproject.f14:var:20098" value-id="var-2.3.5.5"/>
 3819:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20100" href="scap-fedora14-oval.xml"/>
 3820:               </check>
 3821:             </Rule>
 3822:             <Rule id="rule-2.3.5.6.1.b" selected="false" weight="10.000000" severity="medium">
 3823:               <title xml:lang="en">Implement idle activation of screen saver</title>
 3824:               <description xml:lang="en">Idle activation of the screen saver should be enabled</description>
 3825:               <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
 3826:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3827:                 <check-content-ref name="oval:org.fedoraproject.f14:def:201005" href="scap-fedora14-oval.xml"/>
 3828:               </check>
 3829:             </Rule>
 3830:             <Rule id="rule-2.3.5.6.1.c" selected="false" weight="10.000000" severity="medium">
 3831:               <title xml:lang="en">Implement idle activation of screen lock</title>
 3832:               <description xml:lang="en">Idle activation of the screen lock should be enabled</description>
 3833:               <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
 3834:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3835:                 <check-content-ref name="oval:org.fedoraproject.f14:def:201006" href="scap-fedora14-oval.xml"/>
 3836:               </check>
 3837:             </Rule>
 3838:             <Rule id="rule-2.3.5.6.1.d" selected="false" weight="10.000000" severity="medium">
 3839:               <title xml:lang="en">Implement blank screen saver</title>
 3840:               <description xml:lang="en">The screen saver should be blank</description>
 3841:               <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
 3842:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3843:                 <check-content-ref name="oval:org.fedoraproject.f14:def:201007" href="scap-fedora14-oval.xml"/>
 3844:               </check>
 3845:             </Rule>
 3846:           </Group>
 3847:           <Group id="group-2.3.5.6.2" hidden="false">
 3848:             <title xml:lang="en">Configure Console Screen Locking</title>
 3849:             <description xml:lang="en">
 3850:               A console screen locking mechanism is provided in the vlock
 3851:               package, which is not installed by default. If the ability to lock console screens is
 3852:               necessary, install the vlock package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3853:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3854:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vlock <xhtml:br/></xhtml:code>
 3855:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3856:               Instruct users to invoke the
 3857:               program when necessary, in order to prevent passersby from abusing their login: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3858:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ vlock <xhtml:br/></xhtml:code>
 3859:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3860:               Run without options, vlock locks only the current virtual console; the -a option locks all consoles and prevents switching to another virtual console, where an unlocked session might otherwise remain reachable.</description>
 3861:             <Rule id="rule-2.3.5.6.2.a" selected="false" weight="10.000000" severity="medium">
 3862:               <title xml:lang="en">Configure console screen locking</title>
 3863:               <description xml:lang="en">The vlock package should be installed</description>
 3864:               <ident system="http://cce.mitre.org">CCE-3910-7</ident>
 3865:               <fix>yum install vlock</fix>
 3866:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3867:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20101" href="scap-fedora14-oval.xml"/>
 3868:               </check>
 3869:             </Rule>
 3870:           </Group>
 3871:         </Group>
 3872:         <Group id="group-2.3.5.7" hidden="false">
 3873:           <title xml:lang="en">Disable Unnecessary Ports</title>
 3874:           <description xml:lang="en">
 3875:             Though unusual, some systems may be managed only remotely and yet
 3876:             also exposed to risk from attackers with direct physical access to them. In these cases,
 3877:             reduce an attacker’s access to the system by disabling unnecessary external ports (e.g.
 3878:             USB, FireWire, NIC) in the system’s BIOS.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3879:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3880:             Disable ports on the system which are not necessary for normal system operation. The exact
 3881:             steps will vary depending on your machine, but are likely to include:
 3882:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 3883:               <xhtml:li>Reboot the machine.</xhtml:li>
 3884:               <xhtml:li>Press the appropriate key during the initial boot screen (F2 is typical). </xhtml:li>
 3885:               <xhtml:li>Navigate the BIOS configuration menu to disable ports, such as USB, FireWire, and NIC.</xhtml:li>
 3886:             </xhtml:ol>
 3887:             Because these are firmware settings, they only reduce an attacker's access if the BIOS configuration itself is protected (for example by a BIOS password); otherwise an attacker with physical access can simply re-enable the ports.</description>
 3888:           <warning xml:lang="en">Disabling USB ports is particularly unusual and will cause problems
 3889:             for important input devices such as keyboards or mice attached to the system.</warning>
 3890:         </Group>
 3891:       </Group>
 3892:       <Group id="group-2.3.6" hidden="false">
 3893:         <title xml:lang="en">Use a Centralized Authentication Service</title>
 3894:         <description xml:lang="en">
 3895:           A centralized authentication service is any method of maintaining
 3896:           central control over account and authentication data and of keeping this data synchronized
 3897:           between machines. Such services can range in complexity from a script which pushes
 3898:           centrally-generated password files out to all machines, to a managed scheme such as LDAP
 3899:           or Kerberos. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3900:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3901:           If authentication information is not centrally managed, it quickly becomes
 3902:           inconsistent, leading to out-of-date credentials and forgotten accounts which should have
 3903:           been deleted. In addition, many older protocols (such as NFS) make use of the UID to
 3904:           identify users over a network. This is not a good practice, and these protocols should be
 3905:           avoided if possible. However, since most sites must still make use of some older
 3906:           protocols, having consistent UIDs and GIDs site-wide is a significant benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3907:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3908:           Centralized
 3909:           authentication services do have the disadvantage that authentication information must be
 3910:           transmitted over a network, leading to a risk that credentials may be intercepted or
 3911:           manipulated. Therefore, these services must be deployed carefully. The following
 3912:           precautions should be taken when configuring any authentication service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3913:           <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 3914:             <xhtml:li>Ensure that authentication information and any sensitive account information
 3915:               are never sent over the network unencrypted, and that clients verify the identity of the authentication server (for example, by checking its TLS certificate), so that credentials cannot be captured or manipulated by an impostor server.</xhtml:li>
 3916:             <xhtml:li>Ensure that the root account has a local password, to allow recovery in case
 3917:               of network outage or authentication server failure.</xhtml:li>
 3918:           </xhtml:ul>
 3919:            This guide recommends
 3920:           the use of LDAP. Secure configuration of OpenLDAP for clients and servers is described in
 3921:           Section 3.12. Kerberos is also a good choice for a centralized authentication service, but
 3922:           a description of its configuration is beyond the scope of this guide. The NIS service is
 3923:           not recommended, and should be considered obsolete. (See Section 3.2.4.)</description>
 3924:       </Group>
 3925:       <Group id="group-2.3.7" hidden="false">
 3926:         <title xml:lang="en">Warning Banners for System Accesses</title>
 3927:         <description xml:lang="en">
 3928:           Each system should expose as little information about itself as
 3929:           possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3930:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3931:           System banners, which are typically displayed just before a login prompt, give
 3932:           out information about the service or the host's operating system. This might include the
 3933:           distribution name and the system kernel version, and the particular version of a network
 3934:           service. This information can assist intruders in gaining access to the system as it can
 3935:           reveal whether the system is running vulnerable software. Most network services can be
 3936:           configured to limit what information is displayed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3937:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3938:           Many organizations implement security
 3939:           policies that require a system banner provide notice of the system's ownership, provide
 3940:           warning to unauthorized users, and remind authorized users of their consent to monitoring.</description>
 3941:         <Value id="var-2.3.7" operator="equals" type="string">
 3942:           <title xml:lang="en">login banner verbiage</title>
 3943:           <description xml:lang="en">Enter an appropriate login banner for your organization</description>
 3944:           <question xml:lang="en">Enter an appropriate login banner for your organization</question>
 3945:           <value/>
 3946:           <value selector="Empty_text"/>
 3947:         </Value>
 3948:         <Group id="group-2.3.7.1" hidden="false">
 3949:           <title xml:lang="en">Modify the System Login Banner</title>
 3950:           <description xml:lang="en">
 3951:             The contents of the file /etc/issue are displayed on the screen
 3952:             just above the login prompt for users logging directly into a terminal. Remote login
 3953:             programs such as SSH or FTP can be configured to display /etc/issue as well.
 3954:             Instructions for configuring each server daemon to show this file can be found in the
 3955:             relevant sections of Chapter 3. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3956:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3957:             By default, the system will display the version of the
 3958:             OS, the kernel version, and the host name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3959:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3960:             Edit /etc/issue. Replace the default text
 3961:             with a message compliant with the local site policy or a legal disclaimer.</description>
 3962:           <Rule id="rule-2.3.7.1.a" selected="false" weight="10.000000" severity="medium">
 3963:             <title xml:lang="en">Modify the System Login Banner</title>
 3964:             <description xml:lang="en">The system login banner text should be: "<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.7"/>"</description>
 3965:             <ident system="http://cce.mitre.org">CCE-4060-0</ident>
 3966:             <fixtext xml:lang="en">Replace the default text in /etc/issue with the value of var-2.3.7 (the site's login banner text)</fixtext>
 3967:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 3968:               <check-export export-name="oval:org.fedoraproject.f14:var:20102" value-id="var-2.3.7"/>
 3969:               <check-content-ref name="oval:org.fedoraproject.f14:def:20102" href="scap-fedora14-oval.xml"/>
 3970:             </check>
 3971:           </Rule>
 3972:         </Group>
 3973:         <Group id="group-2.3.7.2" hidden="false">
 3974:           <title xml:lang="en">Implement a GUI Warning Banner</title>
 3975:           <description xml:lang="en">
 3976:             In the default graphical environment, users logging directly
 3977:             into the system are greeted with a login screen provided by the GNOME display manager.
 3978:             The warning banner should be displayed in this graphical environment for these
 3979:             users.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3980:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3981:             The files for the default RHEL theme can be found in
 3982:             /usr/share/gdm/themes/RHEL. Add the following sample block of XML to
 3983:             /usr/share/gdm/themes/RHEL/RHEL.xml after the first two "pixmap"
 3984:             entries. (This guidance, and the check for rule-2.3.7.2.a, refer to the RHEL GDM theme; on a Fedora system confirm that the GDM version in use still reads theme XML files and that this path exists before relying on the rule.)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3985:             <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">
 3986:             &lt;item type="rect"&gt;
 3987:               &lt;pos anchor="n" x="50%" y="10" width="box" height="box"/&gt;
 3988:               &lt;box&gt;
 3989:                 &lt;item type="label"&gt;
 3990:                   &lt;normal font="Sans 14" color="#ffffff"/&gt;
 3991:                     &lt;text&gt;Insert the text of your warning banner here.&lt;/text&gt;
 3992:                 &lt;/item&gt;
 3993:               &lt;/box&gt;
 3994:             &lt;/item&gt;
 3995:             </xhtml:pre>
 3996:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 3997:             The
 3998:             full syntax that GDM theme files expect is documented elsewhere, but the above XML will
 3999:             create a text box centered at the top of the screen. The font, text color, and exact
 4000:             positioning can all be easily modified by editing the appropriate values. The latest
 4001:             current GDM theme manual can be found at
 4002:             http://www.gnome.org/projects/gdm/docs/thememanual.html.
 4003:           </description>
 4004:           <Rule id="rule-2.3.7.2.a" selected="false" weight="10.000000" severity="medium">
 4005:             <title xml:lang="en">Implement a GUI Warning Banner</title>
 4006:             <description xml:lang="en">The direct gnome login warning banner text should be: "<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.7"/>"</description>
 4007:             <ident system="http://cce.mitre.org">CCE-4188-9</ident>
 4008:             <fixtext xml:lang="en">(1) via RHEL.xml</fixtext>
 4009:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4010:               <check-export export-name="oval:org.fedoraproject.f14:var:20102" value-id="var-2.3.7"/>
 4011:               <check-content-ref name="oval:org.fedoraproject.f14:def:20103" href="scap-fedora14-oval.xml"/>
 4012:             </check>
 4013:           </Rule>
 4014:         </Group>
 4015:       </Group>
 4016:     </Group>
 4017:     <Group id="group-2.4" hidden="false">
 4018:       <title xml:lang="en">SELinux</title>
 4019:       <description xml:lang="en">
 4020:         SELinux is a feature of the Linux kernel which can be used to guard
 4021:         against misconfigured or compromised programs. SELinux enforces the idea that programs
 4022:         should be limited in what files they can access and what actions they can take. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4023:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4024:         The default
 4025:         SELinux policy, as configured on RHEL5, has been sufficiently developed and debugged that it
 4026:         should be usable on almost any Red Hat machine with minimal configuration and a small amount
 4027:         of system administrator training. This policy prevents system services — including most of
 4028:         the common network-visible services such as mail servers, ftp servers, and DNS servers —
 4029:         from accessing files which those services have no valid reason to access. This action alone
 4030:         prevents a huge amount of possible damage from network attacks against services, from
 4031:         trojaned software, and so forth. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4032:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4033:         This guide recommends that SELinux be enabled using the
 4034:         default (targeted) policy on every Red Hat system, unless that system has requirements which
 4035:         make a stronger policy appropriate.</description>
 4036:       <reference href="">Frank Mayer, K. M., and Caplan, D. SELinux by Example: Using Security Enhanced Linux</reference>
 4037:       <Group id="group-2.4.1" hidden="false">
 4038:         <title xml:lang="en">How SELinux Works</title>
 4039:         <description xml:lang="en">
 4040:           In the traditional Linux/Unix security model, known as
 4041:           Discretionary Access Control (DAC), processes run under a user and group identity, and
 4042:           enjoy that user and group's access rights to all files and other objects on the system.
 4043:           This system brings with it a number of security problems, most notably: that processes
 4044:           frequently do not need and should not have the full rights of the user who ran them; that
 4045:           user and group access rights are not very granular, and may require administrators to
 4046:           allow too much access in order to allow the access that is needed; that the Unix
 4047:           filesystem contains many resources (such as temporary directories and world-readable
 4048:           files) which are accessible to users who have no legitimate reason to access them; and
 4049:           that legitimate users can easily provide open access to their own resources through
 4050:           confusion or carelessness. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4051:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4052:           SELinux provides a Mandatory Access Control (MAC) system that
 4053:           greatly augments the DAC model. Under SELinux, every process and every object (e.g. file,
 4054:           socket, pipe) on the system is given a security context, a label which includes detailed
 4055:           type information about the object. The kernel allows processes to access objects only if
 4056:           that access is explicitly allowed by the policy in effect. The policy defines transitions,
 4057:           so that a user can be allowed to run software, but the software can run under a different
 4058:           context than the user's default. This automatically limits the damage that the software
 4059:           can do to files accessible by the calling user — the user does not need to take any action
 4060:           to gain this benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4061:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4062:           For an action to occur, both the traditional DAC permissions and SELinux's MAC rules must be
 4063:           satisfied. If either does not permit the action, then it will
 4064:           not be allowed. In this way, SELinux rules can only make a system's permissions more
 4065:           restrictive and secure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4066:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4067:           SELinux requires a complex policy in order to allow all the
 4068:           actions required of a system under normal operation. Three such policies have been
 4069:           designed for use with RHEL5, and are included with the system. In increasing order of
 4070:           power and complexity, they are: targeted, strict, and mls. The targeted SELinux policy
 4071:           consists mostly of Type Enforcement (TE) rules, and a small number of Role-Based Access
 4072:           Control (RBAC) rules. It restricts the actions of many types of programs, but leaves
 4073:           interactive users largely unaffected. The strict policy also uses TE and RBAC rules, but
 4074:           on more programs and more aggressively. The mls policy implements Multi-Level Security
 4075:           (MLS), which introduces even more kinds of labels — sensitivity and category — and rules
 4076:           that govern access based on these. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4077:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4078:           The remainder of this section provides guidance for the
 4079:           configuration of the targeted policy and the administration of systems under this policy.
 4080:           Some pointers will be provided for readers who are interested in further strengthening
 4081:           their systems by using one of the stricter policies provided with RHEL5 or in writing
 4082:           their own policy.</description>
 4083:       </Group>
 4084:       <Group id="group-2.4.2" hidden="false">
 4085:         <title xml:lang="en">Enable SELinux</title>
 4086:         <description xml:lang="en">
 4087:           Edit the file /etc/selinux/config. Add or correct the following
 4088:           lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4089:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4090:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUX=enforcing <xhtml:br/>
 4091:           SELINUXTYPE=targeted <xhtml:br/></xhtml:code>
 4092:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4093:           Edit the file /etc/grub.conf. Ensure that
 4094:           the following arguments DO NOT appear on any kernel command line in the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4095:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4096:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">selinux=0 <xhtml:br/>
 4097:           enforcing=0 <xhtml:br/></xhtml:code>
 4098:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4099:           The directive SELINUX=enforcing enables SELinux at boot time. If SELinux is
 4100:           causing a lot of problems or preventing the system from booting, it is possible to boot
 4101:           into the warning-only mode SELINUX=permissive for debugging purposes. Make certain to
 4102:           change the mode back to enforcing after debugging, set the filesystems to be relabelled
 4103:           for consistency using the command touch /.autorelabel, and reboot. Prefer permissive over SELINUX=disabled for debugging: files created while SELinux is fully disabled receive no security context, so a complete relabel is then mandatory before enforcing mode can work correctly. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4104:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4105:           However, the RHEL5
 4106:           default SELinux configuration should be sufficiently reasonable that most systems will
 4107:           boot without serious problems. Some applications that require deep or unusual system
 4108:           privileges, such as virtual machine software, may not be compatible with SELinux in its
 4109:           default configuration. However, this should be uncommon, and SELinux's application support
 4110:           continues to improve. In other cases, SELinux may reveal unusual or insecure program
 4111:           behavior by design. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4112:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4113:           The directive SELINUXTYPE=targeted configures SELinux to use the
 4114:           default targeted policy. See Section 2.4.6 if a stricter policy is appropriate for your
 4115:           site. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4116:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4117:           The SELinux boot mode specified in /etc/selinux/config can be overridden by
 4118:           command-line arguments passed to the kernel. It is necessary to check grub.conf to ensure
 4119:           that this has not been done and to protect the bootloader as described in Section 2.3.5.2.</description>
 4120:         <Value id="var-2.4.2.c" operator="equals" type="string">
 4121:           <title xml:lang="en">SELinux state</title>
 4122:           <description xml:lang="en">
 4123:             enforcing - SELinux security policy is enforced. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4124:             permissive - SELinux prints warnings instead of enforcing.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4125:             disabled - SELinux is fully disabled.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Only enforcing actually blocks policy violations; a hardened profile should not select permissive or disabled, since rule-2.4.2.c passes for whichever value is chosen here.
 4126:           </description>
 4127:           <question xml:lang="en">Set the SELinux state</question>
 4128:           <value>enforcing</value>
 4129:           <value selector="enforcing">enforcing</value>
 4130:           <value selector="permissive">permissive</value>
 4131:           <value selector="disabled">disabled</value>
 4132:           <match>enforcing|permissive|disabled</match>
 4133:           <choices mustMatch="true">
 4134:             <choice>enforcing</choice>
 4135:             <choice>permissive</choice>
 4136:             <choice>disabled</choice>
 4137:           </choices>
 4138:         </Value>
 4139:         <Value id="var-2.4.2.d" operator="equals" type="string">
 4140:           <title xml:lang="en">SELinux policy</title>
 4141:           <description xml:lang="en">
 4142:             Type of policy in use. Possible values are:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4143:             targeted - Only targeted network daemons are protected.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4144:             strict - Full SELinux protection.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4145:             mls - Multiple levels of security</description>
 4146:           <question xml:lang="en">Set the SELinux policy</question>
 4147:           <value>targeted</value>
 4148:           <value selector="targeted">targeted</value>
 4149:           <value selector="strict">strict</value>
 4150:           <value selector="mls">mls</value>
 4151:           <match>targeted|strict|mls</match>
 4152:           <choices mustMatch="true">
 4153:             <choice>targeted</choice>
 4154:             <choice>strict</choice>
 4155:             <choice>mls</choice>
 4156:           </choices>
 4157:         </Value>
 4158:         <Group id="group-2.4.2.1" hidden="false">
 4159:           <title xml:lang="en">Ensure SELinux is Properly Enabled</title>
 4160:           <description xml:lang="en">
 4161:             Run the command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4162:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4163:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ /usr/sbin/sestatus<xhtml:br/></xhtml:code>
 4164:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4165:             If the system is properly configured, the output should indicate:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4166:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 4167:               <xhtml:li>SELinux status: enabled</xhtml:li>
 4168:               <xhtml:li>Current mode: enforcing</xhtml:li>
 4169:               <xhtml:li>Mode from config file: enforcing</xhtml:li>
 4170:               <xhtml:li>Policy from config file: targeted</xhtml:li>
 4171:             </xhtml:ul></description>
 4172:           <Rule id="rule-2.4.2.1.a" selected="false" weight="10.000000" severity="medium">
 4173:             <title xml:lang="en">Ensure SELinux is Properly Enabled</title>
 4174:             <description xml:lang="en">Check output of /usr/sbin/sestatus</description>
 4175:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4176:               <check-content-ref name="oval:org.fedoraproject.f14:def:201035" href="scap-fedora14-oval.xml"/>
 4177:             </check>
 4178:           </Rule>
 4179:         </Group>
 4180:         <Rule id="rule-2.4.2.a" selected="false" weight="10.000000" severity="medium">
 4181:           <title xml:lang="en">Enable SELinux in /etc/grub.conf</title>
 4182:           <description xml:lang="en">SELinux should NOT be disabled in /etc/grub.conf. Check that selinux=0 is not present on any kernel command line: this boot parameter disables SELinux entirely, regardless of the SELINUX setting in /etc/selinux/config.</description>
 4183:           <ident system="http://cce.mitre.org">CCE-3977-6</ident>
 4184:           <fixtext xml:lang="en">Remove offending line from /etc/grub.conf</fixtext>
 4185:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4186:             <check-content-ref name="oval:org.fedoraproject.f14:def:20104" href="scap-fedora14-oval.xml"/>
 4187:           </check>
 4188:         </Rule>
 4189:         <Rule id="rule-2.4.2.b" selected="false" weight="10.000000" severity="medium">
 4190:           <title xml:lang="en">Enable SELinux enforcement in /etc/grub.conf</title>
 4191:           <description xml:lang="en">SELinux enforcement should NOT be disabled in /etc/grub.conf. Check that enforcing=0 is not present on any kernel command line: this boot parameter forces permissive mode at boot, overriding SELINUX=enforcing in /etc/selinux/config.</description>
 4192:           <fixtext xml:lang="en">Remove offending line from /etc/grub.conf</fixtext>
 4193:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4194:             <check-content-ref name="oval:org.fedoraproject.f14:def:20105" href="scap-fedora14-oval.xml"/>
 4195:           </check>
 4196:         </Rule>
 4197:         <Rule id="rule-2.4.2.c" selected="false" weight="10.000000" severity="medium">
 4198:           <title xml:lang="en">Set the SELinux state</title>
 4199:           <description xml:lang="en">The SELinux state should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.4.2.c"/></description>
 4200:           <fixtext xml:lang="en">Edit /etc/selinux/config</fixtext>
 4201:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4202:             <check-export export-name="oval:org.fedoraproject.f14:var:20106" value-id="var-2.4.2.c"/>
 4203:             <check-content-ref name="oval:org.fedoraproject.f14:def:20106" href="scap-fedora14-oval.xml"/>
 4204:           </check>
 4205:         </Rule>
 4206:         <Rule id="rule-2.4.2.d" selected="false" weight="10.000000" severity="medium">
 4207:           <title xml:lang="en">Set the SELinux policy</title>
 4208:           <description xml:lang="en">The SELinux policy should be set appropriately.</description>
 4209:           <ident system="http://cce.mitre.org">CCE-3624-4</ident>
 4210:           <fixtext xml:lang="en">Edit /etc/selinux/config</fixtext>
 4211:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4212:             <check-export export-name="oval:org.fedoraproject.f14:var:20107" value-id="var-2.4.2.d"/>
 4213:             <check-content-ref name="oval:org.fedoraproject.f14:def:20107" href="scap-fedora14-oval.xml"/>
 4214:           </check>
 4215:         </Rule>
 4216:       </Group>
 4217:       <Group id="group-2.4.3" hidden="false">
 4218:         <title xml:lang="en">Disable Unnecessary SELinux Daemons</title>
 4219:         <description xml:lang="en">
 4220:           Several daemons are installed by default as part of the RHEL5
 4221:           SELinux support mechanism. These daemons may improve the system's ability to enforce
 4222:           SELinux policy in a useful fashion, but may also represent unnecessary code running on the
 4223:           machine, increasing system risk. If these daemons are not needed on your system, they
 4224:           should be disabled.</description>
 4225:         <Group id="group-2.4.3.1" hidden="false">
 4226:           <title xml:lang="en">Disable and Remove SETroubleshoot if Possible</title>
 4227:           <description xml:lang="en">
 4228:             Is there a mission-critical reason to allow users to view
 4229:             SELinux denial information using the sealert GUI? If not, disable the service and remove
 4230:             the RPM: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4231:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4232:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig setroubleshoot off <xhtml:br/>
 4233:             # yum erase setroubleshoot <xhtml:br/></xhtml:code>
 4234:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4235:             The setroubleshoot
 4236:             service is a facility for notifying the desktop user of SELinux denials in a
 4237:             user-friendly fashion. SELinux errors may provide important information about intrusion
 4238:             attempts in progress, or may give information about SELinux configuration problems which
 4239:             are preventing correct system operation. In order to maintain a secure and usable
 4240:             SELinux installation, error logging and notification is necessary. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4241:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4242:             However,
 4243:             setroubleshoot is a service which has complex functionality, which runs a daemon and
 4244:             uses IPC to distribute information which may be sensitive, or even to allow users to
 4245:             modify SELinux settings, and which does not yet implement real authentication
 4246:             mechanisms. This guide recommends disabling setroubleshoot and using the kernel audit
 4247:             functionality to monitor SELinux's behavior. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4248:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4249:             In addition, since setroubleshoot
 4250:             automatically runs client-side code whenever a denial occurs, regardless of whether the
 4251:             setroubleshootd daemon is running, it is recommended that the program be removed
 4252:             entirely unless it is needed.</description>
 4253:           <Rule id="rule-2.4.3.1.a" selected="false" weight="10.000000">
 4254:             <title xml:lang="en">Remove SETroubleshoot if Possible</title>
 4255:             <description xml:lang="en">The setroubleshoot package should be uninstalled.</description>
 4256:             <ident system="http://cce.mitre.org">CCE-4148-3</ident>
 4257:             <fixtext xml:lang="en">(1) via yum: yum erase setroubleshoot</fixtext>
 4258:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4259:               <check-content-ref name="oval:org.fedoraproject.f14:def:20108" href="scap-fedora14-oval.xml"/>
 4260:             </check>
 4261:           </Rule>
 4262:           <Rule id="rule-2.4.3.1.b" selected="false" weight="10.000000" severity="low">
 4263:             <title xml:lang="en">Disable SETroubleshoot if Possible</title>
 4264:             <description xml:lang="en">The setroubleshoot service should be disabled.</description>
 4265:             <ident system="http://cce.mitre.org">CCE-4254-9</ident>
 4266:             <fixtext xml:lang="en">(1) via chkconfig: chkconfig setroubleshoot off</fixtext>
 4267:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4268:               <check-content-ref name="oval:org.fedoraproject.f14:def:20109" href="scap-fedora14-oval.xml"/>
 4269:             </check>
 4270:           </Rule>
 4271:         </Group>
 4272:         <Group id="group-2.4.3.2" hidden="false">
 4273:           <title xml:lang="en">Disable MCS Translation Service (mcstrans) if Possible</title>
 4274:           <description xml:lang="en">
 4275:             Unless there is some overriding need for the convenience of
 4276:             category label translation, disable the MCS translation service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4277:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4278:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mcstrans off <xhtml:br/></xhtml:code>
 4279:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4280:             The mcstransd daemon provides the category label translation information defined in
 4281:             /etc/selinux/targeted/setrans.conf to client processes which request this information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4282:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4283:             Category labelling is unlikely to be used except in sites with special requirements.
 4284:             Therefore, it should be disabled in order to reduce the amount of potentially vulnerable
 4285:             code running on the system. See Section 2.4.7.2 ("Use a Stronger Policy") for more information about systems which
 4286:             use category labelling.</description>
 4287:           <Rule id="rule-2.4.3.2.a" selected="false" weight="10.000000" severity="low">
 4288:             <title xml:lang="en">Disable MCS Translation Service (mcstrans) if Possible</title>
 4289:             <description xml:lang="en">The mcstrans service should be disabled.</description>
 4290:             <ident system="http://cce.mitre.org">CCE-3668-1</ident>
 4291:             <fixtext xml:lang="en">(1) via chkconfig: chkconfig mcstrans off</fixtext>
 4292:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4293:               <check-content-ref name="oval:org.fedoraproject.f14:def:20110" href="scap-fedora14-oval.xml"/>
 4294:             </check>
 4295:           </Rule>
 4296:         </Group>
 4297:         <Group id="group-2.4.3.3" hidden="false">
 4298:           <title xml:lang="en">Restorecon Service (restorecond)</title>
 4299:           <description xml:lang="en">
 4300:             The restorecond daemon monitors a list of files which are
 4301:             frequently created or modified on running systems, and whose SELinux contexts are not
 4302:             set correctly. It looks for creation events related to files listed in
 4303:             /etc/selinux/restorecond.conf, and sets the contexts of those files when they are discovered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4304:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4305:             The restorecond program is fairly simple, so it brings low risk, but, in its default
 4306:             configuration, does not add much value to a system. An automated program such as
 4307:             restorecond may be used to monitor problematic files for context problems, or system
 4308:             administrators may be trained to check file contexts of newly-created files using the
 4309:             command ls -lZ, and to repair contexts manually using the restorecon command. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4310:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4311:             This guide
 4312:             makes no recommendation either for or against the use of restorecond.</description>
 4313:           <Rule id="rule-2.4.3.3.a" selected="false" weight="10.000000" severity="low">
 4314:             <title xml:lang="en">Disable restorecon Service (restorecond)</title>
 4315:             <description xml:lang="en">The restorecond service should be disabled.</description>
 4316:             <ident system="http://cce.mitre.org">CCE-4129-3</ident>
 4317:             <fixtext xml:lang="en">(1) via chkconfig: chkconfig restorecond off</fixtext>
 4318:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4319:               <check-content-ref name="oval:org.fedoraproject.f14:def:20111" href="scap-fedora14-oval.xml"/>
 4320:             </check>
 4321:           </Rule>
 4322:         </Group>
 4323:       </Group>
 4324:       <Group id="group-2.4.4" hidden="false">
 4325:         <title xml:lang="en">Check for Unconfined Daemons</title>
 4326:         <description xml:lang="en">
 4327:           Daemons that SELinux policy does not know about will inherit the
 4328:           context of the parent process. Because daemons are launched during startup and descend
 4329:           from the init process, they inherit the initrc_t context. This is a problem because it may
 4330:           cause AVC denials, or it could allow privileges that the daemon does not require. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4331:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4332:           To check for unconfined daemons, run the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4333:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4334:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'<xhtml:br/></xhtml:code>
 4335:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4336:           It should produce no output in a well-configured system.</description>
 4337:       </Group>
 4338:       <Group id="group-2.4.5" hidden="false">
 4339:         <title xml:lang="en">Check for Unlabeled Device Files</title>
 4340:         <description xml:lang="en">
 4341:           Device files are used for communication with important system
 4342:           resources. SELinux contexts should exist for these. If a device file is not labeled, then
 4343:           misconfiguration is likely.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4344:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4345:           To check for unlabeled device files, run the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4346:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z /dev | grep unlabeled_t<xhtml:br/></xhtml:code>
 4347:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4348:           It should produce no output in a well-configured system.</description>
 4349:         <Rule id="rule-2.4.5.a" selected="false" weight="10.000000" severity="medium">
 4350:           <title xml:lang="en">Check for Unlabeled Device Files</title>
 4351:           <description xml:lang="en">Check for device files that are not labeled (context unlabeled_t).</description>
 4352:           <fixtext xml:lang="en">Relabel the affected device file with restorecon (e.g. restorecon -v FILE); if a correct context is not defined for it, add a file context specification with semanage and then run restorecon.</fixtext>
 4353:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4354:             <check-content-ref name="oval:org.fedoraproject.f14:def:201115" href="scap-fedora14-oval.xml"/>
 4355:           </check>
 4356:         </Rule>
 4357:       </Group>
 4358:       <Group id="group-2.4.6" hidden="false">
 4359:         <title xml:lang="en">Debugging SELinux Policy Errors</title>
 4360:         <description xml:lang="en">
 4361:           SELinux's default policies have improved significantly over time,
 4362:           and most systems should have few problems using the targeted SELinux policy. However,
 4363:           policy problems may still occasionally prevent accesses which should be allowed. This is
 4364:           especially true if your site runs any custom or heavily modified applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4365:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4366:           This section gives some brief guidance on discovering and repairing SELinux-related access
 4367:           problems. Guidance given here is necessarily incomplete, but should provide a starting
 4368:           point for debugging. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4369:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4370:           If you suspect that a permission error or other failure may be caused
 4371:           by SELinux (and are certain that misconfiguration of the traditional Unix permissions are
 4372:           not the cause of the problem), search the audit logs for AVC events: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4373:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4374:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch -m AVC,USER_AVC -sv no <xhtml:br/></xhtml:code>
 4375:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4376:           The output of this command will be a set of events. The timestamp,
 4377:           along with the comm and pid fields, should indicate which line describes the problem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4378:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4379:           Look
 4380:           up the context under which the process is running. Assuming the process ID is PID, find
 4381:           the context by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4382:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4383:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -p PID -Z <xhtml:br/></xhtml:code>
 4388:           Assuming the file is FILE, find its SELinux context: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4385:           The AVC denial message should identify the
 4386:           offending file or directory. The name field should contain the filename (not the full
 4387:           pathname by default), and the ino field can be used to search by inode, if necessary.
 4388:           Assuming the file is FILE , find its SELinux context: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4389:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4390:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z FILE <xhtml:br/></xhtml:code>
 4391:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4392:           An administrator should
 4393:           suspect an SELinux misconfiguration whenever a program gets a 'permission denied' error
 4394:           but the standard Unix permissions appear to be correct, or a program fails mysteriously on
 4395:           a task which seems to involve file access or network communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4396:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4397:           As described in
 4398:           Section 2.4.1, SELinux augments each process with a context providing detailed type
 4399:           information about that process. The contexts under which processes run may be referred to
 4400:           as subject contexts. Similarly, each filesystem object is given a context. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4401:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4402:           The targeted
 4403:           policy consists of a set of rules, each of which allows a subject type to perform some
 4404:           operation on a given object type. The kernel stores information about these access
 4405:           decisions in a structure known as an Access Vector Cache (AVC), so authorization
 4406:           decisions made by the system are audited with the type AVC. It is also possible for
 4407:           userspace modules to implement their own policies based on SELinux, and these decisions
 4408:           are audited with the type USER_AVC. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4409:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4410:           AVC denials are logged by the kernel audit facility
 4411:           (see Section 2.6.2 for configuration guidance on this subsystem) and may also be visible
 4412:           via setroubleshoot. This guide recommends the use of the audit userspace utilities to find
 4413:           AVC errors. It is possible to manually locate these errors by looking in the file
 4414:           /var/log/audit/audit.log or in /var/log/messages (depending on the syslog configuration in
 4415:           effect), but the ausearch tool allows finegrained searching on audit event types, which
 4416:           may be necessary if system call auditing is enabled as well. The command line above tells
 4417:           ausearch to look for kernel or userspace AVC messages (-m AVC,USER_AVC) where the access
 4418:           attempt did not succeed (-sv no). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4419:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4420:           If an AVC denial occurs when it should not have, the
 4421:           problem is generally one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4422:           <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 4423:             <xhtml:li>The program is running with the wrong subject
 4424:               context. This could happen as a result of an incorrect context on the program's executable
 4425:               file, which could happen if 3rd party software is installed and not given appropriate
 4426:               SELinux file contexts. </xhtml:li>
 4427:             <xhtml:li>The file has the wrong object context because the current file's
 4428:               context does not match the specification. This can occur when files are created or
 4429:               modified in certain ways. It is not atypical for configuration files to get the wrong
 4430:               contexts after a system configuration change performed by an administrator. To repair the
 4431:               file, use the command: <xhtml:br/>
 4432:               <xhtml:br/>
 4433:               <xhtml:code># restorecon -v FILE <xhtml:br/></xhtml:code>
 4434:               <xhtml:br/>
 4435:               This should produce output indicating that the
 4436:               file's context has been changed. The /usr/bin/chcon program can be used to manually change
 4437:               a file's context, but this is problematic because the change will not persist if it does
 4438:               not agree with the policy-defined contexts applied by restorecon.</xhtml:li>
 4439:             <xhtml:li>The file has the wrong
 4440:               object context because the specification is either incorrect or does not match the way the
 4441:               file is being used on this system. In this case, it will be necessary to change the system
 4442:               file contexts. <xhtml:br/>
 4443:               <xhtml:br/>
 4444:               Run the system-config-selinux tool, and go to the 'File Labeling' menu.
 4445:               This will give a list of files and wildcards corresponding to file labelling rules on the
 4446:               system. Add a rule which maps the file in question to the desired context. As an
 4447:               alternative, file contexts can be modified from the command line using the semanage(8)
 4448:               tool.</xhtml:li>
 4449:             <xhtml:li>The program and file have the correct contexts, but the policy should allow some
 4450:               operation between those two contexts which is currently not allowed. In this case, it will
 4451:               be necessary to modify the SELinux policy. <xhtml:br/>
 4452:               <xhtml:br/>
 4453:               Run the system-config-selinux tool, and go to
 4454:               the 'Boolean' menu. If your configuration is supported, but is not the Red Hat default,
 4455:               then there will be a boolean allowing real-time modification of the SELinux policy to fix
 4456:               the problem. Browse through the items in this menu, looking for one which is related to
 4457:               the service which is not working. As an alternative, SELinux booleans can be modified from
 4458:               the command line using the getsebool(8) and setsebool(8) tools. <xhtml:br/>
 4459:               <xhtml:br/>
 4460:               If there is no boolean, it
 4461:               will be necessary to create and load a policy module. A simple way to build a policy
 4462:               module is to use the audit2allow tool. This tool can take input in the format of AVC
 4463:               denial messages, and generate syntactically correct Type Enforcement rules which would be
 4464:               sufficient to prevent those denials. For example, to generate and display rules which
 4465:               would allow all kernel denials seen in the recent time window (-ts recent, i.e. the last ten minutes), run: <xhtml:br/>
 4466:               <xhtml:br/>
 4467:               <xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow <xhtml:br/></xhtml:code>
 4468:               <xhtml:br/>
 4469:               It is possible to use audit2allow to directly create a module
 4470:               package suitable for loading into the kernel policy. To do this, invoke audit2allow with
 4471:               the -M flag: <xhtml:br/>
 4472:               <xhtml:br/>
 4473:               <xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow -M localmodule <xhtml:br/></xhtml:code>
 4474:               <xhtml:br/>
 4475:               If this is
 4476:               successful, several lines of output should appear. Review the generated TE rules in the
 4477:               file localmodule.te and ensure that they express what you wish to allow. Do not load the module without this review: audit2allow permits every denial it is given, including denials that resulted from an intrusion attempt or from a mislabeled file, and loading such rules would permanently weaken the policy. <xhtml:br/>
 4478:               <xhtml:br/>
 4479:               The file
 4480:               localmodule.pp should also have been created. This file is a policy module package that
 4481:               can be loaded into the kernel. To do so, use system-config-selinux, go to the 'Policy
 4482:               Module' menu and use the 'Add' button to enable your module package in SELinux, or load it
 4483:               from the command line using semodule(8): <xhtml:br/>
 4484:               <xhtml:br/>
 4485:               <xhtml:code># semodule -i localmodule.pp <xhtml:br/></xhtml:code>
 4486:               <xhtml:br/>
 4487:               Section 45.2 of [9] covers this procedure in detail.</xhtml:li>
 4488:           </xhtml:ul></description>
 4489:       </Group>
 4490:       <Group id="group-2.4.7" hidden="false">
 4491:         <title xml:lang="en">Further Strengthening</title>
 4492:         <description xml:lang="en">
 4493:           The recommendations up to this point have discussed how to
 4494:           configure and maintain a system under the default configuration of the targeted policy,
 4495:           which constrains only the actions of daemons and system software. This guide strongly
 4496:           recommends that any site which is not currently using SELinux at all transition to the
 4497:           targeted policy, to gain the substantial security benefits provided by that policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4498:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4499:           However, the default policy provides only a subset of the full security gains available
 4500:           from using SELinux. In particular, the SELinux policy is also capable of constraining the
 4501:           actions of interactive users, of providing compartmented access by sensitivity level (MLS)
 4502:           and/or category (MCS), and of restricting certain types of system actions using booleans
 4503:           beyond the RHEL5 defaults. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4504:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4505:           This section introduces other uses of SELinux which may be
 4506:           possible, and provides links to some outside resources about their use. Detailed
 4507:           description of how to implement these steps is beyond the scope of this guide.</description>
 4508:         <Group id="group-2.4.7.1" hidden="false">
 4509:           <title xml:lang="en">Strengthen the Default SELinux Boolean Configuration</title>
 4510:           <description xml:lang="en">
 4511:             SELinux booleans are used to enable or disable segments of
 4512:             policy to comply with site policy. Booleans may apply to the entire system or to an
 4513:             individual daemon. For instance, the boolean allow_execstack, if enabled, allows
 4514:             programs to make part of their stack memory region executable. This would apply to all
 4515:             programs on the system. The boolean ftp_home_dir allows ftpd processes to access user
 4516:             home directories, and applies only to daemons which implement FTP. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4517:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4518:             The command <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4519:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4520:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ getsebool -a <xhtml:br/></xhtml:code>
 4521:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4522:             lists the values of all SELinux booleans on the system. Section 2.4.6 ("Debugging SELinux Policy Errors")
 4523:             discussed loosening boolean values in order to debug functionality problems which occur
 4524:             under more restrictive defaults. It is also useful to examine and strengthen the boolean
 4525:             settings, to disable functionality which is not required by legitimate programs on your
 4526:             system, but which might be symptomatic of an attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4527:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4528:             See the manpages booleans(8),
 4529:             getsebool(8), and setsebool(8) for general information about booleans. There are also
 4530:             manual pages for several subsystems which discuss the use of SELinux with those systems.
 4531:             Examples include ftpd_selinux(8), httpd_selinux(8), and nfs_selinux(8). Another good
 4532:             reference is the html documentation distributed with the selinux-policy RPM. This
 4533:             documentation is stored under <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4534:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4535:             /usr/share/doc/selinux-policy-VERSION/html/ (where VERSION is the installed selinux-policy package version) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4536:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4537:             The pages
 4538:             global_tunables.html and global_booleans.html may be useful when examining booleans.</description>
 4539:         </Group>
 4540:         <Group id="group-2.4.7.2" hidden="false">
 4541:           <title xml:lang="en">Use a Stronger Policy</title>
 4542:           <description xml:lang="en">
 4543:             Using a stronger policy can greatly enhance security, but will
 4544:             generally require customization to be compatible with the particular system's purpose,
 4545:             and this may be costly or time consuming. Under the targeted policy, interactive
 4546:             processes are given the type unconfined_t, so interactive users are not constrained by
 4547:             SELinux even if they attempt to take strange or malicious actions. The first alternative
 4548:             policy available with RHEL5's SELinux distribution, called strict, extends the
 4549:             protections offered by the default policy from daemons and system processes to all
 4550:             processes. To use the strict policy, first ensure that the policy module is installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4551:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4552:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-strict <xhtml:br/></xhtml:code>
 4553:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4554:             Then edit /etc/selinux/config and correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4555:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4556:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=strict <xhtml:br/></xhtml:code>
 4557:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4558:             The mls policy type can be used to enforce sensitivity or category
 4559:             labelling, and requires site-specific configuration of these labels in order to be
 4560:             useful. To use this policy, install the appropriate policy module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4561:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4562:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-mls <xhtml:br/></xhtml:code>
 4563:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4564:             Then edit /etc/selinux/config and correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4565:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4566:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=mls</xhtml:code></description>
 4567:           <warning xml:lang="en">
 4568:             Note: Switching between policies typically requires the entire disk to be relabelled, so
 4569:             that files get the appropriate SELinux contexts under the new policy. Boot with the
 4570:             additional grub command-line options <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4571:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4572:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">enforcing=0 single autorelabel </xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4573:             to relabel the disk in single-user mode, then reboot normally.</warning>
 4574:         </Group>
 4575:       </Group>
 4576:       <Group id="group-2.4.8" hidden="false">
 4577:         <title xml:lang="en">SELinux References</title>
 4578:         <description xml:lang="en">
 4579:           <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 4580:             <xhtml:li>NSA SELinux resources:<xhtml:br/>
 4581:               <xhtml:ul>
 4582:                 <xhtml:li>Web page: http://www.nsa.gov/selinux/</xhtml:li>
 4583:                 <xhtml:li>Mailing list: selinux@tycho.nsa.gov <xhtml:br/>
 4584:                   List information at: http://www.nsa.gov/selinux/info/list.cfm</xhtml:li>
 4585:               </xhtml:ul>
 4586:             </xhtml:li>
 4587:             <xhtml:li>Fedora SELinux resources:<xhtml:br/>
 4588:               <xhtml:ul>
 4589:                 <xhtml:li>FAQ: http://docs.fedoraproject.org/selinux-faq/</xhtml:li>
 4590:                 <xhtml:li>Wiki: http://fedoraproject.org/wiki/SELinux/</xhtml:li>
 4591:                 <xhtml:li>Mailing list: fedora-selinux-list@redhat.com <xhtml:br/>
 4592:                   List information at:
 4593:                   https://www.redhat.com/mailman/listinfo/fedora-selinux-list</xhtml:li>
 4594:               </xhtml:ul>
 4595:             </xhtml:li>
 4596:             <xhtml:li>Chapters 43–45 of Red Hat Enterprise Linux 5: Deployment Guide [9]</xhtml:li>
 4597:             <xhtml:li>The book SELinux by Example: Using Security Enhanced Linux [13]</xhtml:li>
 4598:           </xhtml:ul></description>
 4599:       </Group>
 4600:     </Group>
 4601:     <Group id="group-2.5" hidden="false">
 4602:       <title xml:lang="en">Network Configuration and Firewalls</title>
 4603:       <description xml:lang="en">
 4604:         Most machines must be connected to a network of some sort, and this
 4605:         brings with it the substantial risk of network attack. This section discusses the security
 4606:         impact of decisions about networking which must be made when configuring a system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4607:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4608:         This section also discusses firewalls, network access controls, and other network security
 4609:         frameworks, which allow system-level rules to be written that can limit attackers' ability
 4610:         to connect to your system. These rules can specify that network traffic should be allowed or
 4611:         denied from certain IP addresses, hosts, and networks. The rules can also specify which of
 4612:         the system's network services are available to particular hosts or networks.</description>
 4613:       <Group id="group-2.5.1" hidden="false">
 4614:         <title xml:lang="en">Kernel Parameters which Affect Networking</title>
 4615:         <description xml:lang="en">
 4616:           The sysctl utility is used to set a number of parameters which
 4617:           affect the operation of the Linux kernel. Several of these parameters are specific to
 4618:           networking, and the configuration options in this section are recommended.</description>
 4619:         <Group id="group-2.5.1.1" hidden="false">
 4620:           <title xml:lang="en">Network Parameters for Hosts Only</title>
 4621:           <description xml:lang="en">
 4622:             Is this system going to be used as a firewall or gateway to
 4623:             pass IP traffic between different networks? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4624:             If not, edit the file /etc/sysctl.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4625:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4626:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.ip_forward = 0 <xhtml:br/>
 4627:             net.ipv4.conf.all.send_redirects = 0 <xhtml:br/>
 4628:             net.ipv4.conf.default.send_redirects = 0 <xhtml:br/></xhtml:code>
 4629:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4630:             These settings disable hosts from
 4631:             performing network functionality which is only appropriate for routers.</description>
 4632:           <Rule id="rule-2.5.1.1.a" selected="false" weight="10.000000" severity="medium">
 4633:             <title xml:lang="en">Disable net.ipv4.conf.default.send_redirects for Hosts Only</title>
 4634:             <description xml:lang="en">The default setting for sending ICMP redirects should be disabled for network interfaces.</description>
 4635:             <ident system="http://cce.mitre.org">CCE-4151-7</ident>
 4636:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.send_redirects</fixtext>
 4637:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4638:               <check-content-ref name="oval:org.fedoraproject.f14:def:20112" href="scap-fedora14-oval.xml"/>
 4639:             </check>
 4640:           </Rule>
 4641:           <Rule id="rule-2.5.1.1.b" selected="false" weight="10.000000" severity="medium">
 4642:             <title xml:lang="en">Disable net.ipv4.conf.all.send_redirects for Hosts Only</title>
 4643:             <description xml:lang="en">Sending ICMP redirects should be disabled for all interfaces.</description>
 4644:             <ident system="http://cce.mitre.org">CCE-4155-8</ident>
 4645:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.send_redirects</fixtext>
 4646:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4647:               <check-content-ref name="oval:org.fedoraproject.f14:def:20113" href="scap-fedora14-oval.xml"/>
 4648:             </check>
 4649:           </Rule>
 4650:           <Rule id="rule-2.5.1.1.c" selected="false" weight="10.000000" severity="medium">
 4651:             <title xml:lang="en">Disable net.ipv4.ip_forward for Hosts Only</title>
 4652:             <description xml:lang="en">IP forwarding should be disabled.</description>
 4653:             <ident system="http://cce.mitre.org">CCE-3561-8</ident>
 4654:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.ip_forward</fixtext>
 4655:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4656:               <check-content-ref name="oval:org.fedoraproject.f14:def:20114" href="scap-fedora14-oval.xml"/>
 4657:             </check>
 4658:           </Rule>
 4659:         </Group>
 4660:         <Group id="group-2.5.1.2" hidden="false">
 4661:           <title xml:lang="en">Network Parameters for Hosts and Routers</title>
 4662:           <description xml:lang="en">
 4663:             Edit the file /etc/sysctl.conf and add or correct the following
 4664:             lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4665:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4666:             net.ipv4.conf.all.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4667:             net.ipv4.conf.all.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4668:             net.ipv4.conf.all.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4669:             net.ipv4.conf.all.log_martians = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4670:             net.ipv4.conf.default.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4671:             net.ipv4.conf.default.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4672:             net.ipv4.conf.default.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4673:             net.ipv4.icmp_echo_ignore_broadcasts = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4674:             net.ipv4.icmp_ignore_bogus_error_messages = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4675:             net.ipv4.tcp_syncookies = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4676:             net.ipv4.conf.all.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4677:             net.ipv4.conf.default.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4678:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4679:             These options
 4680:             improve Linux's ability to defend against certain types of IPv4 protocol attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4681:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4682:             The
 4683:             accept_source_route, accept_redirects, and secure_redirects options are turned off to
 4684:             disable IPv4 protocol features which are considered to have few legitimate uses and to
 4685:             be easy to abuse. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4686:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4687:             The net.ipv4.conf.all.log_martians option logs several types of
 4688:             suspicious packets, such as spoofed packets, source-routed packets, and redirects. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4689:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4690:             The icmp_echo_ignore_broadcasts and icmp_ignore_bogus_error_messages options protect against
 4691:             ICMP attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4692:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4693:             The tcp_syncookies option uses a cryptographic feature called SYN cookies
 4694:             to allow machines to continue to accept legitimate connections when faced with a SYN
 4695:             flood attack. See [12] for further information on this option. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4696:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4697:             The rp_filter option
 4698:             enables RFC-recommended source validation. It should not be used on machines which are
 4699:             routers for very complicated networks, but is helpful for end hosts and routers serving
 4700:             small networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4701:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4702:             For more information on any of these, see the kernel source
 4703:             documentation file /Documentation/networking/ip-sysctl.txt.</description>
 4704:           <Value id="var-2.5.1.2.a" operator="equals" type="boolean">
 4705:             <title xml:lang="en">Deactivating "source routed packets"</title>
 4706:             <description xml:lang="en">Attackers could be using source-routed packets to generate traffic that appears to originate inside the network but was actually created outside and redirected in.</description>
 4707:             <question xml:lang="en">Enable/Disable source routed packets</question>
 4708:             <value>0</value>
 4709:             <value selector="enabled">1</value>
 4710:             <value selector="disabled">0</value>
 4711:           </Value>
 4712:           <Value id="var-2.5.1.2.b" operator="equals" type="boolean">
 4713:             <title xml:lang="en">ICMP redirect messages</title>
 4714:             <description xml:lang="en">Disable ICMP Redirect Acceptance?</description>
 4715:             <question xml:lang="en">Enable/Disable ICMP redirect messages</question>
 4716:             <value>0</value>
 4717:             <value selector="enabled">1</value>
 4718:             <value selector="disabled">0</value>
 4719:           </Value>
 4720:           <Value id="var-2.5.1.2.c" operator="equals" type="boolean">
                 <!-- NOTE(review): the default <value> below is 1 (accept "secure" redirects), but the
                      group description above recommends net.ipv4.conf.all.secure_redirects = 0. Since the
                      default is what check-export hands to the OVAL variable when no profile refines it,
                      the check presumably passes on the less restrictive setting (confirm against the
                      OVAL definition). The same mismatch applies to var-2.5.1.2.d (log_martians: default 0,
                      recommended 1) and var-2.5.1.2.g (default.secure_redirects: default 1, recommended 0). -->
 4721:             <title xml:lang="en">net.ipv4.conf.all.secure_redirects</title>
 4722:             <description xml:lang="en">Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. </description>
 4723:             <question xml:lang="en">Enable/Disable IPv4 prevent hijacking of routing paths</question>
 4724:             <value>1</value>
 4725:             <value selector="enabled">1</value>
 4726:             <value selector="disabled">0</value>
 4727:           </Value>
 4728:           <Value id="var-2.5.1.2.d" operator="equals" type="boolean">
 4729:             <title xml:lang="en">net.ipv4.conf.all.log_martians</title>
 4730:             <description xml:lang="en">Enable to log spoofed packets, source-routed packets, and redirect packets; disable to suppress this logging.</description>
 4731:             <question xml:lang="en">Enable/Disable IPv4 logging Spoofed packets, source routed packets and redirect packets</question>
 4732:             <value>0</value>
 4733:             <value selector="enabled">1</value>
 4734:             <value selector="disabled">0</value>
 4735:           </Value>
 4736:           <Value id="var-2.5.1.2.e" operator="equals" type="boolean">
 4737:             <title xml:lang="en">net.ipv4.conf.default.accept_source_route</title>
 4738:             <description xml:lang="en">Disable IP source routing?</description>
 4739:             <question xml:lang="en">Enable/Disable IPv4 source routing</question>
 4740:             <value>0</value>
 4741:             <value selector="enabled">1</value>
 4742:             <value selector="disabled">0</value>
 4743:           </Value>
 4744:           <Value id="var-2.5.1.2.f" operator="equals" type="boolean">
 4745:             <title xml:lang="en">net.ipv4.conf.default.accept_redirects</title>
 4746:             <description xml:lang="en">Disable ICMP Redirect Acceptance?</description>
 4747:             <question xml:lang="en">Enable/Disable default IPv4 ICMP Redirect Acceptance</question>
 4748:             <value>0</value>
 4749:             <value selector="enabled">1</value>
 4750:             <value selector="disabled">0</value>
 4751:           </Value>
 4752:           <Value id="var-2.5.1.2.g" operator="equals" type="boolean">
 4753:             <title xml:lang="en">net.ipv4.conf.default.secure_redirects</title>
 4754:             <description xml:lang="en">The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list)?</description>
 4755:             <question xml:lang="en">Enable/Disable default IPv4 acceptance of "secure" ICMP redirects</question>
 4756:             <value>1</value>
 4757:             <value selector="enabled">1</value>
 4758:             <value selector="disabled">0</value>
 4759:           </Value>
 4760:           <Value id="var-2.5.1.2.h" operator="equals" type="boolean">
 4761:             <title xml:lang="en">net.ipv4.icmp_echo_ignore_broadcasts</title>
 4762:             <description xml:lang="en">Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast</description>
 4763:             <question xml:lang="en">Enable/Disable IPv4 ignoring ICMP ECHO and TIMESTAMP requests from broadcast/multicast</question>
 4764:             <value>1</value>
 4765:             <value selector="enabled">1</value>
 4766:             <value selector="disabled">0</value>
 4767:           </Value>
 4768:           <Value id="var-2.5.1.2.i" operator="equals" type="boolean">
 4769:             <title xml:lang="en">net.ipv4.icmp_ignore_bogus_error_messages</title>
 4770:             <description xml:lang="en">Enable to ignore bogus ICMP error responses (such as those to broadcasts), which protects against certain ICMP-based attacks</description>
 4771:             <value>1</value>
 4772:             <value selector="enabled">1</value>
 4773:             <value selector="disabled">0</value>
 4774:           </Value>
 4775:           <Value id="var-2.5.1.2.j" operator="equals" type="boolean">
 4776:             <title xml:lang="en">net.ipv4.tcp_syncookies</title>
 4777:             <description xml:lang="en">Enable to turn on TCP SYN Cookie Protection</description>
 4778:             <question xml:lang="en">Enable/Disable TCP SYN Cookie Protection</question>
 4779:             <value>1</value>
 4780:             <value selector="enabled">1</value>
 4781:             <value selector="disabled">0</value>
 4782:           </Value>
 4783:           <Value id="var-2.5.1.2.k" operator="equals" type="boolean">
 4784:             <title xml:lang="en">net.ipv4.conf.all.rp_filter</title>
 4785:             <description xml:lang="en">Enable to enforce reverse-path sanity checking (also called ingress or egress filtering): a packet is dropped if its source and destination IP addresses do not make sense when considered in light of the physical interface on which it arrived.</description>
 4786:             <question xml:lang="en">Enable/Disable all enforcing sanity checks</question>
 4787:             <value>1</value>
 4788:             <value selector="enabled">1</value>
 4789:             <value selector="disabled">0</value>
 4790:           </Value>
 4791:           <Value id="var-2.5.1.2.l" operator="equals" type="boolean">
 4792:             <title xml:lang="en">net.ipv4.conf.default.rp_filter</title>
 4793:             <description xml:lang="en">Enables source validation by reverse path</description>
 4794:             <question xml:lang="en">Enable/Disable default source route verification</question>
 4795:             <value>1</value>
 4796:             <value selector="enabled">1</value>
 4797:             <value selector="disabled">0</value>
 4798:           </Value>
 4799:           <Rule id="rule-2.5.1.2.a" selected="false" weight="10.000000" severity="medium">
 4800:             <title xml:lang="en">Set net.ipv4.conf.all.accept_source_route for Hosts and Routers</title>
 4801:             <description xml:lang="en">Accepting source routed packets should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.a"/> for all interfaces as appropriate.</description>
 4802:             <ident system="http://cce.mitre.org">CCE-4236-6</ident>
 4803:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.accept_source_route</fixtext>
 4804:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4805:               <check-export export-name="oval:org.fedoraproject.f14:var:20115" value-id="var-2.5.1.2.a"/>
 4806:               <check-content-ref name="oval:org.fedoraproject.f14:def:20115" href="scap-fedora14-oval.xml"/>
 4807:             </check>
 4808:           </Rule>
 4809:           <Rule id="rule-2.5.1.2.b" selected="false" weight="10.000000" severity="medium">
 4810:             <title xml:lang="en">Set net.ipv4.conf.all.accept_redirects for Hosts and Routers</title>
 4811:             <description xml:lang="en">Accepting ICMP redirects should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.b"/> for all interfaces as appropriate.</description>
 4812:             <ident system="http://cce.mitre.org">CCE-4217-6</ident>
 4813:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.accept_redirects</fixtext>
 4814:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4815:               <check-export export-name="oval:org.fedoraproject.f14:var:20116" value-id="var-2.5.1.2.b"/>
 4816:               <check-content-ref name="oval:org.fedoraproject.f14:def:20116" href="scap-fedora14-oval.xml"/>
 4817:             </check>
 4818:           </Rule>
 4819:           <Rule id="rule-2.5.1.2.c" selected="false" weight="10.000000" severity="medium">
 4820:             <title xml:lang="en">Set net.ipv4.conf.all.secure_redirects for Hosts and Routers</title>
 4821:             <description xml:lang="en">Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.c"/> for all interfaces as appropriate.</description>
 4822:             <ident system="http://cce.mitre.org">CCE-3472-8</ident>
 4823:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.secure_redirects</fixtext>
 4824:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4825:               <check-export export-name="oval:org.fedoraproject.f14:var:20117" value-id="var-2.5.1.2.c"/>
 4826:               <check-content-ref name="oval:org.fedoraproject.f14:def:20117" href="scap-fedora14-oval.xml"/>
 4827:             </check>
 4828:           </Rule>
 4829:           <Rule id="rule-2.5.1.2.d" selected="false" weight="10.000000" severity="medium">
 4830:             <title xml:lang="en">Set net.ipv4.conf.all.log_martians for Hosts and Routers</title>
 4831:             <description xml:lang="en">Logging of "martian" packets (those with impossible addresses) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.d"/> for all interfaces as appropriate.</description>
 4832:             <ident system="http://cce.mitre.org">CCE-4320-8</ident>
 4833:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.log_martians</fixtext>
 4834:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4835:               <check-export export-name="oval:org.fedoraproject.f14:var:20118" value-id="var-2.5.1.2.d"/>
 4836:               <check-content-ref name="oval:org.fedoraproject.f14:def:20118" href="scap-fedora14-oval.xml"/>
 4837:             </check>
 4838:           </Rule>
 4839:           <Rule id="rule-2.5.1.2.e" selected="false" weight="10.000000" severity="medium">
 4840:             <title xml:lang="en">Set net.ipv4.conf.default.accept_source_route for Hosts and Routers</title>
 4841:             <description xml:lang="en">The default setting for accepting source routed packets should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.e"/> for all interfaces as appropriate.</description>
 4842:             <ident system="http://cce.mitre.org">CCE-4091-5</ident>
 4843:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.accept_source_route</fixtext>
 4844:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4845:               <check-export export-name="oval:org.fedoraproject.f14:var:20119" value-id="var-2.5.1.2.e"/>
 4846:               <check-content-ref name="oval:org.fedoraproject.f14:def:20119" href="scap-fedora14-oval.xml"/>
 4847:             </check>
 4848:           </Rule>
 4849:           <Rule id="rule-2.5.1.2.f" selected="false" weight="10.000000" severity="medium">
 4850:             <title xml:lang="en">Set net.ipv4.conf.default.accept_redirects for Hosts and Routers</title>
 4851:             <description xml:lang="en">The default setting for accepting ICMP redirects should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.f"/> for all interfaces as appropriate.</description>
 4852:             <ident system="http://cce.mitre.org">CCE-4186-3</ident>
 4853:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.accept_redirects</fixtext>
 4854:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4855:               <check-export export-name="oval:org.fedoraproject.f14:var:20120" value-id="var-2.5.1.2.f"/>
 4856:               <check-content-ref name="oval:org.fedoraproject.f14:def:20120" href="scap-fedora14-oval.xml"/>
 4857:             </check>
 4858:           </Rule>
 4859:           <Rule id="rule-2.5.1.2.g" selected="false" weight="10.000000" severity="medium">
 4860:             <title xml:lang="en">Set net.ipv4.conf.default.secure_redirects for Hosts and Routers</title>
 4861:             <description xml:lang="en">The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.g"/> for all interfaces as appropriate.</description>
 4862:             <ident system="http://cce.mitre.org">CCE-3339-9</ident>
 4863:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.secure_redirects</fixtext>
 4864:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4865:               <check-export export-name="oval:org.fedoraproject.f14:var:20121" value-id="var-2.5.1.2.g"/>
 4866:               <check-content-ref name="oval:org.fedoraproject.f14:def:20121" href="scap-fedora14-oval.xml"/>
 4867:             </check>
 4868:           </Rule>
 4869:           <Rule id="rule-2.5.1.2.h" selected="false" weight="10.000000" severity="medium">
 4870:             <title xml:lang="en">Set net.ipv4.icmp_echo_ignore_broadcasts for Hosts and Routers</title>
 4871:             <description xml:lang="en">Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.h"/> for all interfaces as appropriate.</description>
 4872:             <ident system="http://cce.mitre.org">CCE-3644-2</ident>
 4873:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.icmp_echo_ignore_broadcasts</fixtext>
 4874:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4875:               <check-export export-name="oval:org.fedoraproject.f14:var:20122" value-id="var-2.5.1.2.h"/>
 4876:               <check-content-ref name="oval:org.fedoraproject.f14:def:20122" href="scap-fedora14-oval.xml"/>
 4877:             </check>
 4878:           </Rule>
 4879:           <Rule id="rule-2.5.1.2.i" selected="false" weight="10.000000" severity="medium">
 4880:             <title xml:lang="en">Set net.ipv4.icmp_ignore_bogus_error_messages for Hosts and Routers</title>
 4881:             <description xml:lang="en">Ignoring bogus ICMP responses to broadcasts should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.i"/> for all interfaces as appropriate.</description>
 4882:             <ident system="http://cce.mitre.org">CCE-4133-5</ident>
 4883:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.icmp_ignore_bogus_error_messages</fixtext>
 4884:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4885:               <check-export export-name="oval:org.fedoraproject.f14:var:20123" value-id="var-2.5.1.2.i"/>
 4886:               <check-content-ref name="oval:org.fedoraproject.f14:def:20123" href="scap-fedora14-oval.xml"/>
 4887:             </check>
 4888:           </Rule>
 4889:           <Rule id="rule-2.5.1.2.j" selected="false" weight="10.000000" severity="medium">
 4890:             <title xml:lang="en">Set net.ipv4.tcp_syncookies for Hosts and Routers</title>
 4891:             <description xml:lang="en">Sending TCP syncookies should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.j"/> for all interfaces as appropriate.</description>
 4892:             <ident system="http://cce.mitre.org">CCE-4265-5</ident>
 4893:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.tcp_syncookies</fixtext>
 4894:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4895:               <check-export export-name="oval:org.fedoraproject.f14:var:20124" value-id="var-2.5.1.2.j"/>
 4896:               <check-content-ref name="oval:org.fedoraproject.f14:def:20124" href="scap-fedora14-oval.xml"/>
 4897:             </check>
 4898:           </Rule>
 4899:           <Rule id="rule-2.5.1.2.k" selected="false" weight="10.000000" severity="medium">
 4900:             <title xml:lang="en">Set net.ipv4.conf.all.rp_filter for Hosts and Routers</title>
 4901:             <description xml:lang="en">Performing source validation by reverse path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.k"/> for all interfaces as appropriate.</description>
 4902:             <ident system="http://cce.mitre.org">CCE-4080-8</ident>
 4903:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.rp_filter</fixtext>
 4904:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4905:               <check-export export-name="oval:org.fedoraproject.f14:var:20125" value-id="var-2.5.1.2.k"/>
 4906:               <check-content-ref name="oval:org.fedoraproject.f14:def:20125" href="scap-fedora14-oval.xml"/>
 4907:             </check>
 4908:           </Rule>
 4909:           <Rule id="rule-2.5.1.2.l" selected="false" weight="10.000000" severity="medium">
 4910:             <title xml:lang="en">Set net.ipv4.conf.default.rp_filter for Hosts and Routers</title>
 4911:             <description xml:lang="en">The default setting for performing source validation by reverse path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.l"/> for all interfaces as appropriate.</description>
 4912:             <ident system="http://cce.mitre.org">CCE-3840-6</ident>
 4913:             <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.rp_filter</fixtext>
 4914:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4915:               <check-export export-name="oval:org.fedoraproject.f14:var:20126" value-id="var-2.5.1.2.l"/>
 4916:               <check-content-ref name="oval:org.fedoraproject.f14:def:20126" href="scap-fedora14-oval.xml"/>
 4917:             </check>
 4918:           </Rule>
 4919:         </Group>
 4920:       </Group>
 4921:       <Group id="group-2.5.2" hidden="false">
 4922:         <title xml:lang="en">Wireless Networking</title>
 4923:         <description xml:lang="en">
 4924:           Wireless networking (sometimes referred to as 802.11 or Wi-Fi)
 4925:           presents a serious security risk to sensitive or classified systems and networks. Wireless
 4926:           networking hardware is much more likely to be included in laptop or portable systems than
 4927:           desktops or servers. See Section 3.3.14 for information on Bluetooth wireless support.
 4928:           Bluetooth serves a different purpose and possesses a much shorter range, but it still
 4929:           presents serious security risks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4930:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4931:           Removal of hardware is the only way to absolutely ensure
 4932:           that the wireless capability remains disabled. If it is completely impractical to remove
 4933:           the wireless hardware, and site policy still allows the device to enter sensitive spaces,
 4934:           every effort to disable the capability via software should be made. In general,
 4935:           acquisition policy should include provisions to prevent the purchase of equipment that
 4936:           will be used in sensitive spaces and includes wireless capabilities.</description>
 4937:         <Group id="group-2.5.2.1" hidden="false">
 4938:           <title xml:lang="en">Remove Wireless Hardware if Possible</title>
 4939:           <description xml:lang="en">
 4940:             Identifying the wireless hardware is the first step in removing
 4941:             it. The system's hardware manual should contain information on its wireless
 4942:             capabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4943:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4944:             Wireless hardware included with a laptop typically takes the form of a
 4945:             mini-PCI card or PC card. Other forms include devices which plug into USB or Ethernet
 4946:             ports, but these should be readily apparent and easy to remove from the base system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4947:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4948:             A PC Card (originally called a PCMCIA card) is designed to be easy to remove, though it
 4949:             may be hidden when inserted into the system. Frequently, there will be one or more
 4950:             buttons near the card slot that, when pressed, eject the card from the system. If no
 4951:             card is ejected, the slot is empty. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4952:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4953:             A mini-PCI card is approximately credit-card sized
 4954:             and typically accessible via a removable panel on the underside of the laptop. Removing
 4955:             the panel may require simple tools. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4956:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4957:             In addition to manually inspecting the hardware, it
 4958:             is also possible to query the system for its installed hardware devices. The commands
 4959:             /sbin/lspci and /sbin/lsusb will show a list of all recognized devices on their
 4960:             respective buses, and this may indicate the presence of a wireless device.</description>
 4961:         </Group>
 4962:         <Group id="group-2.5.2.2" hidden="false">
 4963:           <title xml:lang="en">Disable Wireless Through Software Configuration</title>
 4964:           <description xml:lang="en">
 4965:             If it is impossible to remove the wireless hardware from the
 4966:             device in question, disable as much of it as possible through software. The following
 4967:             methods can disable software support for wireless networking, but note that these
 4968:             methods do not prevent malicious software or careless users from re-activating the
 4969:             devices.</description>
 4970:           <Group id="group-2.5.2.2.1" hidden="false">
 4971:             <title xml:lang="en">Disable Wireless in BIOS</title>
 4972:             <description xml:lang="en">
 4973:               Some laptops that include built-in wireless support offer the
 4974:               ability to disable the device through the BIOS. This is system-specific; consult your
 4975:               hardware manual or explore the BIOS setup during boot. A recent version of the kernel's
 4976:               ip-sysctl.txt documentation can be found online at
 4977:               http://lxr.linux.no/source/Documentation/networking/ip-sysctl.txt.</description>
 4978:             <Rule id="rule-2.5.2.2.1.a" selected="false" weight="10.000000" severity="medium">
 4979:               <title xml:lang="en">Disable Wireless in BIOS</title>
 4980:               <description xml:lang="en">All wireless devices should be disabled in the BIOS.</description>
 4981:               <ident system="http://cce.mitre.org">CCE-3628-5</ident>
 4982:               <fixtext xml:lang="en">(1) via BIOS menus</fixtext>
 4983:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 4984:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20127" href="scap-fedora14-oval.xml"/>
 4985:               </check>
 4986:             </Rule>
 4987:           </Group>
 4988:           <Group id="group-2.5.2.2.2" hidden="false">
 4989:             <title xml:lang="en">Deactivate Wireless Interfaces</title>
 4990:             <description xml:lang="en">
 4991:               Deactivating the wireless interfaces should prevent normal
 4992:               usage of the wireless capability. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4993:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4994:               First, identify the interfaces available with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4995:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4996:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ifconfig -a <xhtml:br/></xhtml:code>
 4997:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 4998:               Additionally, the following command may also be used to
 4999:               determine whether wireless support ('extensions') is included for a particular
 5000:               interface, though this may not always be a clear indicator: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5001:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5002:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iwconfig <xhtml:br/></xhtml:code>
 5003:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5004:               After
 5005:               identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, or
 5006:               eth0), deactivate the interface with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5007:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5008:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ifdown interface <xhtml:br/></xhtml:code>
 5009:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5010:               These changes
 5011:               will only last until the next reboot. To disable the interface for future boots,
 5012:               remove the appropriate interface file from /etc/sysconfig/network-scripts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5013:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5014:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-interface</xhtml:code></description>
 5015:             <Rule id="rule-2.5.2.2.2.a" selected="false" weight="10.000000" severity="medium">
 5016:               <title xml:lang="en">Deactivate Wireless Interfaces</title>
 5017:               <description xml:lang="en">All wireless interfaces should be disabled.</description>
 5018:               <ident system="http://cce.mitre.org">CCE-4276-2</ident>
 5019:               <fixtext xml:lang="en">rm /etc/sysconfig/network-scripts/ifcfg-interface</fixtext>
 5020:               <fixtext xml:lang="en">ifdown interface</fixtext>
 5021:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5022:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20128" href="scap-fedora14-oval.xml"/>
 5023:               </check>
 5024:             </Rule>
 5025:           </Group>
 5026:           <Group id="group-2.5.2.2.3" hidden="false">
 5027:             <title xml:lang="en">Disable Wireless Drivers</title>
 5028:             <description xml:lang="en">
 5029:               Removing the kernel drivers that provide support for wireless
 5030:               Ethernet devices will prevent users from easily activating the devices. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5031:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5032:               To remove the wireless drivers from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5033:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5034:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm -r /lib/modules/kernelversion(s)/kernel/drivers/net/wireless <xhtml:br/></xhtml:code>
 5035:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5036:               This command must also be repeated every time the kernel is upgraded.</description>
 5037:             <Rule id="rule-2.5.2.2.3.a" selected="false" weight="10.000000" severity="medium">
 5038:               <title xml:lang="en">Disable Wireless Drivers</title>
 5039:               <description xml:lang="en">Device drivers for wireless devices should be excluded from the kernel.</description>
 5040:               <ident system="http://cce.mitre.org">CCE-4170-7</ident>
 5041:               <fixtext xml:lang="en">(1) via modprobe</fixtext>
 5042:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5043:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20129" href="scap-fedora14-oval.xml"/>
 5044:               </check>
 5045:             </Rule>
 5046:           </Group>
 5047:         </Group>
 5048:       </Group>
 5049:       <Group id="group-2.5.3" hidden="false">
 5050:         <title xml:lang="en">IPv6</title>
 5051:         <description xml:lang="en">
 5052:           The system includes support for Internet Protocol version 6. A
 5053:           major and often-mentioned improvement over IPv4 is its enormous increase in the number of
 5054:           available addresses. Another important feature is its support for automatic configuration
 5055:           of many network settings.</description>
 5056:         <Group id="group-2.5.3.1" hidden="false">
 5057:           <title xml:lang="en">Disable Support for IPv6 unless Needed</title>
 5058:           <description xml:lang="en">
 5059:             Because the IPv6 networking code is relatively new and complex,
 5060:             it is particularly important that it be disabled unless needed. Despite configuration
 5061:             that suggests support for IPv6 has been disabled, link-local IPv6 address
 5062:             autoconfiguration occurs even when only an IPv4 address is assigned. The only way to
 5063:             effectively prevent execution of the IPv6 networking stack is to prevent the kernel from
 5064:             loading the IPv6 kernel module.</description>
 5065:           <reference href="">MO3:S0-C1-1</reference>
 5066:           <Group id="group-2.5.3.1.1" hidden="false">
 5067:             <title xml:lang="en">Disable Automatic Loading of IPv6 Kernel Module</title>
 5068:             <description xml:lang="en">
 5069:               To prevent the IPv6 kernel module (ipv6) from being loaded,
 5070:               add the following line to /etc/modprobe.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5071:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5072:               install ipv6 /bin/true <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5073:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5074:               When the kernel requests the ipv6 module, this line will direct the system to run the
 5075:               program /bin/true instead.</description>
 5076:             <Rule id="rule-2.5.3.1.1.a" selected="false" weight="10.000000" severity="medium">
 5077:               <title xml:lang="en">Disable Automatic Loading of IPv6 Kernel Module</title>
 5078:               <description xml:lang="en">Automatic loading of the IPv6 kernel module should be disabled.</description>
 5079:               <reference href="">MO3:S0-C1-1 MO3:S0-C1-2</reference>
 5080:               <ident system="http://cce.mitre.org">CCE-3562-6</ident>
 5081:               <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
 5082:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5083:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20130" href="scap-fedora14-oval.xml"/>
 5084:               </check>
 5085:             </Rule>
 5086:           </Group>
 5087:           <Group id="group-2.5.3.1.2" hidden="false">
 5088:             <title xml:lang="en">Disable Interface Usage of IPv6</title>
 5089:             <description xml:lang="en">
 5090:               To prevent configuration of IPv6 for all interfaces, add or
 5091:               correct the following lines in /etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5092:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5093:               NETWORKING_IPV6=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5094:               IPV6INIT=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5095:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5096:               For each network interface IFACE, add or correct the following lines in
 5097:               /etc/sysconfig/network-scripts/ifcfg-IFACE as an additional prevention mechanism:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5098:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5099:               IPV6INIT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5100:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5101:               If it becomes necessary later to configure IPv6, only the interfaces
 5102:               requiring it should be enabled.</description>
 5103:             <Rule id="rule-2.5.3.1.2.a" selected="false" weight="10.000000" severity="medium">
 5104:               <title xml:lang="en">Disable NETWORKING_IPV6 in /etc/sysconfig/network</title>
 5105:               <description xml:lang="en">The default setting for IPv6 configuration should be disabled</description>
 5106:               <ident system="http://cce.mitre.org">CCE-3381-1</ident>
 5107:               <fixtext xml:lang="en">(1) via /etc/sysconfig/network</fixtext>
 5108:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5109:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20131" href="scap-fedora14-oval.xml"/>
 5110:               </check>
 5111:             </Rule>
 5112:             <Rule id="rule-2.5.3.1.2.b" selected="false" weight="10.000000" severity="medium">
 5113:               <title xml:lang="en">Disable IPV6INIT in /etc/sysconfig/network</title>
 5114:               <description xml:lang="en">Global IPv6 initialization should be disabled</description>
 5115:               <ident system="http://cce.mitre.org">CCE-3377-9</ident>
 5116:               <fixtext xml:lang="en">(1) via /etc/sysconfig/network</fixtext>
 5117:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5118:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20132" href="scap-fedora14-oval.xml"/>
 5119:               </check>
 5120:             </Rule>
 5121:             <Rule id="rule-2.5.3.1.2.c" selected="false" weight="10.000000" severity="medium">
 5122:               <title xml:lang="en">Disable IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-*</title>
 5123:               <description xml:lang="en">IPv6 configuration should be disabled for all interfaces.</description>
 5124:               <ident system="http://cce.mitre.org">CCE-4296-0</ident>
 5125:               <fixtext xml:lang="en">(1) via /etc/sysconfig/network-scripts/ifcfg-*</fixtext>
 5126:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5127:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20133" href="scap-fedora14-oval.xml"/>
 5128:               </check>
 5129:             </Rule>
 5130:           </Group>
 5131:         </Group>
 5132:         <Group id="group-2.5.3.2" hidden="false">
 5133:           <title xml:lang="en">Configure IPv6 Settings if Necessary</title>
 5134:           <description xml:lang="en">
 5135:             A major feature of IPv6 is the extent to which systems
 5136:             implementing it can automatically configure their networking devices using information
 5137:             from the network. From a security perspective, manually configuring important
 5138:             configuration information is always preferable to accepting it from the network in an
 5139:             unauthenticated fashion.</description>
 5140:           <Group id="group-2.5.3.2.1" hidden="false">
 5141:             <title xml:lang="en">Disable Automatic Configuration</title>
 5142:             <description xml:lang="en">
 5143:               Disable the system's acceptance of router advertisements and
 5144:               redirects by adding or correcting the following line in /etc/sysconfig/network (note
 5145:               that this does not disable sending router solicitations): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5146:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5147:               IPV6_AUTOCONF=no</description>
 5148:             <Value id="var-2.5.3.2.1.a" operator="equals" type="string">
 5149:               <title xml:lang="en">IPV6_AUTOCONF</title>
 5150:               <description xml:lang="en">Toggle global IPv6 autoconfiguration (only if global forwarding is disabled)</description>
 5151:               <question xml:lang="en">Enable/Disable global IPv6 autoconfiguration</question>
 5152:               <value>disabled</value>
 5153:               <value selector="enabled">enabled</value>
 5154:               <value selector="disabled">disabled</value>
 5155:               <match>enabled|disabled</match>
 5156:             </Value>
 5157:             <Value id="var-2.5.3.2.1.b" operator="equals" type="string">
 5158:               <title xml:lang="en">net.ipv6.conf.default.accept_ra</title>
 5159:               <description xml:lang="en">accept default router advertisements</description>
 5160:               <question xml:lang="en">Enable/Disable IPv6 accepting default router advertisements</question>
 5161:               <value>no</value>
 5162:               <value selector="enabled">yes</value>
 5163:               <value selector="disabled">no</value>
 5164:               <match>yes|no</match>
 5165:             </Value>
 5166:             <Value id="var-2.5.3.2.1.c" operator="equals" type="string">
 5167:               <title xml:lang="en">net.ipv6.conf.default.accept_redirects</title>
 5168:               <description xml:lang="en">Toggle ICMP Redirect Acceptance</description>
 5169:               <question xml:lang="en">Enable/Disable IPv6 default ICMP Redirect Acceptance</question>
 5170:               <value>disabled</value>
 5171:               <value selector="enabled">enabled</value>
 5172:               <value selector="disabled">disabled</value>
 5173:               <match>enabled|disabled</match>
 5174:             </Value>
 5175:             <Value id="var-2.5.3.2.1.d" operator="equals" type="string">
 5176:               <title xml:lang="en">net.ipv6.conf.all.accept_redirects</title>
 5177:               <description xml:lang="en">Toggle ICMP Redirect Acceptance</description>
 5178:               <question xml:lang="en">Enable/Disable all IPv6 ICMP Redirect Acceptance</question>
 5179:               <value>disabled</value>
 5180:               <value selector="enabled">enabled</value>
 5181:               <value selector="disabled">disabled</value>
 5182:               <match>enabled|disabled</match>
 5183:             </Value>
 5184:             <Rule id="rule-2.5.3.2.1.a" selected="false" weight="10.000000" severity="medium">
 5185:               <title xml:lang="en">Disable IPV6_AUTOCONF in /etc/sysconfig/network</title>
 5186:               <description xml:lang="en">Accepting IPv6 router advertisements should be disabled for all interfaces.</description>
 5187:               <ident system="http://cce.mitre.org">CCE-4269-7</ident>
 5188:               <fixtext xml:lang="en">(1) via /etc/sysconfig/network</fixtext>
 5189:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5190:                 <check-export export-name="oval:org.fedoraproject.f14:var:20134" value-id="var-2.5.3.2.1.a"/>
 5191:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20134" href="scap-fedora14-oval.xml"/>
 5192:               </check>
 5193:             </Rule>
 5194:             <Rule id="rule-2.5.3.2.1.b" selected="false" weight="10.000000" severity="medium">
 5195:               <title xml:lang="en">Disable accepting IPv6 router advertisements (net.ipv6.conf.default.accept_ra)</title>
 5196:               <description xml:lang="en">The default setting for accepting IPv6 router advertisements should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.1.b"/> for all interfaces.</description>
 5197:               <ident system="http://cce.mitre.org">CCE-4291-1</ident>
 5198:               <fixtext xml:lang="en">(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</fixtext>
 5199:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5200:                 <check-export export-name="oval:org.fedoraproject.f14:var:20135" value-id="var-2.5.3.2.1.b"/>
 5201:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20135" href="scap-fedora14-oval.xml"/>
 5202:               </check>
 5203:             </Rule>
 5204:             <Rule id="rule-2.5.3.2.1.c" selected="false" weight="10.000000" severity="medium">
 5205:               <title xml:lang="en">Disable accepting redirects from IPv6 routers (net.ipv6.conf.default.accept_redirects)</title>
 5206:               <description xml:lang="en">Accepting redirects from IPv6 routers should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.1.c"/> for all interfaces.</description>
 5207:               <ident system="http://cce.mitre.org">CCE-4313-3</ident>
 5208:               <fixtext xml:lang="en">(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</fixtext>
 5209:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5210:                 <check-export export-name="oval:org.fedoraproject.f14:var:20136" value-id="var-2.5.3.2.1.c"/>
 5211:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20136" href="scap-fedora14-oval.xml"/>
 5212:               </check>
 5213:             </Rule>
 5214:             <Rule id="rule-2.5.3.2.1.d" selected="false" weight="10.000000" severity="medium">
 5215:               <title xml:lang="en">Disable accepting redirects from IPv6 routers (net.ipv6.conf.all.accept_redirects)</title>
 5216:               <description xml:lang="en">The default setting for accepting redirects from IPv6 routers should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.1.d"/> for all interfaces.</description>
 5217:               <ident system="http://cce.mitre.org">CCE-4198-8</ident>
 5218:               <fixtext xml:lang="en">(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</fixtext>
 5219:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5220:                 <check-export export-name="oval:org.fedoraproject.f14:var:20137" value-id="var-2.5.3.2.1.d"/>
 5221:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20137" href="scap-fedora14-oval.xml"/>
 5222:               </check>
 5223:             </Rule>
 5224:           </Group>
 5225:           <Group id="group-2.5.3.2.2" hidden="false">
 5226:             <title xml:lang="en">Manually Assign Global IPv6 Address</title>
 5227:             <description xml:lang="en">
 5228:               To manually assign an IP address for an interface IFACE, edit
 5229:               the file /etc/sysconfig/network-scripts/ifcfg-IFACE. Add or correct the following
 5230:               line (substituting the correct IPv6 address): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5231:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5232:               IPV6ADDR=2001:0DB8::ABCD/64 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5233:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5234:               Manually
 5235:               assigning an IP address is preferable to accepting one from routers or from the
 5236:               network otherwise. The example address here is an IPv6 address reserved for
 5237:               documentation purposes, as defined by RFC3849.</description>
 5238:           </Group>
 5239:           <Group id="group-2.5.3.2.3" hidden="false">
 5240:             <title xml:lang="en">Use Privacy Extensions for Address if Necessary</title>
 5241:             <description xml:lang="en">
 5242:               To introduce randomness into the automatic generation of IPv6
 5243:               addresses, add or correct the following line in
 5244:               /etc/sysconfig/network-scripts/ifcfg-IFACE: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5245:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5246:               IPV6_PRIVACY=rfc3041<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5247:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5248:               Automatically-generated IPv6 addresses are based on the underlying hardware (e.g.
 5249:               Ethernet) address, and so it becomes possible to track a piece of hardware over its
 5250:               lifetime using its traffic. If it is important for a system's IP address to not
 5251:               trivially reveal its hardware address, this setting should be applied.</description>
 5252:             <Value id="var-2.5.3.2.3.a" operator="equals" type="string">
 5253:               <title xml:lang="en">IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-IFACE</title>
 5254:               <description xml:lang="en">Control IPv6 privacy.</description>
 5255:               <question xml:lang="en">Select control of IPv6 address creation privacy</question>
 5256:               <value>rfc3041</value>
 5257:               <value selector="disabled">disabled</value>
 5258:               <value selector="lightweight">lightweight</value>
 5259:               <value selector="rfc3041">rfc3041</value>
 5260:             </Value>
 5261:             <Rule id="rule-2.5.3.2.3.a" selected="false" weight="10.000000">
 5262:               <title xml:lang="en">Use Privacy Extensions for Address if Necessary</title>
 5263:               <description xml:lang="en">IPv6 privacy extensions should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.3.a"/> for all interfaces.</description>
 5264:               <ident system="http://cce.mitre.org">CCE-3842-2</ident>
 5265:               <fixtext xml:lang="en">(1) via IPV6_PRIVACY in
 5266:                 /etc/sysconfig/network-scripts/ifcfg-&lt;interface&gt;</fixtext>
 5267:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5268:                 <check-export export-name="oval:org.fedoraproject.f14:var:20138" value-id="var-2.5.3.2.3.a"/>
 5269:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20138" href="scap-fedora14-oval.xml"/>
 5270:               </check>
 5271:             </Rule>
 5272:           </Group>
 5273:           <Group id="group-2.5.3.2.4" hidden="false">
 5274:             <title xml:lang="en">Manually Assign IPv6 Router Address</title>
 5275:             <description xml:lang="en">
 5276:               Edit the file /etc/sysconfig/network-scripts/ifcfg-IFACE,
 5277:               and add or correct the following line (substituting your gateway IP as appropriate):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5278:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5279:               IPV6_DEFAULTGW=2001:0DB8::0001 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5280:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5281:               Router addresses should be manually set and not
 5282:               accepted via any autoconfiguration or router advertisement.</description>
 5283:           </Group>
 5284:           <Group id="group-2.5.3.2.5" hidden="false">
 5285:             <title xml:lang="en">Limit Network-Transmitted Configuration</title>
 5286:             <description xml:lang="en">
 5287:               Add the following lines to /etc/sysctl.conf to limit the
 5288:               configuration information requested from other systems, and accepted from the network:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5289:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5290:               net.ipv6.conf.default.router_solicitations = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5291:               net.ipv6.conf.default.accept_ra_rtr_pref = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5292:               net.ipv6.conf.default.accept_ra_pinfo = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5293:               net.ipv6.conf.default.accept_ra_defrtr = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5294:               net.ipv6.conf.default.autoconf = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5295:               net.ipv6.conf.default.dad_transmits = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5296:               net.ipv6.conf.default.max_addresses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5297:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5298:               The router solicitations setting determines how many router solicitations are sent
 5299:               when bringing up the interface. If addresses are statically assigned, there is no need
 5300:               to send any solicitations. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5301:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5302:               The accept_ra_pinfo setting controls whether the system will
 5303:               accept prefix info from the router. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5304:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5305:               The accept_ra_defrtr setting controls whether the
 5306:               system will accept Hop Limit settings from a router advertisement. Setting it to 0
 5307:               prevents a router from changing your default IPv6 Hop Limit for outgoing packets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5308:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5309:               The autoconf setting controls whether router advertisements can cause the system to
 5310:               assign a global unicast address to an interface. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5311:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5312:               The dad_transmits setting determines how
 5313:               many neighbor solicitations to send out per address (global and link-local) when
 5314:               bringing up an interface to ensure the desired address is unique on the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5315:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5316:               The max_addresses setting determines how many global unicast IPv6 addresses can be
 5317:               assigned to each interface. The default is 16, but it should be set to exactly the
 5318:               number of statically configured global addresses required.</description>
 5319:             <Value id="var-2.5.3.2.5.a" operator="equals" type="number">
 5320:               <title xml:lang="en">net.ipv6.conf.default.router_solicitations</title>
 5321:               <description xml:lang="en">
 5322:                 Setting determines how many router solicitations are
 5323:                 sent when bringing up the interface. If addresses are statically assigned, there
 5324:                 is no need to send any solicitation</description>
 5325:               <question xml:lang="en">Select how many router solicitations are sent when bringing up the interface</question>
 5326:               <value>0</value>
 5327:               <value selector="0">0</value>
 5328:               <value selector="1">1</value>
 5329:             </Value>
 5330:             <Value id="var-2.5.3.2.5.b" operator="equals" type="boolean">
 5331:               <title xml:lang="en">Accept Router Preference in Router Advertisements?</title>
 5332:               <description xml:lang="en">Setting controls whether the system will accept router preference from IPv6 router advertisements.</description>
 5333:               <question xml:lang="en">Enable/Disable IPv6 acceptance of router preference from router advertisements</question>
 5334:               <value>0</value>
 5335:               <value selector="enabled">1</value>
 5336:               <value selector="disabled">0</value>
 5337:             </Value>
 5338:             <Value id="var-2.5.3.2.5.c" operator="equals" type="boolean">
 5339:               <title xml:lang="en">net.ipv6.conf.default.accept_ra_pinfo</title>
 5340:               <description xml:lang="en">Setting controls whether the system will accept prefix info from the router</description>
 5341:               <question xml:lang="en">Enable/Disable IPv6 acceptance of router prefix info</question>
 5342:               <value>0</value>
 5343:               <value selector="enabled">1</value>
 5344:               <value selector="disabled">0</value>
 5345:             </Value>
 5346:             <Value id="var-2.5.3.2.5.d" operator="equals" type="boolean">
 5347:               <title xml:lang="en">net.ipv6.conf.default.accept_ra_defrtr</title>
 5348:               <description xml:lang="en">
 5349:                 Setting controls whether the system will accept a default router
 5350:                 from a router advertisement. Setting it to 0 prevents a router advertisement
 5351:                 from changing the system's default IPv6 router.</description>
 5352:               <question xml:lang="en">Enable/Disable IPv6 acceptance of a default router from router advertisement</question>
 5353:               <value>0</value>
 5354:               <value selector="enabled">1</value>
 5355:               <value selector="disabled">0</value>
 5356:             </Value>
 5357:             <Value id="var-2.5.3.2.5.e" operator="equals" type="boolean">
 5358:               <title xml:lang="en">net.ipv6.conf.default.autoconf</title>
 5359:               <description xml:lang="en">Setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.</description>
 5360:               <question xml:lang="en">Enable/Disable IPv6 acceptance of global unicast address from router advertisement</question>
 5361:               <value>0</value>
 5362:               <value selector="enabled">1</value>
 5363:               <value selector="disabled">0</value>
 5364:             </Value>
 5365:             <Value id="var-2.5.3.2.5.f" operator="equals" type="number">
 5366:               <title xml:lang="en">net.ipv6.conf.default.dad_transmits</title>
 5367:               <description xml:lang="en">
 5368:                 Setting determines how many neighbor solicitations to
 5369:                 send out per address (global and link-local) when bringing up an interface to
 5370:                 ensure the desired address is unique on the network</description>
 5371:               <question xml:lang="en">Select how many neighbor solicitations to send out per address to ensure uniqueness of the desired IPv6 address</question>
 5372:               <value>0</value>
 5373:               <value selector="0">0</value>
 5374:               <value selector="1">1</value>
 5375:             </Value>
 5376:             <Value id="var-2.5.3.2.5.g" operator="equals" type="number">
 5377:               <title xml:lang="en">net.ipv6.conf.default.max_addresses</title>
 5378:               <description xml:lang="en">
 5379:                 Setting determines how many global unicast IPv6 addresses can be
 5380:                 assigned to each interface. The default is 16, but it should be set to exactly
 5381:                 the number of statically configured global addresses required.</description>
 5382:               <question xml:lang="en">Select how many global unicast IPv6 addresses can be assigned to each interface</question>
 5383:               <value>16</value>
 5384:               <value selector="0">0</value>
 5385:               <value selector="1">1</value>
 5386:               <value selector="2">2</value>
 5387:               <value selector="4">4</value>
 5388:               <value selector="8">8</value>
 5389:               <value selector="16">16</value>
 5390:             </Value>
 5391:             <Rule id="rule-2.5.3.2.5.a" selected="false" weight="10.000000">
 5392:               <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.router_solicitations</title>
 5393:               <description xml:lang="en">The default number of IPv6 router solicitations for network interfaces to send should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.a"/></description>
 5394:               <ident system="http://cce.mitre.org">CCE-4159-0</ident>
 5395:               <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.router_solicitations</fixtext>
 5396:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5397:                 <check-export export-name="oval:org.fedoraproject.f14:var:20139" value-id="var-2.5.3.2.5.a"/>
 5398:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20139" href="scap-fedora14-oval.xml"/>
 5399:               </check>
 5400:             </Rule>
 5401:             <Rule id="rule-2.5.3.2.5.b" selected="false" weight="10.000000">
 5402:               <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_rtr_pref</title>
 5403:               <description xml:lang="en">The default setting for accepting router preference via IPv6 router advertisement should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.b"/> for interfaces.</description>
 5404:               <ident system="http://cce.mitre.org">CCE-4221-8</ident>
 5405:               <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref</fixtext>
 5406:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5407:                 <check-export export-name="oval:org.fedoraproject.f14:var:20140" value-id="var-2.5.3.2.5.b"/>
 5408:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20140" href="scap-fedora14-oval.xml"/>
 5409:               </check>
 5410:             </Rule>
 5411:             <Rule id="rule-2.5.3.2.5.c" selected="false" weight="10.000000">
 5412:               <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_pinfo</title>
 5413:               <description xml:lang="en">The default setting for accepting prefix information via IPv6 router advertisement should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.c"/> for interfaces.</description>
 5414:               <ident system="http://cce.mitre.org">CCE-4058-4</ident>
 5415:               <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.accept_ra_pinfo</fixtext>
 5416:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5417:                 <check-export export-name="oval:org.fedoraproject.f14:var:20141" value-id="var-2.5.3.2.5.c"/>
 5418:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20141" href="scap-fedora14-oval.xml"/>
 5419:               </check>
 5420:             </Rule>
 5421:             <Rule id="rule-2.5.3.2.5.d" selected="false" weight="10.000000">
 5422:               <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_defrtr</title>
 5423:               <description xml:lang="en">The default setting for accepting a default router via IPv6 router advertisement should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.d"/> for interfaces.</description>
 5424:               <ident system="http://cce.mitre.org">CCE-4128-5</ident>
 5425:               <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.accept_ra_defrtr</fixtext>
 5426:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5427:                 <check-export export-name="oval:org.fedoraproject.f14:var:20142" value-id="var-2.5.3.2.5.d"/>
 5428:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20142" href="scap-fedora14-oval.xml"/>
 5429:               </check>
 5430:             </Rule>
 5431:             <Rule id="rule-2.5.3.2.5.e" selected="false" weight="10.000000">
 5432:               <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.autoconf</title>
 5433:               <description xml:lang="en">The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.e"/>.</description>
 5434:               <ident system="http://cce.mitre.org">CCE-4287-9</ident>
 5435:               <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.autoconf</fixtext>
 5436:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5437:                 <check-export export-name="oval:org.fedoraproject.f14:var:20143" value-id="var-2.5.3.2.5.e"/>
 5438:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20143" href="scap-fedora14-oval.xml"/>
 5439:               </check>
 5440:             </Rule>
 5441:             <Rule id="rule-2.5.3.2.5.f" selected="false" weight="10.000000">
 5442:               <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.dad_transmits</title>
 5443:               <description xml:lang="en">The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.f"/>.</description>
 5444:               <ident system="http://cce.mitre.org">CCE-3895-0</ident>
 5445:               <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.dad_transmits</fixtext>
 5446:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5447:                 <check-export export-name="oval:org.fedoraproject.f14:var:20144" value-id="var-2.5.3.2.5.f"/>
 5448:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20144" href="scap-fedora14-oval.xml"/>
 5449:               </check>
 5450:             </Rule>
 5451:             <Rule id="rule-2.5.3.2.5.g" selected="false" weight="10.000000">
 5452:               <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.max_addresses</title>
 5453:               <description xml:lang="en">The default number of global unicast IPv6 addresses allowed per network interface should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.g"/>.</description>
 5454:               <ident system="http://cce.mitre.org">CCE-4137-6</ident>
 5455:               <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.max_addresses</fixtext>
 5456:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5457:                 <check-export export-name="oval:org.fedoraproject.f14:var:20145" value-id="var-2.5.3.2.5.g"/>
 5458:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20145" href="scap-fedora14-oval.xml"/>
 5459:               </check>
 5460:             </Rule>
 5461:           </Group>
 5462:         </Group>
 5463:       </Group>
 5464:       <Group id="group-2.5.4" hidden="false">
 5465:         <title xml:lang="en">TCP Wrapper</title>
 5466:         <description xml:lang="en">
 5467:           TCP Wrapper is a library which provides simple access control and
 5468:           standardized logging for supported applications which accept connections over a network.
 5469:           Historically, TCP Wrapper was used to support inetd services. Now that inetd is deprecated
 5470:           (see Section 3.2.1), TCP Wrapper supports only services which were built to make use of
 5471:           the libwrap library. To determine whether a given executable daemon /path/to/daemon
 5472:           supports TCP Wrapper, check the documentation, or run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5473:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5474:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ldd /path/to/daemon | grep libwrap.so <xhtml:br/></xhtml:code>
 5475:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5476:           If this command returns any output, then the daemon probably supports TCP Wrapper. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5477:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5478:           An alternative to TCP Wrapper support is packet filtering using iptables. Note
 5479:           that iptables works at the network level, while TCP Wrapper works at the application
 5480:           level. This means that iptables filtering is more efficient and more resistant to flaws in
 5481:           the software being protected, but TCP Wrapper provides support for logging, banners, and
 5482:           other application-level tricks which iptables cannot provide.</description>
 5483:         <Group id="group-2.5.4.1" hidden="false">
 5484:           <title xml:lang="en">How TCP Wrapper Protects Services</title>
 5485:           <description xml:lang="en">
 5486:             TCP Wrapper provides access control for the system's network
 5487:             services using two configuration files. When a connection is attempted: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5488:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 5489:               <xhtml:li>The file
 5490:                 /etc/hosts.allow is searched for a rule matching the connection. If one is found, the
 5491:                 connection is allowed. </xhtml:li>
 5492:               <xhtml:li>Otherwise, the file /etc/hosts.deny is searched for a rule
 5493:                 matching the connection. If one is found, the connection is rejected. </xhtml:li>
 5494:               <xhtml:li>If no matching
 5495:                 rules are found in either file, then the connection is allowed. By default, TCP Wrapper
 5496:                 does not block access to any services. </xhtml:li>
 5497:             </xhtml:ol>
 5498:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5499:             In the simplest case, each rule in /etc/hosts.allow and /etc/hosts.deny takes the form: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5500:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5501:             daemon : client <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5502:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5503:             where daemon is the
 5504:             name of the server process for which the connection is destined, and client is the
 5505:             partial or full hostname or IP address of the client. It is valid for daemon and client
 5506:             to contain one item, a comma-separated list of items, or a special keyword like ALL,
 5507:             which matches any service or client. (See the hosts_access(5) manpage for a list of
 5508:             other keywords.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5509:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5510:             Note: Partial hostnames start at the root domain and are delimited by
 5511:             the . character. So the client machine host03.dev.example.com, with IP address 10.7.2.3,
 5512:             could be matched by any of the specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5513:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5514:             .example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5515:             .dev.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5516:             10.7.2.</description>
 5517:         </Group>
 5518:         <Group id="group-2.5.4.2" hidden="false">
 5519:           <title xml:lang="en">Reject All Connections From Other Hosts if Appropriate</title>
 5520:           <description xml:lang="en">
 5521:             Restrict all connections to non-public services to localhost
 5522:             only. Suppose pubsrv1 and pubsrv2 are the names of daemons which must be accessed
 5523:             remotely. Configure TCP Wrapper as follows. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5524:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5525:             Edit /etc/hosts.allow. Add the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5526:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5527:             pubsrv1, pubsrv2 : ALL<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5528:             ALL: localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5529:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5530:             Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5531:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5532:             ALL: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5533:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5534:             These rules deny connections to all TCP Wrapper enabled services from any
 5535:             host other than localhost, but allow connections from anywhere to the services which
 5536:             must be publicly accessible. (If no public services exist, the first line in
 5537:             /etc/hosts.allow may be omitted.)</description>
 5538:         </Group>
 5539:         <Group id="group-2.5.4.3" hidden="false">
 5540:           <title xml:lang="en">Allow Connections Only From Hosts in This Domain if Appropriate</title>
 5541:           <description xml:lang="en">
 5542:             For each daemon, domainsrv, which only needs to be contacted
 5543:             from inside the local domain, example.com, configure TCP Wrapper to deny remote
 5544:             connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5545:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5546:             Edit /etc/hosts.allow. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5547:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5548:             domainsrv : .example.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5549:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5550:             Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5551:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5552:             domainsrv : ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5553:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5554:             There are many possible
 5555:             examples of services which need to communicate only within the local domain. If a
 5556:             machine is a local compute server, it may be necessary for users to connect via SSH from
 5557:             their desktop workstations, but not from outside the domain. In that case, you should
 5558:             protect the daemon sshd using this method. As another example, RPC-based services such
 5559:             as NFS might be enabled within the domain only, in which case the daemon portmap should
 5560:             be protected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5561:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5562:           </description>
 5563:           <warning xml:lang="en">Note: This example protects only the service domainsrv. No filtering is
 5564:             done on other services unless a line is entered into /etc/hosts.deny which refers to
 5565:             those services by name, or which restricts the special service ALL.</warning>
 5566:         </Group>
 5567:         <Group id="group-2.5.4.4" hidden="false">
 5568:           <title xml:lang="en">Monitor Syslog for Relevant Connections and Failures</title>
 5569:           <description xml:lang="en">
 5570:             Ensure that the following line exists in /etc/syslog.conf.
 5571:             (This is the default, so it is likely to be correct if the configuration has not been
 5572:             modified): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5573:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5574:             authpriv.* /var/log/secure <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5575:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5576:             Configure logwatch or other log monitoring tools
 5577:             to periodically summarize failed connections reported by TCP Wrapper at the facility
 5578:             authpriv.info. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5579:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5580:             By default, TCP Wrapper audits all rejected connections at the facility
 5581:             authpriv, level info. In the log file, TCP Wrapper rejections will contain the
 5582:             substring: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5583:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5584:             daemon[pid]: refused connect from ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5585:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5586:             These lines can be used to detect
 5587:             malicious scans, and to debug failures resulting from an incorrect TCP Wrapper
 5588:             configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5589:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5590:             If appropriate, it is possible to change the syslog facility and level
 5591:             used by a given TCP Wrapper rule by adding the severity option to each desired
 5592:             configuration line in /etc/hosts.deny: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5593:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5594:             daemon : client : severity facility.level <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5595:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5596:             By default, successful connections are not logged by TCP Wrapper. See Section 2.6 for
 5597:             more information about system auditing.</description>
 5598:         </Group>
 5599:         <Group id="group-2.5.4.5" hidden="false">
 5600:           <title xml:lang="en">Further Resources</title>
 5601:           <description xml:lang="en">
 5602:             For more information about TCP Wrapper, see the tcpd(8) and
 5603:             hosts_access(5) manpages and the documentation directory
 5604:             /usr/share/doc/tcp_wrappers-version. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5605:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5606:             Some information may be available from the Tools section of the
 5607:             author's website, http://www.porcupine.org, and from the RHEL4 Reference Guide [6].</description>
 5608:         </Group>
 5609:       </Group>
 5610:       <Group id="group-2.5.5" hidden="false">
 5611:         <title xml:lang="en">Iptables and Ip6tables</title>
 5612:         <description xml:lang="en">
 5613:           A host-based firewall called Netfilter is included as part of the
 5614:           Linux kernel distributed with the system. It is activated by default. This firewall is
 5615:           controlled by the program iptables, and the entire capability is frequently referred to by
 5616:           this name. An analogous program called ip6tables handles filtering for IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5617:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5618:           Unlike TCP
 5619:           Wrapper, which depends on the network server program to support and respect the rules
 5620:           written, Netfilter filtering occurs at the kernel level, before a program can even process
 5621:           the data from the network packet. As such, any program on the system is affected by the
 5622:           rules written. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5623:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5624:           This section provides basic information about strengthening the iptables
 5625:           and ip6tables configurations included with the system. For more complete information that
 5626:           may allow the construction of a sophisticated ruleset tailored to your environment, please
 5627:           consult the references at the end of this section.</description>
 5628:         <Group id="group-2.5.5.1" hidden="false">
 5629:           <title xml:lang="en">Inspect and Activate Default Rules</title>
 5630:           <description xml:lang="en">
 5631:             View the currently-enforced iptables rules by running the
 5632:             command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5633:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5634:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers <xhtml:br/></xhtml:code>
 5635:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5636:             The command is analogous for the ip6tables program. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5637:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5638:             If the firewall does not appear to be active (i.e., no rules appear), activate
 5639:             it and ensure that it starts at boot by issuing the following commands (and analogously
 5640:             for ip6tables): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5641:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5642:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service iptables restart <xhtml:br/>
 5643:             # chkconfig iptables on <xhtml:br/></xhtml:code>
 5644:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5645:             The default iptables rules are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5646:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5647:             Chain INPUT (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5648:             num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5649:             1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5650:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5651:             Chain FORWARD (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5652:             num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5653:             1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5654:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5655:             Chain OUTPUT (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5656:             num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5657:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5658:             Chain RH-Firewall-1-INPUT (2 references) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5659:             num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5660:             1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5661:             2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5662:             3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5663:             4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5664:             5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5665:             6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5666:             7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5667:             8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5668:             9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5669:             10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5670:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5671:             The ip6tables default rules are similar, with
 5672:             its rules 2 and 10 reflecting protocol naming and addressing differences. Instead of
 5673:             rule 8, however, ip6tables includes two rules that accept all incoming udp and tcp
 5674:             packets with a particular destination port range. This is because the current Netfilter
 5675:             implementation for IPv6 lacks reliable connection-tracking functionality.</description>
 5676:           <Rule id="rule-2.5.5.1.a" selected="false" weight="10.000000" severity="high">
 5677:             <title xml:lang="en">Verify ip6tables is enabled</title>
 5678:             <description xml:lang="en">The ip6tables service should be enabled.</description>
 5679:             <ident system="http://cce.mitre.org">CCE-4167-3</ident>
 5680:             <fix>chkconfig ip6tables on</fix>
 5681:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5682:               <check-content-ref name="oval:org.fedoraproject.f14:def:20146" href="scap-fedora14-oval.xml"/>
 5683:             </check>
 5684:           </Rule>
 5685:           <Rule id="rule-2.5.5.1.b" selected="false" weight="10.000000" severity="high">
 5686:             <title xml:lang="en">Verify iptables is enabled</title>
 5687:             <description xml:lang="en">The iptables service should be enabled.</description>
 5688:             <ident system="http://cce.mitre.org">CCE-4189-7</ident>
 5689:             <fix>chkconfig iptables on</fix>
 5690:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5691:               <check-content-ref name="oval:org.fedoraproject.f14:def:20147" href="scap-fedora14-oval.xml"/>
 5692:             </check>
 5693:           </Rule>
 5694:         </Group>
 5695:         <Group id="group-2.5.5.2" hidden="false">
 5696:           <title xml:lang="en">Understand the Default Ruleset</title>
 5697:           <description xml:lang="en">
 5698:             Understanding and creating firewall rules can be a challenging
 5699:             activity, filled with corner cases and difficult-to-debug problems. Because of this,
 5700:             administrators should develop a thorough understanding of the default ruleset before
 5701:             carefully modifying it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5702:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5703:             The default ruleset is divided into four sections, each of which
 5704:             is called a chain: INPUT, FORWARD, OUTPUT, and RH-Firewall-1-INPUT. INPUT, OUTPUT, and
 5705:             FORWARD are built-in chains. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5706:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 5707:               <xhtml:li>The INPUT chain is activated on packets destined for
 5708:                 (i.e., addressed to) the system. </xhtml:li>
 5709:               <xhtml:li>The OUTPUT chain is activated on packets which are
 5710:                 originating from the system. </xhtml:li>
 5711:               <xhtml:li>The FORWARD chain is activated for packets that the
 5712:                 system will process and send through another interface, if so configured. </xhtml:li>
 5713:               <xhtml:li>The
 5714:                 RH-Firewall-1-INPUT chain is a custom (or user-defined) chain, which is used by the
 5715:                 INPUT and FORWARD chains. </xhtml:li>
 5716:             </xhtml:ul>
 5717:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5718:             A packet starts at the first rule in the appropriate chain and
 5719:             proceeds until it matches a rule. If a match occurs, then control will jump to the
 5720:             specified target. The default ruleset uses the built-in targets ACCEPT and REJECT, and
 5721:             also the user-defined target/chain RH-Firewall-1-INPUT. Jumping to the target ACCEPT
 5722:             means to allow the packet through, while REJECT means to drop the packet and send an
 5723:             error message to the sending host. A related target called DROP means to drop the packet
 5724:             on the floor without even sending an error message. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5725:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5726:             The default policy for all of the
 5727:             built-in chains (shown after their names in the rule output above) is set to ACCEPT.
 5728:             This means that if no rules in the chain match the packets, they are allowed through.
 5729:             Because no rules at all are written for the OUTPUT chain, this means that iptables does
 5730:             not stop any packets originating from the system. The INPUT and FORWARD chains jump to
 5731:             the user-defined target RH-Firewall-1-INPUT for all packets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5732:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5733:             RH-Firewall-1-INPUT tries
 5734:             to match, in order, the following rules for both iptables and ip6tables: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5735:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 5736:               <xhtml:li>Rule 1
 5737:                 appears to accept all packets. However, this appears true only because the rules are not
 5738:                 presented in verbose mode. Executing the command <xhtml:br/>
 5739:                 <xhtml:br/>
 5740:                 <xhtml:code># iptables -vnL --line-numbers <xhtml:br/></xhtml:code>
 5741:                 <xhtml:br/>
 5742:                 reveals
 5743:                 that this rule applies only to the loopback (lo) interface (see column in), while all
 5744:                 other rules apply to all interfaces. Thus, packets not coming from the loopback
 5745:                 interface do not match and proceed to the next rule. </xhtml:li>
 5746:               <xhtml:li>Rule 2 explicitly allows all icmp
 5747:                 packet types; iptables uses the code 255 to mean all icmp types. </xhtml:li>
 5748:               <xhtml:li>Rule 3 explicitly
 5749:                 allows all esp packets; these are packets which contain IPsec ESP headers.</xhtml:li>
 5750:               <xhtml:li>Rule 4
 5751:                 explicitly allows all ah packets; these are packets which contain an IPsec
 5752:                 authentication header SPI. </xhtml:li>
 5753:               <xhtml:li>Rule 5 allows inbound communication on udp port 5353
 5754:                 (mDNS), which the avahi daemon uses. </xhtml:li>
 5755:               <xhtml:li>Rules 6 and 7 allow inbound communication on
 5756:                 both tcp and udp port 631, which the cups daemon uses. </xhtml:li>
 5757:               <xhtml:li>Rule 8, in the iptables rules,
 5758:                 allows inbound packets that are part of a session initiated by the system. In ip6tables,
 5759:                 rules 8 and 9 allow any inbound packets with a destination port address between 32768
 5760:                 and 61000. </xhtml:li>
 5761:               <xhtml:li>Rule 9 (10, for ip6tables) allows inbound connections on tcp port 22, which
 5762:                 is the SSH protocol. </xhtml:li>
 5763:               <xhtml:li>Rule 10 (11, for ip6tables) rejects all other packets and sends
 5764:                 an error message to the sender. Because this is the last rule and matches any packet, it
 5765:                 effectively prevents any packet from reaching the chain's default ACCEPT target.
 5766:                 Preventing the acceptance of any packet that is not explicitly allowed is proper design
 5767:                 for a firewall.</xhtml:li>
 5768:             </xhtml:ul></description>
 5769:         </Group>
 5770:         <Group id="group-2.5.5.3" hidden="false">
 5771:           <title xml:lang="en">Strengthen the Default Ruleset</title>
 5772:           <description xml:lang="en">
 5773:             The default rules can be strengthened. The system scripts that
 5774:             activate the firewall rules expect them to be defined in the configuration files
 5775:             iptables and ip6tables in the directory /etc/sysconfig. Many of the lines in these files
 5776:             are similar to the command line arguments that would be provided to the programs
 5777:             /sbin/iptables or /sbin/ip6tables – but some are quite different. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5778:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5779:             The following recommendations describe how to strengthen the default
 5780:             ruleset configuration file. An alternative to editing this configuration file is to
 5781:             create a shell script that makes calls to the iptables program to load in rules, and
 5782:             then invokes service iptables save to write those loaded rules to
 5783:             /etc/sysconfig/iptables. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5784:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5785:             The following alterations can be made directly to
 5786:             /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to both unless
 5787:             otherwise noted. Language and address conventions for regular iptables are used
 5788:             throughout this section; configuration for ip6tables will be either analogous or
 5789:             explicitly covered.</description>
 5790:           <warning xml:lang="en">The program
 5791:             system-config-securitylevel allows additional services to penetrate the default firewall
 5792:             rules and automatically adjusts /etc/sysconfig/iptables. This program is only useful
 5793:             if the default ruleset meets your security requirements. Otherwise, this program should
 5794:             not be used to make changes to the firewall configuration because it re-writes the saved
 5795:             configuration file. </warning>
 5796:           <Group id="group-2.5.5.3.1" hidden="false">
 5797:             <title xml:lang="en">Change the Default Policies</title>
 5798:             <description xml:lang="en">
 5799:               Change the default policy to DROP (from ACCEPT) for the INPUT
 5800:               and FORWARD built-in chains: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5801:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5802:               *filter <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5803:               :INPUT DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5804:               :FORWARD DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5805:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5806:               Changing
 5807:               the default policy in this way implements proper design for a firewall, i.e. any
 5808:               packets which are not explicitly permitted should not be accepted.</description>
 5809:             <Rule id="rule-2.5.5.3.1.a" selected="false" weight="10.000000" severity="high">
 5810:               <title xml:lang="en">Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain</title>
 5811:               <description xml:lang="en">Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain.</description>
 5812:               <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 5813:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5814:                 <check-content-ref name="oval:org.fedoraproject.f14:def:201474" href="scap-fedora14-oval.xml"/>
 5815:               </check>
 5816:             </Rule>
 5817:             <Rule id="rule-2.5.5.3.1.b" selected="false" weight="10.000000" severity="high">
 5818:               <title xml:lang="en">Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain</title>
 5819:               <description xml:lang="en">Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain.</description>
 5820:               <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 5821:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 5822:                 <check-content-ref name="oval:org.fedoraproject.f14:def:201475" href="scap-fedora14-oval.xml"/>
 5823:               </check>
 5824:             </Rule>
 5825:           </Group>
 5826:           <Group id="group-2.5.5.3.2" hidden="false">
 5827:             <title xml:lang="en">Restrict ICMP Message Types</title>
 5828:             <description xml:lang="en">
 5829:               In /etc/sysconfig/iptables, the accepted ICMP message types
 5830:               can be restricted. To accept only ICMP echo reply, destination unreachable, and time
 5831:               exceeded messages, remove the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5832:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5833:               -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5834:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5835:               and insert the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5836:               -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5837:               -A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5838:               -A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5839:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5840:               To allow the system to respond to pings, also insert the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5841:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5842:               -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5843:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5844:               Ping responses can also be limited to certain
 5845:               networks or hosts by using the -s option in the previous rule. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5846:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5847:               Because IPv6 depends so
 5848:               heavily on ICMPv6, it is preferable to deny the ICMPv6 packets you know you don't need
 5849:               (e.g. ping requests) in /etc/sysconfig/ip6tables, while letting everything else
 5850:               through: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5851:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5852:               -A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type echo-request -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5853:               If you
 5854:               are going to statically configure the machine's address, it should ignore Router
 5855:               Advertisements which could add another IPv6 address to the interface or alter
 5856:               important network settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5857:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5858:               -A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5859:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5860:               Restricting other ICMPv6 message types in
 5861:               /etc/sysconfig/ip6tables is not recommended because the operation of IPv6 depends
 5862:               heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</description>
 5863:           </Group>
 5864:           <Group id="group-2.5.5.3.3" hidden="false">
 5865:             <title xml:lang="en">Remove IPsec Rules</title>
 5866:             <description xml:lang="en">
 5867:               If the system will not process IPsec traffic, then remove the
 5868:               following rules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5869:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5870:               -A RH-Firewall-1-INPUT -p 50 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5871:               -A RH-Firewall-1-INPUT -p 51 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/></description>
 5872:           </Group>
 5873:           <Group id="group-2.5.5.3.4" hidden="false">
 5874:             <title xml:lang="en">Log and Drop Packets with Suspicious Source Addresses</title>
 5875:             <description xml:lang="en">
 5876:               Packets with non-routable source addresses should be
 5877:               rejected, as they may indicate spoofing. Because the modified policy will reject
 5878:               non-matching packets, you only need to add these rules if you are interested in also
 5879:               logging these spoofing or suspicious attempts before they are dropped. If you do
 5880:               choose to log various suspicious traffic, add identical rules with a target of DROP
 5881:               after each LOG. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5882:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5883:               To log and then drop these IPv4 packets, insert the following rules in
 5884:               /etc/sysconfig/iptables (excepting any that are intentionally used): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5885:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5886:               -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5887:               -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5888:               -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5889:               -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5890:               -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5891:               -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5892:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5893:               Similarly, you might wish to log packets containing some IPv6
 5894:               reserved addresses if they are not expected on your network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5895:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5896:               -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5897:               -A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5898:               -A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5899:               -A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5900:               -A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5901:               -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5902:               -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5903:               -A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5904:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5905:               If you are not expecting to see site-local multicast or auto-tunneled traffic, you
 5906:               can log those: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5907:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5908:               -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5909:               -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5910:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5911:               If you wish to block multicasts to all
 5912:               link-local nodes (e.g. if you are not using router autoconfiguration and do not plan
 5913:               to have any services that multicast to the entire local network), you can block the
 5914:               link-local all-nodes multicast address (before accepting incoming ICMPv6): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5915:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5916:               -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5917:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5918:               However, if you're
 5919:               going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should
 5920:               then consider logging the non-routable IPv4-compatible addresses: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5921:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5922:               -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5923:               -A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5924:               -A INPUT -s ::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5925:               -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5926:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5927:               If you are not expecting to see any IPv4 (or IPv4-compatible) traffic
 5928:               on your network, consider logging it before it gets dropped: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5929:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5930:               -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5931:               -A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5932:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5933:               The following rule will log all traffic
 5934:               originating from a site-local address, which is deprecated address space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5935:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5936:               -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "</description>
 5937:           </Group>
 5938:           <Group id="group-2.5.5.3.5" hidden="false">
 5939:             <title xml:lang="en">Log and Drop All Other Packets</title>
 5940:             <description xml:lang="en">
 5941:               To log before dropping all packets that are not explicitly
 5942:               accepted by previous rules, change the final lines from <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5943:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5944:               -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5945:               COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5946:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5947:               to <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5948:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5949:               -A RH-Firewall-1-INPUT -j LOG <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5950:               -A RH-Firewall-1-INPUT -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5951:               COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5952:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5953:               The rule to log all dropped packets must be used
 5954:               with care. Chatty but otherwise non-malicious network protocols (e.g. NetBIOS) may
 5955:               result in voluminous logs; insertion of earlier rules to explicitly drop their packets
 5956:               without logging may be appropriate.</description>
 5957:           </Group>
 5958:         </Group>
 5959:         <Group id="group-2.5.5.4" hidden="false">
 5960:           <title xml:lang="en">Further Strengthening</title>
 5961:           <description xml:lang="en">
 5962:             Further strengthening, particularly as a result of
 5963:             customization to a particular environment, is possible for the iptables rules. Consider
 5964:             the following options, though their practicality depends on the network environment and
 5965:             usage scenario: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5966:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 5967:               <xhtml:li>Restrict outgoing traffic. As shown above, the OUTPUT chain's default
 5968:                 policy can be changed to DROP, and rules can be written to specifically allow only
 5969:                 certain types of outbound traffic. Such a policy could prevent casual usage of insecure
 5970:                 protocols such as ftp and telnet, or even disrupt spyware. However, it would still not
 5971:                 prevent a sophisticated user or program from using a proxy to circumvent the intended
 5972:                 effects, and many client programs even try to automatically tunnel through port 80 to
 5973:                 avoid such restrictions.</xhtml:li>
 5974:               <xhtml:li>SYN flood protection. SYN flood protection can be provided by
 5975:                 iptables, but might run into limiting issues for servers. For example, the iplimit match
 5976:                 can be used to limit simultaneous connections from a given host or class. Similarly, the
 5977:                 recent match allows the firewall to deny additional connections from any host within a
 5978:                 given period of time (e.g. more than 3 --state NEW connections on port 22 within a minute
 5979:                 to prevent dictionary login attacks). <xhtml:br/>
 5980:                 <xhtml:br/>
 5981:                 A more precise option for DoS protection is using
 5982:                 TCP SYN cookies. (See Section 2.5.1.2 for more information.)</xhtml:li>
 5983:             </xhtml:ul></description>
 5984:         </Group>
 5985:         <Group id="group-2.5.5.5" hidden="false">
 5986:           <title xml:lang="en">Further Resources</title>
 5987:           <description xml:lang="en">
 5988:             More complex, restrictive, and powerful rulesets can be
 5989:             created, but this requires careful customization that relies on knowledge of the
 5990:             particular environment. The following resources provide more detailed information: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 5991:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 5992:               <xhtml:li>The iptables(8) man page </xhtml:li>
 5993:               <xhtml:li>The Netfilter Project's documentation at http://www.netfilter.org</xhtml:li>
 5994:               <xhtml:li>The Red Hat Enterprise Linux Reference Guide</xhtml:li>
 5995:             </xhtml:ul></description>
 5996:         </Group>
 5997:       </Group>
 5998:       <Group id="group-2.5.6" hidden="false">
 5999:         <title xml:lang="en">Secure Sockets Layer Support</title>
 6000:         <description xml:lang="en">
 6001:           The Secure Sockets Layer (SSL) protocol provides encrypted and
 6002:           authenticated network communications, and many network services include support for it.
 6003:           Using SSL is recommended, especially to avoid any plaintext transmission of sensitive
 6004:           data, even over a local network. The SSL implementation included with the system is called
 6005:           OpenSSL. Recent implementations of SSL may also be referred to as Transport Layer Security
 6006:           (TLS). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6007:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6008:           SSL uses public key cryptography to provide authentication and encryption. Public
 6009:           key cryptography involves two keys, one called the public key and the other called the
 6010:           private key. These keys are mathematically related such that data encrypted with one key
 6011:           can only be decrypted by the other, and vice versa. As their names suggest, public keys
 6012:           can be distributed to anyone while a private key must remain known only to its owner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6013:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6014:           SSL uses certificates, which are files that hold cryptographic data: a public key, and a
 6015:           signature of that public key. In SSL authentication, a server presents a client with its
 6016:           certificate as a means of demonstrating that it is who it claims it is. If everything goes
 6017:           correctly, the client can verify the server's certificate by determining that the
 6018:           signature inside the certificate could only have been generated by a third party whom the
 6019:           client trusts. This third party is called a Certificate Authority (CA). Each client system
 6020:           should also have certificates from trusted CAs, and the client uses these CA certificates
 6021:           to verify the authenticity of the server's certificate. After authenticating a server
 6022:           using its certificate and a CA certificate, SSL provides encryption by using the server
 6023:           certificate to securely negotiate a shared secret key. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6024:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6025:           If your server must communicate
 6026:           using SSL with systems that might not be able to securely accept a new CA certificate
 6027:           prior to any SSL communication, then paying an established CA (whose certificates your
 6028:           clients already have) to sign your server certificates is recommended. The steps for doing
 6029:           this vary by vendor. Once the signed certificates have been obtained, configuration of the
 6030:           services is the same whether they were purchased from a vendor or signed by your own CA.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6031:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6032:           For setting up an internal network and encrypting local traffic, creating your own CA to
 6033:           sign SSL certificates can be appropriate. The major steps in this process are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6034:           <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6035:             <xhtml:li>Create a CA to sign certificates </xhtml:li>
 6036:             <xhtml:li>Create SSL certificates for servers using that CA</xhtml:li>
 6037:             <xhtml:li>Enable client support by distributing the CA's certificate</xhtml:li>
 6038:           </xhtml:ol></description>
 6039:         <Group id="group-2.5.6.1" hidden="false">
 6040:           <title xml:lang="en">Create a CA to Sign Certificates</title>
 6041:           <description xml:lang="en">
 6042:             The following instructions apply to OpenSSL since it is
 6043:             included with the system, but creating a CA is possible with any standards-compliant SSL
 6044:             toolkit. The security of certificates depends on the security of the CA that signed
 6045:             them, so performing these steps on a secure machine is critical. The system used as a CA
 6046:             should be physically secure and not connected to any network. It should receive any
 6047:             certificate signing requests (CSRs) via removable media and output certificates onto
 6048:             removable media. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6049:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6050:             The script /etc/pki/tls/misc/CA is included to assist in the process of
 6051:             setting up a CA. This script uses many settings in /etc/pki/tls/openssl.cnf. The
 6052:             settings in this file can be changed to suit your needs and allow easier selection of
 6053:             default settings, particularly in the [req distinguished name] section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6054:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6055:             To create the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6056:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6057:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/misc <xhtml:br/>
 6058:             # ./CA -newca <xhtml:br/></xhtml:code>
 6059:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6060:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6061:               <xhtml:li>When prompted, press enter to create a new CA key with the default name cakey.pem.</xhtml:li>
 6062:               <xhtml:li>When prompted, enter a strong passphrase that will protect the CA private key, then enter the same passphrase
 6063:                 again to verify it. This passphrase is required every time the CA signs a certificate, so it should be known only to the CA operators.</xhtml:li>
 6064:               <xhtml:li>At the prompts, fill out as much of the CA information as is relevant for your site. You must specify
 6065:                 a common name, or generation of the CA certificate will fail. </xhtml:li>
 6066:               <xhtml:li>Next, you will be prompted for the password, so that the script can re-open the private key in order
 6067:                 to write the certificate.</xhtml:li>
 6068:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6069:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6070:             This step performs the following actions:
 6071:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6072:               <xhtml:li>creates the directory
 6073:                 /etc/pki/CA (by default), which contains files necessary for the operation of a
 6074:                 certificate authority. These are:</xhtml:li>
 6075:               <xhtml:ul>
 6076:                 <xhtml:li>serial, which contains the current serial number for certificates signed by the CA</xhtml:li>
 6077:                 <xhtml:li>index.txt, which is a text database file that contains information about certificates signed</xhtml:li>
 6078:                 <xhtml:li>crl, which is a directory for holding revoked certificates</xhtml:li>
 6079:                 <xhtml:li>private, a directory which stores the CA's private key</xhtml:li>
 6080:               </xhtml:ul>
 6081:               <xhtml:li>creates a public-private key pair for the CA in the file /etc/pki/CA/private/cakey.pem. The
 6082:                 private key must be kept confidential: anyone who obtains it can issue certificates that every client trusting this CA will accept, so it should never leave the offline CA system.</xhtml:li>
 6083:               <xhtml:li>signs the public key (using the corresponding private key, in a process called self-signing) to create the CA
 6084:                 certificate, which is then stored in /etc/pki/CA/cacert.pem. </xhtml:li>
 6086:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6087:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6088:             When the CA later signs a server certificate using its private
 6089:             key, it means that it is vouching for the authenticity of that server. A client can then
 6090:             use the CA's certificate (which contains its public key) to verify the authenticity of
 6091:             the server certificate. To accomplish this, it is necessary to distribute the CA
 6092:             certificate to any clients as covered in Section 2.5.6.3.</description>
 6093:         </Group>
 6094:         <Group id="group-2.5.6.2" hidden="false">
 6095:           <title xml:lang="en">Create SSL Certificates for Servers</title>
 6096:           <description xml:lang="en">
 6097:             Creating an SSL certificate for a server involves the following steps: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6098:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6099:               <xhtml:li>A public-private key pair for the server must be generated.</xhtml:li>
 6100:               <xhtml:li>A certificate signing request (CSR) must be created from the key pair.</xhtml:li>
 6101:               <xhtml:li>The CSR must be signed by a
 6102:                 certificate authority (CA) to create the server certificate. If a CA has been set up as
 6103:                 described in Section 2.5.6.1, it can sign the CSR.</xhtml:li>
 6104:               <xhtml:li>The server certificate and keys must be installed on the server. </xhtml:li>
 6105:             </xhtml:ol>
 6106:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6107:             Instructions on how to generate and sign SSL certificates are provided for the following
 6108:             common services:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6109:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6110:               <xhtml:li>Mail server, in Section 3.11.4.6.</xhtml:li>
 6111:               <xhtml:li>Dovecot, in Section 3.17.2.2. </xhtml:li>
 6112:               <xhtml:li>Apache, in Section 3.16.4.1.</xhtml:li>
 6113:             </xhtml:ul></description>
 6114:         </Group>
 6115:         <Group id="group-2.5.6.3" hidden="false">
 6116:           <title xml:lang="en">Enable Client Support</title>
 6117:           <description xml:lang="en">
 6118:             The system ships with certificates from well-known commercial
 6119:             CAs. If your server certificates were signed by one of these established CAs, then this
 6120:             step is not necessary since the clients should include the CA certificate already. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6121:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6122:             If your servers use certificates signed by your own CA, some user applications will warn
 6123:             that the server's certificate cannot be verified because the CA is not recognized. Other
 6124:             applications may simply fail to accept the certificate and refuse to operate, or
 6125:             continue operating without ever having properly verified the server certificate. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6126:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6127:             To avoid this warning, and properly authenticate the servers, your CA certificate must be
 6128:             distributed to, and imported into, every application on every client system that will be connecting to an SSL-enabled server.
 6129:             Because an imported CA certificate can vouch for any server, distribute it over a trusted channel and have users verify its fingerprint before importing it; a CA certificate accepted from an untrusted source would let whoever supplied it impersonate any server.</description>
 6130:           <Group id="group-2.5.6.3.1" hidden="false">
 6131:             <title xml:lang="en">Adding a Trusted CA for Firefox</title>
 6132:             <description xml:lang="en">
 6133:               Firefox needs to have a certificate from the CA that signed
 6134:               the web server's certificate, so that it can authenticate the web server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6135:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6136:               To import a new CA certificate into Firefox 1.5:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6137:               <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6138:                 <xhtml:li>Launch Firefox and choose Preferences from the Edit menu. </xhtml:li>
 6139:                 <xhtml:li>Click the Advanced button.</xhtml:li>
 6140:                 <xhtml:li>Select the Security pane.</xhtml:li>
 6141:                 <xhtml:li>Click the View Certificates button.</xhtml:li>
 6142:                 <xhtml:li>Click the Authorities tab. </xhtml:li>
 6143:                 <xhtml:li>Click the Import button at the bottom of the screen.</xhtml:li>
 6144:                 <xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
 6145:               </xhtml:ol></description>
 6146:           </Group>
 6147:           <Group id="group-2.5.6.3.2" hidden="false">
 6148:             <title xml:lang="en">Adding a Trusted CA for Thunderbird</title>
 6149:             <description xml:lang="en">
 6150:               Thunderbird needs to have a certificate from the CA that
 6151:               signed the mail server's certificates, so that it can authenticate the mail server(s).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6152:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6153:               To import a new CA certificate into Thunderbird 2: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6154:               <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6155:                 <xhtml:li>Launch Thunderbird and choose Account Settings from the Edit menu.</xhtml:li>
 6156:                 <xhtml:li>Click the Advanced button.</xhtml:li>
 6157:                 <xhtml:li>Select the Certificates tab</xhtml:li>
 6158:                 <xhtml:li>Click the View Certificates button.</xhtml:li>
 6159:                 <xhtml:li>Select the Authorities tab.</xhtml:li>
 6160:                 <xhtml:li>Click the Import button at the bottom of the screen.</xhtml:li>
 6161:                 <xhtml:li>Navigate to the CA certificate and import it. Determine whether the CA should
 6162:                   be used to identify web sites, e-mail users, and software developers and trust it for
 6163:                   each accordingly; enable only the purposes this CA is actually used for, since each enabled purpose is one more thing the CA can vouch for.</xhtml:li>
 6164:               </xhtml:ol></description>
 6165:           </Group>
 6166:           <Group id="group-2.5.6.3.3" hidden="false">
 6167:             <title xml:lang="en">Adding a Trusted CA for Evolution</title>
 6168:             <description xml:lang="en">
 6169:               The Evolution e-mail client needs to have a certificate from
 6170:               the CA that signed the mail server's certificates, so that it can authenticate the
 6171:               mail server(s). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6172:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6173:               To import a new CA certificate into Evolution: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6174:               <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6175:                 <xhtml:li>Launch Evolution and choose Preferences from the Edit menu.</xhtml:li>
 6176:                 <xhtml:li>Select Certificates from the icon list on the left.</xhtml:li>
 6177:                 <xhtml:li>Select the Authorities tab.</xhtml:li>
 6178:                 <xhtml:li>Click the Import button.</xhtml:li>
 6179:                 <xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
 6182:               </xhtml:ol></description>
 6183:           </Group>
 6184:         </Group>
 6185:         <Group id="group-2.5.6.4" hidden="false">
 6186:           <title xml:lang="en">Further Resources</title>
 6187:           <description xml:lang="en">
 6188:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6189:               <xhtml:li>The OpenSSL Project home page at http://www.openssl.org</xhtml:li>
 6190:               <xhtml:li>The openssl(1) man page</xhtml:li>
 6191:               <xhtml:li>Jeremy Mates's how-to: http://sial.org/howto/openssl</xhtml:li>
 6192:             </xhtml:ul></description>
 6193:         </Group>
 6194:       </Group>
 6195:       <Group id="group-2.5.7" hidden="false">
 6196:         <title xml:lang="en">Uncommon Network Protocols</title>
 6197:         <description xml:lang="en">
 6198:           The system includes support for several network protocols which are not commonly used. Although security
 6199:           vulnerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic, because the code runs in the kernel. Ensuring
 6200:           uncommon network protocols are disabled reduces the system's exposure to attacks targeted at its implementation of
 6201:           those protocols. Note that an install directive only prevents the module from being loaded from then on: if the module is already loaded, unload it or reboot, and confirm with lsmod. On releases that read configuration from /etc/modprobe.d/, put the directive in a file in that directory rather than in /etc/modprobe.conf.</description>
 6202:         <Group id="group-2.5.7.1" hidden="false">
 6203:           <title xml:lang="en">Disable Support for DCCP</title>
 6204:           <description xml:lang="en">
 6205:             To prevent the DCCP kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6206:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6207:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install dccp /bin/true<xhtml:br/></xhtml:code>
 6208:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6209:             The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to
 6210:             support streaming media and telephony.</description>
 6211:           <Rule id="rule-2.5.7.1.a" selected="false" weight="10.000000" severity="medium">
 6212:             <title xml:lang="en">Disable Support for DCCP</title>
 6213:             <description xml:lang="en">Support for DCCP should be disabled.</description>
 6214:             <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
 6215:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6216:               <check-content-ref name="oval:org.fedoraproject.f14:def:201476" href="scap-fedora14-oval.xml"/>
 6217:             </check>
 6218:           </Rule>
 6219:         </Group>
 6220:         <Group id="group-2.5.7.2" hidden="false">
 6221:           <title xml:lang="en">Disable Support for SCTP</title>
 6222:           <description xml:lang="en">
 6223:             To prevent the SCTP kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6224:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6225:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install sctp /bin/true<xhtml:br/></xhtml:code>
 6226:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6227:             The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea
 6228:             of message-oriented communication, with several streams of messages within one connection.</description>
 6229:           <Rule id="rule-2.5.7.2.a" selected="false" weight="10.000000" severity="medium">
 6230:             <title xml:lang="en">Disable Support for SCTP</title>
 6231:             <description xml:lang="en">Support for SCTP should be disabled.</description>
 6232:             <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
 6233:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6234:               <check-content-ref name="oval:org.fedoraproject.f14:def:201477" href="scap-fedora14-oval.xml"/>
 6235:             </check>
 6236:           </Rule>
 6237:         </Group>
 6238:         <Group id="group-2.5.7.3" hidden="false">
 6239:           <title xml:lang="en">Disable Support for RDS</title>
 6240:           <description xml:lang="en">
 6241:             To prevent the RDS kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6242:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6243:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install rds /bin/true<xhtml:br/></xhtml:code>
 6244:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6245:             The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-
 6246:             bandwidth, low-latency communications between nodes in a cluster.</description>
 6247:           <Rule id="rule-2.5.7.3.a" selected="false" weight="10.000000" severity="medium">
 6248:             <title xml:lang="en">Disable Support for RDS</title>
 6249:             <description xml:lang="en">Support for RDS should be disabled.</description>
 6250:             <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
 6251:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6252:               <check-content-ref name="oval:org.fedoraproject.f14:def:201478" href="scap-fedora14-oval.xml"/>
 6253:             </check>
 6254:           </Rule>
 6255:         </Group>
 6256:         <Group id="group-2.5.7.4" hidden="false">
 6257:           <title xml:lang="en">Disable Support for TIPC</title>
 6258:           <description xml:lang="en">
 6259:             To prevent the TIPC kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6260:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6261:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install tipc /bin/true<xhtml:br/></xhtml:code>
 6262:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6263:             The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between
 6264:             nodes in a cluster.</description>
 6265:           <Rule id="rule-2.5.7.4.a" selected="false" weight="10.000000" severity="medium">
 6266:             <title xml:lang="en">Disable Support for TIPC</title>
 6267:             <description xml:lang="en">Support for TIPC should be disabled.</description>
 6268:             <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
 6269:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6270:               <check-content-ref name="oval:org.fedoraproject.f14:def:201479" href="scap-fedora14-oval.xml"/>
 6271:             </check>
 6272:           </Rule>
 6273:         </Group>
 6274:       </Group>
 6275:     </Group>
 6276:     <Group id="group-2.6" hidden="false">
 6277:       <title xml:lang="en">Logging and Auditing</title>
 6278:       <description xml:lang="en">
 6279:         Successful local or network attacks on systems do not necessarily
 6280:         leave clear evidence of what happened. It is necessary to build a configuration in advance
 6281:         that collects this evidence, both in order to determine that something anomalous has
 6282:         occurred, and in order to respond appropriately. In addition, a well-configured logging and
 6283:         audit infrastructure will show evidence of any misconfiguration which might leave the system
 6284:         vulnerable to attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6285:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6286:         Logging and auditing take different approaches to collecting data. A
 6287:         logging infrastructure provides a framework for individual programs running on the system to
 6288:         report whatever events are considered interesting: the sshd program may report each
 6289:         successful or failed login attempt, while the sendmail program may report each time it sends
 6290:         an e-mail on behalf of a local or remote user. An auditing infrastructure, on the other
 6291:         hand, reports each instance of certain low-level events, such as entry to the setuid system
 6292:         call, regardless of which program caused the event to occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6293:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6294:         Auditing has the advantage of
 6295:         being more comprehensive, but the disadvantage of reporting a large amount of information,
 6296:         most of which is uninteresting. Logging (particularly using a standard framework like
 6297:         syslog) has the advantage of being compatible with a wide variety of client applications,
 6298:         and of reporting only information considered important by each application, but the
 6299:         disadvantage that the information reported is not consistent between applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6300:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6301:         A robust
 6302:         infrastructure will perform both logging and auditing, and will use configurable automated
 6303:         methods of summarizing the reported data, so that system administrators can remove or
 6304:         compress reports of events known to be uninteresting in favor of alert monitoring for events
 6305:         known to be interesting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6306:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6307:         This section discusses how to configure logging, log monitoring,
 6308:         and auditing, using tools included with the system. It is recommended that syslog (provided by the rsyslog service on this system) be used for
 6309:         logging, with logwatch providing summarization, and that auditd be used for auditing, with
 6310:         aureport providing summarization.</description>
 6311:       <Group id="group-2.6.1" hidden="false">
 6312:         <title xml:lang="en">Configure Syslog</title>
 6313:         <description xml:lang="en">
 6314:           Syslog has been the default Unix logging mechanism for many years. This section
 6315:           discusses how to configure syslog for best effect, and how to use tools provided with the
 6316:           system to maintain and monitor your logs.</description>
 6317:         <Rule id="rule-2.6.1.a" selected="false" weight="10.000000" severity="medium">
 6318:           <title xml:lang="en">Configure Rsyslog</title>
 6319:           <description xml:lang="en">The rsyslog service should be enabled.</description>
 6320:           <ident system="http://cce.mitre.org">CCE-3679-8</ident>
 6321:           <fix>chkconfig rsyslog on</fix>
 6322:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6323:             <check-content-ref name="oval:org.fedoraproject.f14:def:20148" href="scap-fedora14-oval.xml"/>
 6324:           </check>
 6325:         </Rule>
 6326:         <Group id="group-2.6.1.1" hidden="false">
 6327:           <title xml:lang="en">Ensure All Important Messages are Captured</title>
 6328:           <description xml:lang="en"><xhtml:span xmlns:xhtml="http://www.w3.org/1999/xhtml">Edit the file /etc/syslog.conf (on a system running rsyslog, as enabled by the rule above, the equivalent file is /etc/rsyslog.conf). Add or correct whichever of the
 6329:             following lines are appropriate for your environment: <xhtml:br/>
 6330:             <xhtml:br/>
 6331:             auth,user.* /var/log/messages<xhtml:br/>
 6332:             kern.* /var/log/kern.log <xhtml:br/>
 6333:             daemon.* /var/log/daemon.log <xhtml:br/>
 6334:             syslog.* /var/log/syslog<xhtml:br/>
 6335:             lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log<xhtml:br/></xhtml:span>
 6336:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6337:             When a message is sent to syslog for logging, it is sent with a facility name (such as
 6338:             mail, auth, or local2), and a priority (such as debug, notice, or emerg). Each line of
 6339:             syslog's configuration file is a directive which specifies a set of facility/priority
 6340:             pairs, and then gives a filename or host to which log messages of matching types should
 6341:             be sent. In order for a message to match a type, the facility must match, and the
 6342:             priority must be the priority named in the rule or any higher priority. (See
 6343:             syslog.conf(5) for an ordered list of priorities.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6344:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6345:             Older versions of syslog mandated a
 6346:             very restrictive format for the syslog.conf file. However, the version of syslog shipped
 6347:             with the system allows any sort of whitespace (spaces or tabs, not just tabs) to separate the
 6348:             selection criteria from the message disposition, and allows the use of facility.* as a
 6349:             wildcard matching a given facility at any priority. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6350:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6351:             The default syslog
 6352:             configuration stores the facilities authpriv, cron, and mail in named logs. This guide
 6353:             describes the implementation of the following configuration, but any configuration which
 6354:             stores the important facilities and is usable by the administrators will suffice:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6355:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6356:               <xhtml:li>Store each of the facilities kern, daemon, and syslog in its own log, so that it will be
 6357:                 easy to access information about messages from those facilities. </xhtml:li>
 6358:               <xhtml:li>Restrict the
 6359:                 information stored in /var/log/messages to only the facilities auth and user, and store
 6360:                 all messages from those facilities. Messages can easily become cluttered otherwise. </xhtml:li>
 6361:               <xhtml:li>Store information about all facilities which should not be in use at this site in a file
 6362:                 called /var/log/unused.log. If any messages are logged to this file at some future
 6363:                 point, this may be an indication that an unknown service is running, and should be
 6364:                 investigated. In addition, if news and uucp are not in use at this site, remove the
 6365:                 directive from the default syslog.conf which stores those facilities. </xhtml:li>
 6366:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6367:             Making use of the
 6368:             local facilities is also recommended. Specific configuration is beyond the scope of this
 6369:             guide, but applications such as SSH can easily be configured to log to a local facility
 6370:             which is not being used for anything else. If this is done, reconfigure /etc/syslog.conf
 6371:             to store this facility in an appropriate named log or in /var/log/messages, rather than
 6372:             in /var/log/unused.log.</description>
 6373:         </Group>
 6374:         <Group id="group-2.6.1.2" hidden="false">
 6375:           <title xml:lang="en">Confirm Existence and Permissions of System Log Files</title>
 6376:           <description xml:lang="en">
 6377:             For each log file LOGFILE referenced in /etc/syslog.conf, run
 6378:             the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6379:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6380:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># touch LOGFILE<xhtml:br/>
 6381:             # chown root:root LOGFILE <xhtml:br/>
 6382:             # chmod 0600 LOGFILE <xhtml:br/></xhtml:code>
 6383:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6384:             Syslog will
 6385:             refuse to log to a file which does not exist. All messages intended for that file will
 6386:             be silently discarded, so it is important to verify that all log files exist. Some logs
 6387:             may contain sensitive information (failed logins, usernames, hostnames), so it is better to restrict permissions so that only
 6388:             administrative users can read or write logfiles. If the logs are rotated, confirm that the rotation configuration recreates each file with the same owner, group, and mode; otherwise the restriction is lost at the first rotation.</description>
 6389:           <Value id="var-2.6.1.2.a" operator="equals" type="string">
 6390:             <title xml:lang="en">User who owns log files</title>
 6391:             <description xml:lang="en">Specify user owner of all logfiles specified in /etc/syslog.conf.</description>
 6392:             <question xml:lang="en">Specify user owner of all logfiles specified in /etc/syslog.conf</question>
 6393:             <value>root</value>
 6394:             <value selector="root">root</value>
 6395:           </Value>
 6396:           <Value id="var-2.6.1.2.b" operator="equals" type="string">
 6397:             <title xml:lang="en">group who owns log files</title>
 6398:             <description xml:lang="en">Specify group owner of all logfiles specified in /etc/syslog.conf.</description>
 6399:             <question xml:lang="en">Specify group owner of all logfiles specified in /etc/syslog.conf</question>
 6400:             <value>root</value>
 6401:             <value selector="root">root</value>
 6402:           </Value>
 6403:           <Value id="var-2.6.1.2.c" operator="equals" type="string">
 6404:             <title xml:lang="en">File permissions on logfiles</title>
 6405:             <description xml:lang="en">Specify file permissions of all logfiles specified in /etc/syslog.conf.</description>
 6406:             <question xml:lang="en">Specify permissions of all logfiles specified in /etc/syslog.conf</question>
 6407:             <value>110000000</value>
 6408:             <value selector="400">100000000</value>
 6409:             <value selector="600">110000000</value>
 6410:             <value selector="700">111000000</value>
 6411:           </Value>
 6412:           <Rule id="rule-2.6.1.2.a" selected="false" weight="10.000000" severity="medium">
 6413:             <title xml:lang="en">Confirm user that owns System Log Files</title>
 6414:             <description xml:lang="en">All syslog log files should be owned by root.</description>
 6415:             <ident system="http://cce.mitre.org">CCE-4366-1</ident>
 6416:             <fixtext xml:lang="en">(1) via chown</fixtext>
 6417:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6418:               <check-export export-name="oval:org.fedoraproject.f14:var:20149" value-id="var-2.6.1.2.a"/>
 6419:               <check-content-ref name="oval:org.fedoraproject.f14:def:20149" href="scap-fedora14-oval.xml"/>
 6420:             </check>
 6421:           </Rule>
 6422:           <Rule id="rule-2.6.1.2.b" selected="false" weight="10.000000" severity="medium">
 6423:             <title xml:lang="en">Confirm group that owns System Log Files</title>
 6424:             <description xml:lang="en">All syslog log files should be group owned by root.</description>
 6425:             <ident system="http://cce.mitre.org">CCE-3701-0</ident>
 6426:             <fixtext xml:lang="en">(1) via chown</fixtext>
 6427:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6428:               <check-export export-name="oval:org.fedoraproject.f14:var:20150" value-id="var-2.6.1.2.b"/>
 6429:               <check-content-ref name="oval:org.fedoraproject.f14:def:20150" href="scap-fedora14-oval.xml"/>
 6430:             </check>
 6431:           </Rule>
 6432:           <Rule id="rule-2.6.1.2.c" selected="false" weight="10.000000" severity="medium">
 6433:             <title xml:lang="en">Confirm Permissions of System Log Files</title>
 6434:             <description xml:lang="en">File permissions for all syslog log files should be set correctly.</description>
 6435:             <ident system="http://cce.mitre.org">CCE-4233-3</ident>
 6436:             <fixtext xml:lang="en">(1) via chmod</fixtext>
 6437:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6438:               <check-export export-name="oval:org.fedoraproject.f14:var:20151" value-id="var-2.6.1.2.c"/>
 6439:               <check-content-ref name="oval:org.fedoraproject.f14:def:20151" href="scap-fedora14-oval.xml"/>
 6440:             </check>
 6441:           </Rule>
 6442:         </Group>
 6443:         <Group id="group-2.6.1.3" hidden="false">
 6444:           <title xml:lang="en">Send Logs to a Remote Loghost</title>
 6445:           <description xml:lang="en">
 6446:             Edit /etc/syslog.conf. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6447:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6448:             *.* @loghost.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6449:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6450:             where loghost.example.com is the name of your central log server.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6451:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6452:             If system logs are to be useful in detecting malicious activities, it is necessary to
 6453:             send logs to a remote server. An intruder who has compromised the root account on a
 6454:             machine may delete the log entries which indicate that the system was attacked before
 6455:             they are seen by an administrator. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6456:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6457:             However, it is recommended that logs be stored on the
 6458:             local host in addition to being sent to the loghost, because syslog uses the UDP
 6459:             protocol to send messages over a network. UDP does not guarantee reliable delivery, and
 6460:             moderately busy sites will lose log messages occasionally, especially in periods of high
 6461:             traffic which may be the result of an attack. In addition, remote syslog messages are
 6462:             not authenticated in any way, so it is easy for an attacker to introduce spurious
 6463:             messages to the central log server. Also, some problems cause loss of network
 6464:             connectivity, which will prevent the sending of messages to the central server. For all
 6465:             of these reasons, it is better to store log messages both centrally and on each host, so
 6466:             that they can be correlated if necessary.</description>
 6467:           <Rule id="rule-2.6.1.3.a" selected="false" weight="10.000000" severity="medium">
 6468:             <title xml:lang="en">Send Logs to a Remote Loghost</title>
 6469:             <description xml:lang="en">Syslog logs should be sent to a remote loghost</description>
 6470:             <ident system="http://cce.mitre.org">CCE-4260-6</ident>
 6471:             <fixtext xml:lang="en">(1) via /etc/syslog.conf</fixtext>
 6472:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6473:               <check-content-ref name="oval:org.fedoraproject.f14:def:20152" href="scap-fedora14-oval.xml"/>
 6474:             </check>
 6475:           </Rule>
 6476:         </Group>
 6477:         <Group id="group-2.6.1.4" hidden="false">
 6478:           <title xml:lang="en">Enable syslogd to Accept Remote Messages on Loghosts Only</title>
 6479:           <description xml:lang="en">
 6480:             Is this machine the central log server for your organization?
 6481:             If so, edit the file /etc/sysconfig/syslog. Add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6482:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6483:             SYSLOGD_OPTIONS="-m 0 -r -s example.com " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6484:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6485:             where example.com is the name of your domain.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6486:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6487:             If the machine is not a log server, edit /etc/sysconfig/syslog, and instead add or
 6488:             correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6489:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6490:             SYSLOGD_OPTIONS="-m 0" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6491:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6492:             By default, RHEL5's syslog does not listen over
 6493:             the network for log messages. The -r flag enables syslogd to listen over a network, and
 6494:             should be used only if necessary. The -s example.com flag strips the domain name
 6495:             example.com from each sending machine's hostname before logging messages from that host,
 6496:             to reduce the amount of redundant information placed in log files. See the syslogd(8)
 6497:             man page for further information.</description>
 6498:           <Rule id="rule-2.6.1.4.a" selected="false" weight="10.000000" severity="medium">
 6499:             <title xml:lang="en">Disable syslogd from Accepting Remote Messages Except on Loghosts</title>
 6500:             <description xml:lang="en">Syslogd should reject remote messages</description>
 6501:             <ident system="http://cce.mitre.org">CCE-3382-9</ident>
 6502:             <fixtext xml:lang="en">(1) via /etc/sysconfig/syslog</fixtext>
 6503:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6504:               <check-content-ref name="oval:org.fedoraproject.f14:def:20153" href="scap-fedora14-oval.xml"/>
 6505:             </check>
 6506:           </Rule>
 6507:         </Group>
 6508:         <Group id="group-2.6.1.5" hidden="false">
 6509:           <title xml:lang="en">Ensure All Logs are Rotated by logrotate</title>
 6510:           <description xml:lang="en">
 6511:             Edit the file /etc/logrotate.d/syslog. Find the first line,
 6512:             which should look like this (wrapped for clarity): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6513:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6514:             /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
 6515:             /var/log/boot.log /var/log/cron { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6516:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6517:             Edit this line so
 6518:             that it contains a one-space-separated listing of each log file referenced in
 6519:             /etc/syslog.conf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6520:             All logs in use on a system must be rotated regularly, or the log
 6521:             files will consume disk space over time, eventually interfering with system operation.
 6522:             The file /etc/logrotate.d/syslog is the configuration file used by the logrotate program
 6523:             to maintain all log files written by syslog. By default, it rotates logs weekly and
 6524:             stores four archival copies of each log. These settings can be modified by editing
 6525:             /etc/logrotate.conf, but the defaults are sufficient for purposes of this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6526:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6527:             Note
 6528:             that logrotate is run nightly by the cron job /etc/cron.daily/logrotate. If particularly
 6529:             active logs need to be rotated more often than once a day, some other mechanism must be
 6530:             used.</description>
 6531:           <Rule id="rule-2.6.1.5.a" selected="false" weight="10.000000" severity="medium">
 6532:             <title xml:lang="en">Ensure All Logs are Rotated by logrotate</title>
 6533:             <description xml:lang="en">The logrotate (syslog rotator) service should be enabled.</description>
 6534:             <ident system="http://cce.mitre.org">CCE-4182-2</ident>
 6535:             <fixtext xml:lang="en">(1) via cron</fixtext>
 6536:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6537:               <check-content-ref name="oval:org.fedoraproject.f14:def:20154" href="scap-fedora14-oval.xml"/>
 6538:             </check>
 6539:           </Rule>
 6540:         </Group>
 6541:         <Group id="group-2.6.1.6" hidden="false">
 6542:           <title xml:lang="en">Monitor Suspicious Log Messages using Logwatch</title>
 6543:           <description xml:lang="en">
 6544:             The system includes an extensible program called Logwatch for
 6545:             reporting on unusual items in syslog. Logwatch is valuable because it provides a parser
 6546:             for the syslog entry format and a number of signatures for types of lines which are
 6547:             considered to be mundane or noteworthy. Logwatch has a number of downsides: the
 6548:             signatures can be inaccurate and are not always categorized consistently, and you must
 6549:             be able to program in Perl in order to customize the signature database. However, it is
 6550:             recommended that all Linux sites which do not have time to deploy a third-party log
 6551:             monitoring application run Logwatch in its default configuration. This provides some
 6552:             useful information about system activity in exchange for very little administrator
 6553:             effort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6554:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6555:             This guide recommends that Logwatch be run only on the central logserver, if
 6556:             your site has one, in order to focus administrator attention by sending all daily logs
 6557:             in a single e-mail.</description>
 6558:           <Rule id="rule-2.6.1.6.a" selected="false" weight="10.000000" severity="medium">
 6559:             <title xml:lang="en">Monitor Suspicious Log Messages using Logwatch</title>
 6560:             <description xml:lang="en">The logwatch service should be enabled</description>
 6561:             <ident system="http://cce.mitre.org">CCE-4323-2</ident>
 6562:             <fixtext xml:lang="en">(1) via cron</fixtext>
 6563:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6564:               <check-content-ref name="oval:org.fedoraproject.f14:def:20155" href="scap-fedora14-oval.xml"/>
 6565:             </check>
 6566:           </Rule>
 6567:           <Group id="group-2.6.1.6.1" hidden="false">
 6568:             <title xml:lang="en">Configure Logwatch on the Central Log Server</title>
 6569:             <description xml:lang="en">
 6570:               Is this machine the central log server? If so, edit the file
 6571:               /etc/logwatch/conf/logwatch.conf. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6572:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6573:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">HostLimit = no<xhtml:br/>
 6574:               SplitHosts = yes <xhtml:br/>
 6575:               MultiEmail = no <xhtml:br/>
 6576:               Service = -zz-disk_space <xhtml:br/></xhtml:code>
 6577:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6578:               Ensure that logwatch.pl is run nightly from cron. (This is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6579:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6580:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/cron.daily <xhtml:br/>
 6581:               # ln -s /usr/share/logwatch/scripts/logwatch.pl 0logwatch <xhtml:br/></xhtml:code>
 6582:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6583:               On a central logserver, you want
 6584:               Logwatch to summarize all syslog entries, including those which did not originate on
 6585:               the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not
 6586:               just the one on which it is running. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6587:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6588:               If SplitHosts is set, Logwatch will separate
 6589:               entries by hostname. This makes the report longer but significantly more usable. If it
 6590:               is not set, then Logwatch will not report which host generated a given log entry, and
 6591:               that information is almost always necessary. If MultiEmail is set, then each host's
 6592:               information will be sent in a separate e-mail message. This is a matter of preference.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6593:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6594:               The Service directive -zz-disk_space tells Logwatch not to run the zz-disk_space
 6595:               report, which reports on free disk space. Since all log monitoring is being done on
 6596:               the central logserver, the disk space listing will always be that of the logserver,
 6597:               regardless of which host is being monitored. This is confusing, so disable that
 6598:               service. Note that this does mean that Logwatch will not monitor disk usage
 6599:               information. Many workarounds are possible, such as running df on each host daily via
 6600:               cron and sending the output to syslog so that it will be reported to the logserver.</description>
 6601:           </Group>
 6602:           <Group id="group-2.6.1.6.2" hidden="false">
 6603:             <title xml:lang="en">Disable Logwatch on Clients if a Logserver Exists</title>
 6604:             <description xml:lang="en">
 6605:               Does your site have a central logserver which has been
 6606:               configured to report on logs received from all systems? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6607:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6608:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/cron.daily/0logwatch <xhtml:br/></xhtml:code>
 6609:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6610:               If no logserver exists, it will be necessary for each
 6611:               machine to run Logwatch individually. Using a central logserver provides the security
 6612:               and reliability benefits discussed earlier, and also makes monitoring logs easier and
 6613:               less time-intensive for administrators.</description>
 6614:           </Group>
 6615:         </Group>
 6616:       </Group>
 6617:       <Group id="group-2.6.2" hidden="false">
 6618:         <title xml:lang="en">System Accounting with auditd</title>
 6619:         <description xml:lang="en">
 6620:           The audit service is the current Linux recommendation for
 6621:           kernel-level auditing. By default, the service audits SELinux AVC denials and
 6622:           certain types of security-relevant events such as system logins, account modifications,
 6623:           and authentication events performed by programs such as sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6624:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6625:           Under its default
 6626:           configuration, auditd has modest disk space requirements, and should not noticeably impact
 6627:           system performance. The audit service, in its default configuration, is strongly
 6628:           recommended for all sites, regardless of whether they are running SELinux. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6629:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6630:           DoD or federal networks often have substantial auditing requirements and auditd can be
 6631:           configured to meet these requirements.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6632:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6633:           Typical DoD requirements include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6634:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6635:           <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6636:             <xhtml:li>Ensure Auditing is Configured to Collect Certain System Events
 6637:               <xhtml:ul>
 6638:                 <xhtml:li>Information on the Use of Print Command (unsuccessful and successful)</xhtml:li>
 6639:                 <xhtml:li>Startup and Shutdown Events (unsuccessful and successful)</xhtml:li>
 6640:               </xhtml:ul>
 6641:             </xhtml:li>
 6642:             <xhtml:li>Ensure the auditing software can record the following for each audit event:
 6643:               <xhtml:ul>
 6644:                 <xhtml:li>Date and time of the event</xhtml:li>
 6645:                 <xhtml:li>Userid that initiated the event</xhtml:li>
 6646:                 <xhtml:li>Type of event</xhtml:li>
 6647:                 <xhtml:li>Success or failure of the event</xhtml:li>
 6648:                 <xhtml:li>For I&amp;A events, the origin of the request (e.g., terminal ID)</xhtml:li>
 6649:                 <xhtml:li>For events that introduce an object into a user’s address space, and for object deletion events, the
 6650:                   name of the object, and in MLS systems, the object's security level.</xhtml:li>
 6651:               </xhtml:ul>
 6652:             </xhtml:li>
 6653:             <xhtml:li>Ensure files are backed up no less than weekly onto a different system than the system being audited or
 6654:               backup media.</xhtml:li>
 6655:             <xhtml:li>Ensure old logs are closed out and new audit logs are started daily</xhtml:li>
 6656:             <xhtml:li>Ensure the configuration is immutable. With the -e 2 setting a reboot will be required to change any audit
 6657:               rules.</xhtml:li>
 6658:             <xhtml:li>Ensure that the audit data files have permissions of 640, or more restrictive.</xhtml:li>
 6659:             </xhtml:ul>
 6660:           </description>
 6661:         <Group id="group-2.6.2.1" hidden="false">
 6662:           <title xml:lang="en">Enable the auditd Service</title>
 6663:           <description xml:lang="en">
 6664:             Ensure that the auditd service is enabled (this is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6665:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6666:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig auditd on <xhtml:br/></xhtml:code>
 6667:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6668:             By default, auditd logs only SELinux denials, which are
 6669:             helpful for debugging SELinux and discovering intrusion attempts, and certain types of
 6670:             security events, such as modifications to user accounts (useradd, passwd, etc), login
 6671:             events, and calls to sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6672:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6673:             Data is stored in /var/log/audit/audit.log. By default,
 6674:             auditd rotates 4 logs by size (5MB), retaining a maximum of 20MB of data in total, and
 6675:             refuses to write entries when the disk is too full. This minimizes the risk of audit
 6676:             data filling its partition and impacting other services. However, it is possible to lose
 6677:             audit data if the system is busy.</description>
 6678:           <Rule id="rule-2.6.2.1.a" selected="false" weight="10.000000" severity="medium">
 6679:             <title xml:lang="en">Enable the auditd Service</title>
 6680:             <description xml:lang="en">The auditd service should be enabled.</description>
 6681:             <ident system="http://cce.mitre.org">CCE-4292-9</ident>
 6682:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 6683:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6684:               <check-content-ref name="oval:org.fedoraproject.f14:def:20156" href="scap-fedora14-oval.xml"/>
 6685:             </check>
 6686:           </Rule>
 6687:         </Group>
 6688:         <Group id="group-2.6.2.2" hidden="false">
 6689:           <title xml:lang="en">Configure auditd Data Retention</title>
 6690:           <description xml:lang="en">
 6691:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6692:               <xhtml:li>Determine STOREMB, the amount of audit data (in megabytes) which should be retained in each log
 6693:                 file. Edit the file /etc/audit/auditd.conf. Add or modify the following line:<xhtml:br/>
 6694:                 <xhtml:br/>
 6695:                 max_log_file = STOREMB</xhtml:li>
 6696:               <xhtml:li>Use a dedicated partition (or logical volume) for log files. It is straightforward to create such a partition
 6697:                 or logical volume during system installation time. The partition should be larger than the maximum
 6698:                 space which auditd will ever use, which is the maximum size of each log file (max_log_file) multiplied
 6699:                 by the number of log files (num_logs). Ensure the partition is mounted on /var/log/audit.</xhtml:li>
 6700:               <xhtml:li>If your site requires that the machine be disabled when auditing cannot be performed, configure auditd
 6701:                 to halt the system when disk space for auditing runs low. Edit /etc/audit/auditd.conf, and add or
 6702:                 correct the following lines:<xhtml:br/>
 6703:                 <xhtml:br/>
 6704:                 space_left_action = email<xhtml:br/>
 6705:                 action_mail_acct = root<xhtml:br/>
 6706:                 admin_space_left_action = halt<xhtml:br/></xhtml:li>
 6707:             </xhtml:ul>
 6708:             The default action to take when the logs reach their maximum size is to rotate the log files, discarding the
 6709:             oldest one. If it is more important to retain all possible auditing information, even if that opens the possibility
 6710:             of running out of space and taking the action defined by admin_space_left_action, add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6711:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6712:             max_log_file_action = keep_logs<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6713:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6714:             By default, auditd retains 4 log files of size 5MB apiece. For a busy system or a system which is thoroughly
 6715:             auditing system activity, this is likely to be insufficient.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6716:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6717:             The log file size needed will depend heavily on what types of events are being audited. First configure auditing
 6718:             to log all the events of interest. Then monitor the log size manually for a while to determine what file size will
 6719:             allow you to keep the required data for the correct time period.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6720:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6721:             Using a dedicated partition for /var/log/audit prevents the auditd logs from disrupting system functionality if
 6722:             they fill, and, more importantly, prevents other activity in /var from filling the partition and stopping the audit
 6723:             trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.)
 6724:             Some machines may have requirements that no actions occur which cannot be audited. If this is the case, then
 6725:             auditd can be configured to halt the machine if it runs out of space.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6726:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6727:             Note: Since older logs are rotated, configuring auditd this way does not prevent older logs from being rotated
 6728:             away before they can be viewed.
 6729:           </description>
 6730:           <warning xml:lang="en">If your system is configured to halt when logging cannot be performed, make sure this can never
 6731:             happen under normal circumstances! Ensure that /var/log/audit is on its own partition, and
 6732:             that this partition is larger than the maximum amount of data auditd will retain normally.</warning>
 6733:         </Group>
 6734:         <Group id="group-2.6.2.3" hidden="false">
 6735:           <title xml:lang="en">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
 6736:           <description xml:lang="en">
 6737:             To ensure that all processes can be audited, even those which start prior to the audit daemon, add the
 6738:             argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6739:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6740:             kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6741:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6742:             Each process on the system carries an “auditable” flag which indicates whether its activities can be audited.
 6743:             Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel
 6744:             argument ensures that it is set for every process during boot.
 6745:           </description>
 6746:           <Rule id="rule-2.6.2.3.a" selected="false" weight="10.000000" severity="medium">
 6747:             <title xml:lang="en">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
 6748:             <description xml:lang="en">
 6749:               To ensure that all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1
 6750:               to the kernel line in /etc/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6751:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</description>
 6752:             <fixtext xml:lang="en">(1) via /etc/grub.conf add audit=1 to kernel line</fixtext>
 6753:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6754:               <check-content-ref name="oval:org.fedoraproject.f14:def:20157" href="scap-fedora14-oval.xml"/>
 6755:             </check>
 6756:           </Rule>
 6757:         </Group>
 6758:         <Group id="group-2.6.2.4" hidden="false">
 6759:           <title xml:lang="en">Configure auditd Rules for Comprehensive Auditing</title>
 6760:           <description xml:lang="en">
 6761:             The auditd program can perform comprehensive monitoring of system activity. This section describes
 6762:             recommended configuration settings for comprehensive auditing, but a full description of the auditing system’s
 6763:             capabilities is beyond the scope of this guide. The mailing list linux-audit@redhat.com may be a good source
 6764:             of further information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6765:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6766:             The audit subsystem supports extensive collection of events, including:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6767:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 6768:               <xhtml:li>Tracing of arbitrary system calls (identified by name or number) on entry or exit.</xhtml:li>
 6769:               <xhtml:li>Filtering by PID, UID, call success, system call argument (with some limitations), etc.</xhtml:li>
 6770:               <xhtml:li>Monitoring of specific files for modifications to the file’s contents or metadata.</xhtml:li>
 6771:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6772:             Auditing rules are controlled in the file /etc/audit/audit.rules. Add rules to it to meet the auditing
 6773:             requirements for your organization. Each line in /etc/audit/audit.rules represents a series of arguments that
 6774:             can be passed to auditctl and can be individually tested as such. See documentation in
 6775:             /usr/share/doc/audit-version and in the related man pages for more details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6776:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6777:             Recommended audit rules are provided in /usr/share/doc/audit-version/stig.rules. In order to activate
 6778:             those rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6779:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6780:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules<xhtml:br/></xhtml:code>
 6781:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6782:             and then edit /etc/audit/audit.rules and comment out the lines containing arch= which are not appropriate
 6783:             for your system’s architecture. Then review and understand the following rules, ensuring rules are activated as
 6784:             needed for the appropriate architecture.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6785:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6786:             After reviewing all the rules, reading the following sections, and editing as needed, activate the new rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6787:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6788:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service auditd restart</xhtml:code></description>
 6789:           <Group id="group-2.6.2.4.1" hidden="false">
 6790:             <title xml:lang="en">Records Events that Modify Date and Time Information</title>
 6791:             <description xml:lang="en">
 6792:               Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your
 6793:               system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6794:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6795:               -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6796:               -a always,exit -F arch=ARCH -S clock_settime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6797:               -w /etc/localtime -p wa -k time-change
 6798:             </description>
 6799:             <Rule id="rule-2.6.2.4.1.a" selected="false" weight="10.000000" severity="medium">
 6800:               <title xml:lang="en">Records Events that Modify Date and Time Information</title>
 6801:               <description xml:lang="en">Audit rules about time</description>
 6802:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6803:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6804:                 <check-content-ref name="oval:org.fedoraproject.f14:def:201575" href="scap-fedora14-oval.xml"/>
 6805:               </check>
 6806:             </Rule>
 6807:           </Group>
 6808:           <Group id="group-2.6.2.4.2" hidden="false">
 6809:             <title xml:lang="en">Record Events that Modify User/Group Information</title>
 6810:             <description xml:lang="en">
 6811:               Add the following to /etc/audit/audit.rules, in order to capture events that modify account information:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6812:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6813:               -w /etc/group -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6814:               -w /etc/passwd -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6815:               -w /etc/gshadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6816:               -w /etc/shadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6817:               -w /etc/security/opasswd -p wa -k identity
 6818:             </description>
 6819:             <Rule id="rule-2.6.2.4.2.a" selected="false" weight="10.000000" severity="medium">
 6820:               <title xml:lang="en">Record Events that Modify User/Group Information</title>
 6821:               <description xml:lang="en">Audit rules about User/Group Information</description>
 6822:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6823:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 6824:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6825:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20158" href="scap-fedora14-oval.xml"/>
 6826:               </check>
 6827:             </Rule>
 6828:           </Group>
 6829:           <Group id="group-2.6.2.4.3" hidden="false">
 6830:             <title xml:lang="en">Record Events that Modify the System’s Network Environment</title>
 6831:             <description xml:lang="en">
 6832:               Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your
 6833:               system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6834:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6835:               -a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6836:               -w /etc/issue -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6837:               -w /etc/issue.net -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6838:               -w /etc/hosts -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6839:               -w /etc/sysconfig/network -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6840:             </description>
 6841:             <Rule id="rule-2.6.2.4.3.a" selected="false" weight="10.000000" severity="medium">
 6842:               <title xml:lang="en">Record Events that Modify the System’s Network Environment</title>
 6843:               <description xml:lang="en">Audit rules about the System’s Network Environment</description>
 6844:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6845:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 6846:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6847:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20159" href="scap-fedora14-oval.xml"/>
 6848:               </check>
 6849:             </Rule>
 6850:           </Group>
 6851:           <Group id="group-2.6.2.4.4" hidden="false">
 6852:             <title xml:lang="en">Record Events that Modify the System’s Mandatory Access Controls</title>
 6853:             <description xml:lang="en">
 6854:               Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6855:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6856:               -w /etc/selinux/ -p wa -k MAC-policy
 6857:             </description>
 6858:             <Rule id="rule-2.6.2.4.4.a" selected="false" weight="10.000000" severity="medium">
 6859:               <title xml:lang="en">Record Events that Modify the System’s Mandatory Access Controls</title>
 6860:               <description xml:lang="en">Audit rules about the System’s Mandatory Access Controls</description>
 6861:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6862:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 6863:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6864:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20160" href="scap-fedora14-oval.xml"/>
 6865:               </check>
 6866:             </Rule>
 6867:           </Group>
 6868:           <Group id="group-2.6.2.4.5" hidden="false">
 6869:             <title xml:lang="en">Ensure auditd Collects Logon and Logout Events</title>
 6870:             <description xml:lang="en">
 6871:               At a minimum the audit system should collect login info for all users and root. Add the following to
 6872:               /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6873:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6874:               -w /var/log/faillog -p wa -k logins<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6875:               -w /var/log/lastlog -p wa -k logins
 6876:             </description>
 6877:             <Rule id="rule-2.6.2.4.5.a" selected="false" weight="10.000000" severity="medium">
 6878:               <title xml:lang="en">Ensure auditd Collects Logon and Logout Events</title>
 6879:               <description xml:lang="en">Audit rules about the Logon and Logout Events</description>
 6880:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6881:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6882:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20161" href="scap-fedora14-oval.xml"/>
 6883:               </check>
 6884:             </Rule>
 6885:           </Group>
 6886:           <Group id="group-2.6.2.4.6" hidden="false">
 6887:             <title xml:lang="en">Ensure auditd Collects Process and Session Initiation Information</title>
 6888:             <description xml:lang="en">
 6889:               At a minimum the audit system should collect process information for all users and root. Add the following
 6890:               to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6891:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6892:               -w /var/run/utmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6893:               -w /var/log/btmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6894:               -w /var/log/wtmp -p wa -k session
 6895:             </description>
 6896:             <Rule id="rule-2.6.2.4.6.a" selected="false" weight="10.000000" severity="medium">
 6897:               <title xml:lang="en">Ensure auditd Collects Process and Session Initiation Information</title>
 6898:               <description xml:lang="en">Audit rules about the Process and Session Initiation Information</description>
 6899:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6900:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6901:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20162" href="scap-fedora14-oval.xml"/>
 6902:               </check>
 6903:             </Rule>
 6904:           </Group>
 6905:           <Group id="group-2.6.2.4.7" hidden="false">
 6906:             <title xml:lang="en">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
 6907:             <description xml:lang="en">
 6908:               At a minimum the audit system should collect file permission changes for all users and root. Add the
 6909:               following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6910:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6911:               -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid&gt;=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6912:               -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6913:               -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6914:               -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6915:               -a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6916:               lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
 6917:             </description>
 6918:             <Rule id="rule-2.6.2.4.7.a" selected="false" weight="10.000000" severity="medium">
 6919:               <title xml:lang="en">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
 6920:               <description xml:lang="en">Audit rules about the Discretionary Access Control Permission Modification Events</description>
 6921:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6922:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 6923:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6924:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20163" href="scap-fedora14-oval.xml"/>
 6925:               </check>
 6926:             </Rule>
 6927:           </Group>
 6928:           <Group id="group-2.6.2.4.8" hidden="false">
 6929:             <title xml:lang="en">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
 6930:             <description xml:lang="en">
 6931:               At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the
 6932:               following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6933:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6934:               -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6935:               -F exit=-EACCES -F auid&gt;=500 -F auid!=4294967295 -k access<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6936:               -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6937:               -F exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k access
 6938:             </description>
 6939:             <Rule id="rule-2.6.2.4.8.a" selected="false" weight="10.000000" severity="medium">
 6940:               <title xml:lang="en">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
 6941:               <description xml:lang="en">Audit rules about the Unauthorized Access Attempts to Files (unsuccessful)</description>
 6942:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6943:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 6944:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6945:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20164" href="scap-fedora14-oval.xml"/>
 6946:               </check>
 6947:             </Rule>
 6948:           </Group>
 6949:           <Group id="group-2.6.2.4.9" hidden="false">
 6950:             <title xml:lang="en">Ensure auditd Collects Information on the Use of Privileged Commands</title>
 6951:             <description xml:lang="en">
 6952:               At a minimum the audit system should collect the execution of privileged commands for all users and root.
 6953:               Each such rule watches a single executable, so add a rule like the following to /etc/audit/audit.rules for each privileged program to be monitored; /bin/ping is shown as an example:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6954:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6955:               -a always,exit -F path=/bin/ping -F perm=x -F auid&gt;=500 -F auid!=4294967295 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6956:               -k privileged
 6957:             </description>
 6958:             <Rule id="rule-2.6.2.4.9.a" selected="false" weight="10.000000" severity="medium">
 6959:               <title xml:lang="en">Ensure auditd Collects Information on the Use of Privileged Commands</title>
 6960:               <description xml:lang="en">Audit rules about the Information on the Use of Privileged Commands</description>
 6961:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6962:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 6963:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6964:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20165" href="scap-fedora14-oval.xml"/>
 6965:               </check>
 6966:             </Rule>
 6967:           </Group>
 6968:           <Group id="group-2.6.2.4.10" hidden="false">
 6969:             <title xml:lang="en">Ensure auditd Collects Information on Exporting to Media (successful)</title>
 6970:             <description xml:lang="en">
 6971:               At a minimum the audit system should collect media exportation events for all users and root. Add the
 6972:               following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6973:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6974:               -a always,exit -F arch=ARCH -S mount -F auid&gt;=500 -F auid!=4294967295 -k export
 6975:             </description>
 6976:             <Rule id="rule-2.6.2.4.10.a" selected="false" weight="10.000000" severity="medium">
 6977:               <title xml:lang="en">Ensure auditd Collects Information on Exporting to Media (successful)</title>
 6978:               <description xml:lang="en">Audit rules about the Information on Exporting to Media (successful)</description>
 6979:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6980:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 6981:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 6982:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20166" href="scap-fedora14-oval.xml"/>
 6983:               </check>
 6984:             </Rule>
 6985:           </Group>
 6986:           <Group id="group-2.6.2.4.11" hidden="false">
 6987:             <title xml:lang="en">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
 6988:             <description xml:lang="en">
 6989:               At a minimum the audit system should collect file deletion events for all users and root. Add the following
 6990:               to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6991:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6992:               -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid&gt;=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 6993:               -F auid!=4294967295 -k delete
 6994:             </description>
 6995:             <Rule id="rule-2.6.2.4.11.a" selected="false" weight="10.000000" severity="medium">
 6996:               <title xml:lang="en">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
 6997:               <description xml:lang="en">Audit rules about the Files Deletion Events by User (successful and unsuccessful)</description>
 6998:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 6999:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 7000:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7001:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20167" href="scap-fedora14-oval.xml"/>
 7002:               </check>
 7003:             </Rule>
 7004:           </Group>
 7005:           <Group id="group-2.6.2.4.12" hidden="false">
 7006:             <title xml:lang="en">Ensure auditd Collects System Administrator Actions</title>
 7007:             <description xml:lang="en">
 7008:               At a minimum the audit system should collect administrator actions for all users and root. Add the following
 7009:               to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7010:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7011:               -w /etc/sudoers -p wa -k actions</description>
 7012:             <Rule id="rule-2.6.2.4.12.a" selected="false" weight="10.000000" severity="medium">
 7013:               <title xml:lang="en">Ensure auditd Collects System Administrator Actions</title>
 7014:               <description xml:lang="en">Audit rules about the System Administrator Actions</description>
 7015:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 7016:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 7017:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7018:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20168" href="scap-fedora14-oval.xml"/>
 7019:               </check>
 7020:             </Rule>
 7021:           </Group>
 7022:           <Group id="group-2.6.2.4.13" hidden="false">
 7023:             <title xml:lang="en">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
 7024:             <description xml:lang="en">
 7025:               Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading
 7026:               events:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7027:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7028:               -w /sbin/insmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7029:               -w /sbin/rmmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7030:               -w /sbin/modprobe -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7031:               -a always,exit -S init_module -S delete_module -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7032:             </description>
 7033:             <Rule id="rule-2.6.2.4.13.a" selected="false" weight="10.000000" severity="medium">
 7034:               <title xml:lang="en">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
 7035:               <description xml:lang="en">Audit rules about the Information on Kernel Module Loading and Unloading</description>
 7036:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 7037:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7038:                 <check-content-ref name="oval:org.fedoraproject.f14:def:201685" href="scap-fedora14-oval.xml"/>
 7039:               </check>
 7040:             </Rule>
 7041:           </Group>
 7042:           <Group id="group-2.6.2.4.14" hidden="false">
 7043:             <title xml:lang="en">Make the auditd Configuration Immutable</title>
 7044:             <description xml:lang="en">
 7045:               Add the following to /etc/audit/audit.rules in order to make the configuration immutable:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7046:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7047:               -e 2<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7048:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7049:               With this setting, a reboot will be required to change any audit rules.
 7050:             </description>
 7051:             <Rule id="rule-2.6.2.4.14.a" selected="false" weight="10.000000" severity="medium">
 7052:               <title xml:lang="en">Make the auditd Configuration Immutable</title>
 7053:               <description xml:lang="en">Force a reboot to change audit rules</description>
 7054:               <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
 7055:               <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
 7056:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7057:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20169" href="scap-fedora14-oval.xml"/>
 7058:               </check>
 7059:             </Rule>
 7060:           </Group>
 7061:         </Group>
 7062:         <Group id="group-2.6.2.5" hidden="false">
 7063:           <title xml:lang="en">Summarize and Review Audit Logs using aureport</title>
 7064:           <description xml:lang="en">
 7065:             Familiarize yourself with the aureport(8) man page, then design a short series of audit reporting commands
 7066:             suitable for exploring the audit logs on a daily (or more frequent) basis. These commands can be added as a cron
 7067:             job by placing an appropriately named file in /etc/cron.daily. See the preceding section, 2.6.2.4, for information on how to
 7068:             ensure that the audit system collects all events needed.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7069:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7070:             For example, to generate a daily report of every user login to the machine, the following command could be
 7071:             run from cron:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7072:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7073:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># aureport -l -i -ts yesterday -te today<xhtml:br/></xhtml:code>
 7074:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7075:             To review all audited activity for unusual behavior, a good place to start is to see a summary of which audit
 7076:             rules have been triggering:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7077:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7078:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">aureport --key --summary<xhtml:br/></xhtml:code>
 7079:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7080:             If access violations stand out, review them with:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7081:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7082:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --raw | aureport --file --summary<xhtml:br/></xhtml:code>
 7083:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7084:             To review what executables are doing:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7085:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7086:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --raw | aureport -x --summary<xhtml:br/></xhtml:code>
 7087:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7088:             If access violations have been occurring on a particular file (such as /etc/shadow) and you want to determine
 7089:             which user is doing this:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7090:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7091:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --file /etc/shadow --raw | aureport --user --summary -i<xhtml:br/></xhtml:code>
 7092:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7093:             Check for anomalous activity (such as device changing to promiscuous mode, processes ending abnormally, login
 7094:             failure limits being reached) using:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7095:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7096:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># aureport --anomaly<xhtml:br/></xhtml:code>
 7097:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7098:             The foundation of audit analysis is using keys to classify the events. Information about using ausearch to find
 7099:             an SELinux problem can be found in Section 2.4.6.
 7100:             </description>
 7101:         </Group>
 7102:       </Group>
 7103:     </Group>
 7104:   </Group>
 7105:   <Group id="group-3" hidden="false">
 7106:     <title xml:lang="en">Services</title>
 7107:     <Group id="group-3.1" hidden="false">
 7108:       <title xml:lang="en">Disable All Unneeded Services at Boot Time</title>
 7109:       <description xml:lang="en">
 7110:         The best protection against vulnerable software is running less
 7111:         software. This section describes how to review the software which Red Hat Enterprise Linux
 7112:         installs on a system and disable software which is not needed. It then enumerates the
 7113:         software packages installed on a default RHEL5 system and provides guidance about which ones
 7114:         can be safely disabled.</description>
 7115:       <Group id="group-3.1.1" hidden="false">
 7116:         <title xml:lang="en">Determine which Services are Enabled at Boot</title>
 7117:         <description xml:lang="en">
 7118:           Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7119:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7120:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig --list | grep :on <xhtml:br/></xhtml:code>
 7121:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7122:           The first column
 7123:           of this output is the name of a service which is currently enabled at boot. Review each
 7124:           listed service to determine whether it can be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7125:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7126:           If it is appropriate to disable
 7127:           some service srvname, do so using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7128:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7129:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig srvname off <xhtml:br/></xhtml:code>
 7130:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7131:           Use the guidance below for information about unfamiliar services.</description>
 7132:       </Group>
 7133:       <Group id="group-3.1.2" hidden="false">
 7134:         <title xml:lang="en">Guidance on Default Services</title>
 7135:         <description xml:lang="en">
 7136:           The table in this section contains a list of all services which
 7137:           are enabled at boot by a default RHEL5 installation. For each service, one of the
 7138:           following recommendations is made: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7139:           <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 7140:             <xhtml:li>Enable: The service provides a significant capability
 7141:               with limited risk exposure. Leave the service enabled. </xhtml:li>
 7142:             <xhtml:li>Configure: The service either is
 7143:               required for most systems to function properly or provides an important security function.
 7144:               It should be left enabled by most environments. However, it must be configured securely on
 7145:               all machines, and different options may be needed for workstations than for servers. See
 7146:               the referenced section for recommended configuration of this service.</xhtml:li>
 7147:             <xhtml:li>Disable if
 7148:               possible: The service opens the system to some risk, but may be required by some
 7149:               environments. See the appropriate section of the guide, and disable the service if at all
 7150:               possible.</xhtml:li>
 7151:             <xhtml:li>Servers only: The service provides some function to other machines over the
 7152:               network. If that function is needed in the target environment, the service should remain
 7153:               enabled only on a small number of dedicated servers, and should be disabled on all other
 7154:               machines on the network. </xhtml:li>
 7155:           </xhtml:ul>
 7156:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7157:           <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
 7158:             <xhtml:thead>
 7159:               <xhtml:tr>
 7160:                 <xhtml:td>Service name</xhtml:td>
 7161:                 <xhtml:td>Action</xhtml:td>
 7162:                 <xhtml:td>Reference</xhtml:td>
 7163:               </xhtml:tr>
 7164:             </xhtml:thead>
 7165:             <xhtml:tbody>
 7166:               <xhtml:tr><xhtml:td>acpid</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.15.2</xhtml:td></xhtml:tr>
 7167:               <xhtml:tr><xhtml:td>anacron</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr>
 7168:               <xhtml:tr><xhtml:td>apmd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.15.1</xhtml:td></xhtml:tr>
 7169:               <xhtml:tr><xhtml:td>atd</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr>
 7170:               <xhtml:tr><xhtml:td>auditd</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.6.2</xhtml:td></xhtml:tr>
 7171:               <xhtml:tr><xhtml:td>autofs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.2.2.3</xhtml:td></xhtml:tr>
 7172:               <xhtml:tr><xhtml:td>avahi-daemon</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.7</xhtml:td></xhtml:tr>
 7173:               <xhtml:tr><xhtml:td>bluetooth</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.14</xhtml:td></xhtml:tr>
 7174:               <xhtml:tr><xhtml:td>cpuspeed</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.15.3 </xhtml:td></xhtml:tr>
 7175:               <xhtml:tr><xhtml:td>crond</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr>
 7176:               <xhtml:tr><xhtml:td>cups</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.8</xhtml:td></xhtml:tr>
 7177:               <xhtml:tr><xhtml:td>firstboot</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.1</xhtml:td></xhtml:tr>
 7178:               <xhtml:tr><xhtml:td>gpm</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.2</xhtml:td></xhtml:tr>
 7179:               <xhtml:tr><xhtml:td>haldaemon</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.13.2</xhtml:td></xhtml:tr>
 7180:               <xhtml:tr><xhtml:td>hidd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.14.2</xhtml:td></xhtml:tr>
 7181:               <xhtml:tr><xhtml:td>hplip</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.8.4.1</xhtml:td></xhtml:tr>
 7182:               <xhtml:tr><xhtml:td>ip6tables</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.5.5</xhtml:td></xhtml:tr>
 7183:               <xhtml:tr><xhtml:td>iptables</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.5.5</xhtml:td></xhtml:tr>
 7184:               <xhtml:tr><xhtml:td>irqbalance</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.3</xhtml:td></xhtml:tr>
 7185:               <xhtml:tr><xhtml:td>isdn</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.4</xhtml:td></xhtml:tr>
 7186:               <xhtml:tr><xhtml:td>kdump</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.5</xhtml:td></xhtml:tr>
 7187:               <xhtml:tr><xhtml:td>kudzu</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.6 </xhtml:td></xhtml:tr>
 7188:               <xhtml:tr><xhtml:td>mcstrans</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.4.3.2 (SELinux) </xhtml:td></xhtml:tr>
 7189:               <xhtml:tr><xhtml:td>mdmonitor</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.7 </xhtml:td></xhtml:tr>
 7190:               <xhtml:tr><xhtml:td>messagebus</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.13.1</xhtml:td></xhtml:tr>
 7191:               <xhtml:tr><xhtml:td>microcode</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.8</xhtml:td></xhtml:tr>
 7192:               <xhtml:tr><xhtml:td>netfs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS)</xhtml:td></xhtml:tr>
 7193:               <xhtml:tr><xhtml:td>network</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.9</xhtml:td></xhtml:tr>
 7194:               <xhtml:tr><xhtml:td>nfslock</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS)</xhtml:td></xhtml:tr>
 7195:               <xhtml:tr><xhtml:td>pcscd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.10</xhtml:td></xhtml:tr>
 7196:               <xhtml:tr><xhtml:td>portmap</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr>
 7197:               <xhtml:tr><xhtml:td>readahead_early</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.12</xhtml:td></xhtml:tr>
 7198:               <xhtml:tr><xhtml:td>readahead_later</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.12</xhtml:td></xhtml:tr>
 7199:               <xhtml:tr><xhtml:td>restorecond</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>2.4.3.3 (SELinux)</xhtml:td></xhtml:tr>
 7200:               <xhtml:tr><xhtml:td>rhnsd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.1.2.2 </xhtml:td></xhtml:tr>
 7201:               <xhtml:tr><xhtml:td>rpcgssd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr>
 7202:               <xhtml:tr><xhtml:td>rpcidmapd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr>
 7203:               <xhtml:tr><xhtml:td>sendmail</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.11</xhtml:td></xhtml:tr>
 7204:               <xhtml:tr><xhtml:td>setroubleshoot</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.4.3.1 (SELinux)</xhtml:td></xhtml:tr>
 7205:               <xhtml:tr><xhtml:td>smartd</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.11 </xhtml:td></xhtml:tr>
 7206:               <xhtml:tr><xhtml:td>sshd</xhtml:td><xhtml:td>Servers only</xhtml:td><xhtml:td>3.5</xhtml:td></xhtml:tr>
 7207:               <xhtml:tr><xhtml:td>syslog</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.6.1</xhtml:td></xhtml:tr>
 7208:               <xhtml:tr><xhtml:td>xfs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.6 (X11) </xhtml:td></xhtml:tr>
 7209:               <xhtml:tr><xhtml:td>yum-updatesd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.1.2.3.2</xhtml:td></xhtml:tr>
 7210:             </xhtml:tbody>
 7211:           </xhtml:table>
 7212:         </description>
 7213:       </Group>
 7214:       <Group id="group-3.1.3" hidden="false">
 7215:         <title xml:lang="en">Guidance for Unfamiliar Services</title>
 7216:         <description xml:lang="en">
 7217:           If the system is running any services which have not been
 7218:           covered, determine what these services do, and disable them if they are not needed or if
 7219:           they pose a high risk. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7220:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7221:           If a service srvname is unknown, try running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7222:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7223:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -qf /etc/init.d/srvname <xhtml:br/></xhtml:code>
 7224:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7225:           to discover which RPM package installed the service. Then, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7226:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7227:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -qi rpmname <xhtml:br/></xhtml:code>
 7228:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7229:           for a brief description of what that RPM does.</description>
 7230:       </Group>
 7231:     </Group>
 7232:     <Group id="group-3.2" hidden="false">
 7233:       <title xml:lang="en">Obsolete Services</title>
 7234:       <description xml:lang="en">
 7235:         This section discusses a number of network-visible services which
 7236:         have historically caused problems for system security, and for which disabling or severely
 7237:         limiting the service has been the best available guidance for some time. As a result of this
 7238:         consensus, these services are not installed as part of RHEL5 by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7239:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7240:         Organizations which
 7241:         are running these services should prioritize switching to more secure services which provide
 7242:         the needed functionality. If it is absolutely necessary to run one of these services for
 7243:         legacy reasons, care should be taken to restrict the service as much as possible, for
 7244:         instance by configuring host firewall software (see Section 2.5.5) to restrict access to the
 7245:         vulnerable service to only those remote hosts which have a known need to use it.</description>
 7246:       <Group id="group-3.2.1" hidden="false">
 7247:         <title xml:lang="en">Inetd and Xinetd</title>
 7248:         <description xml:lang="en">
 7249:           Is there an operational need to run the deprecated inetd or
 7250:           xinetd software packages? If not, ensure that they are removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7251:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7252:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase inetd xinetd <xhtml:br/></xhtml:code>
 7253:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7254:           Beginning with Red Hat Enterprise Linux 5, the xinetd service is no
 7255:           longer installed by default. This change represents increased awareness that the dedicated
 7256:           network listener model does not improve security or reliability of services, and that
 7257:           restriction of network listeners is better handled using a granular model such as SELinux
 7258:           than using xinetd's limited security options.</description>
 7259:         <Rule id="rule-3.2.1.a" selected="false" weight="10.000000" severity="medium">
 7260:           <title xml:lang="en">Disable Inetd</title>
 7261:           <description xml:lang="en">The inetd service should be disabled.</description>
 7262:           <ident system="http://cce.mitre.org">CCE-4234-1</ident>
 7263:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7264:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7265:             <check-content-ref name="oval:org.fedoraproject.f14:def:20170" href="scap-fedora14-oval.xml"/>
 7266:           </check>
 7267:         </Rule>
 7268:         <Rule id="rule-3.2.1.b" selected="false" weight="10.000000" severity="medium">
 7269:           <title xml:lang="en">Disable Xinetd</title>
 7270:           <description xml:lang="en">The xinetd service should be disabled.</description>
 7271:           <ident system="http://cce.mitre.org">CCE-4252-3</ident>
 7272:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7273:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7274:             <check-content-ref name="oval:org.fedoraproject.f14:def:20171" href="scap-fedora14-oval.xml"/>
 7275:           </check>
 7276:         </Rule>
 7277:         <Rule id="rule-3.2.1.c" selected="false" weight="10.000000">
 7278:           <title xml:lang="en">Uninstall Inetd</title>
 7279:           <description xml:lang="en">The inetd package should be uninstalled.</description>
 7280:           <ident system="http://cce.mitre.org">CCE-4023-8</ident>
 7281:           <fixtext xml:lang="en">(1) via yum</fixtext>
 7282:           <fix># yum erase inetd</fix>
 7283:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7284:             <check-content-ref name="oval:org.fedoraproject.f14:def:20172" href="scap-fedora14-oval.xml"/>
 7285:           </check>
 7286:         </Rule>
 7287:         <Rule id="rule-3.2.1.d" selected="false" weight="10.000000">
 7288:           <title xml:lang="en">Uninstall Xinetd</title>
 7289:           <description xml:lang="en">The xinetd package should be uninstalled.</description>
 7290:           <ident system="http://cce.mitre.org">CCE-4164-0</ident>
 7291:           <fixtext xml:lang="en">(1) via yum</fixtext>
 7292:           <fix># yum erase xinetd</fix>
 7293:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7294:             <check-content-ref name="oval:org.fedoraproject.f14:def:20173" href="scap-fedora14-oval.xml"/>
 7295:           </check>
 7296:         </Rule>
 7297:       </Group>
 7298:       <Group id="group-3.2.2" hidden="false">
 7299:         <title xml:lang="en">Telnet</title>
 7300:         <description xml:lang="en">
 7301:           Is there a mission-critical reason for users to access the system
 7302:           via the insecure telnet protocol, rather than the more secure SSH protocol? If not, ensure
 7303:           that the telnet server is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7304:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7305:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase telnet-server <xhtml:br/></xhtml:code>
 7306:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7307:           The telnet
 7308:           protocol uses unencrypted network communication, which means that data from the login
 7309:           session, including passwords and all other information transmitted during the session, can
 7310:           be stolen by eavesdroppers on the network, and also that outsiders can easily hijack the
 7311:           session to gain authenticated access to the telnet server. Organizations which use telnet
 7312:           should be actively working to migrate to a more secure protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7313:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7314:           See Section 3.5 for information about the SSH service.</description>
 7315:         <Group id="group-3.2.2.1" hidden="false">
 7316:           <title xml:lang="en">Remove Telnet Clients</title>
 7317:           <description xml:lang="en">
 7318:             In order to prevent users from casually attempting to use a telnet server, and thus exposing their credentials
 7319:             over the network, remove the telnet package, which contains a telnet client program:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7320:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7321:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase telnet<xhtml:br/></xhtml:code>
 7322:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7323:             If Kerberos is not used, remove the krb5-workstation package, which also includes a telnet client:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7324:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7325:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase krb5-workstation<xhtml:br/></xhtml:code>
 7326:           </description>
 7327:           <Rule id="rule-3.2.2.1.a" selected="false" weight="10.000000" severity="high">
 7328:             <title xml:lang="en">Remove the telnet client command from the System</title>
 7329:             <description xml:lang="en">The telnet package should be uninstalled.</description>
 7330:             <fixtext xml:lang="en">(1) via yum</fixtext>
 7331:             <fix># yum erase telnet</fix>
 7332:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7333:               <check-content-ref name="oval:org.fedoraproject.f14:def:20175" href="scap-fedora14-oval.xml"/>
 7334:             </check>
 7335:           </Rule>
 7336:           <Rule id="rule-3.2.2.1.b" selected="false" weight="10.000000">
 7337:             <title xml:lang="en">Remove the kerberos telnet client from the System</title>
 7338:             <description xml:lang="en">The krb5-workstation package should be uninstalled.</description>
 7339:             <fixtext xml:lang="en">(1) via yum</fixtext>
 7340:             <fix># yum erase krb5-workstation</fix>
 7341:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7342:               <check-content-ref name="oval:org.fedoraproject.f14:def:20176" href="scap-fedora14-oval.xml"/>
 7343:             </check>
 7344:           </Rule>
 7345:         </Group>
 7346:         <Rule id="rule-3.2.2.a" selected="false" weight="10.000000" severity="high">
 7347:           <title xml:lang="en">Uninstall Telnet server</title>
 7348:           <description xml:lang="en">The telnet-server package should be uninstalled.</description>
 7349:           <ident system="http://cce.mitre.org">CCE-4330-7</ident>
 7350:           <fixtext xml:lang="en">(1) via yum</fixtext>
 7351:           <fix># yum erase telnet-server</fix>
 7352:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7353:             <check-content-ref name="oval:org.fedoraproject.f14:def:20174" href="scap-fedora14-oval.xml"/>
 7354:           </check>
 7355:         </Rule>
 7356:         <Rule id="rule-3.2.2.b" selected="false" weight="10.000000" severity="high">
 7357:           <title xml:lang="en">Disable telnet service</title>
 7358:           <description xml:lang="en">The telnet service should be disabled.</description>
 7359:           <ident system="http://cce.mitre.org">CCE-3390-2</ident>
 7360:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7361:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7362:             <check-content-ref name="oval:org.fedoraproject.f14:def:201745" href="scap-fedora14-oval.xml"/>
 7363:           </check>
 7364:         </Rule>
 7365:       </Group>
 7366:       <Group id="group-3.2.3" hidden="false">
 7367:         <title xml:lang="en">Rlogin, Rsh, and Rcp</title>
 7368:         <description xml:lang="en">The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.</description>
 7369:         <Group id="group-3.2.3.1" hidden="false">
 7370:           <title xml:lang="en">Remove the Rsh Server Commands from the System</title>
 7371:           <description xml:lang="en">
 7372:             Is there a mission-critical reason for users to access the
 7373:             system via the insecure rlogin, rsh, or rcp commands rather than the more secure ssh and
 7374:             scp? If not, ensure that the rsh server is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7375:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7376:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase rsh-server <xhtml:br/></xhtml:code>
 7377:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7378:             SSH was designed to be a drop-in replacement for the r-commands, which suffer
 7379:             from the same hijacking and eavesdropping problems as telnet. There is unlikely to be a
 7380:             case in which these commands cannot be replaced with SSH.</description>
 7381:           <Rule id="rule-3.2.3.1.a" selected="false" weight="10.000000" severity="high">
 7382:             <title xml:lang="en">Remove the Rsh Server Commands from the System</title>
 7383:             <description xml:lang="en">The rsh-server package should be uninstalled.</description>
 7384:             <ident system="http://cce.mitre.org">CCE-4308-3</ident>
 7385:             <fixtext xml:lang="en">(1) via yum</fixtext>
 7386:             <fix># yum erase rsh-server</fix>
 7387:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7388:               <check-content-ref name="oval:org.fedoraproject.f14:def:20177" href="scap-fedora14-oval.xml"/>
 7389:             </check>
 7390:           </Rule>
 7391:           <Rule id="rule-3.2.3.1.b" selected="false" weight="10.000000" severity="high">
 7392:             <title xml:lang="en">Disable Rcp</title>
 7393:             <description xml:lang="en">The rcp service should be disabled.</description>
 7394:             <ident system="http://cce.mitre.org">CCE-3974-3</ident>
 7395:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7396:             <fix># chkconfig rcp off</fix>
 7397:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7398:               <check-content-ref name="oval:org.fedoraproject.f14:def:201774" href="scap-fedora14-oval.xml"/>
 7399:             </check>
 7400:           </Rule>
 7401:           <Rule id="rule-3.2.3.1.c" selected="false" weight="10.000000" severity="high">
 7402:             <title xml:lang="en">Disable Rsh</title>
 7403:             <description xml:lang="en">The rsh service should be disabled.</description>
 7404:             <ident system="http://cce.mitre.org">CCE-4141-8</ident>
 7405:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7406:             <fix># chkconfig rsh off</fix>
 7407:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7408:               <check-content-ref name="oval:org.fedoraproject.f14:def:201775" href="scap-fedora14-oval.xml"/>
 7409:             </check>
 7410:           </Rule>
 7411:           <Rule id="rule-3.2.3.1.d" selected="false" weight="10.000000" severity="high">
 7412:             <title xml:lang="en">Disable Rlogin</title>
 7413:             <description xml:lang="en">The rlogin service should be disabled.</description>
 7414:             <ident system="http://cce.mitre.org">CCE-3537-8</ident>
 7415:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7416:             <fix># chkconfig rlogin off</fix>
 7417:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7418:               <check-content-ref name="oval:org.fedoraproject.f14:def:201776" href="scap-fedora14-oval.xml"/>
 7419:             </check>
 7420:           </Rule>
 7421:         </Group>
 7422:         <Group id="group-3.2.3.2" hidden="false">
 7423:           <title xml:lang="en">Remove .rhosts Support from PAM Configuration Files</title>
 7424:           <description xml:lang="en">
 7425:             Check that pam_rhosts authentication is not used by any PAM
 7426:             services. Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7427:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7428:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># grep -l pam_rhosts /etc/pam.d/* <xhtml:br/></xhtml:code>
 7429:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7430:             This command should return no output. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7431:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7432:             The RHEL5 default is not to rely on .rhosts or /etc/hosts.equiv for any
 7433:             PAM-based services, so, on an uncustomized system, this command should return no output.
 7434:             If any files do use pam_rhosts, modify them to make use of a more secure authentication
 7435:             method instead. For more information about PAM, see Section 2.3.3.</description>
 7436:           <Rule id="rule-3.2.3.2.a" selected="false" weight="10.000000" severity="medium">
 7437:             <title xml:lang="en">Remove .rhosts Support from PAM Configuration Files</title>
 7438:             <description xml:lang="en">Check that pam_rhosts authentication is not used by any PAM services.</description>
 7439:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7440:               <check-content-ref name="oval:org.fedoraproject.f14:def:20178" href="scap-fedora14-oval.xml"/>
 7441:             </check>
 7442:           </Rule>
 7443:         </Group>
 7444:         <Group id="group-3.2.3.3" hidden="false">
 7445:           <title xml:lang="en">Remove the Rsh Client Commands from the System</title>
 7446:           <description xml:lang="en">
 7447:           In order to prevent users from casually attempting to make use of an rsh server, and thus exposing their
 7448:           credentials over the network, remove the rsh package, which contains client programs for many of the r-commands
 7449:           described above:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7450:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7451:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase rsh<xhtml:br/></xhtml:code>
 7452:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7453:           Users should be trained to use the SSH client, and never attempt to connect to an rsh or telnet server. The
 7454:           krb5-workstation package also contains r-command client programs and should be removed as described in
 7455:           Section 3.2.2.1, if Kerberos is not in use.
 7456:         </description>
 7457:           <Rule id="rule-3.2.3.3.a" selected="false" weight="10.000000" severity="high">
 7458:             <title xml:lang="en">Remove the Rsh Client Commands from the System</title>
 7459:             <description xml:lang="en">The rsh package, which contains client programs for many of the r-commands, should be uninstalled.</description>
 7460:             <fixtext xml:lang="en">(1) via yum</fixtext>
 7461:             <fix># yum erase rsh</fix>
 7462:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7463:               <check-content-ref name="oval:org.fedoraproject.f14:def:20179" href="scap-fedora14-oval.xml"/>
 7464:             </check>
 7465:           </Rule>
 7466:         </Group>
 7467:       </Group>
 7468:       <Group id="group-3.2.4" hidden="false">
 7469:         <title xml:lang="en">NIS</title>
 7470:         <description xml:lang="en">
 7471:           The NIS client service ypbind is not activated by default. In the
 7472:           event that it was activated at some point, disable it by executing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7473:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7474:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig ypbind off <xhtml:br/></xhtml:code>
 7475:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7476:           The NIS server package is not installed by default. In the event that
 7477:           it was installed at some point, remove it from the system by executing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7478:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7479:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase ypserv <xhtml:br/></xhtml:code>
 7480:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7481:           The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and
 7482:           its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized
 7483:           authentication services. NIS should not be used because it suffers from security problems
 7484:           inherent in its design, such as inadequate protection of important authentication
 7485:           information.</description>
 7486:         <Rule id="rule-3.2.4.a" selected="false" weight="10.000000" severity="medium">
 7487:           <title xml:lang="en">Uninstall NIS</title>
 7488:           <description xml:lang="en">The ypserv package should be uninstalled.</description>
 7489:           <ident system="http://cce.mitre.org">CCE-4348-9</ident>
 7490:           <fixtext xml:lang="en">(1) via yum</fixtext>
 7491:           <fix># yum erase ypserv</fix>
 7492:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7493:             <check-content-ref name="oval:org.fedoraproject.f14:def:20180" href="scap-fedora14-oval.xml"/>
 7494:           </check>
 7495:         </Rule>
 7496:         <Rule id="rule-3.2.4.b" selected="false" weight="10.000000" severity="medium">
 7497:           <title xml:lang="en">Disable NIS</title>
 7498:           <description xml:lang="en">The ypbind service should be disabled.</description>
 7499:           <ident system="http://cce.mitre.org">CCE-3705-1</ident>
 7500:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7501:           <fix># chkconfig ypbind off</fix>
 7502:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7503:             <check-content-ref name="oval:org.fedoraproject.f14:def:20181" href="scap-fedora14-oval.xml"/>
 7504:           </check>
 7505:         </Rule>
 7506:       </Group>
 7507:       <Group id="group-3.2.5" hidden="false">
 7508:         <title xml:lang="en">TFTP Server</title>
 7509:         <description xml:lang="en">
 7510:           Is there an operational need to run the deprecated TFTP server
 7511:           software? If not, ensure that it is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7512:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7513:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase tftp-server <xhtml:br/></xhtml:code>
 7514:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7515:           TFTP is a lightweight version of the FTP protocol which has traditionally been used to
 7516:           configure networking equipment. However, TFTP provides little security, and modern
 7517:           versions of networking operating systems frequently support configuration via SSH or
 7518:           other more secure protocols. A TFTP server should be run only if no more secure method of
 7519:           supporting existing equipment can be found.</description>
 7520:         <Rule id="rule-3.2.5.a" selected="false" weight="10.000000">
 7521:           <title xml:lang="en">Uninstall TFTP Server</title>
 7522:           <description xml:lang="en">The tftp-server package should be uninstalled.</description>
 7523:           <ident system="http://cce.mitre.org">CCE-3916-4</ident>
 7524:           <fixtext xml:lang="en">(1) via yum</fixtext>
 7525:           <fix># yum erase tftp-server</fix>
 7526:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7527:             <check-content-ref name="oval:org.fedoraproject.f14:def:20182" href="scap-fedora14-oval.xml"/>
 7528:           </check>
 7529:         </Rule>
 7530:         <Rule id="rule-3.2.5.b" selected="false" weight="10.000000" severity="low">
 7531:           <title xml:lang="en">Disable TFTP Server</title>
 7532:           <description xml:lang="en">The tftp service should be disabled.</description>
 7533:           <ident system="http://cce.mitre.org">CCE-4273-9</ident>
 7534:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7535:           <fix># chkconfig tftp off</fix>
 7536:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7537:             <check-content-ref name="oval:org.fedoraproject.f14:def:201825" href="scap-fedora14-oval.xml"/>
 7538:           </check>
 7539:         </Rule>
 7540:       </Group>
 7541:     </Group>
 7542:     <Group id="group-3.3" hidden="false">
 7543:       <title xml:lang="en">Base Services</title>
 7544:       <description xml:lang="en">
 7545:         This section addresses the base services that are configured to
 7546:         start up on boot in a RHEL5 default installation. Some of these services listen on the
 7547:         network and should be treated with particular discretion. The other services are local
 7548:         system utilities that may or may not be extraneous. Each of these services should be
 7549:         disabled if not required.</description>
 7550:       <Group id="group-3.3.1" hidden="false">
 7551:         <title xml:lang="en">Installation Helper Service (firstboot)</title>
 7552:         <description xml:lang="en">
 7553:           Firstboot is a daemon specific to the Red Hat installation
 7554:           process. It handles 'one-time' configuration following successful installation of the
 7555:           operating system. As such, there is no reason for this service to remain enabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7556:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7557:           Disable firstboot by issuing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7558:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7559:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig firstboot off</xhtml:code></description>
 7560:         <Rule id="rule-3.3.1.a" selected="false" weight="10.000000" severity="low">
 7561:           <title xml:lang="en">Installation Helper Service (firstboot)</title>
 7562:           <description xml:lang="en">The firstboot service should be disabled.</description>
 7563:           <ident system="http://cce.mitre.org">CCE-3412-4</ident>
 7564:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7565:           <fix># chkconfig firstboot off</fix>
 7566:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7567:             <check-content-ref name="oval:org.fedoraproject.f14:def:20183" href="scap-fedora14-oval.xml"/>
 7568:           </check>
 7569:         </Rule>
 7570:       </Group>
 7571:       <Group id="group-3.3.2" hidden="false">
 7572:         <title xml:lang="en">Console Mouse Service (gpm)</title>
 7573:         <description xml:lang="en">
 7574:           GPM is the service that controls the text console mouse pointer.
 7575:           (The X Windows mouse pointer is unaffected by this service.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7576:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7577:           If mouse functionality in the console is not required, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7578:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7579:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig gpm off <xhtml:br/></xhtml:code>
 7580:           Although it is
 7581:           preferable to run as few services as possible, the console mouse pointer can be useful for
 7582:           preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.</description>
 7583:         <Rule id="rule-3.3.2.a" selected="false" weight="10.000000" severity="low">
 7584:           <title xml:lang="en">Console Mouse Service (gpm)</title>
 7585:           <description xml:lang="en">The gpm service should be disabled.</description>
 7586:           <ident system="http://cce.mitre.org">CCE-4229-1</ident>
 7587:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7588:           <fix># chkconfig gpm off</fix>
 7589:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7590:             <check-content-ref name="oval:org.fedoraproject.f14:def:20184" href="scap-fedora14-oval.xml"/>
 7591:           </check>
 7592:         </Rule>
 7593:       </Group>
 7594:       <Group id="group-3.3.3" hidden="false">
 7595:         <title xml:lang="en">Interrupt Distribution on Multiprocessor Systems (irqbalance)</title>
 7596:         <description xml:lang="en">
 7597:           The goal of the irqbalance service is to optimize the balance
 7598:           between power savings and performance through distribution of hardware interrupts across
 7599:           multiple processors. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7600:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7601:           In a server environment with multiple processors, this provides a
 7602:           useful service and should be left enabled. If a machine has only one processor, the
 7603:           service may be disabled: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7604:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7605:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig irqbalance off</xhtml:code></description>
 7606:         <Rule id="rule-3.3.3.a" selected="false" weight="10.000000" severity="low">
 7607:           <title xml:lang="en">Interrupt Distribution on Multiprocessor Systems (irqbalance)</title>
 7608:           <description xml:lang="en">The irqbalance service should be disabled on single-processor systems; on multiprocessor systems it should be left enabled.</description>
 7609:           <ident system="http://cce.mitre.org">CCE-4123-6</ident>
 7610:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7611:           <fix># chkconfig irqbalance off</fix>
 7612:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7613:             <check-content-ref name="oval:org.fedoraproject.f14:def:20185" href="scap-fedora14-oval.xml"/>
 7614:           </check>
 7615:         </Rule>
 7616:       </Group>
 7617:       <Group id="group-3.3.4" hidden="false">
 7618:         <title xml:lang="en">ISDN Support (isdn)</title>
 7619:         <description xml:lang="en">
 7620:           The ISDN service facilitates Internet connectivity in the
 7621:           presence of an ISDN modem. If an ISDN modem is not being used, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7622:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7623:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig isdn off</xhtml:code></description>
 7624:         <Rule id="rule-3.3.4.a" selected="false" weight="10.000000" severity="low">
 7625:           <title xml:lang="en">ISDN Support (isdn)</title>
 7626:           <description xml:lang="en">The isdn service should be disabled.</description>
 7627:           <ident system="http://cce.mitre.org">CCE-4286-1</ident>
 7628:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7629:           <fix># chkconfig isdn off</fix>
 7630:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7631:             <check-content-ref name="oval:org.fedoraproject.f14:def:20186" href="scap-fedora14-oval.xml"/>
 7632:           </check>
 7633:         </Rule>
 7634:       </Group>
 7635:       <Group id="group-3.3.5" hidden="false">
 7636:         <title xml:lang="en">Kdump Kernel Crash Analyzer (kdump)</title>
 7637:         <description xml:lang="en">
 7638:           Kdump is a kernel crash dump capture mechanism. It uses kexec to boot
 7639:           a secondary kernel ('capture' kernel) following a system crash. The capture kernel saves the memory image of
 7640:           the crashed kernel (the dump) for later analysis. Note that a crash dump contains the contents of kernel memory, which may include sensitive data such as passwords or cryptographic keys; if kdump is required, restrict access to the dump location. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7641:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7642:           Unless the system is used for kernel development or testing, disable the service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7643:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7644:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig kdump off</xhtml:code></description>
 7645:         <Rule id="rule-3.3.5.a" selected="false" weight="10.000000" severity="low">
 7646:           <title xml:lang="en">Kdump Kernel Crash Analyzer (kdump)</title>
 7647:           <description xml:lang="en">The kdump service should be disabled.</description>
 7648:           <ident system="http://cce.mitre.org">CCE-3425-6</ident>
 7649:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7650:           <fix># chkconfig kdump off</fix>
 7651:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7652:             <check-content-ref name="oval:org.fedoraproject.f14:def:20187" href="scap-fedora14-oval.xml"/>
 7653:           </check>
 7654:         </Rule>
 7655:       </Group>
 7656:       <Group id="group-3.3.6" hidden="false">
 7657:         <title xml:lang="en">Kudzu Hardware Probing Utility (kudzu)</title>
 7658:         <description xml:lang="en">
 7659:           Is there a mission-critical reason for console users to add new
 7660:           hardware to the system? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7661:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7662:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig kudzu off <xhtml:br/></xhtml:code>
 7663:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7664:           Kudzu, Red Hat's hardware detection
 7665:           program, represents an unnecessary security risk as it allows unprivileged users to
 7666:           perform hardware configuration without authorization. Unless this specific functionality
 7667:           is required, Kudzu should be disabled.</description>
 7668:         <Rule id="rule-3.3.6.a" selected="false" weight="10.000000" severity="low">
 7669:           <title xml:lang="en">Kudzu Hardware Probing Utility (kudzu)</title>
 7670:           <description xml:lang="en">The kudzu service should be disabled.</description>
 7671:           <ident system="http://cce.mitre.org">CCE-4211-9</ident>
 7672:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7673:           <fix># chkconfig kudzu off</fix>
 7674:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7675:             <check-content-ref name="oval:org.fedoraproject.f14:def:20188" href="scap-fedora14-oval.xml"/>
 7676:           </check>
 7677:         </Rule>
 7678:       </Group>
 7679:       <Group id="group-3.3.7" hidden="false">
 7680:         <title xml:lang="en">Software RAID Monitor (mdmonitor)</title>
 7681:         <description xml:lang="en">
 7682:           The mdmonitor service is used for monitoring a software RAID
 7683:           (hardware RAID setups do not use this service). This service is extraneous unless software
 7684:           RAID is in use (which is not common). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7685:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7686:           If software RAID monitoring is not required, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7687:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7688:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mdmonitor off</xhtml:code></description>
 7689:         <Rule id="rule-3.3.7.a" selected="false" weight="10.000000" severity="low">
 7690:           <title xml:lang="en">Software RAID Monitor (mdmonitor)</title>
 7691:           <description xml:lang="en">The mdmonitor service should be disabled.</description>
 7692:           <ident system="http://cce.mitre.org">CCE-3854-7</ident>
 7693:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7694:           <fix># chkconfig mdmonitor off</fix>
 7695:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7696:             <check-content-ref name="oval:org.fedoraproject.f14:def:20189" href="scap-fedora14-oval.xml"/>
 7697:           </check>
 7698:         </Rule>
 7699:       </Group>
 7700:       <Group id="group-3.3.8" hidden="false">
 7701:         <title xml:lang="en">IA32 Microcode Utility (microcode_ctl)</title>
 7702:         <description xml:lang="en">
 7703:           microcode_ctl is a microcode update utility for use with Intel IA32
 7704:           processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc). On Intel systems it should be left enabled, since microcode updates carry fixes for processor errata. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7705:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7706:           If the system is not running an Intel IA32 processor, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7707:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7708:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig microcode_ctl off</xhtml:code></description>
 7709:         <Rule id="rule-3.3.8.a" selected="false" weight="10.000000" severity="low">
 7710:           <title xml:lang="en">IA32 Microcode Utility (microcode_ctl)</title>
 7711:           <description xml:lang="en">The microcode_ctl service should be disabled.</description>
 7712:           <ident system="http://cce.mitre.org">CCE-4356-2</ident>
 7713:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7714:           <fix># chkconfig microcode_ctl off</fix>
 7715:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7716:             <check-content-ref name="oval:org.fedoraproject.f14:def:20190" href="scap-fedora14-oval.xml"/>
 7717:           </check>
 7718:         </Rule>
 7719:       </Group>
 7720:       <Group id="group-3.3.9" hidden="false">
 7721:         <title xml:lang="en">Network Service (network)</title>
 7722:         <description xml:lang="en">
 7723:           The network service allows associated network interfaces to
 7724:           access the network. This section contains general guidance for controlling the operation
 7725:           of the service. For kernel parameters which affect networking, see the section of this guide on network-related kernel parameters.</description>
 7726:         <Group id="group-3.3.9.1" hidden="false">
 7727:           <title xml:lang="en">Disable All Networking if Not Needed</title>
 7728:           <description xml:lang="en">
 7729:             If the system is a standalone machine with no need for network
 7730:             access or even communication over the loopback device, then disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7731:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7732:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig network off</xhtml:code></description>
 7733:           <Rule id="rule-3.3.9.1.a" selected="false" weight="10.000000" severity="low">
 7734:             <title xml:lang="en">Disable All Networking if Not Needed</title>
 7735:             <description xml:lang="en">The network service should be disabled.</description>
 7736:             <ident system="http://cce.mitre.org">CCE-4369-5</ident>
 7737:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7738:             <fix># chkconfig network off</fix>
 7739:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7740:               <check-content-ref name="oval:org.fedoraproject.f14:def:20191" href="scap-fedora14-oval.xml"/>
 7741:             </check>
 7742:           </Rule>
 7743:         </Group>
 7744:         <Group id="group-3.3.9.2" hidden="false">
 7745:           <title xml:lang="en">Disable All External Network Interfaces if Not Needed</title>
 7746:           <description xml:lang="en">
 7747:             If the system does not require network communications but still
 7748:             needs to use the loopback interface, remove all files of the form ifcfg-&lt;interface&gt; (for example, ifcfg-eth0) except
 7749:             for ifcfg-lo from /etc/sysconfig/network-scripts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7750:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7751:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-&lt;interface&gt;</xhtml:code></description>
 7752:           <Rule id="rule-3.3.9.2.a" selected="false" weight="10.000000" severity="medium">
 7753:             <title xml:lang="en">Disable All External Network Interfaces if Not Needed</title>
 7754:             <description xml:lang="en">All files of the form ifcfg-&lt;interface&gt; (for example, ifcfg-eth0), except for ifcfg-lo, should be removed from /etc/sysconfig/network-scripts.</description>
 7755:             <fixtext xml:lang="en">via /etc/sysconfig/network-scripts</fixtext>
 7756:             <fix># rm /etc/sysconfig/network-scripts/ifcfg-&lt;interface&gt;</fix>
 7757:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7758:               <check-content-ref name="oval:org.fedoraproject.f14:def:20192" href="scap-fedora14-oval.xml"/>
 7759:             </check>
 7760:           </Rule>
 7761:         </Group>
 7762:         <Group id="group-3.3.9.3" hidden="false">
 7763:           <title xml:lang="en">Disable Zeroconf Networking</title>
 7764:           <description xml:lang="en">
 7765:             Zeroconf networking allows the system to assign itself an IP
 7766:             address and engage in IP communication without a statically-assigned address or even a
 7767:             DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7768:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7769:             To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct
 7770:             the following line in /etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7771:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7772:             NOZEROCONF=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7773:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7774:             Zeroconf addresses are in
 7775:             the network 169.254.0.0. The networking scripts add entries to the system's routing
 7776:             table for these addresses. Zeroconf address assignment commonly occurs when the system
 7777:             is configured to use DHCP but fails to receive an address assignment from the DHCP
 7778:             server.</description>
 7779:           <Rule id="rule-3.3.9.3.a" selected="false" weight="10.000000" severity="medium">
 7780:             <title xml:lang="en">Disable Zeroconf Networking</title>
 7781:             <description xml:lang="en">Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet by setting NOZEROCONF=yes in /etc/sysconfig/network.</description>
 7782:             <!-- NOTE(review): CCE-4369-5 is also assigned to rule-3.3.9.1.a above; a CCE identifier should map to a single rule, so one of the two is likely wrong - verify against the CCE list. --><ident system="http://cce.mitre.org">CCE-4369-5</ident>
 7783:             <fixtext xml:lang="en">(1) via /etc/sysconfig/network: add or correct the line NOZEROCONF=yes</fixtext>
 7784:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7785:               <check-content-ref name="oval:org.fedoraproject.f14:def:20193" href="scap-fedora14-oval.xml"/>
 7786:             </check>
 7787:           </Rule>
 7788:         </Group>
 7789:       </Group>
 7790:       <Group id="group-3.3.10" hidden="false">
 7791:         <title xml:lang="en">Smart Card Support (pcscd)</title>
 7792:         <description xml:lang="en">
 7793:           The pcscd service provides support for Smart Cards and Smart Card
 7794:           Readers. If Smart Cards are not in use on the system, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7795:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7796:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig pcscd off</xhtml:code></description>
 7797:         <Rule id="rule-3.3.10.a" selected="false" weight="10.000000" severity="low">
 7798:           <title xml:lang="en">Smart Card Support (pcscd)</title>
 7799:           <description xml:lang="en">The pcscd service should be disabled.</description>
 7800:           <ident system="http://cce.mitre.org">CCE-4100-4</ident>
 7801:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7802:           <fix># chkconfig pcscd off</fix>
 7803:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7804:             <check-content-ref name="oval:org.fedoraproject.f14:def:20194" href="scap-fedora14-oval.xml"/>
 7805:           </check>
 7806:         </Rule>
 7807:       </Group>
 7808:       <Group id="group-3.3.11" hidden="false">
 7809:         <title xml:lang="en">SMART Disk Monitoring Support (smartd)</title>
 7810:         <description xml:lang="en">
 7811:           SMART (Self-Monitoring, Analysis, and Reporting Technology) is a
 7812:           feature of hard drives that allows them to detect symptoms of disk failure and relay an
 7813:           appropriate warning. This technology is considered to bring relatively low security risk,
 7814:           and can be useful. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7815:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7816:           Leave this service running if the system's hard drives are
 7817:           SMART-capable. Otherwise, disable it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7818:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7819:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig smartd off</xhtml:code></description>
 7820:         <Rule id="rule-3.3.11.a" selected="false" weight="10.000000" severity="low">
 7821:           <title xml:lang="en">SMART Disk Monitoring Support (smartd)</title>
 7822:           <description xml:lang="en">The smartd service should be disabled if the system's hard drives are not SMART-capable.</description>
 7823:           <ident system="http://cce.mitre.org">CCE-3455-3</ident>
 7824:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7825:           <fix># chkconfig smartd off</fix>
 7826:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7827:             <check-content-ref name="oval:org.fedoraproject.f14:def:20195" href="scap-fedora14-oval.xml"/>
 7828:           </check>
 7829:         </Rule>
 7830:       </Group>
 7831:       <Group id="group-3.3.12" hidden="false">
 7832:         <title xml:lang="en">Boot Caching (readahead_early/readahead_later)</title>
 7833:         <description xml:lang="en">
 7834:           The following services provide one-time caching of files
 7835:           belonging to some boot services, with the goal of allowing the system to boot faster. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7836:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7837:           It is recommended that this service be disabled on most machines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7838:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7839:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig readahead_early off <xhtml:br/>
 7840:           # chkconfig readahead_later off <xhtml:br/></xhtml:code>
 7841:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7842:           The readahead services do not substantially increase a
 7843:           system's risk exposure, but they also do not provide great benefit. Unless the system is
 7844:           running a specialized application for which the file caching substantially improves system
 7845:           boot time, this guide recommends disabling the services.</description>
 7846:         <Rule id="rule-3.3.12.a" selected="false" weight="10.000000" severity="low">
 7847:           <title xml:lang="en">Boot Caching (readahead_early/readahead_later)</title>
 7848:           <description xml:lang="en">The readahead_early service should be disabled.</description>
 7849:           <ident system="http://cce.mitre.org">CCE-4421-4</ident>
 7850:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7851:           <fix># chkconfig readahead_early off</fix>
 7852:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7853:             <check-content-ref name="oval:org.fedoraproject.f14:def:20196" href="scap-fedora14-oval.xml"/>
 7854:           </check>
 7855:         </Rule>
 7856:         <Rule id="rule-3.3.12.b" selected="false" weight="10.000000" severity="low">
 7857:           <title xml:lang="en">Boot Caching (readahead_early/readahead_later)</title>
 7858:           <description xml:lang="en">The readahead_later service should be disabled.</description>
 7859:           <ident system="http://cce.mitre.org">CCE-4302-6</ident>
 7860:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7861:           <fix># chkconfig readahead_later off</fix>
 7862:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7863:             <check-content-ref name="oval:org.fedoraproject.f14:def:20197" href="scap-fedora14-oval.xml"/>
 7864:           </check>
 7865:         </Rule>
 7866:       </Group>
 7867:       <Group id="group-3.3.13" hidden="false">
 7868:         <title xml:lang="en">Application Support Services</title>
 7869:         <description xml:lang="en">
 7870:           The following services are software projects of freedesktop.org
 7871:           that are meant to provide system integration through a series of common APIs for
 7872:           applications. They are heavily integrated into the X Windows environment. If the system is
 7873:           not using X Windows, these services can typically be disabled.</description>
 7874:         <Group id="group-3.3.13.1" hidden="false">
 7875:           <title xml:lang="en">D-Bus IPC Service (messagebus)</title>
 7876:           <description xml:lang="en">
 7877:             D-Bus is an IPC mechanism that provides a common channel for
 7878:             inter-process communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7879:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7880:             If no services which require D-Bus are in use, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7881:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7882:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig messagebus off <xhtml:br/></xhtml:code>
 7883:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7884:             A number of default services make use of D-Bus,
 7885:             including X Windows (Section 3.6), Bluetooth (Section 3.3.14) and Avahi (Section 3.7).
 7886:             This guide recommends that D-Bus, and all services that depend on it, be disabled unless there is a
 7887:             mission-critical need for them. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7888:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7889:             Stricter configuration of D-Bus is possible and
 7890:             documented in the man page dbus-daemon(1). D-Bus maintains two separate configuration
 7891:             files, located in /etc/dbus-1/, one for system-specific configuration and the other for
 7892:             session-specific configuration.</description>
 7893:           <Rule id="rule-3.3.13.1.a" selected="false" weight="10.000000" severity="low">
 7894:             <title xml:lang="en">D-Bus IPC Service (messagebus)</title>
 7895:             <description xml:lang="en">The messagebus service should be disabled.</description>
 7896:             <ident system="http://cce.mitre.org">CCE-3822-4</ident>
 7897:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7898:             <fix># chkconfig messagebus off</fix>
 7899:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7900:               <check-content-ref name="oval:org.fedoraproject.f14:def:20198" href="scap-fedora14-oval.xml"/>
 7901:             </check>
 7902:           </Rule>
 7903:         </Group>
 7904:         <Group id="group-3.3.13.2" hidden="false">
 7905:           <title xml:lang="en">HAL Daemon (haldaemon)</title>
 7906:           <description xml:lang="en">
 7907:             The haldaemon service provides a dynamic way of managing device
 7908:             interfaces. It automates device configuration and provides an API for making devices
 7909:             accessible to applications through the D-Bus interface.</description>
 7910:           <Rule id="rule-3.3.13.2.a" selected="false" weight="10.000000" severity="low">
 7911:             <title xml:lang="en">HAL Daemon (haldaemon)</title>
 7912:             <description xml:lang="en">The haldaemon service should be disabled.</description>
 7913:             <ident system="http://cce.mitre.org">CCE-4364-6</ident>
 7914:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7915:             <fix># chkconfig haldaemon off</fix>
 7916:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 7917:               <check-content-ref name="oval:org.fedoraproject.f14:def:20199" href="scap-fedora14-oval.xml"/>
 7918:             </check>
 7919:           </Rule>
 7920:           <Group id="group-3.3.13.2.1" hidden="false">
 7921:             <title xml:lang="en">Disable HAL Daemon if Possible</title>
 7922:             <description xml:lang="en">
 7923:               HAL exposes additional attack surface, since it acts as an intermediary through which
 7924:               unprivileged users can request privileged operations (such as mounting devices); it should be disabled unless necessary: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7925:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7926:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig haldaemon off</xhtml:code></description>
 7927:           </Group>
 7928:           <Group id="group-3.3.13.2.2" hidden="false">
 7929:             <title xml:lang="en">Configure HAL Daemon if Necessary</title>
 7930:             <description xml:lang="en">
 7931:               HAL provides a limited user the ability to mount system
 7932:               devices. This is primarily used by X utilities such as gnome-volume-manager to perform
 7933:               automounting of removable media.
 7934:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7935:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7936:               HAL configuration is currently
 7937:               only possible through a series of fdi files located in
 7938:               /usr/share/hal/fdi/
 7939:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7940:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7941:               Note: The HAL future road map includes a
 7942:               mandatory framework for managing administrative privileges called
 7943:               PolicyKit.
 7944:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7945:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7946:               To prevent users from accessing devices through HAL,
 7947:               create the
 7948:               file
 7949:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7950:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7951:               /etc/hal/fdi/policy/99-policy-all-drives.fdi
 7952:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7953:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7954:               with the contents: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7955:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7956:               &lt;?xml version="1.0"
 7957:               encoding="UTF-8"?&gt;&lt;deviceinfo
 7958:               version="0.2"&gt;&lt;device&gt;&lt;match key="info.capabilities"
 7959:               contains="volume"&gt;&lt;merge key="volume.ignore"
 7960:               type="bool"&gt;true&lt;/merge&gt;&lt;/match&gt;&lt;/device&gt;&lt;/deviceinfo&gt;
 7961:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7962:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7963:               The
 7964:               above code matches any device labeled with the volume capability (any device capable
 7965:               of being mounted will be labeled this way) and sets the corresponding volume.ignore
 7966:               key to true, indicating that the volume should be ignored. This both makes the volume
 7967:               invisible to the UI, and denies mount attempts by unprivileged users.
 7968:             </description>
 7969:           </Group>
 7970:         </Group>
 7971:       </Group>
 7972:       <Group id="group-3.3.14" hidden="false">
 7973:         <title xml:lang="en">Bluetooth Support</title>
 7974:         <description xml:lang="en">
 7975:           Bluetooth provides a way to transfer information between devices
 7976:           such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles
 7977:           over a short-range wireless link. Any wireless communication presents a serious security
 7978:           risk to sensitive or classified systems. Section 2.5.2 contains information on the related
 7979:           topic of wireless networking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7980:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7981:           Removal of hardware is the only way to ensure that the
 7982:           Bluetooth wireless capability remains disabled. If it is completely impractical to remove
 7983:           the Bluetooth hardware module, and site policy still allows the device to enter sensitive
 7984:           spaces, every effort to disable the capability via software should be made. In general,
 7985:           acquisition policy should include provisions to prevent the purchase of equipment that
 7986:           will be used in sensitive spaces and includes Bluetooth capabilities.</description>
 7987:         <Group id="group-3.3.14.1" hidden="false">
 7988:           <title xml:lang="en">Bluetooth Host Controller Interface Daemon (bluetooth)</title>
 7989:           <description xml:lang="en">
 7990:             The bluetooth service enables the system to use Bluetooth
 7991:             devices. If the system requires no Bluetooth devices, disable this service:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 7992:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig bluetooth off</xhtml:code></description>
 7993:           <Rule id="rule-3.3.14.1.a" selected="false" weight="10.000000" severity="medium">
 7994:             <title xml:lang="en">Bluetooth Host Controller Interface Daemon (bluetooth)</title>
 7995:             <description xml:lang="en">The bluetooth service should be disabled.</description>
 7996:             <ident system="http://cce.mitre.org">CCE-4355-4</ident>
 7997:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 7998:             <fix># chkconfig bluetooth off</fix>
 7999:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8000:               <check-content-ref name="oval:org.fedoraproject.f14:def:20200" href="scap-fedora14-oval.xml"/>
 8001:             </check>
 8002:           </Rule>
 8003:         </Group>
 8004:         <Group id="group-3.3.14.2" hidden="false">
 8005:           <title xml:lang="en">Bluetooth Input Devices (hidd)</title>
 8006:           <description xml:lang="en">
 8007:             The hidd service provides support for Bluetooth input devices.
            If the system has no Bluetooth input devices (e.g. keyboard or mouse), disable this
            service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig hidd off</xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            If no hidd init script exists on the system (newer BlueZ releases integrate HID
            support into the bluetooth daemon itself), this check has nothing to act on; in that
            case disabling the bluetooth service (3.3.14.1) also disables Bluetooth input devices.</description>
 8012:           <Rule id="rule-3.3.14.2.a" selected="false" weight="10.000000" severity="low">
 8013:             <title xml:lang="en">Bluetooth Input Devices (hidd)</title>
 8014:             <description xml:lang="en">The hidd service should be disabled.</description>
 8015:             <ident system="http://cce.mitre.org">CCE-4377-8</ident>
 8016:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 8017:             <fix># chkconfig hidd off</fix>
 8018:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8019:               <check-content-ref name="oval:org.fedoraproject.f14:def:20201" href="scap-fedora14-oval.xml"/>
 8020:             </check>
 8021:           </Rule>
 8022:         </Group>
 8023:         <Group id="group-3.3.14.3" hidden="false">
 8024:           <title xml:lang="en">Disable Bluetooth Kernel Modules</title>
 8025:           <description xml:lang="en">
 8026:             The kernel's module loading system can be configured to prevent
 8027:             loading of the Bluetooth module. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8028:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            Add the following to /etc/modprobe.conf (or to a file in /etc/modprobe.d/, the
            preferred location on current Fedora releases) to prevent the
            loading of the Bluetooth module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            alias net-pf-31 off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            The unexpected name, net-pf-31, is
            a result of how the kernel requests modules for network protocol families; it is an
            alias for the bluetooth module. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            This alias only defeats loads requested through the protocol-family lookup. It does not
            stop an explicit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">modprobe bluetooth</xhtml:code>,
            nor does it stop the module being pulled in as a dependency when a Bluetooth adapter
            driver (for example btusb) is loaded for inserted hardware. To block those paths as
            well, add, in addition to the alias line, an install directive that replaces the module
            load with a no-op: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            install bluetooth /bin/true <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            and confirm afterwards with <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lsmod | grep bluetooth</xhtml:code>
            that the module is not loaded.</description>
 8037:           <Rule id="rule-3.3.14.3.a" selected="false" weight="10.000000" severity="medium">
 8038:             <title xml:lang="en">Disable Bluetooth Kernel Modules</title>
 8039:             <description xml:lang="en">Prevent loading of the Bluetooth module.</description>
 8040:             <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
 8041:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8042:               <check-content-ref name="oval:org.fedoraproject.f14:def:202015" href="scap-fedora14-oval.xml"/>
 8043:             </check>
 8044:           </Rule>
 8045:         </Group>
 8046:       </Group>
 8047:       <Group id="group-3.3.15" hidden="false">
 8048:         <title xml:lang="en">Power Management Support</title>
 8049:         <description xml:lang="en">
 8050:           The following services provide an interface to power management
 8051:           functions. These functions include monitoring battery power, system hibernate/suspend, CPU
 8052:           throttling, and various power-save utilities.</description>
 8053:         <Group id="group-3.3.15.1" hidden="false">
 8054:           <title xml:lang="en">Advanced Power Management Subsystem (apmd)</title>
 8055:           <description xml:lang="en">
            The apmd service provides legacy (pre-ACPI) power management
            support. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8058:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8059:             If the system is capable of ACPI support, or if power management is not
 8060:             necessary, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8061:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8062:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig apmd off <xhtml:br/></xhtml:code>
 8063:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8064:             APM is being replaced by ACPI and
 8065:             should be considered deprecated. As such, it can be disabled if ACPI is supported by
 8066:             your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version
 8067:             information, then APM can safely be disabled without loss of functionality.</description>
 8068:           <Rule id="rule-3.3.15.1.a" selected="false" weight="10.000000" severity="low">
 8069:             <title xml:lang="en">Advanced Power Management Subsystem (apmd)</title>
 8070:             <description xml:lang="en">The apmd service should be disabled.</description>
 8071:             <ident system="http://cce.mitre.org">CCE-4289-5</ident>
 8072:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 8073:             <fix># chkconfig apmd off</fix>
 8074:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8075:               <check-content-ref name="oval:org.fedoraproject.f14:def:20202" href="scap-fedora14-oval.xml"/>
 8076:             </check>
 8077:           </Rule>
 8078:         </Group>
 8079:         <Group id="group-3.3.15.2" hidden="false">
 8080:           <title xml:lang="en">Advanced Configuration and Power Interface (acpid)</title>
 8081:           <description xml:lang="en">
 8082:             The acpid service provides next generation power management
 8083:             support. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8084:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            Leave this service enabled unless power management features are not needed on the
            system; the rule below (which disables acpid) should be selected only in that case.</description>
 8086:           <Rule id="rule-3.3.15.2.a" selected="false" weight="10.000000" severity="low">
 8087:             <title xml:lang="en">Advanced Configuration and Power Interface (acpid)</title>
 8088:             <description xml:lang="en">The acpid service should be disabled.</description>
 8089:             <ident system="http://cce.mitre.org">CCE-4298-6</ident>
 8090:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 8091:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8092:               <check-content-ref name="oval:org.fedoraproject.f14:def:20203" href="scap-fedora14-oval.xml"/>
 8093:             </check>
 8094:           </Rule>
 8095:         </Group>
 8096:         <Group id="group-3.3.15.3" hidden="false">
 8097:           <title xml:lang="en">CPU Throttling (cpuspeed)</title>
 8098:           <description xml:lang="en">
 8099:             The cpuspeed service uses hardware support to throttle the CPU
            when the system is idle. Leave this service enabled unless CPU power optimization is
            not needed; the rule below (which disables cpuspeed) should be selected only in that case.</description>
 8102:           <Rule id="rule-3.3.15.3.a" selected="false" weight="10.000000" severity="low">
 8103:             <title xml:lang="en">CPU Throttling (cpuspeed)</title>
 8104:             <description xml:lang="en">The cpuspeed service should be disabled.</description>
 8105:             <ident system="http://cce.mitre.org">CCE-4051-9</ident>
 8106:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 8107:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8108:               <check-content-ref name="oval:org.fedoraproject.f14:def:20204" href="scap-fedora14-oval.xml"/>
 8109:             </check>
 8110:           </Rule>
 8111:         </Group>
 8112:       </Group>
 8113:     </Group>
 8114:     <Group id="group-3.4" hidden="false">
 8115:       <title xml:lang="en">Cron and At Daemons</title>
 8116:       <description xml:lang="en">
 8117:         The cron and at services are used to allow commands to be executed
 8118:         at a later time. The cron service is required by almost all systems to perform necessary
 8119:         maintenance tasks, while at may or may not be required on a given system. Both daemons
 8120:         should be configured defensively.</description>
 8121:       <Rule id="rule-3.4.a" selected="false" weight="10.000000" severity="high">
 8122:         <title xml:lang="en">Enable cron Daemon</title>
 8123:         <description xml:lang="en">The crond service should be enabled.</description>
 8124:         <ident system="http://cce.mitre.org">CCE-4324-0</ident>
        <fixtext xml:lang="en">(1) via chkconfig</fixtext>
        <fix># chkconfig crond on</fix>
 8126:         <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8127:           <check-content-ref name="oval:org.fedoraproject.f14:def:20205" href="scap-fedora14-oval.xml"/>
 8128:         </check>
 8129:       </Rule>
 8130:       <Group id="group-3.4.1" hidden="false">
 8131:         <title xml:lang="en">Disable anacron if Possible</title>
 8132:         <description xml:lang="en">
 8133:           Is this a machine which is designed to run all the time, such as
 8134:           a server or a workstation which is left on at night? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8135:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8136:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase anacron<xhtml:br/></xhtml:code>
 8137:           The
 8138:           anacron subsystem is designed to provide cron functionality for machines which may be shut
 8139:           down during the normal times that system cron jobs run, frequently in the middle of the
 8140:           night. Laptops and workstations which are shut down at night should keep anacron enabled,
 8141:           so that standard system cron jobs will run when the machine boots. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8142:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          However, on machines
          which do not need this additional functionality, anacron represents another piece of
          privileged software which could contain vulnerabilities. Therefore, it should be removed
          when possible to reduce system risk. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          On Fedora releases where anacron is shipped as the cronie-anacron subpackage rather than
          as a standalone anacron package, remove that subpackage instead (check which is installed
          with <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpm -q anacron cronie-anacron</xhtml:code>),
          and confirm afterwards that /etc/anacrontab is no longer present.</description>
 8147:         <Rule id="rule-3.4.1.a" selected="false" weight="10.000000" severity="low">
 8148:           <title xml:lang="en">Disable anacron if Possible</title>
 8149:           <description xml:lang="en">The anacron service should be disabled.</description>
 8150:           <ident system="http://cce.mitre.org">CCE-4406-5</ident>
 8151:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 8152:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8153:             <check-content-ref name="oval:org.fedoraproject.f14:def:20206" href="scap-fedora14-oval.xml"/>
 8154:           </check>
 8155:         </Rule>
 8156:         <Rule id="rule-3.4.1.b" selected="false" weight="10.000000">
 8157:           <title xml:lang="en">Uninstall anacron if Possible</title>
 8158:           <description xml:lang="en">The anacron package should be uninstalled.</description>
 8159:           <ident system="http://cce.mitre.org">CCE-4428-9</ident>
 8160:           <fixtext xml:lang="en">(1) via yum</fixtext>
 8161:           <fix># yum erase anacron</fix>
 8162:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8163:             <check-content-ref name="oval:org.fedoraproject.f14:def:20207" href="scap-fedora14-oval.xml"/>
 8164:           </check>
 8165:         </Rule>
 8166:       </Group>
 8167:       <Group id="group-3.4.2" hidden="false">
 8168:         <title xml:lang="en">Restrict Permissions on Files Used by cron</title>
 8169:         <description xml:lang="en">
 8170:           <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 8171:             <xhtml:li>Restrict the permissions on the primary system crontab file: <xhtml:br/>
 8172:               <xhtml:br/>
 8173:               <xhtml:code># chown root:root /etc/crontab <xhtml:br/>
 8174:               # chmod 600 /etc/crontab</xhtml:code></xhtml:li>
 8175:             <xhtml:li>If anacron has not been removed,
 8176:               restrict the permissions on its primary configuration file: <xhtml:br/>
 8177:               <xhtml:br/>
 8178:               <xhtml:code># chown root:root /etc/anacrontab <xhtml:br/>
 8179:               # chmod 600 /etc/anacrontab </xhtml:code></xhtml:li>
 8180:             <xhtml:li>Restrict the permission on all system
 8181:               crontab directories: <xhtml:br/>
 8182:               <xhtml:br/>
 8183:               <xhtml:code># cd /etc <xhtml:br/>
 8184:               # chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d <xhtml:br/>
 8185:               # chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d </xhtml:code></xhtml:li>
 8186:             <xhtml:li>Restrict the permissions on the spool directory for user crontab files: <xhtml:br/>
 8187:               <xhtml:br/>
 8188:               <xhtml:code># chown root:root /var/spool/cron <xhtml:br/>
 8189:               # chmod -R go-rwx /var/spool/cron </xhtml:code></xhtml:li>
 8190:           </xhtml:ol> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8191:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          Cron and anacron make use of a
          number of configuration files and directories. The system crontabs need only be edited by
          root, and user crontabs are edited using the setuid root crontab command. If unprivileged
          users can modify system cron configuration files, they may be able to gain elevated
          privileges, so all unnecessary access to these files should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          Note that the default settings of the permission Values in this group (the value with no
          selector) correspond to the stock Fedora modes of 644 for /etc/crontab and
          /etc/anacrontab and 755 for the /etc/cron.* directories, not to the restricted modes set
          by the commands above. A profile that intends to enforce those restricted modes must
          refine the Values to the 600 and 700 selectors; otherwise the permission checks will pass
          on an unhardened system.</description>
 8197:         <Value id="var-3.4.2.system.crontab.primary.group" operator="equals" type="string">
 8198:           <title xml:lang="en">group owner of /etc/crontab</title>
 8199:           <description xml:lang="en">Specify group owner of /etc/crontab.</description>
 8200:           <question xml:lang="en">Specify group owner of /etc/crontab</question>
 8201:           <value>root</value>
 8202:           <value selector="root">root</value>
 8203:         </Value>
 8204:         <Value id="var-3.4.2.system.crontab.primary.user" operator="equals" type="string">
 8205:           <title xml:lang="en">user owner of /etc/crontab</title>
 8206:           <description xml:lang="en">Specify user owner of /etc/crontab.</description>
 8207:           <question xml:lang="en">Specify user owner of /etc/crontab</question>
 8208:           <value>root</value>
 8209:           <value selector="root">root</value>
 8210:         </Value>
 8211:         <Value id="var-3.4.2.system.crontab.primary.permissions" operator="equals" type="string">
 8212:           <title xml:lang="en">permissions on /etc/crontab file</title>
 8213:           <description xml:lang="en">Specify file permissions on /etc/crontab.</description>
 8214:           <question xml:lang="en">Specify permissions of /etc/crontab</question>
 8215:           <value>110100100</value>
 8216:           <value selector="644">110100100</value>
 8217:           <value selector="400">100000000</value>
 8218:           <value selector="600">110000000</value>
 8219:           <value selector="700">111000000</value>
 8220:         </Value>
 8221:         <Value id="var-3.4.2.system.anacrontab.group" operator="equals" type="string">
 8222:           <title xml:lang="en">group owner of /etc/anacrontab</title>
          <description xml:lang="en">Specify group owner of /etc/anacrontab.</description>
 8224:           <question xml:lang="en">Specify group owner of /etc/anacrontab</question>
 8225:           <value>root</value>
 8226:           <value selector="root">root</value>
 8227:         </Value>
 8228:         <Value id="var-3.4.2.system.anacrontab.user" operator="equals" type="string">
 8229:           <title xml:lang="en">user owner of /etc/anacrontab</title>
 8230:           <description xml:lang="en">Specify user owner of /etc/anacrontab.</description>
 8231:           <question xml:lang="en">Specify user owner of /etc/anacrontab</question>
 8232:           <value>root</value>
 8233:           <value selector="root">root</value>
 8234:         </Value>
 8235:         <Value id="var-3.4.2.system.anacrontab.permissions" operator="equals" type="string">
 8236:           <title xml:lang="en">permissions on /etc/anacrontab file</title>
          <description xml:lang="en">Specify file permissions on /etc/anacrontab.</description>
 8238:           <question xml:lang="en">Specify permissions of /etc/anacrontab</question>
 8239:           <value>110100100</value>
 8240:           <value selector="644">110100100</value>
 8241:           <value selector="400">100000000</value>
 8242:           <value selector="600">110000000</value>
 8243:           <value selector="700">111000000</value>
 8244:         </Value>
 8245:         <Value id="var-3.4.2.system.crontab.directories.group" operator="equals" type="string">
 8246:           <title xml:lang="en">group owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d</title>
 8247:           <description xml:lang="en">Specify group owner of /etc/cron.* files and directories.</description>
 8248:           <question xml:lang="en">Specify group owner of /etc/cron.* files and directories</question>
 8249:           <value>root</value>
 8250:           <value selector="root">root</value>
 8251:         </Value>
 8252:         <Value id="var-3.4.2.system.crontab.directories.user" operator="equals" type="string">
 8253:           <title xml:lang="en">user owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d</title>
 8254:           <description xml:lang="en">Specify user owner of /etc/cron.* files and directories.</description>
 8255:           <question xml:lang="en">Specify user owner of /etc/cron.* files and directories</question>
 8256:           <value>root</value>
 8257:           <value selector="root">root</value>
 8258:         </Value>
 8259:         <Value id="var-3.4.2.system.crontab.directories.permissions" operator="equals" type="string">
 8260:           <title xml:lang="en">permissions on cron.hourly cron.daily cron.weekly cron.monthly cron.d</title>
 8261:           <description xml:lang="en">Specify file and directory permissions on /etc/cron.*.</description>
 8262:           <question xml:lang="en">Specify permissions of /etc/cron.* files and directories</question>
 8263:           <value>111101101</value>
 8264:           <value selector="755">111101101</value>
 8265:           <value selector="400">100000000</value>
 8266:           <value selector="600">110000000</value>
 8267:           <value selector="700">111000000</value>
 8268:         </Value>
 8269:         <Value id="var-3.4.2.spool.directory.group" operator="equals" type="string">
 8270:           <title xml:lang="en">group owner of /var/spool/cron</title>
 8271:           <description xml:lang="en">Specify group owner of /var/spool/cron.</description>
 8272:           <question xml:lang="en">Specify group owner of /var/spool/cron</question>
 8273:           <value>root</value>
 8274:           <value selector="root">root</value>
 8275:         </Value>
 8276:         <Value id="var-3.4.2.spool.directory.user" operator="equals" type="string">
 8277:           <title xml:lang="en">user owner of /var/spool/cron</title>
          <description xml:lang="en">Specify user owner of /var/spool/cron.</description>
          <question xml:lang="en">Specify user owner of /var/spool/cron</question>
 8279:           <value>root</value>
 8280:           <value selector="root">root</value>
 8281:         </Value>
 8282:         <Value id="var-3.4.2.spool.directory.permissions" operator="equals" type="string">
          <title xml:lang="en">permissions on /var/spool/cron directory</title>
          <description xml:lang="en">Specify permissions on the /var/spool/cron directory (the spool for user crontab files).</description>
 8285:           <question xml:lang="en">Specify file permissions of /var/spool/cron</question>
 8286:           <value>111000000</value>
 8287:           <value selector="400">100000000</value>
 8288:           <value selector="600">110000000</value>
 8289:           <value selector="700">111000000</value>
 8290:         </Value>
 8291:         <Rule id="rule-3.4.2.1.a" selected="false" weight="10.000000" severity="medium">
 8292:           <title xml:lang="en">Set group owner on /etc/crontab</title>
 8293:           <description xml:lang="en">The /etc/crontab file should be owned by the appropriate group.</description>
 8294:           <ident system="http://cce.mitre.org">CCE-3626-9</ident>
 8295:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8296:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8297:             <check-export export-name="oval:org.fedoraproject.f14:var:20208" value-id="var-3.4.2.system.crontab.primary.group"/>
 8298:             <check-content-ref name="oval:org.fedoraproject.f14:def:20208" href="scap-fedora14-oval.xml"/>
 8299:           </check>
 8300:         </Rule>
 8301:         <Rule id="rule-3.4.2.1.b" selected="false" weight="10.000000" severity="medium">
 8302:           <title xml:lang="en">Set user owner on /etc/crontab</title>
 8303:           <description xml:lang="en">The /etc/crontab file should be owned by the appropriate user.</description>
 8304:           <ident system="http://cce.mitre.org">CCE-3851-3</ident>
 8305:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8306:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8307:             <check-export export-name="oval:org.fedoraproject.f14:var:20209" value-id="var-3.4.2.system.crontab.primary.user"/>
 8308:             <check-content-ref name="oval:org.fedoraproject.f14:def:20209" href="scap-fedora14-oval.xml"/>
 8309:           </check>
 8310:         </Rule>
 8311:         <Rule id="rule-3.4.2.1.c" selected="false" weight="10.000000" severity="medium">
          <title xml:lang="en">Set Permissions on /etc/crontab</title>
 8314:           <description xml:lang="en">File permissions for /etc/crontab should be set correctly.</description>
 8315:           <ident system="http://cce.mitre.org">CCE-4388-5</ident>
 8316:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8317:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8318:             <check-export export-name="oval:org.fedoraproject.f14:var:20210" value-id="var-3.4.2.system.crontab.primary.permissions"/>
 8319:             <check-content-ref name="oval:org.fedoraproject.f14:def:20210" href="scap-fedora14-oval.xml"/>
 8320:           </check>
 8321:         </Rule>
 8322:         <Rule id="rule-3.4.2.2.a" selected="false" weight="10.000000" severity="medium">
 8323:           <title xml:lang="en">Set group owner on /etc/anacrontab</title>
 8324:           <description xml:lang="en">The /etc/anacrontab file should be owned by the appropriate group.</description>
 8325:           <ident system="http://cce.mitre.org">CCE-3604-6</ident>
 8326:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8327:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8328:             <check-export export-name="oval:org.fedoraproject.f14:var:20211" value-id="var-3.4.2.system.anacrontab.group"/>
 8329:             <check-content-ref name="oval:org.fedoraproject.f14:def:20211" href="scap-fedora14-oval.xml"/>
 8330:           </check>
 8331:         </Rule>
 8332:         <Rule id="rule-3.4.2.2.b" selected="false" weight="10.000000" severity="medium">
 8333:           <title xml:lang="en">Set user owner on /etc/anacrontab</title>
 8334:           <description xml:lang="en">The /etc/anacrontab file should be owned by the appropriate user.</description>
 8335:           <ident system="http://cce.mitre.org">CCE-4379-4</ident>
 8336:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8337:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8338:             <check-export export-name="oval:org.fedoraproject.f14:var:20212" value-id="var-3.4.2.system.anacrontab.user"/>
 8339:             <check-content-ref name="oval:org.fedoraproject.f14:def:20212" href="scap-fedora14-oval.xml"/>
 8340:           </check>
 8341:         </Rule>
 8342:         <Rule id="rule-3.4.2.2.c" selected="false" weight="10.000000" severity="medium">
 8343:           <title xml:lang="en">Set Permissions on /etc/anacrontab</title>
 8344:           <description xml:lang="en">File permissions for /etc/anacrontab should be set correctly.</description>
 8345:           <ident system="http://cce.mitre.org">CCE-4304-2</ident>
 8346:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8347:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8348:             <check-export export-name="oval:org.fedoraproject.f14:var:20213" value-id="var-3.4.2.system.anacrontab.permissions"/>
 8349:             <check-content-ref name="oval:org.fedoraproject.f14:def:20213" href="scap-fedora14-oval.xml"/>
 8350:           </check>
 8351:         </Rule>
 8352:         <Rule id="rule-3.4.2.3.a" selected="false" weight="10.000000" severity="medium">
 8353:           <title xml:lang="en">Set group owner on /etc/cron.hourly</title>
          <description xml:lang="en">The /etc/cron.hourly directory should be owned by the appropriate group.</description>
 8355:           <ident system="http://cce.mitre.org">CCE-4054-3</ident>
 8356:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8357:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8358:             <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
 8359:             <check-content-ref name="oval:org.fedoraproject.f14:def:20214" href="scap-fedora14-oval.xml"/>
 8360:           </check>
 8361:         </Rule>
 8362:         <Rule id="rule-3.4.2.3.b" selected="false" weight="10.000000" severity="medium">
 8363:           <title xml:lang="en">Set group owner on /etc/cron.daily</title>
 8364:           <description xml:lang="en">The /etc/cron.daily file should be owned by the appropriate group.</description>
 8365:           <ident system="http://cce.mitre.org">CCE-3481-9</ident>
 8366:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8367:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8368:             <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
 8369:             <check-content-ref name="oval:org.fedoraproject.f14:def:20215" href="scap-fedora14-oval.xml"/>
 8370:           </check>
 8371:         </Rule>
 8372:         <Rule id="rule-3.4.2.3.c" selected="false" weight="10.000000" severity="medium">
 8373:           <title xml:lang="en">Set group owner on /etc/cron.weekly</title>
 8374:           <description xml:lang="en">The /etc/cron.weekly file should be owned by the appropriate group.</description>
 8375:           <ident system="http://cce.mitre.org">CCE-4331-5</ident>
 8376:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8377:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8378:             <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
 8379:             <check-content-ref name="oval:org.fedoraproject.f14:def:20216" href="scap-fedora14-oval.xml"/>
 8380:           </check>
 8381:         </Rule>
 8382:         <Rule id="rule-3.4.2.3.d" selected="false" weight="10.000000" severity="medium">
 8383:           <title xml:lang="en">Set group owner on /etc/cron.monthly</title>
 8384:           <description xml:lang="en">The /etc/cron.monthly file should be owned by the appropriate group.</description>
 8385:           <ident system="http://cce.mitre.org">CCE-4322-4</ident>
 8386:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8387:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8388:             <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
 8389:             <check-content-ref name="oval:org.fedoraproject.f14:def:20217" href="scap-fedora14-oval.xml"/>
 8390:           </check>
 8391:         </Rule>
 8392:         <Rule id="rule-3.4.2.3.e" selected="false" weight="10.000000" severity="medium">
 8393:           <title xml:lang="en">Set group owner on /etc/cron.d</title>
 8394:           <description xml:lang="en">The /etc/cron.d file should be owned by the appropriate group.</description>
 8395:           <ident system="http://cce.mitre.org">CCE-4212-7</ident>
 8396:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8397:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8398:             <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
 8399:             <check-content-ref name="oval:org.fedoraproject.f14:def:20218" href="scap-fedora14-oval.xml"/>
 8400:           </check>
 8401:         </Rule>
 8402:         <Rule id="rule-3.4.2.3.f" selected="false" weight="10.000000" severity="medium">
 8403:           <title xml:lang="en">Set user owner on /etc/cron.hourly</title>
 8404:           <description xml:lang="en">The /etc/cron.hourly file should be owned by the appropriate user.</description>
 8405:           <ident system="http://cce.mitre.org">CCE-3983-4</ident>
 8406:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8407:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8408:             <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
 8409:             <check-content-ref name="oval:org.fedoraproject.f14:def:20219" href="scap-fedora14-oval.xml"/>
 8410:           </check>
 8411:         </Rule>
 8412:         <Rule id="rule-3.4.2.3.g" selected="false" weight="10.000000" severity="medium">
 8413:           <title xml:lang="en">Set user owner on /etc/cron.daily</title>
 8414:           <description xml:lang="en">The /etc/cron.daily file should be owned by the appropriate user.</description>
 8415:           <ident system="http://cce.mitre.org">CCE-4022-0</ident>
 8416:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8417:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8418:             <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
 8419:             <check-content-ref name="oval:org.fedoraproject.f14:def:20220" href="scap-fedora14-oval.xml"/>
 8420:           </check>
 8421:         </Rule>
 8422:         <Rule id="rule-3.4.2.3.h" selected="false" weight="10.000000" severity="medium">
 8423:           <title xml:lang="en">Set user owner on /etc/cron.weekly</title>
 8424:           <description xml:lang="en">The /etc/cron.weekly file should be owned by the appropriate user.</description>
 8425:           <ident system="http://cce.mitre.org">CCE-3833-1</ident>
 8426:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8427:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8428:             <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
 8429:             <check-content-ref name="oval:org.fedoraproject.f14:def:20221" href="scap-fedora14-oval.xml"/>
 8430:           </check>
 8431:         </Rule>
 8432:         <Rule id="rule-3.4.2.3.i" selected="false" weight="10.000000" severity="medium">
 8433:           <title xml:lang="en">Set user owner on /etc/cron.monthly</title>
 8434:           <description xml:lang="en">The /etc/cron.monthly file should be owned by the appropriate user.</description>
 8435:           <ident system="http://cce.mitre.org">CCE-4441-2</ident>
 8436:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8437:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8438:             <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
 8439:             <check-content-ref name="oval:org.fedoraproject.f14:def:20222" href="scap-fedora14-oval.xml"/>
 8440:           </check>
 8441:         </Rule>
 8442:         <Rule id="rule-3.4.2.3.j" selected="false" weight="10.000000" severity="medium">
 8443:           <title xml:lang="en">Set user owner on /etc/cron.d</title>
 8444:           <description xml:lang="en">The /etc/cron.d file should be owned by the appropriate user.</description>
 8445:           <ident system="http://cce.mitre.org">CCE-4380-2</ident>
 8446:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8447:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8448:             <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
 8449:             <check-content-ref name="oval:org.fedoraproject.f14:def:20223" href="scap-fedora14-oval.xml"/>
 8450:           </check>
 8451:         </Rule>
 8452:         <Rule id="rule-3.4.2.3.k" selected="false" weight="10.000000" severity="medium">
 8453:           <title xml:lang="en">Set permissions on /etc/cron.hourly</title>
 8454:           <description xml:lang="en">File permissions for /etc/cron.hourly should be set correctly.</description>
 8455:           <ident system="http://cce.mitre.org">CCE-4106-1</ident>
 8456:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8457:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8458:             <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
 8459:             <check-content-ref name="oval:org.fedoraproject.f14:def:20224" href="scap-fedora14-oval.xml"/>
 8460:           </check>
 8461:         </Rule>
 8462:         <Rule id="rule-3.4.2.3.l" selected="false" weight="10.000000" severity="medium">
 8463:           <title xml:lang="en">Set permissions on /etc/cron.daily</title>
 8464:           <description xml:lang="en">File permissions for /etc/cron.daily should be set correctly.</description>
 8465:           <ident system="http://cce.mitre.org">CCE-4450-3</ident>
 8466:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8467:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8468:             <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
 8469:             <check-content-ref name="oval:org.fedoraproject.f14:def:20225" href="scap-fedora14-oval.xml"/>
 8470:           </check>
 8471:         </Rule>
 8472:         <Rule id="rule-3.4.2.3.m" selected="false" weight="10.000000" severity="medium">
 8473:           <title xml:lang="en">Set permissions on /etc/cron.weekly</title>
 8474:           <description xml:lang="en">File permissions for /etc/cron.weekly should be set correctly.</description>
 8475:           <ident system="http://cce.mitre.org">CCE-4203-6</ident>
 8476:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8477:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8478:             <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
 8479:             <check-content-ref name="oval:org.fedoraproject.f14:def:20226" href="scap-fedora14-oval.xml"/>
 8480:           </check>
 8481:         </Rule>
 8482:         <Rule id="rule-3.4.2.3.n" selected="false" weight="10.000000" severity="medium">
 8483:           <title xml:lang="en">Set permissions on /etc/cron.monthly</title>
 8484:           <description xml:lang="en">File permissions for /etc/cron.monthly should be set correctly.</description>
 8485:           <ident system="http://cce.mitre.org">CCE-4251-5</ident>
 8486:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8487:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8488:             <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
 8489:             <check-content-ref name="oval:org.fedoraproject.f14:def:20227" href="scap-fedora14-oval.xml"/>
 8490:           </check>
 8491:         </Rule>
 8492:         <Rule id="rule-3.4.2.3.o" selected="false" weight="10.000000" severity="medium">
 8493:           <title xml:lang="en">Set permissions on /etc/cron.d</title>
 8494:           <description xml:lang="en">File permissions for /etc/cron.d should be set correctly.</description>
 8495:           <ident system="http://cce.mitre.org">CCE-4250-7</ident>
 8496:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8497:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8498:             <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
 8499:             <check-content-ref name="oval:org.fedoraproject.f14:def:20228" href="scap-fedora14-oval.xml"/>
 8500:           </check>
 8501:         </Rule>
 8502:         <Rule id="rule-3.4.2.4.a" selected="false" weight="10.000000" severity="medium">
 8503:           <title xml:lang="en">Restrict group owner on /var/spool/cron directory</title>
 8504:           <description xml:lang="en">The /var/spool/cron directory should be owned by the appropriate group.</description>
 8505:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8506:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8507:             <check-export export-name="oval:org.fedoraproject.f14:var:20229" value-id="var-3.4.2.spool.directory.group"/>
 8508:             <check-content-ref name="oval:org.fedoraproject.f14:def:20229" href="scap-fedora14-oval.xml"/>
 8509:           </check>
 8510:         </Rule>
 8511:         <Rule id="rule-3.4.2.4.b" selected="false" weight="10.000000" severity="medium">
 8512:           <title xml:lang="en">Restrict user owner on /var/spool/cron directory</title>
 8513:           <description xml:lang="en">The /var/spool/cron directory should be owned by the appropriate user.</description>
 8514:           <fixtext xml:lang="en">(1) via chown</fixtext>
 8515:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8516:             <check-export export-name="oval:org.fedoraproject.f14:var:20230" value-id="var-3.4.2.spool.directory.user"/>
 8517:             <check-content-ref name="oval:org.fedoraproject.f14:def:20230" href="scap-fedora14-oval.xml"/>
 8518:           </check>
 8519:         </Rule>
 8520:         <Rule id="rule-3.4.2.4.c" selected="false" weight="10.000000" severity="medium">
  8521:           <title xml:lang="en">Restrict permissions on /var/spool/cron directory</title>
 8522:           <description xml:lang="en">Directory permissions for /var/spool/cron should be set correctly.</description>
 8523:           <fixtext xml:lang="en">(1) via chmod</fixtext>
 8524:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8525:             <check-export export-name="oval:org.fedoraproject.f14:var:20231" value-id="var-3.4.2.spool.directory.permissions"/>
 8526:             <check-content-ref name="oval:org.fedoraproject.f14:def:20231" href="scap-fedora14-oval.xml"/>
 8527:           </check>
 8528:         </Rule>
 8529:       </Group>
 8530:       <Group id="group-3.4.3" hidden="false">
 8531:         <title xml:lang="en">Disable at if Possible</title>
 8532:         <description xml:lang="en">Unless the at daemon is required, disable it with the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8533:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8534:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig atd off<xhtml:br/></xhtml:code>
 8535:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8536:           Many of the periodic or delayed execution features of the at daemon can be provided through the cron daemon
 8537:           instead.
 8538:         </description>
 8539:         <Rule id="rule-3.4.3.a" selected="false" weight="10.000000" severity="low">
 8540:           <title xml:lang="en">Disable at Daemon</title>
 8541:           <description xml:lang="en">The atd service should be disabled.</description>
 8542:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 8543:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8544:             <check-content-ref name="oval:org.fedoraproject.f14:def:202052" href="scap-fedora14-oval.xml"/>
 8545:           </check>
 8546:         </Rule>
 8547:         <Rule id="rule-3.4.3.b" selected="false" weight="10.000000">
  8548:           <title xml:lang="en">Uninstall at Daemon</title>
 8549:           <description xml:lang="en">The at package should be removed.</description>
  8550:           <fixtext xml:lang="en">(1) via yum</fixtext>
 8551:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8552:             <check-content-ref name="oval:org.fedoraproject.f14:def:202053" href="scap-fedora14-oval.xml"/>
 8553:           </check>
 8554:         </Rule>
 8555:       </Group>
 8556:       <Group id="group-3.4.4" hidden="false">
 8557:         <title xml:lang="en">Restrict at and cron to Authorized Users</title>
 8558:         <description xml:lang="en">
 8559:           <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 8560:             <xhtml:li>Remove the cron.deny file: <xhtml:br/>
 8561:               <xhtml:br/>
 8562:               <xhtml:code># rm /etc/cron.deny</xhtml:code></xhtml:li>
 8563:             <xhtml:li>Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to
 8564:               create cron jobs. </xhtml:li>
 8565:             <xhtml:li>Remove the at.deny file: <xhtml:br/>
 8566:               <xhtml:br/>
 8567:               <xhtml:code># rm /etc/at.deny </xhtml:code></xhtml:li>
 8568:             <xhtml:li>Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs. </xhtml:li>
 8569:           </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8570:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8571:           The
 8572:           /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron
 8573:           and at to delay execution of processes. If these files exist and if the corresponding
 8574:           files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant
 8575:           allow files can run the crontab and at commands to submit jobs to be run at scheduled
 8576:           intervals. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8577:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  8578:           On many systems, only the system administrator needs the ability to schedule
  8579:           jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be
  8580:           run as that user (for example, from system crontab entries in /etc/crontab or /etc/cron.d, which
  8581:           are not subject to cron.allow). The cron.allow file controls only which users may use the crontab
  8582:           command for scheduling and modifying their own cron jobs.</description>
 8582:         <Rule id="rule-3.4.4.a" selected="false" weight="10.000000" severity="medium">
 8583:           <title xml:lang="en">Remove /etc/cron.deny</title>
 8584:           <description xml:lang="en">/etc/cron.deny file should not exist.</description>
 8585:           <fix>rm /etc/cron.deny</fix>
 8586:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8587:             <check-content-ref name="oval:org.fedoraproject.f14:def:20232" href="scap-fedora14-oval.xml"/>
 8588:           </check>
 8589:         </Rule>
 8590:         <Rule id="rule-3.4.4.b" selected="false" weight="10.000000" severity="medium">
 8591:           <title xml:lang="en">Remove /etc/at.deny</title>
 8592:           <description xml:lang="en">/etc/at.deny file should not exist.</description>
 8593:           <fix>rm /etc/at.deny</fix>
 8594:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8595:             <check-content-ref name="oval:org.fedoraproject.f14:def:20233" href="scap-fedora14-oval.xml"/>
 8596:           </check>
 8597:         </Rule>
 8598:       </Group>
 8599:     </Group>
 8600:     <Group id="group-3.5" hidden="false">
 8601:       <title xml:lang="en">SSH Server</title>
 8602:       <description xml:lang="en">
 8603:         The SSH protocol is recommended for remote login and remote file
 8604:         transfer. SSH provides confidentiality and integrity for data exchanged between two systems,
 8605:         as well as server authentication, through the use of public key cryptography. The
 8606:         implementation included with the system is called OpenSSH, and more detailed documentation
  8607:         is available from its website, http://www.openssh.org. Its server program is called sshd and
  8608:         is provided by the RPM package openssh-server.</description>
 8609:       <Group id="group-3.5.1" hidden="false">
 8610:         <title xml:lang="en">Disable OpenSSH Server if Possible</title>
 8611:         <description xml:lang="en">
 8612:           Unless the system needs to provide the remote login and file
 8613:           transfer capabilities of SSH, disable and remove the OpenSSH server and its configuration.</description>
 8614:         <Group id="group-3.5.1.1" hidden="false">
 8615:           <title xml:lang="en">Disable and Remove OpenSSH Software</title>
 8616:           <description xml:lang="en">
 8617:             Disable and remove openssh-server with the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8618:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8619:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig sshd off <xhtml:br/>
 8620:             # yum erase openssh-server <xhtml:br/></xhtml:code>
 8621:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8622:             Users of the system will still be able to
 8623:             use the SSH client program /usr/bin/ssh to access SSH servers on other systems.</description>
 8624:           <Rule id="rule-3.5.1.1.a" selected="false" weight="10.000000" severity="low">
 8625:             <title xml:lang="en">Disable OpenSSH Software</title>
 8626:             <description xml:lang="en">The sshd service should be disabled.</description>
 8627:             <ident system="http://cce.mitre.org">CCE-4268-9</ident>
 8628:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 8629:             <fix># chkconfig sshd off</fix>
 8630:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8631:               <check-content-ref name="oval:org.fedoraproject.f14:def:20234" href="scap-fedora14-oval.xml"/>
 8632:             </check>
 8633:           </Rule>
 8634:           <Rule id="rule-3.5.1.1.b" selected="false" weight="10.000000">
 8635:             <title xml:lang="en">Remove OpenSSH Software</title>
  8636:             <description xml:lang="en">The openssh-server package should be uninstalled.</description>
 8637:             <ident system="http://cce.mitre.org">CCE-4272-1</ident>
 8638:             <fixtext xml:lang="en">(1) via yum</fixtext>
 8639:             <fix># yum erase openssh-server</fix>
 8640:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8641:               <check-content-ref name="oval:org.fedoraproject.f14:def:20235" href="scap-fedora14-oval.xml"/>
 8642:             </check>
 8643:           </Rule>
 8644:         </Group>
 8645:         <Group id="group-3.5.1.2" hidden="false">
 8646:           <title xml:lang="en">Remove SSH Server iptables Firewall Exception</title>
 8647:           <description xml:lang="en">
 8648:             Edit the files /etc/sysconfig/iptables and
 8649:             /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8650:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8651:             -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8652:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8653:             By default, inbound connections to SSH's port are allowed. If the SSH server is not
 8654:             being used, this exception should be removed from the firewall configuration. See
 8655:             Section 2.5.5 for more information about Iptables.</description>
 8656:           <Rule id="rule-3.5.1.2.a" selected="false" weight="10.000000" severity="high">
 8657:             <title xml:lang="en">Remove SSH Server iptables Firewall Exception</title>
  8658:             <description xml:lang="en">Inbound connections to the SSH port should be denied.</description>
 8659:             <ident system="http://cce.mitre.org">CCE-4295-2</ident>
 8660:             <fixtext xml:lang="en">(1) /etc/sysconfig/iptables</fixtext>
 8661:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8662:               <check-content-ref name="oval:org.fedoraproject.f14:def:20236" href="scap-fedora14-oval.xml"/>
 8663:             </check>
 8664:           </Rule>
 8665:           <Rule id="rule-3.5.1.2.b" selected="false" weight="10.000000" severity="high">
 8666:             <title xml:lang="en">Remove SSH Server ip6tables Firewall Exception</title>
  8667:             <description xml:lang="en">Inbound connections to the SSH port should be denied.</description>
 8668:             <fixtext xml:lang="en">(1) /etc/sysconfig/ip6tables</fixtext>
 8669:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8670:               <check-content-ref name="oval:org.fedoraproject.f14:def:20237" href="scap-fedora14-oval.xml"/>
 8671:             </check>
 8672:           </Rule>
 8673:         </Group>
 8674:       </Group>
 8675:       <Group id="group-3.5.2" hidden="false">
 8676:         <title xml:lang="en">Configure OpenSSH Server if Necessary</title>
 8677:         <description xml:lang="en">
 8678:           If the system needs to act as an SSH server, then certain changes
  8679:           should be made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The
  8680:           following recommendations can be applied to this file. See the sshd_config(5) man page for
 8681:           more detailed information.</description>
 8682:         <Group id="group-3.5.2.1" hidden="false">
 8683:           <title xml:lang="en">Ensure Only Protocol 2 Connections Allowed</title>
 8684:           <description xml:lang="en">
 8685:             Only SSH protocol version 2 connections should be permitted.
 8686:             Version 1 of the protocol contains security vulnerabilities. The default setting shipped
 8687:             in the configuration file is correct, but it is important enough to check. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8688:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8689:             Verify that the following line appears: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8690:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8691:             Protocol 2</description>
 8692:           <Rule id="rule-3.5.2.1.a" selected="false" weight="10.000000" severity="high">
 8693:             <title xml:lang="en">Ensure Only Protocol 2 Connections Allowed</title>
 8694:             <description xml:lang="en">SSH version 1 protocol support should be disabled.</description>
 8695:             <ident system="http://cce.mitre.org">CCE-4325-7</ident>
 8696:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8697:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8698:               <check-content-ref name="oval:org.fedoraproject.f14:def:20238" href="scap-fedora14-oval.xml"/>
 8699:             </check>
 8700:           </Rule>
 8701:         </Group>
 8702:         <Group id="group-3.5.2.2" hidden="false">
  8703:           <title xml:lang="en">Limit Users' SSH Access</title>
 8704:           <description xml:lang="en">
 8705:             By default, the SSH configuration allows any user to access the
 8706:             system. In order to allow all users to login via SSH but deny only a few users, add or
 8707:             correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8708:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8709:             DenyUsers USER1 USER2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8710:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8711:             Alternatively, if it is appropriate to allow only a few users access to the system via
 8712:             SSH, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8713:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8714:             AllowUsers USER1 USER2</description>
 8715:         </Group>
 8716:         <Group id="group-3.5.2.3" hidden="false">
 8717:           <title xml:lang="en">Set Idle Timeout Interval for User Logins</title>
 8718:           <description xml:lang="en">
 8719:             SSH allows administrators to set an idle timeout interval.
 8720:             After this interval has passed, the idle user will be automatically logged out. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8721:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
  8722:             Find and edit the following lines in /etc/ssh/sshd_config as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8723:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8724:             ClientAliveInterval interval <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8725:             ClientAliveCountMax 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8726:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8727:             The timeout interval is given in seconds.
 8728:             To have a timeout of 5 minutes, set interval to 300. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8729:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8730:             If a shorter timeout has already been set for
 8731:             the login shell, as in Section 2.3.5.5, that value will preempt any SSH setting made
 8732:             here. Keep in mind that some processes may stop SSH from correctly detecting that the
 8733:             user is idle.</description>
 8734:           <Value id="var-3.5.2.3.a" operator="equals" type="number">
 8735:             <title xml:lang="en">SSH session Idle time</title>
 8736:             <description xml:lang="en">Specify duration of allowed idle time.</description>
 8737:             <question xml:lang="en">Specify duration of allowed idle time (in seconds) for SSH session</question>
 8738:             <value>300</value>
 8739:             <value selector="5_minutes">300</value>
 8740:             <value selector="10_minutes">600</value>
 8741:           </Value>
 8742:           <Value id="var-3.5.2.3.b" operator="equals" type="number">
 8743:             <title xml:lang="en">SSH session ClientAliveCountMax</title>
 8744:             <description xml:lang="en">Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client.</description>
  8745:             <question xml:lang="en">Specify the number of client alive messages which may be sent without sshd receiving any messages back from the client</question>
 8746:             <value>3</value>
 8747:             <value selector="0">0</value>
 8748:             <value selector="3">3</value>
 8749:           </Value>
 8750:           <Rule id="rule-3.5.2.3.a" selected="false" weight="10.000000" severity="medium">
 8751:             <title xml:lang="en">Set Idle Timeout Interval for User Logins</title>
  8752:             <description xml:lang="en">The SSH idle timeout interval should be set to an appropriate
  8753:             value.</description>
 8754:             <ident system="http://cce.mitre.org">CCE-3845-5</ident>
 8755:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8756:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8757:               <check-export export-name="oval:org.fedoraproject.f14:var:20239" value-id="var-3.5.2.3.a"/>
 8758:               <check-content-ref name="oval:org.fedoraproject.f14:def:20239" href="scap-fedora14-oval.xml"/>
 8759:             </check>
 8760:           </Rule>
 8761:           <Rule id="rule-3.5.2.3.b" selected="false" weight="10.000000">
 8762:             <title xml:lang="en">Set ClientAliveCountMax for User Logins</title>
 8763:             <description xml:lang="en">The ClientAliveCountMax should be set to an appropriate value</description>
 8764:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8765:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8766:               <check-export export-name="oval:org.fedoraproject.f14:var:20240" value-id="var-3.5.2.3.b"/>
 8767:               <check-content-ref name="oval:org.fedoraproject.f14:def:20240" href="scap-fedora14-oval.xml"/>
 8768:             </check>
 8769:           </Rule>
 8770:         </Group>
 8771:         <Group id="group-3.5.2.4" hidden="false">
 8772:           <title xml:lang="en">Disable .rhosts Files</title>
 8773:           <description xml:lang="en">
 8774:             SSH can emulate the behavior of the obsolete rsh command in
 8775:             allowing users to enable insecure access to their accounts via .rhosts files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8776:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8777:             To ensure that this behavior is disabled, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8778:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8779:             IgnoreRhosts yes</description>
 8780:           <Rule id="rule-3.5.2.4.a" selected="false" weight="10.000000" severity="high">
 8781:             <title xml:lang="en">Disable .rhosts Files</title>
 8782:             <description xml:lang="en">Emulation of the rsh command through the ssh server should be disabled</description>
 8783:             <ident system="http://cce.mitre.org">CCE-4475-0</ident>
 8784:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8785:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8786:               <check-content-ref name="oval:org.fedoraproject.f14:def:20241" href="scap-fedora14-oval.xml"/>
 8787:             </check>
 8788:           </Rule>
 8789:         </Group>
 8790:         <Group id="group-3.5.2.5" hidden="false">
 8791:           <title xml:lang="en">Disable Host-Based Authentication</title>
 8792:           <description xml:lang="en">
 8793:             SSH's cryptographic host-based authentication is slightly more
 8794:             secure than .rhosts authentication, since hosts are cryptographically authenticated.
 8795:             However, it is not recommended that hosts unilaterally trust one another, even within an
 8796:             organization. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8797:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8798:             To disable host-based authentication, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8799:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8800:             HostbasedAuthentication no</description>
 8801:           <Rule id="rule-3.5.2.5.a" selected="false" weight="10.000000">
 8802:             <title xml:lang="en">Disable Host-Based Authentication</title>
 8803:             <description xml:lang="en">SSH host-based authentication should be disabled</description>
 8804:             <ident system="http://cce.mitre.org">CCE-4370-3</ident>
 8805:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8806:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8807:               <check-content-ref name="oval:org.fedoraproject.f14:def:20242" href="scap-fedora14-oval.xml"/>
 8808:             </check>
 8809:           </Rule>
 8810:         </Group>
 8811:         <Group id="group-3.5.2.6" hidden="false">
 8812:           <title xml:lang="en">Disable root Login via SSH</title>
 8813:           <description xml:lang="en">
 8814:             The root user should never be allowed to log in directly over a
 8815:             network, as this both reduces auditable information about who ran privileged commands on
 8816:             the system and allows direct attack attempts on root's password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8817:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8818:             To disable root login via SSH, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8819:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8820:             PermitRootLogin no</description>
 8821:           <Rule id="rule-3.5.2.6.a" selected="false" weight="10.000000" severity="medium">
 8822:             <title xml:lang="en">Disable root Login via SSH</title>
 8823:             <description xml:lang="en">Root login via SSH should be disabled</description>
 8824:             <ident system="http://cce.mitre.org">CCE-4387-7</ident>
 8825:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8826:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8827:               <check-content-ref name="oval:org.fedoraproject.f14:def:20243" href="scap-fedora14-oval.xml"/>
 8828:             </check>
 8829:           </Rule>
 8830:         </Group>
 8831:         <Group id="group-3.5.2.7" hidden="false">
 8832:           <title xml:lang="en">Disable Empty Passwords</title>
 8833:           <description xml:lang="en">
 8834:             To explicitly disallow remote login from accounts with empty
 8835:             passwords, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8836:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8837:             PermitEmptyPasswords no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8838:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8839:             Measures should also be taken to disable accounts with empty passwords system-wide,
 8840:             as described in Section 2.3.1.5.</description>
 8841:           <Rule id="rule-3.5.2.7.a" selected="false" weight="10.000000">
 8842:             <title xml:lang="en">Disable Empty Passwords</title>
 8843:             <description xml:lang="en">Remote connections from accounts with empty passwords should be disabled</description>
 8844:             <ident system="http://cce.mitre.org">CCE-3660-8</ident>
 8845:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8846:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8847:               <check-content-ref name="oval:org.fedoraproject.f14:def:20244" href="scap-fedora14-oval.xml"/>
 8848:             </check>
 8849:           </Rule>
 8850:         </Group>
 8851:         <Group id="group-3.5.2.8" hidden="false">
 8852:           <title xml:lang="en">Enable a Warning Banner</title>
 8853:           <description xml:lang="en">
 8854:             Section 2.3.7 contains information on how to create an
 8855:             appropriate warning banner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8856:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8857:             To enable a warning banner, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8858:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8859:             Banner /etc/issue</description>
 8860:           <Rule id="rule-3.5.2.8.a" selected="false" weight="10.000000" severity="medium">
 8861:             <title xml:lang="en">Enable a Warning Banner</title>
 8862:             <description xml:lang="en">SSH warning banner should be enabled</description>
 8863:             <ident system="http://cce.mitre.org">CCE-4431-3</ident>
 8864:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8865:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8866:               <check-content-ref name="oval:org.fedoraproject.f14:def:20245" href="scap-fedora14-oval.xml"/>
 8867:             </check>
 8868:           </Rule>
 8869:         </Group>
 8870:         <Group id="group-3.5.2.9" hidden="false">
 8871:           <title xml:lang="en">Do Not Allow Users to Set Environment Options</title>
 8872:           <description xml:lang="en">
 8873:             To prevent users from being able to present environment options to the SSH daemon and potentially bypass
 8874:             some access restrictions, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8875:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8876:             PermitUserEnvironment no
 8877:           </description>
 8878:           <Rule id="rule-3.5.2.9.a" selected="false" weight="10.000000">
 8879:             <title xml:lang="en">Do Not Allow Users to Set Environment Options</title>
 8880:             <description xml:lang="en">PermitUserEnvironment should be disabled</description>
 8881:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8882:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8883:               <check-content-ref name="oval:org.fedoraproject.f14:def:202455" href="scap-fedora14-oval.xml"/>
 8884:             </check>
 8885:           </Rule>
 8886:         </Group>
 8887:         <Group id="group-3.5.2.10" hidden="false">
 8888:           <title xml:lang="en">Use Only Approved Ciphers</title>
 8889:           <description xml:lang="en">
 8890:             Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode. The
 8891:             following line demonstrates use of FIPS-approved ciphers in CTR mode:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8892:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8893:             Ciphers aes128-ctr,aes192-ctr,aes256-ctr<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8894:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8895:             The man page sshd_config(5) contains a list of the ciphers supported for the current release of the SSH daemon.</description>
 8896:           <Rule id="rule-3.5.2.10.a" selected="false" weight="10.000000">
 8897:             <title xml:lang="en">Use Only Approved Ciphers</title>
 8898:             <description xml:lang="en">Use only FIPS-approved ciphers that are not in CBC mode</description>
 8899:             <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
 8900:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8901:               <check-content-ref name="oval:org.fedoraproject.f14:def:202456" href="scap-fedora14-oval.xml"/>
 8902:             </check>
 8903:           </Rule>
 8904:         </Group>
 8905:         <Group id="group-3.5.2.11" hidden="false">
 8906:           <title xml:lang="en">Strengthen Firewall Configuration if Possible</title>
 8907:           <description xml:lang="en">
 8908:             If the SSH server must only accept connections from the local
 8909:             network, then strengthen the default firewall rule for the SSH service. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8910:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8911:             Determine an
 8912:             appropriate network block (netwk) and network mask (mask) representing the machines on
 8913:             your network which must be allowed to access this SSH server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8914:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8915:             Edit the files
 8916:             /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file,
 8917:             locate the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8918:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8919:             -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8920:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8921:             and replace it with: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8922:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8923:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8924:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8925:             If your site uses IPv6, and you are editing ip6tables, use the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8926:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8927:             -A RH-Firewall-1-INPUT -s ipv6netwk::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8928:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8929:             instead because Netfilter does not yet reliably support stateful filtering for
 8930:             IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8931:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8932:             See Section 2.5.5 for more information about Iptables configuration.</description>
 8933:         </Group>
 8934:       </Group>
 8935:     </Group>
 8936:     <Group id="group-3.6" hidden="false">
 8937:       <title xml:lang="en">X Window System</title>
 8938:       <description xml:lang="en">The X Window System implementation included with the system is called X.org.</description>
 8939:       <Group id="group-3.6.1" hidden="false">
 8940:         <title xml:lang="en">Disable X Windows if Possible</title>
 8941:         <description xml:lang="en">
 8942:           Unless there is a mission-critical reason for the machine to run
 8943:           a GUI login screen, prevent X from starting automatically at boot. There is usually no
 8944:           reason to run X Windows on a dedicated server machine, since administrators can log in via
 8945:           SSH or on the text console.</description>
 8946:         <Group id="group-3.6.1.1" hidden="false">
 8947:           <title xml:lang="en">Disable X Windows at System Boot</title>
 8948:           <description xml:lang="en">
 8949:             Edit the file /etc/inittab, and correct the line
 8950:             id:5:initdefault: to: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8951:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8952:             id:3:initdefault: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8953:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8954:             This action changes the default boot runlevel of
 8955:             the system from 5 to 3. These two runlevels should be identical except that runlevel 5
 8956:             starts X on boot, while runlevel 3 does not.</description>
 8957:           <Value id="var-3.6.1.1.a" operator="equals" type="number">
 8958:             <title xml:lang="en">default boot level</title>
 8959:             <description xml:lang="en">Specify whether to start in single user mode, text UI or graphical UI.</description>
 8960:             <question xml:lang="en">Specify whether to start in single user mode, text UI or graphical UI</question>
 8961:             <value>5</value>
 8962:             <value selector="multi-user-graphical">5</value>
 8963:             <value selector="multi-user-text">3</value>
 8964:             <value selector="single-user-text">1</value>
 8965:           </Value>
 8966:           <Rule id="rule-3.6.1.1.a" selected="false" weight="10.000000" severity="medium">
 8967:             <title xml:lang="en">Disable X Windows at System Boot</title>
 8968:             <description xml:lang="en">X Windows should be disabled at system boot</description>
 8969:             <ident system="http://cce.mitre.org">CCE-4462-8</ident>
 8970:             <fixtext xml:lang="en">(1) via /etc/inittab</fixtext>
 8971:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8972:               <check-export export-name="oval:org.fedoraproject.f14:var:20246" value-id="var-3.6.1.1.a"/>
 8973:               <check-content-ref name="oval:org.fedoraproject.f14:def:20246" href="scap-fedora14-oval.xml"/>
 8974:             </check>
 8975:           </Rule>
 8976:         </Group>
 8977:         <Group id="group-3.6.1.2" hidden="false">
 8978:           <title xml:lang="en">Remove X Windows from the System if Possible</title>
 8979:           <description xml:lang="en">
 8980:             Remove the X11 RPMs from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8981:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8982:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum groupremove "X Window System" <xhtml:br/></xhtml:code>
 8983:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8984:             As long as X.org remains installed on the system, users can still run X
 8985:             Windows by typing startx at the shell prompt. This may run X Windows using configuration
 8986:             settings which are less secure than the system defaults. Therefore, if the machine is a
 8987:             dedicated server which does not need to provide graphical logins at all, it is safest to
 8988:             remove the X.org software entirely. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8989:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 8990:             The command given here will remove over 100
 8991:             packages. It should safely and effectively remove X from machines which do not need it.</description>
 8992:           <Rule id="rule-3.6.1.2.a" selected="false" weight="10.000000">
 8993:             <title xml:lang="en">Remove X Windows from the System if Possible</title>
 8994:             <description xml:lang="en">X Windows should be removed</description>
 8995:             <ident system="http://cce.mitre.org">CCE-4422-2</ident>
 8996:             <fixtext xml:lang="en">(1) via yum</fixtext>
 8997:             <fix># yum groupremove "X Window System"</fix>
 8998:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 8999:               <check-content-ref name="oval:org.fedoraproject.f14:def:20247" href="scap-fedora14-oval.xml"/>
 9000:             </check>
 9001:           </Rule>
 9002:         </Group>
 9003:         <Group id="group-3.6.1.3" hidden="false">
 9004:           <title xml:lang="en">Lock Down X Windows startx Configuration if Necessary</title>
 9005:           <description xml:lang="en">
 9006:             If X is not to be started at boot time but the software must
 9007:             remain installed, users will be able to run X manually using the startx command. In some
 9008:             cases, this runs X with a configuration which is less safe than the default. Follow
 9009:             these instructions to mitigate risk from this configuration.</description>
 9010:           <Group id="group-3.6.1.3.1" hidden="false">
 9011:             <title xml:lang="en">Disable X Font Server</title>
 9012:             <description xml:lang="en">
 9013:               Disable the xfs helper service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9014:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9015:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig xfs off <xhtml:br/></xhtml:code>
 9016:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9017:               The
 9018:               system's X.org requires the X Font Server service (xfs) to function. The xfs service
 9019:               will be started automatically if X.org is activated via startx. Therefore, it is safe
 9020:               to prevent xfs from starting at boot when X is disabled, even if users are allowed to
 9021:               run X manually.</description>
 9022:           </Group>
 9023:           <Group id="group-3.6.1.3.2" hidden="false">
 9024:             <title xml:lang="en">Disable X Window System Listening</title>
 9025:             <description xml:lang="en">
 9026:               To prevent X.org from listening for remote connections,
 9027:               create the file /etc/X11/xinit/xserverrc and fill it with the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9028:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9029:               exec X :0 -nolisten tcp $@ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9030:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9031:               One of X.org's features is the ability to provide remote graphical
 9032:               display. This feature should be disabled unless it is required. If the system uses
 9033:               runlevel 5, which is the default, the GDM display manager starts X safely, with remote
 9034:               listening disabled. However, if X is started from the command line with the startx
 9035:               command, then the server will listen for new connections on X's default port, 6000.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9036:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9037:               See the xinit(1), startx(1), and Xserver(1) man pages for more information.</description>
 9038:             <Rule id="rule-3.6.1.3.2.a" selected="false" weight="10.000000" severity="medium">
 9039:               <title xml:lang="en">Disable X Window System Listening</title>
 9040:               <description xml:lang="en">Disable the ability to provide remote graphical display</description>
 9041:               <ident system="http://cce.mitre.org">CCE-4074-1</ident>
 9042:               <fixtext xml:lang="en">(1) via /etc/X11/xinit/xserverrc</fixtext>
 9043:               <fix>echo "exec X :0 -nolisten tcp $@" &gt; /etc/X11/xinit/xserverrc</fix>
 9044:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9045:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20248" href="scap-fedora14-oval.xml"/>
 9046:               </check>
 9047:             </Rule>
 9048:           </Group>
 9049:         </Group>
 9050:       </Group>
 9051:       <Group id="group-3.6.2" hidden="false">
 9052:         <title xml:lang="en">Configure X Windows if Necessary</title>
 9053:         <description xml:lang="en">
 9054:           If there is a mission-critical reason for this machine to run a
 9055:           GUI, improve the security of the default X configuration by following the guidance in this
 9056:           section.</description>
 9057:         <Group id="group-3.6.2.1" hidden="false">
 9058:           <title xml:lang="en">Create Warning Banners for GUI Login Users</title>
 9059:           <description xml:lang="en">
 9060:             Edit the file /etc/gdm/custom.conf. Locate the [greeter]
 9061:             section, and correct that section to contain the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9062:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9063:             [greeter] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9064:             InfoMsgFile=/etc/issue<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9065:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9066:             See Section 2.3.7 for an explanation of banner file use. This setting will cause the
 9067:             system greeting banner to be displayed in a box prior to GUI login. If the default
 9068:             banner font is inappropriate, it can be changed by specifying the InfoMsgFont directive
 9069:             as well, for instance: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9070:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9071:             InfoMsgFont=Sans 12</description>
 9072:           <Rule id="rule-3.6.2.1.a" selected="false" weight="10.000000" severity="medium">
 9073:             <title xml:lang="en">Create Warning Banners for GUI Login Users</title>
 9074:             <description xml:lang="en">Enable warning banner for GUI login</description>
 9075:             <ident system="http://cce.mitre.org">CCE-3717-6</ident>
 9076:             <fixtext xml:lang="en">(1) via /etc/gdm/custom.conf</fixtext>
 9077:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9078:               <check-content-ref name="oval:org.fedoraproject.f14:def:20249" href="scap-fedora14-oval.xml"/>
 9079:             </check>
 9080:           </Rule>
 9081:         </Group>
 9082:       </Group>
 9083:     </Group>
 9084:     <Group id="group-3.7" hidden="false">
 9085:       <title xml:lang="en">Avahi Server</title>
 9086:       <description xml:lang="en">
 9087:         The Avahi daemon implements the DNS Service Discovery and Multicast
 9088:         DNS protocols, which provide service and host discovery on a network. It allows a system to
 9089:         automatically identify resources on the network, such as printers or web servers. This
 9090:         capability is also known as mDNSresponder and is a major part of Zeroconf networking. By
 9091:         default, it is enabled.</description>
 9092:       <Group id="group-3.7.1" hidden="false">
 9093:         <title xml:lang="en">Disable Avahi Server if Possible</title>
 9094:         <description xml:lang="en">
 9095:           Because the Avahi daemon service keeps an open network port, it
 9096:           is subject to network attacks. Disabling it is particularly important to reduce the
 9097:           system's vulnerability to such attacks.</description>
 9098:         <Group id="group-3.7.1.1" hidden="false">
 9099:           <title xml:lang="en">Disable Avahi Server Software</title>
 9100:           <description xml:lang="en">
 9101:             Issue the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9102:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9103:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig avahi-daemon off</xhtml:code></description>
 9104:           <Rule id="rule-3.7.1.1.a" selected="false" weight="10.000000" severity="low">
 9105:             <title xml:lang="en">Disable Avahi Server Software</title>
 9106:             <description xml:lang="en">The avahi-daemon service should be disabled.</description>
 9107:             <ident system="http://cce.mitre.org">CCE-4365-3</ident>
 9108:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 9109:             <fix># chkconfig avahi-daemon off</fix>
 9110:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9111:               <check-content-ref name="oval:org.fedoraproject.f14:def:20250" href="scap-fedora14-oval.xml"/>
 9112:             </check>
 9113:           </Rule>
 9114:         </Group>
 9115:         <Group id="group-3.7.1.2" hidden="false">
 9116:           <title xml:lang="en">Remove Avahi Server iptables Firewall Exception</title>
 9117:           <description xml:lang="en">
 9118:             Edit the files /etc/sysconfig/iptables and
 9119:             /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9120:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9121:             -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9122:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9123:             By default, inbound
 9124:             connections to Avahi's port are allowed. If the Avahi server is not being used, this
 9125:             exception should be removed from the firewall configuration. See Section 2.5.5 for more
 9126:             information about the Iptables firewall.</description>
 9127:         </Group>
 9128:       </Group>
 9129:       <Group id="group-3.7.2" hidden="false">
 9130:         <title xml:lang="en">Configure Avahi if Necessary</title>
 9131:         <description xml:lang="en">
 9132:           If your system requires the Avahi daemon, its configuration can
 9133:           be restricted to improve security. The Avahi daemon configuration file is
 9134:           /etc/avahi/avahi-daemon.conf. The following security recommendations should be applied to
 9135:           this file. See the avahi-daemon.conf(5) man page or documentation at http://www.avahi.org
 9136:           for more detailed information about the configuration options.</description>
 9137:         <Group id="group-3.7.2.1" hidden="false">
 9138:           <title xml:lang="en">Serve Only via Required Protocol</title>
 9139:           <description xml:lang="en">
 9140:             The default setting in the configuration file allows Avahi to
 9141:             use both IPv4 and IPv6 sockets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9142:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9143:             If you are using only IPv4, edit
 9144:             /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server]
 9145:             section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9146:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9147:             use-ipv6=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9148:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9149:             Similarly, if you are using only IPv6, disable IPv4 sockets with the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9150:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9151:             use-ipv4=no</description>
 9152:           <Rule id="rule-3.7.2.1.a" selected="false" weight="10.000000" severity="medium">
 9153:             <title xml:lang="en">Serve Only via Required Protocol</title>
 9154:             <description xml:lang="en">The Avahi daemon should be configured not to serve via IPv6</description>
 9155:             <ident system="http://cce.mitre.org">CCE-4136-8</ident>
 9156:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9157:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9158:               <check-content-ref name="oval:org.fedoraproject.f14:def:20251" href="scap-fedora14-oval.xml"/>
 9159:             </check>
 9160:           </Rule>
 9161:           <Rule id="rule-3.7.2.1.b" selected="false" weight="10.000000" severity="medium">
 9162:             <title xml:lang="en">Serve Only via Required Protocol</title>
 9163:             <description xml:lang="en">The Avahi daemon should be configured not to serve via IPv4</description>
 9164:             <ident system="http://cce.mitre.org">CCE-4409-9</ident>
 9165:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9166:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9167:               <check-content-ref name="oval:org.fedoraproject.f14:def:20252" href="scap-fedora14-oval.xml"/>
 9168:             </check>
 9169:           </Rule>
 9170:         </Group>
 9171:         <Group id="group-3.7.2.2" hidden="false">
 9172:           <title xml:lang="en">Check Responses' TTL Field</title>
 9173:           <description xml:lang="en">
 9174:             Avahi can be set to ignore IP packets unless their TTL field is
 9175:             255. To enable this, edit
 9176:             /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server]
 9177:             section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9178:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9179:             check-response-ttl=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9180:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9181:             This helps to ensure that only mDNS responses from the
 9182:             local network are processed, because the TTL field in a packet is decremented from its
 9183:             initial value of 255 whenever it is routed from one network to another. Although a
 9184:             properly-configured router or firewall should not allow mDNS packets into the local
 9185:             network at all, this option provides another check to ensure they are not trusted.</description>
 9186:           <Rule id="rule-3.7.2.2.a" selected="false" weight="10.000000">
 9187:             <title xml:lang="en">Check Responses' TTL Field</title>
 9188:             <description xml:lang="en">Avahi should be configured to reject packets with a TTL field not equal to 255</description>
 9189:             <ident system="http://cce.mitre.org">CCE-4426-3</ident>
 9190:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9191:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9192:               <check-content-ref name="oval:org.fedoraproject.f14:def:20253" href="scap-fedora14-oval.xml"/>
 9193:             </check>
 9194:           </Rule>
 9195:         </Group>
 9196:         <Group id="group-3.7.2.3" hidden="false">
 9197:           <title xml:lang="en">Prevent Other Programs from Using Avahi's Port</title>
 9198:           <description xml:lang="en">
 9199:             Avahi can stop other mDNS stacks from running on the host by
 9200:             preventing other processes from binding to port 5353. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9201:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9202:             To prevent other mDNS stacks from
 9203:             running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the
 9204:             [server] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9205:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9206:             disallow-other-stacks=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9207:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9208:             This is designed to help ensure that only
 9209:             Avahi is responsible for mDNS traffic coming from that port on the system.</description>
 9210:           <Rule id="rule-3.7.2.3.a" selected="false" weight="10.000000">
 9211:             <title xml:lang="en">Prevent Other Programs from Using Avahi's Port</title>
 9212:             <description xml:lang="en">Avahi should be configured to prevent other stacks from binding to port 5353</description>
 9213:             <ident system="http://cce.mitre.org">CCE-4193-9</ident>
 9214:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9215:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9216:               <check-content-ref name="oval:org.fedoraproject.f14:def:20254" href="scap-fedora14-oval.xml"/>
 9217:             </check>
 9218:           </Rule>
 9219:         </Group>
 9220:         <Group id="group-3.7.2.4" hidden="false">
 9221:           <title xml:lang="en">Disable Publishing if Possible</title>
 9222:           <description xml:lang="en">
 9223:             The default setting in the configuration file allows the
 9224:             avahi-daemon to send information about the local host, such as its address records and
 9225:             the services it offers, to the local network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9226:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9227:             To stop sending this information but still
 9228:             allow Avahi to query the network for services, ensure the configuration file includes
 9229:             the following line in the [publish] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9230:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9231:             disable-publishing=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9232:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9233:             This line may be
 9234:             particularly useful if Avahi is needed for printer discovery, but not to advertise
 9235:             services. This configuration is highly recommended for client systems that should not
 9236:             advertise their services (or existence).</description>
 9237:           <Rule id="rule-3.7.2.4.a" selected="false" weight="10.000000">
 9238:             <title xml:lang="en">Disable Publishing if Possible</title>
 9239:             <description xml:lang="en">Avahi publishing of local information should be disabled</description>
 9240:             <ident system="http://cce.mitre.org">CCE-4444-6</ident>
 9241:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9242:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9243:               <check-content-ref name="oval:org.fedoraproject.f14:def:20255" href="scap-fedora14-oval.xml"/>
 9244:             </check>
 9245:           </Rule>
 9246:         </Group>
 9247:         <Group id="group-3.7.2.5" hidden="false">
 9248:           <title xml:lang="en">Restrict Published Information</title>
 9249:           <description xml:lang="en">
 9250:             If it is necessary to publish some information to the network,
 9251:             it should not be joined by any extraneous information, or by information supplied by a
 9252:             non-trusted source on the system. Prevent user applications from using Avahi to publish
 9253:             services by adding or correcting the following line in the [publish] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9254:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9255:             disable-user-service-publishing=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9256:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9257:             Implement as many of the following lines as
 9258:             possible, to restrict the information published by Avahi: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9259:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9260:             publish-addresses=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9261:             publish-hinfo=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9262:             publish-workstation=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9263:             publish-domain=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9264:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9265:             Inspect the files in the
 9266:             directory /etc/avahi/services/. Unless there is an operational need to publish
 9267:             information about each of these services, delete the corresponding file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9268:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9269:             These options
 9270:             should be used even if publishing is disabled entirely via disable-publishing, since
 9271:             that option prevents publishing attempts from succeeding, while these options prevent
 9272:             the attempts from being made in the first place. Using both approaches is recommended
 9273:             for completeness.</description>
 9274:           <Rule id="rule-3.7.2.5.a" selected="false" weight="10.000000">
 9275:             <title xml:lang="en">Restrict disable-user-service-publishing</title>
 9276:             <description xml:lang="en">Avahi publishing of local information by user applications should be disabled</description>
 9277:             <ident system="http://cce.mitre.org">CCE-4352-1</ident>
 9278:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9279:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9280:               <check-content-ref name="oval:org.fedoraproject.f14:def:20256" href="scap-fedora14-oval.xml"/>
 9281:             </check>
 9282:           </Rule>
 9283:           <Rule id="rule-3.7.2.5.b" selected="false" weight="10.000000">
 9284:             <title xml:lang="en">Restrict publish-addresses</title>
 9285:             <description xml:lang="en">Avahi publishing of IP addresses should be disabled</description>
 9286:             <ident system="http://cce.mitre.org">CCE-4433-9</ident>
 9287:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9288:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9289:               <check-content-ref name="oval:org.fedoraproject.f14:def:20257" href="scap-fedora14-oval.xml"/>
 9290:             </check>
 9291:           </Rule>
 9292:           <Rule id="rule-3.7.2.5.c" selected="false" weight="10.000000">
 9293:             <title xml:lang="en">Restrict publish-hinfo</title>
 9294:             <description xml:lang="en">Avahi publishing of hardware information should be disabled</description>
 9295:             <ident system="http://cce.mitre.org">CCE-4451-1</ident>
 9296:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9297:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9298:               <check-content-ref name="oval:org.fedoraproject.f14:def:20258" href="scap-fedora14-oval.xml"/>
 9299:             </check>
 9300:           </Rule>
 9301:           <Rule id="rule-3.7.2.5.d" selected="false" weight="10.000000">
 9302:             <title xml:lang="en">Restrict publish-workstation</title>
 9303:             <description xml:lang="en">Avahi publishing of workstation name should be disabled</description>
 9304:             <ident system="http://cce.mitre.org">CCE-4341-4</ident>
 9305:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9306:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9307:               <check-content-ref name="oval:org.fedoraproject.f14:def:20259" href="scap-fedora14-oval.xml"/>
 9308:             </check>
 9309:           </Rule>
 9310:           <Rule id="rule-3.7.2.5.e" selected="false" weight="10.000000">
 9311:             <title xml:lang="en">Restrict publish-domain</title>
 9312:             <description xml:lang="en">Avahi publishing of domain name should be disabled</description>
 9313:             <ident system="http://cce.mitre.org">CCE-4358-8</ident>
 9314:             <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
 9315:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9316:               <check-content-ref name="oval:org.fedoraproject.f14:def:20260" href="scap-fedora14-oval.xml"/>
 9317:             </check>
 9318:           </Rule>
 9319:         </Group>
 9320:       </Group>
 9321:     </Group>
 9322:     <Group id="group-3.8" hidden="false">
 9323:       <title xml:lang="en">Print Support</title>
 9324:       <description xml:lang="en">
 9325:         The Common Unix Printing System (CUPS) service provides both local
 9326:         and network printing support. A system running the CUPS service can accept print jobs from
 9327:         other systems, process them, and send them to the appropriate printer. It also provides an
 9328:         interface for remote administration through a web browser. The CUPS service is installed and
 9329:         activated by default. The project homepage and more detailed documentation are available at
 9330:         http://www.cups.org. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9331:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9332:         The HP Linux Imaging and Printing service (HPLIP) is a separate package
 9333:         that provides support for some of the additional features that HP printers provide that CUPS
 9334:         may not necessarily support. It relies upon the CUPS service.</description>
 9335:       <Group id="group-3.8.1" hidden="false">
 9336:         <title xml:lang="en">Disable the CUPS Service if Possible</title>
 9337:         <description xml:lang="en">
 9338:           Do you need the ability to print from this machine or to allow
 9339:           others to print to it? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9340:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9341:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig cups off</xhtml:code></description>
 9342:         <Rule id="rule-3.8.1.a" selected="false" weight="10.000000" severity="medium">
 9343:           <title xml:lang="en">Disable the CUPS Service if Possible</title>
 9344:           <description xml:lang="en">The cups service should be disabled.</description>
 9345:           <ident system="http://cce.mitre.org">CCE-4112-9</ident>
 9346:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 9347:           <fix># chkconfig cups off</fix>
 9348:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9349:             <check-content-ref name="oval:org.fedoraproject.f14:def:20261" href="scap-fedora14-oval.xml"/>
 9350:           </check>
 9351:         </Rule>
 9352:       </Group>
 9353:       <Group id="group-3.8.2" hidden="false">
 9354:         <title xml:lang="en">Disable Firewall Access to Printing Service if Possible</title>
 9355:         <description xml:lang="en">
 9356:           Does this system need to operate as a network print server? If
 9357:           not, edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in
 9358:           use). In each file, locate and delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9359:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9360:           -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9361:           -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9362:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9363:           By
 9364:           default, inbound connections to the Internet Printing Protocol port are allowed. If the
 9365:           print server does not need to be accessed, either because the machine is not running the
 9366:           print service at all or because the machine is not providing a remote network printer to
 9367:           other machines, this exception should be removed from the firewall configuration. See
 9368:           Section 2.5.5 for more information about the Iptables firewall.</description>
 9369:         <Value id="var-3.8.2.a" operator="equals" type="string">
 9370:           <title xml:lang="en">accept udp over IPv4</title>
 9371:           <description xml:lang="en">Open firewall to allow udp over IPv4.</description>
 9372:           <question xml:lang="en">Enable/Disable UDP over IPv4</question>
 9373:           <value>disabled</value>
 9374:           <value selector="enabled">enabled</value>
 9375:           <value selector="disabled">disabled</value>
 9376:           <match>enabled|disabled</match>
 9377:           <choices mustMatch="true">
 9378:             <choice>enabled</choice>
 9379:             <choice>disabled</choice>
 9380:           </choices>
 9381:         </Value>
 9382:         <Value id="var-3.8.2.b" operator="equals" type="string">
 9383:           <title xml:lang="en">accept udp over IPv6</title>
 9384:           <description xml:lang="en">Open firewall to allow udp over IPv6.</description>
 9385:           <question xml:lang="en">Enable/Disable UDP over IPv6</question>
 9386:           <value>disabled</value>
 9387:           <value selector="enabled">enabled</value>
 9388:           <value selector="disabled">disabled</value>
 9389:           <match>enabled|disabled</match>
 9390:           <choices mustMatch="true">
 9391:             <choice>enabled</choice>
 9392:             <choice>disabled</choice>
 9393:           </choices>
 9394:         </Value>
 9395:         <Rule id="rule-3.8.2.a" selected="false" weight="10.000000" severity="high">
 9396:           <title xml:lang="en">Disable Firewall Access to Printing Service over IPv4 if Possible</title>
 9397:           <description xml:lang="en">Firewall access to printing service should be disabled</description>
 9398:           <ident system="http://cce.mitre.org">CCE-3649-1</ident>
 9399:           <fixtext xml:lang="en">(1) via /etc/sysconfig/iptables</fixtext>
 9400:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9401:             <check-export export-name="oval:org.fedoraproject.f14:var:20262" value-id="var-3.8.2.a"/>
 9402:             <check-content-ref name="oval:org.fedoraproject.f14:def:20262" href="scap-fedora14-oval.xml"/>
 9403:           </check>
 9404:         </Rule>
 9405:         <Rule id="rule-3.8.2.b" selected="false" weight="10.000000" severity="high">
 9406:           <title xml:lang="en">Disable Firewall Access to Printing Service over IPv6 if Possible</title>
 9407:           <description xml:lang="en">Firewall access to printing service should be disabled</description>
 9408:           <fixtext xml:lang="en">(1) via /etc/sysconfig/ip6tables</fixtext>
 9409:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9410:             <check-export export-name="oval:org.fedoraproject.f14:var:20263" value-id="var-3.8.2.b"/>
 9411:             <check-content-ref name="oval:org.fedoraproject.f14:def:20263" href="scap-fedora14-oval.xml"/>
 9412:           </check>
 9413:         </Rule>
 9414:       </Group>
 9415:       <Group id="group-3.8.3" hidden="false">
 9416:         <title xml:lang="en">Configure the CUPS Service if Necessary</title>
 9417:         <description xml:lang="en">
 9418:           CUPS provides the ability to easily share local printers with
 9419:           other machines over the network. It does this by allowing machines to share lists of
 9420:           available printers. Additionally, each machine that runs the CUPS service can potentially
 9421:           act as a print server. Whenever possible, the printer sharing and print server
 9422:           capabilities of CUPS should be limited or disabled. The following recommendations should
 9423:           demonstrate how to do just that.</description>
 9424:         <Group id="group-3.8.3.1" hidden="false">
 9425:           <title xml:lang="en">Limit Printer Browsing</title>
 9426:           <description xml:lang="en">By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing.</description>
 9427:           <Group id="group-3.8.3.1.1" hidden="false">
 9428:             <title xml:lang="en">Disable Printer Browsing Entirely if Possible</title>
 9429:             <description xml:lang="en">
 9430:               To disable printer browsing entirely, edit the CUPS
 9431:               configuration file, located at /etc/cups/cupsd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9432:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9433:               Browsing Off<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9434:               BrowseAllow none <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9435:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9436:               The
 9437:               CUPS print service can be configured to broadcast a list of available printers to the
 9438:               network. Other machines on the network, also running the CUPS print service, can be
 9439:               configured to listen to these broadcasts and add and configure these printers for
 9440:               immediate use. By disabling this browsing capability, the machine will no longer
 9441:               generate or receive such broadcasts.</description>
 9442:             <Rule id="rule-3.8.3.1.1.a" selected="false" weight="10.000000">
 9443:               <title xml:lang="en">Disable Printer Browsing Entirely if Possible</title>
 9444:               <description xml:lang="en">Remote print browsing should be disabled</description>
 9445:               <ident system="http://cce.mitre.org">CCE-4420-6</ident>
 9446:               <fixtext xml:lang="en">(1) via /etc/cups/cupsd.conf</fixtext>
 9447:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9448:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20264" href="scap-fedora14-oval.xml"/>
 9449:               </check>
 9450:             </Rule>
 9451:             <Rule id="rule-3.8.3.1.1.b" selected="false" weight="10.000000">
 9452:               <title xml:lang="en">Deny CUPS the Ability to Listen for Incoming Printer Information</title>
 9453:               <description xml:lang="en">CUPS should be denied the ability to listen for incoming printer information</description>
 9454:               <ident system="http://cce.mitre.org">CCE-4407-3</ident>
 9455:               <fixtext xml:lang="en">(1) via /etc/cups/cupsd.conf</fixtext>
 9456:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9457:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20265" href="scap-fedora14-oval.xml"/>
 9458:               </check>
 9459:             </Rule>
 9460:           </Group>
 9461:           <Group id="group-3.8.3.1.2" hidden="false">
 9462:             <title xml:lang="en">Limit Printer Browsing to a Particular Subnet if Necessary</title>
 9463:             <description xml:lang="en">
 9464:               It is possible to disable outgoing printer list broadcasts
 9465:               without affecting incoming broadcasts from other machines. To do so, open the CUPS
 9466:               configuration file, located at /etc/cups/cupsd.conf. Look for the line that begins
 9467:               with BrowseAddress and remove it. The line will look like the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9468:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9469:               BrowseAddress @LOCAL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9470:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9471:               If the intent is not to block printer sharing, but to limit it to a particular
 9472:               set of machines, you can limit the UDP printer broadcasts to trusted network
 9473:               addresses. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9474:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9475:               BrowseAddress ip-address:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9476:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9477:               Likewise, to ignore incoming UDP printer list
 9478:               broadcasts, or to limit the set of machines to listen to, use the BrowseAllow and
 9479:               BrowseDeny directives. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9480:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9481:               BrowseDeny all <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9482:               BrowseAllow ip-address <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9483:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9484:               This combination will
 9485:               deny incoming broadcasts from any machine except those that are explicitly allowed
 9486:               with BrowseAllow. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9487:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9488:               By default, when printer sharing is enabled, CUPS will broadcast to
 9489:               every network that its host machine is connected to through all available network
 9490:               interfaces on port 631. It will also listen to incoming broadcasts from other machines
 9491:               on the network. Either list one BrowseAddress line for each client machine and one
 9492:               BrowseAllow line for each print server or use one of the supported shorthand notations
 9493:               that the CUPS service recognizes. Please see the cupsd.conf(5) man page or the
 9494:               documentation provided at http://www.cups.org for more information on other ways to
 9495:               format these directives.</description>
 9496:           </Group>
 9497:         </Group>
 9498:         <Group id="group-3.8.3.2" hidden="false">
 9499:           <title xml:lang="en">Disable Print Server Capabilities if Possible</title>
 9500:           <description xml:lang="en">
 9501:             To prevent remote users from potentially
 9502:             connecting to and using locally configured printers, disable the CUPS print server
 9503:             sharing capabilities. To do so, limit how the server will listen for print jobs by
 9504:             removing the more generic port directive from /etc/cups/cupsd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9505:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9506:             Port 631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9507:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9508:             and replacing it with the Listen directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9509:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9510:             Listen localhost:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9511:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9512:             This will prevent remote
 9513:             users from printing to locally configured printers while still allowing local users on
 9514:             the machine to print normally. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9515:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9516:             By default, locally configured printers will not be
 9517:             shared over the network, but if this functionality has somehow been enabled, these
 9518:             recommendations will disable it again. Be sure to disable outgoing printer list
 9519:             broadcasts, or remote users will still be able to see the locally configured printers,
 9520:             even if they cannot actually print to them. To limit print serving to a particular set
 9521:             of users, use the Policy directive.</description>
 9522:           <warning xml:lang="en">Disabling the print server capabilities in this manner will
 9523:             also disable the Web Administration interface. </warning>
 9524:         </Group>
 9525:         <Group id="group-3.8.3.3" hidden="false">
 9526:           <title xml:lang="en">Limit Access to the Web Administration Interface</title>
 9527:           <description xml:lang="en">
 9528:             By default, access to the CUPS web administration interface is
 9529:             limited to the local machine. It is recommended that this not be changed, especially
 9530:             since the authentication mechanisms that CUPS provides are limited in their
 9531:             effectiveness. If it is absolutely necessary to allow remote users to administer locally
 9532:             installed printers, be sure to limit that access as much as possible by taking advantage
 9533:             of the Location and Policy directive blocks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9534:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9535:             For example, to enable
 9536:             remote access for ip-address for user username, modify each of the Location and Policy
 9537:             directive blocks as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9538:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9539:             &lt;Location /&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9540:             AuthType Basic <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9541:             Require user username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9542:             Order allow,deny <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9543:             Allow localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9544:             Allow ip-address <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9545:             &lt;/Location&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9546:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9547:             As with the
 9548:             BrowseAllow directive, use one Allow directive for each machine that needs access or use
 9549:             one of the available CUPS directive definition shortcuts to enable access from a class
 9550:             of machines at once. The Require user directive can take a list of individual users, a
 9551:             group of users (prefixed with @), or the shorthand valid-user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9552:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9553:             Host-based authentication has known limitations,
 9554:             especially since IP addresses are easy to spoof. Requiring users to authenticate
 9555:             themselves can alleviate this problem, but it cannot eliminate it. Do not use the root
 9556:             account to manage and administer printers. Create a separate account for this purpose
 9557:             and limit access to valid users with Require valid-user or Require user printeradmin.
 9558:           </description>
 9559:         </Group>
 9560:         <Group id="group-3.8.3.4" hidden="false">
 9561:           <title xml:lang="en">Take Further Security Measures When Appropriate</title>
 9562:           <description xml:lang="en">
 9563:             Whenever possible, limit outside networks' access to port 631.
 9564:             Consider using CUPS directives that limit the number of incoming clients, such as
 9565:             MaxClients or MaxClientsPerHost. Additionally, there are a series of Policy and Location
 9566:             directives intended to limit which users can perform different printing tasks. When used
 9567:             together, these may help to mitigate the possibility of a denial of service attack. See
 9568:             cupsd.conf(5) for a full list of possible directives.</description>
 9569:         </Group>
 9570:       </Group>
 9571:       <Group id="group-3.8.4" hidden="false">
 9572:         <title xml:lang="en">The HP Linux Imaging and Printing (HPLIP) Toolkit</title>
 9573:         <description xml:lang="en">
 9574:           The HPLIP package is an HP printing support utility that is
 9575:           installed and enabled in a default installation. The HPLIP package is comprised of two
 9576:           separate components. The first is the main HPLIP service and the second is a smaller
 9577:           subcomponent called HPIJS. HPLIP is a feature-oriented network service that provides
 9578:           higher level printing support (such as bi-directional I/O, scanning, photo card, and
 9579:           toolbox functionality). HPIJS is a lower level basic printing driver that provides basic
 9580:           support for non-PostScript HP printers.</description>
 9581:         <Group id="group-3.8.4.1" hidden="false">
 9582:           <title xml:lang="en">Disable HPLIP Service if Possible</title>
 9583:           <description xml:lang="en">
 9584:             Since the HPIJS driver will still function without the added
 9585:             HPLIP service, HPLIP should be disabled unless the specific higher level functions that
 9586:             HPLIP provides are needed by a non-PostScript HP printer on the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9587:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9588:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig hplip off <xhtml:br/></xhtml:code>
 9589:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9590:             Note: If installing the HPLIP package from scratch, it should be noted that
 9591:             HPIJS can be installed directly without HPLIP. Please see the FAQ at the HPLIP web site
 9592:             at http://hplip.sourceforge.net/faqs.html for more information on how to do this.</description>
 9593:           <Rule id="rule-3.8.4.1.a" selected="false" weight="10.000000" severity="low">
 9594:             <title xml:lang="en">Disable HPLIP Service if Possible</title>
 9595:             <description xml:lang="en">The hplip service should be disabled.</description>
 9596:             <ident system="http://cce.mitre.org">CCE-4425-5</ident>
 9597:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 9598:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9599:               <check-content-ref name="oval:org.fedoraproject.f14:def:20266" href="scap-fedora14-oval.xml"/>
 9600:             </check>
 9601:           </Rule>
 9602:         </Group>
 9603:       </Group>
 9604:     </Group>
 9605:     <Group id="group-3.9" hidden="false">
 9606:       <title xml:lang="en">DHCP</title>
 9607:       <description xml:lang="en">
 9608:         The Dynamic Host Configuration Protocol (DHCP) allows systems to
 9609:         request and obtain an IP address and many other parameters from a server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9610:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9611:         In general, sites
 9612:         use DHCP either to allow a large pool of mobile or unknown machines to share a limited
 9613:         number of IP addresses, or to standardize installations by avoiding static, individual IP
 9614:         address configuration on hosts. It is recommended that sites avoid DHCP as much as possible.
 9615:         Since DHCP authentication is not well-supported, DHCP clients are open to attacks from rogue
 9616:         DHCP servers. Such servers can give clients incorrect information (e.g. malicious DNS server
 9617:         addresses) which could lead to their compromise. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9618:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9619:         If a machine must act as a DHCP client or
 9620:         server, configure it defensively using the guidance in this section. This guide recommends
 9621:         configuring networking on clients by manually editing the appropriate files under
 9622:         /etc/sysconfig. It is also possible to use the graphical front-end programs
 9623:         system-config-network and system-config-network-tui, but these programs rewrite
 9624:         configuration files from scratch based on their defaults – destroying any manual changes –
 9625:         and should therefore be used with caution.</description>
 9626:       <Group id="group-3.9.1" hidden="false">
 9627:         <title xml:lang="en">Disable DHCP Client if Possible</title>
 9628:         <description xml:lang="en">
 9629:           For each interface IFACE on the system (e.g. eth0), edit
 9630:           /etc/sysconfig/network-scripts/ifcfg-IFACE and make the following changes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9631:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9632:           <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
 9633:             <xhtml:li>Correct the BOOTPROTO line to read: <xhtml:br/>
 9634:               <xhtml:br/>
 9635:               BOOTPROTO=static
 9636:             </xhtml:li>
 9637:             <xhtml:li>Add or correct the following lines,
 9638:               substituting the appropriate values based on your site's addressing scheme:<xhtml:br/>
 9639:               <xhtml:br/>
 9640:               NETMASK=255.255.255.0<xhtml:br/>
 9641:               IPADDR=192.168.1.2<xhtml:br/>
 9642:               GATEWAY=192.168.1.1 <xhtml:br/>
 9643:             </xhtml:li>
 9644:           </xhtml:ol>
 9645:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9646:           DHCP is the default network
 9647:           configuration method provided by the system installer, so it may be enabled on many
 9648:           systems.</description>
 9649:         <Value id="var-3.9.1.a" operator="equals" type="string">
 9650:           <title xml:lang="en">DHCP BOOTPROTO</title>
 9651:           <description xml:lang="en">If BOOTPROTO is not "static", then the only other item that must be set is the DEVICE item; all the rest will be determined by the boot protocol. No "dummy" entries need to be created.</description>
 9652:           <question xml:lang="en">Choose DHCP BOOTPROTO</question>
 9653:           <value>static</value>
 9654:           <value selector="bootp">bootp</value>
 9655:           <value selector="dhcp">dhcp</value>
 9656:           <value selector="static">static</value>
 9657:           <choices>
 9658:             <choice>bootp</choice>
 9659:             <choice>dhcp</choice>
 9660:             <choice>static</choice>
 9661:           </choices>
 9662:         </Value>
 9663:         <Rule id="rule-3.9.1.a" selected="false" weight="10.000000" severity="low">
 9664:           <title xml:lang="en">Disable DHCP Client if Possible</title>
 9665:           <description xml:lang="en">The dhcp client service should be disabled for each interface.</description>
 9666:           <ident system="http://cce.mitre.org">CCE-4191-3</ident>
 9667:           <fixtext xml:lang="en">(1) via /etc/sysconfig/network-scripts/ifcfg-eth*</fixtext>
 9668:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9669:             <check-export export-name="oval:org.fedoraproject.f14:var:20267" value-id="var-3.9.1.a"/>
 9670:             <check-content-ref name="oval:org.fedoraproject.f14:def:20267" href="scap-fedora14-oval.xml"/>
 9671:           </check>
 9672:         </Rule>
 9673:       </Group>
 9674:       <Group id="group-3.9.2" hidden="false">
 9675:         <title xml:lang="en">Configure DHCP Client if necessary</title>
 9676:         <description xml:lang="en">
 9677:           If DHCP must be used, then certain configuration changes can
 9678:           minimize the amount of information it receives and applies from the network, and thus the
 9679:           amount of incorrect information a rogue DHCP server could successfully distribute. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9680:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9681:           For more information on configuring dhclient, see the dhclient(8) and dhclient.conf(5)
 9682:           man pages.</description>
 9683:         <Group id="group-3.9.2.1" hidden="false">
 9684:           <title xml:lang="en">Minimize the DHCP-Configured Options</title>
 9685:           <description xml:lang="en">
 9686:             Create the file /etc/dhclient.conf (confirm the path your dhclient actually reads with
 9687:             dhclient.conf(5); some dhcp packages look under /etc/dhcp/ instead), and add an appropriate
 9688:             setting for each of the ten configuration settings which can be obtained via DHCP. For
 9688:             each such setting, do one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9689:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
 9690:               <xhtml:li>If the setting should not be
 9691:                 configured remotely by the DHCP server, select an appropriate static value, and add the
 9692:                 line: <xhtml:br/>
 9693:                 <xhtml:br/>
 9694:                 supersede setting value ; </xhtml:li>
 9695:               <xhtml:li>If the setting should be configured remotely by the
 9696:                 DHCP server, add the lines: <xhtml:br/>
 9697:                 <xhtml:br/>
 9698:                 request setting ; <xhtml:br/>
 9699:                 require setting ; </xhtml:li>
 9700:             </xhtml:ul>
 9701:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9702:             For example, suppose the
 9703:             DHCP server should provide only the IP address itself and the subnet mask. Then the
 9704:             entire file should look like: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9705:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9706:             supersede domain-name "example.com"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9707:             supersede domain-name-servers 192.168.1.2 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9708:             supersede nis-domain ""; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9709:             supersede nis-servers "";<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9710:             supersede ntp-servers "ntp.example.com"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9711:             supersede routers 192.168.1.1 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9712:             supersede time-offset -18000 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9713:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9714:             request subnet-mask; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9715:             require subnet-mask; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9716:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9717:             By default, the DHCP
 9718:             client program, dhclient, requests and applies ten configuration options (in addition to
 9719:             the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset,
 9720:             routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and
 9721:             ntp-servers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9722:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9723:             Many of the options requested and applied by dhclient may be the same for
 9724:             every system on a network. It is recommended that almost all configuration options be
 9725:             assigned statically, and only options which must vary on a host-by-host basis be
 9726:             assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9727:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9728:             If
 9729:             appropriate for your site, it is also possible to supersede the host-name directive in
 9730:             /etc/dhclient.conf, establishing a static hostname for the machine. However, dhclient
 9731:             does not use the host name option provided by the DHCP server (instead using the value
 9732:             provided by a reverse DNS lookup). The example above also omits broadcast-address; like
 9732:             the other options it should either be superseded with a static value or be explicitly
 9732:             requested and required, so that every one of the ten options is accounted for. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9733:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9734:             Note: In this example, the options nis-servers and
 9735:             nis-domain are set to empty strings, on the assumption that the deprecated NIS protocol
 9736:             is not in use. (See Section 3.2.4.) It is necessary to supersede settings for unused
 9737:             services so that they cannot be set by a hostile DHCP server. If an option is set to an
 9738:             empty string, dhclient will typically not attempt to configure the service.</description>
 9739:         </Group>
 9740:       </Group>
 9741:       <Group id="group-3.9.3" hidden="false">
 9742:         <title xml:lang="en">Disable DHCP Server if possible</title>
 9743:         <description xml:lang="en">
 9744:           If the dhcp package has been installed on a machine which does
 9745:           not need to operate as a DHCP server, disable the daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9746:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9747:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig dhcpd off <xhtml:br/></xhtml:code>
 9748:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9749:           If possible, remove the software as well: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9750:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9751:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase dhcp <xhtml:br/></xhtml:code>
 9752:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9753:           The DHCP server dhcpd is not
 9754:           installed or activated by default. If the software was installed and activated, but the
 9755:           system does not need to act as a DHCP server, it should be disabled and removed. Unmanaged
 9756:           DHCP servers will provide faulty information to clients, interfering with the operation of
 9757:           a legitimate site DHCP server if there is one, or causing misconfigured machines to
 9758:           exhibit unpredictable behavior if there is not.</description>
 9759:         <Rule id="rule-3.9.3.a" selected="false" weight="10.000000" severity="low">
 9760:           <title xml:lang="en">Disable DHCP Server if possible</title>
 9761:           <description xml:lang="en">The dhcpd service should be disabled.</description>
 9762:           <ident system="http://cce.mitre.org">CCE-4336-4</ident>
 9763:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
 9764:           <fix># chkconfig dhcpd off</fix>
 9765:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9766:             <check-content-ref name="oval:org.fedoraproject.f14:def:20268" href="scap-fedora14-oval.xml"/>
 9767:           </check>
 9768:         </Rule>
 9769:         <Rule id="rule-3.9.3.b" selected="false" weight="10.000000">
 9770:           <title xml:lang="en">Uninstall DHCP Server if possible</title>
 9771:           <description xml:lang="en">The dhcp package should be uninstalled.</description>
 9772:           <ident system="http://cce.mitre.org">CCE-4464-4</ident>
 9773:           <fixtext xml:lang="en">(1) via yum</fixtext>
 9774:           <fix># yum erase dhcp</fix>
 9775:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9776:             <check-content-ref name="oval:org.fedoraproject.f14:def:20269" href="scap-fedora14-oval.xml"/>
 9777:           </check>
 9778:         </Rule>
 9779:       </Group>
 9780:       <Group id="group-3.9.4" hidden="false">
 9781:         <title xml:lang="en">Configure the DHCP Server if necessary</title>
 9782:         <description xml:lang="en">
 9783:           If the system must act as a DHCP server, the configuration
 9784:           information it serves should be minimized. Also, support for other protocols and
 9785:           DNS-updating schemes should be explicitly disabled unless needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9786:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9787:           The configuration file
 9788:           for dhcpd is called /etc/dhcpd.conf (if your dhcp package instead reads /etc/dhcp/dhcpd.conf,
 9788:           edit that file; confirm the path with dhcpd(8) before making changes). The file begins with a number of global configuration
 9789:           options. The remainder of the file is divided into sections, one for each block of
 9790:           addresses offered by dhcpd, each of which contains configuration options specific to that
 9791:           address block.</description>
 9792:         <Group id="group-3.9.4.1" hidden="false">
 9793:           <title xml:lang="en">Do Not Use Dynamic DNS</title>
 9794:           <description xml:lang="en">
 9795:             To prevent the DHCP server from receiving DNS information from
 9796:             clients, edit /etc/dhcpd.conf, and add or correct the following global option:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9797:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9798:             ddns-update-style none; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9799:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9800:             The Dynamic DNS protocol is used to remotely update the data
 9801:             served by a DNS server. DHCP servers can use Dynamic DNS to publish information about
 9802:             their clients. This setup carries security risks, and its use is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9803:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9804:             If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS
 9805:             transactions be protected using TSIG or some other cryptographic authentication
 9806:             mechanism. See Section 3.14 for more information about DNS servers, including further
 9807:             information about TSIG and Dynamic DNS. Also see dhcpd.conf(5) for more information
 9808:             about protecting the DHCP server from passing along malicious DNS data from its clients.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9809:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9810:             Note: The ddns-update-style option controls only whether the DHCP server will attempt to
 9811:             act as a Dynamic DNS client. If the DNS server itself is correctly configured to reject
 9812:             unauthenticated update attempts, a permissive ddns-update-style setting on dhcpd does no
 9813:             direct harm, but it should still be fixed: disabling updates at their source is the
 9813:             defense-in-depth measure that does not depend on every DNS server being hardened correctly.</description>
 9814:           <Rule id="rule-3.9.4.1.a" selected="false" weight="10.000000">
 9815:             <title xml:lang="en">Do Not Use Dynamic DNS</title>
 9816:             <description xml:lang="en">The dynamic DNS feature of the DHCP server should be disabled</description>
 9817:             <ident system="http://cce.mitre.org">CCE-4257-2</ident>
 9818:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9819:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9820:               <check-content-ref name="oval:org.fedoraproject.f14:def:20270" href="scap-fedora14-oval.xml"/>
 9821:             </check>
 9822:           </Rule>
 9823:         </Group>
 9824:         <Group id="group-3.9.4.2" hidden="false">
 9825:           <title xml:lang="en">Deny Decline Messages</title>
 9826:           <description xml:lang="en">
 9827:             Edit /etc/dhcpd.conf and add or correct the following global
 9828:             option to prevent the DHCP server from responding to DHCPDECLINE messages, if possible:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9829:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9830:             deny declines; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9831:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9832:             The DHCPDECLINE message can be sent by a DHCP client to indicate that it
 9833:             does not consider the lease offered by the server to be valid (typically because the
 9834:             address appears to be in use already). Each declined address is withheld from other clients,
 9835:             so by issuing many DHCPDECLINE messages a malicious client on the local segment can exhaust
 9835:             the DHCP server's pool of IP addresses and deny service to legitimate clients. Note that
 9835:             honest clients use DHCPDECLINE to report genuine address conflicts, so denying it trades
 9835:             that signal for resistance to this exhaustion attack.</description>
 9836:           <Rule id="rule-3.9.4.2.a" selected="false" weight="10.000000">
 9837:             <title xml:lang="en">Deny Decline Messages</title>
 9838:             <description xml:lang="en">DHCPDECLINE messages should be denied by the DHCP server</description>
 9839:             <ident system="http://cce.mitre.org">CCE-4403-2</ident>
 9840:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9841:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9842:               <check-content-ref name="oval:org.fedoraproject.f14:def:20271" href="scap-fedora14-oval.xml"/>
 9843:             </check>
 9844:           </Rule>
 9845:         </Group>
 9846:         <Group id="group-3.9.4.3" hidden="false">
 9847:           <title xml:lang="en">Deny BOOTP Queries</title>
 9848:           <description xml:lang="en">
 9849:             Unless your network needs to support older BOOTP clients,
 9850:             disable support for the bootp protocol by adding or correcting the global option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9851:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9852:             deny bootp; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9853:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9854:             The bootp option tells dhcpd to respond to BOOTP queries. If support for this
 9855:             simpler protocol is not needed, it should be disabled to remove attack vectors against
 9856:             the DHCP server.</description>
 9857:           <Rule id="rule-3.9.4.3.a" selected="false" weight="10.000000">
 9858:             <title xml:lang="en">Deny BOOTP Queries</title>
 9859:             <description xml:lang="en">BOOTP queries should be denied by the DHCP server</description>
 9860:             <ident system="http://cce.mitre.org">CCE-4345-5</ident>
 9861:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9862:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9863:               <check-content-ref name="oval:org.fedoraproject.f14:def:20272" href="scap-fedora14-oval.xml"/>
 9864:             </check>
 9865:           </Rule>
 9866:         </Group>
 9867:         <Group id="group-3.9.4.4" hidden="false">
 9868:           <title xml:lang="en">Minimize Served Information</title>
 9869:           <description xml:lang="en">
 9870:             Edit /etc/dhcpd.conf. Examine each address range section within
 9871:             the file, and ensure that the following options are not defined unless there is an
 9872:             operational need to provide this information via DHCP: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9873:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9874:             option domain-name <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9875:             option domain-name-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9876:             option nis-domain <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9877:             option nis-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9878:             option ntp-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9879:             option routers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9880:             option time-offset <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9881:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9882:             Because a rogue DHCP server can hand clients malicious values for any option they are
 9883:             willing to accept from DHCP, the amount of information clients obtain via DHCP should be
 9884:             minimized. Remove these definitions from the legitimate
 9885:             DHCP server configuration so that clients are configured statically instead, and do not
 9886:             come to rely on DHCP for this information. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9887:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9888:             Note: By default, the Fedora client installation uses DHCP to
 9889:             request much of the above information from the DHCP server. In particular, domain-name,
 9890:             domain-name-servers, and routers are configured via DHCP. These settings are typically
 9891:             necessary for proper network functionality, but are also usually static across machines
 9892:             at a given site. See Section 3.9.2.1 for a description of how to configure static site
 9893:             information within the DHCP client configuration.</description>
 9894:           <Rule id="rule-3.9.4.4.a" selected="false" weight="10.000000">
 9895:             <title xml:lang="en">DHCP should not send domain-name</title>
 9896:             <description xml:lang="en">The domain name (option domain-name) should not be sent by the DHCP server.</description>
 9897:             <ident system="http://cce.mitre.org">CCE-3724-2</ident>
 9898:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9899:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9900:               <check-content-ref name="oval:org.fedoraproject.f14:def:20273" href="scap-fedora14-oval.xml"/>
 9901:             </check>
 9902:           </Rule>
 9903:           <Rule id="rule-3.9.4.4.b" selected="false" weight="10.000000">
 9904:             <title xml:lang="en">DHCP should not send domain-name-servers</title>
 9905:             <description xml:lang="en">Domain name server information (option domain-name-servers) should not be sent by the DHCP server.</description>
 9906:             <ident system="http://cce.mitre.org">CCE-4243-2</ident>
 9907:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9908:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9909:               <check-content-ref name="oval:org.fedoraproject.f14:def:20274" href="scap-fedora14-oval.xml"/>
 9910:             </check>
 9911:           </Rule>
 9912:           <Rule id="rule-3.9.4.4.c" selected="false" weight="10.000000">
 9913:             <title xml:lang="en">DHCP should not send nis-domain</title>
 9914:             <description xml:lang="en">The NIS domain (option nis-domain) should not be sent by the DHCP server.</description>
 9915:             <ident system="http://cce.mitre.org">CCE-4389-3</ident>
 9916:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9917:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9918:               <check-content-ref name="oval:org.fedoraproject.f14:def:20275" href="scap-fedora14-oval.xml"/>
 9919:             </check>
 9920:           </Rule>
 9921:           <Rule id="rule-3.9.4.4.d" selected="false" weight="10.000000">
 9922:             <title xml:lang="en">DHCP should not send nis-servers</title>
 9923:             <description xml:lang="en">NIS servers (option nis-servers) should not be sent by the DHCP server.</description>
 9924:             <ident system="http://cce.mitre.org">CCE-3913-1</ident>
 9925:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9926:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9927:               <check-content-ref name="oval:org.fedoraproject.f14:def:20276" href="scap-fedora14-oval.xml"/>
 9928:             </check>
 9929:           </Rule>
 9930:           <Rule id="rule-3.9.4.4.e" selected="false" weight="10.000000">
 9931:             <title xml:lang="en">DHCP should not send ntp-servers</title>
 9932:             <description xml:lang="en">NTP servers (option ntp-servers) should not be sent by the DHCP server.</description>
 9933:             <ident system="http://cce.mitre.org">CCE-4169-9</ident>
 9934:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9935:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9936:               <check-content-ref name="oval:org.fedoraproject.f14:def:20277" href="scap-fedora14-oval.xml"/>
 9937:             </check>
 9938:           </Rule>
 9939:           <Rule id="rule-3.9.4.4.f" selected="false" weight="10.000000">
 9940:             <title xml:lang="en">DHCP should not send routers</title>
 9941:             <description xml:lang="en">Default routers (option routers) should not be sent by the DHCP server.</description>
 9942:             <ident system="http://cce.mitre.org">CCE-4318-2</ident>
 9943:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9944:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9945:               <check-content-ref name="oval:org.fedoraproject.f14:def:20278" href="scap-fedora14-oval.xml"/>
 9946:             </check>
 9947:           </Rule>
 9948:           <Rule id="rule-3.9.4.4.g" selected="false" weight="10.000000">
 9949:             <title xml:lang="en">DHCP should not send time-offset</title>
 9950:             <description xml:lang="en">The time offset (option time-offset) should not be sent by the DHCP server.</description>
 9951:             <ident system="http://cce.mitre.org">CCE-4319-0</ident>
 9952:             <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
 9953:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9954:               <check-content-ref name="oval:org.fedoraproject.f14:def:20279" href="scap-fedora14-oval.xml"/>
 9955:             </check>
 9956:           </Rule>
 9957:         </Group>
 9958:         <Group id="group-3.9.4.5" hidden="false">
 9959:           <title xml:lang="en">Configure Logging</title>
 9960:           <description xml:lang="en">
 9961:             Ensure that the following line exists in /etc/syslog.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9962:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9963:             daemon.* /var/log/daemon.log <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9964:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9965:             Configure logwatch or other log monitoring tools to
 9966:             summarize error conditions reported by the dhcpd process. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9967:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9968:             By default, dhcpd logs notices
 9969:             to the daemon facility. Sending all daemon messages to a dedicated log file is part of
 9970:             the syslog configuration outlined in Section 2.6.1.1.</description>
 9971:           <Rule id="rule-3.9.4.5.a" selected="false" weight="10.000000">
 9972:             <title xml:lang="en">Configure DHCP Logging</title>
 9973:             <description xml:lang="en">dhcpd logging should be enabled.</description>
 9974:             <ident system="http://cce.mitre.org">CCE-3733-3</ident>
 9975:             <fixtext xml:lang="en">(1) via /etc/syslog.conf</fixtext>
 9976:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 9977:               <check-content-ref name="oval:org.fedoraproject.f14:def:20280" href="scap-fedora14-oval.xml"/>
 9978:             </check>
 9979:           </Rule>
 9980:         </Group>
 9981:         <Group id="group-3.9.4.6" hidden="false">
 9982:           <title xml:lang="en">Further Resources</title>
 9983:           <description xml:lang="en">The man pages dhcpd.conf(5) and dhcpd(8), and the ISC DHCP web page at http://isc.org/products/DHCP.</description>
 9984:         </Group>
 9985:       </Group>
 9986:     </Group>
 9987:     <Group id="group-3.10" hidden="false">
 9988:       <title xml:lang="en">Network Time Protocol</title>
 9989:       <description xml:lang="en">
 9990:         The Network Time Protocol is used to manage the system clock over a
 9991:         network. Computer clocks are not very accurate, so time will drift unpredictably on
 9992:         unmanaged systems. Central time protocols can be used both to ensure that time is consistent
 9993:         among a network of machines, and that their time is consistent with the outside world. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9994:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
 9995:         Local time synchronization is recommended for all networks. If every machine on your network
 9996:         reliably reports the same time as every other machine, then it is much easier to correlate
 9997:         log messages in case of an attack. In addition, a number of cryptographic protocols (such as
 9998:         Kerberos) use timestamps to prevent certain types of attacks. If your network does not have
 9999:         synchronized time, these protocols may be unreliable or even unusable. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10000:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10001:         Depending on the specifics of the network, global time accuracy may be just as important as
10002:         local synchronization, or not very important at all. If your network is connected to the
10003:         Internet, it is recommended that you make use of a public timeserver, since globally
10004:         accurate timestamps may be necessary if you need to investigate or respond to an attack
10005:         which originated outside of your network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10006:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10007:         Whether or not you use an outside timeserver, configure
10008:         the network to have a small number of machines operating as NTP servers, and the remainder
10009:         obtaining time information from those internal servers.</description>
10010:       <Group id="group-3.10.1" hidden="false">
10011:         <title xml:lang="en">Select NTP Software</title>
10012:         <description xml:lang="en">
10013:           The Network Time Protocol (RFC 1305) is designed to synchronize
10014:           time with a very high degree of accuracy even on an unreliable network. NTP is therefore a
10015:           complex protocol. The Simple Network Time Protocol (RFC 4330) implements a subset of NTP
10016:           which is intended to be good enough to meet the time requirements of most networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10017:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10018:           The primary implementation of NTP comes from ntp.org, and is shipped with Fedora as the ntp
10019:           RPM. An alternative is OpenNTPD, which is an implementation of SNTP, and which can be
10020:           obtained as source code from http://www.openntpd.org. OpenNTPD may be simpler to configure
10021:           than the reference NTP implementation, at the cost of the need to install and maintain
10022:           third-party software. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10023:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10024:           This guide does not recommend the use of a particular NTP/SNTP
10025:           software package, but does recommend that some NTP software be selected and installed on
10026:           all machines. The remainder of this section describes how to securely configure NTP
10027:           clients and servers, and discusses both the reference NTP implementation and OpenNTPD.</description>
10028:       </Group>
10029:       <Group id="group-3.10.2" hidden="false">
10030:         <title xml:lang="en">Configure Reference NTP if Appropriate</title>
10031:         <description xml:lang="en">The ntp RPM implements the reference NTP server.</description>
10032:         <Group id="group-3.10.2.1" hidden="false">
10033:           <title xml:lang="en">Configure an NTP Client</title>
10034:           <description xml:lang="en">
10035:             There are a number of options for configuring clients to work with the reference NTP server. It is possible to run
10036:             ntpd as a service (i.e., continuously) on each host, configuring clients so that the ntp protocol ignores all network
10037:             access. This still introduces an additional network listener on client machines, and is therefore not recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10038:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10039:             This guide instead recommends running ntpd periodically via cron. It is also possible to run ntpdate via cron
10040:             with the -u option, but ntpdate is being obsoleted in favor of ntpd.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10041:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10042:             Alternately, even if the server is running the reference NTP implementation, it is possible for clients to access it
10043:             using SNTP. See Section 3.10.3.2 for information about configuring SNTP clients.</description>
10044:           <Group id="group-3.10.2.1.1" hidden="false">
10045:             <title xml:lang="en">Set Up Client NTP Configuration File</title>
10046:             <description xml:lang="en">
10047:               A valid configuration file for the client system’s ntpd must exist at /etc/ntp.conf. Ensure that /etc/ntp.conf
10048:               contains the following line, where ntp-server is the hostname or IP address of the site NTP server:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10049:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10050:               server ntp-server<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10051:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10052:               Note: The ntpd software also includes authentication and encryption support which allows clients to verify the
10053:               identity of the server, and thus guarantee the integrity of time data with high probability. See ntpd documentation
10054:               at http://www.ntp.org for more details on implementing this recommended feature.
10055:             </description>
10056:           </Group>
10057:           <Group id="group-3.10.2.1.2" hidden="false">
10058:             <title xml:lang="en">Run ntpdate using Cron</title>
10059:             <description xml:lang="en">
10060:               Create a file /etc/cron.d/ntpd containing the following crontab:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10061:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10062:               15 * * * * root /usr/sbin/ntpd -q -u ntp:ntp<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10063:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10064:               The -q option instructs ntpd to exit just after setting the clock, and the -u option instructs it to run as the
10065:               specified user.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10066:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10067:               Note: When setting the clock for the first time, execute the above command with the -g option, as ntpd
10068:               will otherwise refuse to set the clock if the local time differs significantly from the source.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10069:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10070:               This crontab will execute ntpd to synchronize the time to the NTP server at 15 minutes past every hour. (It is
10071:               possible to choose a different minute, or to vary the minute between machines in order to avoid heavy traffic to
10072:               the NTP server.) Hourly synchronization should be sufficiently frequent that clock drift will not be noticeable.</description>
10073:           </Group>
10074:         </Group>
10075:         <Group id="group-3.10.2.2" hidden="false">
10076:           <title xml:lang="en">Configure an NTP Server</title>
10077:           <description xml:lang="en">
10078:             The site’s NTP server contacts a central NTP server, probably either one provided by your ISP or a public time
10079:             server, to obtain accurate time data. The server then allows other machines on your network to request the time
10080:             data.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10081:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10082:             The NTP server configuration file is located at /etc/ntp.conf.</description>
10083:           <Group id="group-3.10.2.2.1" hidden="false">
10084:             <title xml:lang="en">Enable the NTP Daemon</title>
10085:             <description xml:lang="en">
10086:               If this machine is an NTP server, ensure that ntpd is enabled
10087:               at boot time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10088:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10089:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig ntpd on</xhtml:code></description>
10090:             <Rule id="rule-3.10.2.2.1.a" selected="false" weight="10.000000" severity="high">
10091:               <title xml:lang="en">Enable the NTP Daemon</title>
10092:               <description xml:lang="en">The ntpd service should be enabled.</description>
10093:               <ident system="http://cce.mitre.org">CCE-4376-0</ident>
10094:               <fixtext xml:lang="en">(1) via chkconfig</fixtext>
10095:               <fix># chkconfig ntpd on</fix>
10096:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10097:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20281" href="scap-fedora14-oval.xml"/>
10098:               </check>
10099:             </Rule>
10100:           </Group>
10101:           <Group id="group-3.10.2.2.2" hidden="false">
10102:             <title xml:lang="en">Deny All Access to ntpd by Default</title>
10103:             <description xml:lang="en">
10104:               Edit the file /etc/ntp.conf. Prepend or correct the following
10105:               line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10106:               restrict default ignore <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10107:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10108:               Since ntpd is a complex software package which listens
10109:               for network connections and runs as root, it must be protected from network access by
10110:               unauthorized machines. This setting uses ntpd's internal authorization to deny all
10111:               access to any machine, server or client, which is not specifically authorized by other
10112:               policy settings.</description>
10113:             <Rule id="rule-3.10.2.2.2.a" selected="false" weight="10.000000">
10114:               <title xml:lang="en">Deny All Access to ntpd by Default</title>
10115:               <description xml:lang="en">Network access to ntpd should be denied</description>
10116:               <ident system="http://cce.mitre.org">CCE-4134-3</ident>
10117:               <fixtext xml:lang="en">(1) via /etc/ntp.conf</fixtext>
10118:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10119:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20282" href="scap-fedora14-oval.xml"/>
10120:               </check>
10121:             </Rule>
10122:           </Group>
10123:           <Group id="group-3.10.2.2.3" hidden="false">
10124:             <title xml:lang="en">Specify a Remote NTP Server for Time Data</title>
10125:             <description xml:lang="en">
10126:               Find the IP address, server-ip, of an appropriate remote NTP
10127:               server. Edit the file /etc/ntp.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10128:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10129:               restrict server-ip mask 255.255.255.255 nomodify notrap noquery <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10130:               server server-ip <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10131:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10132:               If your site
10133:               does not require time data to be accurate, but merely to be synchronized among local
10134:               machines, this step can be omitted, and the NTP server will default to providing time
10135:               data from the local clock. However, it is a good idea to periodically synchronize the
10136:               clock to some source of accurate time, even if it is not appropriate to do so
10137:               automatically. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10138:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10139:               The previous step disabled all remote access to this NTP server's state
10140:               data. This NTP server must contact a remote server to obtain accurate data, so NTP's
10141:               configuration must allow that remote data to be used to modify the system clock. The
10142:               restrict line changes the default access permissions for that remote server. The
10143:               server line specifies the remote server as the preferred NTP server for time data. If
10144:               you intend to synchronize to more than one server, specify restrict and server lines
10145:               for each server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10146:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10147:               Note: It would be possible to specify a hostname, rather than an IP
10148:               address, for the server field. However, the restrict setting applies only to network
10149:               blocks of IP addresses, so it is considered more maintainable to use the IP address in
10150:               both fields.</description>
10151:             <Rule id="rule-3.10.2.2.3.a" selected="false" weight="10.000000">
10152:               <title xml:lang="en">Specify a Remote NTP Server for Time Data</title>
10153:               <description xml:lang="en">A remote NTP Server for time synchronization should be specified</description>
10154:               <ident system="http://cce.mitre.org">CCE-4385-1</ident>
10155:               <fixtext xml:lang="en">(1) via /etc/ntp.conf</fixtext>
10156:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10157:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20283" href="scap-fedora14-oval.xml"/>
10158:               </check>
10159:             </Rule>
10160:           </Group>
10161:           <Group id="group-3.10.2.2.4" hidden="false">
10162:             <title xml:lang="en">Allow Legitimate NTP Clients to Access the Server</title>
10163:             <description xml:lang="en">
10164:               Determine an appropriate network block, netwk, and network
10165:               mask, mask, representing the machines on your network which will synchronize to this
10166:               server. Edit /etc/ntp.conf and add the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10167:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10168:               restrict netwk mask mask nomodify notrap<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10169:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10170:               Edit /etc/sysconfig/iptables. Add the following line, ensuring that it appears before
10171:               the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10172:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10173:               -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 123 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10174:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10175:               If the clients are
10176:               spread across more than one netblock, separate restrict and ACCEPT lines should be
10177:               added for each netblock. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10178:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10179:               The iptables configuration is needed because the default
10180:               iptables configuration does not allow inbound access to any services. See Section
10181:               2.5.5 for more information about iptables. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10182:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10183:               Note: The reference NTP implementation will
10184:               refuse to serve time data to clients until enough time has elapsed that the server
10185:               host's time can be assumed to have settled to an accurate value. While testing, wait
10186:               ten minutes after starting ntpd before attempting to synchronize clients.</description>
10187:           </Group>
10188:         </Group>
10189:       </Group>
10190:       <Group id="group-3.10.3" hidden="false">
10191:         <title xml:lang="en">Configure OpenNTPD if Appropriate</title>
10192:         <description xml:lang="en">
10193:           OpenNTPD is an implementation of the SNTP protocol which is
10194:           provided as a simple alternative to the reference NTP server. Advantages of OpenNTPD
10195:           include simplicity of configuration, built-in privilege separation and chroot jailing of
10196:           the NTP protocol code, and a small codebase which lacks many of the management and other
10197:           protocol features used by the reference NTP server. This simplicity comes at the cost of
10198:           degraded time accuracy, but SNTP is probably accurate enough for most sites with typical
10199:           monitoring requirements.</description>
10200:         <Group id="group-3.10.3.1" hidden="false">
10201:           <title xml:lang="en">Obtain NTP Software</title>
10202:           <description xml:lang="en">
10203:             If your site intends to use the OpenNTPD implementation, it is
10204:             necessary to compile and install the software. (If your site intends to use the
10205:             reference NTP implementation, no installation is necessary.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10206:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
10207:               <xhtml:li>Obtain the software by
10208:                 downloading an appropriate source version, openntpd-version.tar.gz, from
10209:                 http://www.openntpd.org/portable.html. </xhtml:li>
10210:               <xhtml:li>Unpack the source code: <xhtml:br/>
10211:                 <xhtml:br/>
10212:                 <xhtml:code>$ tar xzf openntpd-version.tar.gz</xhtml:code> </xhtml:li>
10213:               <xhtml:li>Configure and compile the source. (By default, the code will
10214:                 be compiled for installation into /usr/local): <xhtml:br/>
10215:                 <xhtml:br/>
10216:                 <xhtml:code>$ cd openntpd-version <xhtml:br/>
10217:                 $ ./configure --with-privsep-user=ntp <xhtml:br/>
10218:                 $ make </xhtml:code></xhtml:li>
10219:               <xhtml:li>As root, install the resulting program into
10220:                 /usr/local: <xhtml:br/>
10221:                 <xhtml:br/>
10222:                 <xhtml:code># make install </xhtml:code></xhtml:li>
10223:             </xhtml:ol>
10224:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10225:             The configuration option --with-privsep-user=ntp tells
10226:             OpenNTPD to use the existing system account ntp for the non-root portion of its
10227:             operation.</description>
10228:           <Rule id="rule-3.10.3.1.a" selected="false" weight="10.000000">
10229:             <title xml:lang="en">Obtain NTP Software</title>
10230:             <description xml:lang="en">OpenNTPD should be installed</description>
10231:             <ident system="http://cce.mitre.org">CCE-4032-9</ident>
10232:             <fixtext xml:lang="en">(1) via openntpd package</fixtext>
10233:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10234:               <check-content-ref name="oval:org.fedoraproject.f14:def:20284" href="scap-fedora14-oval.xml"/>
10235:             </check>
10236:           </Rule>
10237:         </Group>
10238:         <Group id="group-3.10.3.2" hidden="false">
10239:           <title xml:lang="en">Configure an SNTP Client</title>
10240:           <description xml:lang="en">
10241:             OpenNTPD runs only in daemon mode — there is no command line
10242:             suitable to be run from cron. However, this is considered reasonably safe for client use
10243:             because the daemon does not listen on any network ports by default, and because OpenNTPD
10244:             is a small codebase with no remote management interface or other complex features.
10245:             Alternatively, it is possible to run a time-stepping program, such as rdate(1), from cron
10246:             instead of configuring the daemon as outlined in this section.</description>
10247:           <Group id="group-3.10.3.2.1" hidden="false">
10248:             <title xml:lang="en">Enable the NTP Daemon</title>
10249:             <description xml:lang="en">Edit the file /etc/rc.local. Add or correct the following line: /usr/local/sbin/ntpd -s</description>
10250:             <Rule id="rule-3.10.3.2.1.a" selected="false" weight="10.000000" severity="high">
10251:               <title xml:lang="en">Enable the NTP Daemon</title>
10252:               <description xml:lang="en">The ntp daemon should be enabled</description>
10253:               <ident system="http://cce.mitre.org">CCE-4424-8</ident>
10254:               <fixtext xml:lang="en">(1) via /etc/rc.local</fixtext>
10255:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10256:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20285" href="scap-fedora14-oval.xml"/>
10257:               </check>
10258:             </Rule>
10259:           </Group>
10260:           <Group id="group-3.10.3.2.2" hidden="false">
10261:             <title xml:lang="en">Configure the Client NTP Daemon to Use the Local Server</title>
10262:             <description xml:lang="en">
10263:               Edit the file /usr/local/etc/ntpd.conf. Add or correct the
10264:               following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10265:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10266:               server local-server.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10267:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10268:               where local-server.example.com is the
10269:               hostname of the site's local NTP or SNTP server.</description>
10270:             <Rule id="rule-3.10.3.2.2.a" selected="false" weight="10.000000" severity="high">
10271:               <title xml:lang="en">Configure the Client NTP Daemon to Use the Local Server</title>
10272:               <description xml:lang="en">The ntp daemon synchronization server should be set appropriately</description>
10273:               <ident system="http://cce.mitre.org">CCE-3487-6</ident>
10274:               <fixtext xml:lang="en">(1) via /usr/local/etc/ntpd.conf</fixtext>
10275:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10276:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20286" href="scap-fedora14-oval.xml"/>
10277:               </check>
10278:             </Rule>
10279:           </Group>
10280:         </Group>
10281:         <Group id="group-3.10.3.3" hidden="false">
10282:           <title xml:lang="en">Configure an SNTP Server</title>
10283:           <description xml:lang="en">The SNTP server obtains time data from a remote server, and then listens on a network interface for time queries from local machines.</description>
10284:           <Group id="group-3.10.3.3.1" hidden="false">
10285:             <title xml:lang="en">Enable the NTP Daemon</title>
10286:             <description xml:lang="en">
10287:               Edit the file /etc/rc.local. Add or correct the following
10288:               line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10289:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10290:               /usr/local/sbin/ntpd -s <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10291:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10292:               Since OpenNTPD is third-party software, it does not have
10293:               a standard startup script, so the daemon is started at boot using the local facility.</description>
10294:           </Group>
10295:           <Group id="group-3.10.3.3.2" hidden="false">
10296:             <title xml:lang="en">Listen for Client Connections</title>
10297:             <description xml:lang="en">
10298:               Edit the file /usr/local/etc/ntpd.conf. Add or correct the
10299:               following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10300:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10301:               listen on ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10302:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10303:               where ipaddr is the primary IP address of this server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10304:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10305:               By default, ntpd does not listen for any connections over a network. Listening
10306:               must be actively enabled on NTP servers so that clients may obtain time data.</description>
10307:           </Group>
10308:           <Group id="group-3.10.3.3.3" hidden="false">
10309:             <title xml:lang="en">Allow Legitimate NTP Clients to Access the Server</title>
10310:             <description xml:lang="en">
10311:               Determine an appropriate network block, netwk, and network
10312:               mask, mask, representing the machines on your network which will synchronize to this
10313:               server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10314:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10315:               Edit /etc/sysconfig/iptables. Add the following line, ensuring that it appears
10316:               before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10317:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10318:               -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 123 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10319:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10320:               The iptables configuration is needed because the default iptables configuration does
10321:               not allow inbound access to any services. See Section 2.5.5 for more information about
10322:               iptables.</description>
10323:           </Group>
10324:           <Group id="group-3.10.3.3.4" hidden="false">
10325:             <title xml:lang="en">Specify a Remote NTP Server for Time Data</title>
10326:             <description xml:lang="en">
10327:               Find the hostname, server-host, of an appropriate remote NTP
10328:               server. Edit the file /usr/local/etc/ntpd.conf, and add or correct the following
10329:               line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10330:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10331:               server server-host <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10332:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10333:               This setting configures ntpd to obtain time data from the
10334:               remote host. To use multiple time servers, add one line for each server.</description>
10335:           </Group>
10336:         </Group>
10337:       </Group>
10338:     </Group>
10339:     <Group id="group-3.11" hidden="false">
10340:       <title xml:lang="en">Mail Transfer Agent</title>
10341:       <description xml:lang="en">
10342:         Mail servers are used to send and receive mail over a network on
10343:         behalf of site users. Mail is a very common service, and MTAs are frequent targets of
10344:         network attack. Ensure that machines are not running MTAs unnecessarily, and configure
10345:         needed MTAs as defensively as possible.</description>
10346:       <Rule id="rule-3.11.a" selected="false" weight="10.000000" severity="low">
10347:         <title xml:lang="en">Mail Transfer Agent</title>
10348:         <description xml:lang="en">The sendmail service should be disabled.</description>
10349:         <ident system="http://cce.mitre.org">CCE-4416-4</ident>
10350:         <fixtext xml:lang="en">(1) via chkconfig</fixtext>
10351:         <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10352:           <check-content-ref name="oval:org.fedoraproject.f14:def:20287" href="scap-fedora14-oval.xml"/>
10353:         </check>
10354:       </Rule>
10355:       <Group id="group-3.11.1" hidden="false">
10356:         <title xml:lang="en">Select Mail Server Software and Configuration</title>
10357:         <description xml:lang="en">
10358:           Select one of the following options for configuring e-mail on the
10359:           machine: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10360:           <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10361:             <xhtml:li>If this machine does not need to operate as a mail server, follow the
10362:               instructions in Section 3.11.2 to run sendmail in submission-only mode.</xhtml:li>
10363:             <xhtml:li>If the machine
10364:               must operate as a mail server, read the strategies for MTA configuration in Section 3.11.3
10365:               for information about configuration options. Then apply both the MTA-independent operating
10366:               system configuration guidance in Section 3.11.4, and the specific guidance for your MTA:
10367:               <xhtml:ul>
10368:                 <xhtml:li>If the Sendmail MTA is preferred, see Section 3.11.5. </xhtml:li>
10369:                 <xhtml:li>If the Postfix MTA is preferred, see Section 3.11.6. </xhtml:li>
10370:                 <xhtml:li>If another MTA is preferred, use that MTA's documentation to
10371:                   implement the ideas in Section 3.11.3. </xhtml:li>
10372:               </xhtml:ul>
10373:             </xhtml:li>
10374:           </xhtml:ul>
10375:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10376:           It is recommended that very few machines at any
10377:           site be configured to receive mail over a network. However, it may be necessary for most
10378:           machines at a given site to send e-mail, for instance so that cron jobs can report output
10379:           to an administrator. Sendmail supports a submission-only mode in which mail can be sent
10380:           from the machine to a central site MTA, but the machine cannot receive mail over a
10381:           network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10382:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10383:           If a Mail Transfer Agent (MTA) is needed, the system default is Sendmail.
10384:           Postfix, a popular alternative written with security in mind, is also available. Postfix
10385:           can be more effectively contained by SELinux as its modular design has resulted in
10386:           separate processes performing specific actions. More information on these MTAs is
10387:           available from their respective websites, http://www.sendmail.org and
10388:           http://www.postfix.org.</description>
10389:         <reference href="">Hildebrandt, R., and Koetter, P. The Book of Postfix. No Starch Press, 2005</reference>
10390:       </Group>
10391:       <Group id="group-3.11.2" hidden="false">
10392:         <title xml:lang="en">Configure SMTP For Mail Client</title>
10393:         <description xml:lang="en">
10394:           This guide discusses the use of Sendmail for submission-only
10395:         e-mail configuration. It is also possible to use Postfix.</description>
10396:         <reference href="">Hunt, C. Sendmail Cookbook. O’Reilly and Associates, 2003</reference>
10397:         <Group id="group-3.11.2.1" hidden="false">
10398:           <title xml:lang="en">Disable the Listening Sendmail Daemon</title>
10399:           <description xml:lang="en">
10400:             Edit the file /etc/sysconfig/sendmail. Add or modify the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10401:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10402:             DAEMON=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10403:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10404:             The MTA performs two functions: listening over a network for incoming SMTP
10405:             e-mail requests, and sending mail from the local machine. Since outbound mail may be
10406:             delayed due to network outages or other problems, the outbound MTA runs in a queue-only
10407:             mode, in which it periodically attempts to resend any delayed mail. Setting DAEMON=no
10408:             tells sendmail to execute only the queue runner on this machine, and never to receive
10409:             SMTP mail requests.</description>
10410:           <Rule id="rule-3.11.2.1.a" selected="false" weight="10.000000">
10411:             <title xml:lang="en">Disable the Listening Sendmail Daemon</title>
10412:             <description xml:lang="en">The listening sendmail daemon should be disabled.</description>
10413:             <ident system="http://cce.mitre.org">CCE-4293-7</ident>
10414:             <fixtext xml:lang="en">(1) via /etc/sysconfig/sendmail</fixtext>
10415:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10416:               <check-content-ref name="oval:org.fedoraproject.f14:def:20288" href="scap-fedora14-oval.xml"/>
10417:             </check>
10418:           </Rule>
10419:         </Group>
10420:         <Group id="group-3.11.2.2" hidden="false">
10421:           <title xml:lang="en">Configure Mail Submission if Appropriate</title>
10422:           <description xml:lang="en">
10423:             If it is appropriate to configure mail submission with a
10424:             central MTA, edit /etc/mail/submit.cf. Locate the line beginning with D{MTAHost}, and
10425:             modify it to read: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10426:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10427:             D{MTAHost}mailserver <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10428:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10429:             where mailserver is the hostname of the server
10430:             to which this machine should forward its outgoing mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10431:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10432:             This suggestion is provided as a
10433:             simple way to migrate away from a configuration in which each machine at a site runs its
10434:             own MTA, to a configuration in which client machines do not run listening daemons. If
10435:             this modification is made to /etc/mail/submit.cf, then, when a local process on a
10436:             machine attempts to send mail, the message will be forwarded to the machine mailserver
10437:             for processing. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10438:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10439:             Modifying /etc/mail/submit.cf directly is only appropriate if your site
10440:             does not perform any other mailserver customization on clients. If other customization
10441:             is done, use your usual Sendmail change procedure to define the MTA host. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10442:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10443:             Note: In
10444:             addition to making this change on the client, it may also be necessary to reconfigure
10445:             the MTA on mailserver so that it will relay mail on behalf of this host.</description>
10446:         </Group>
10447:       </Group>
10448:       <Group id="group-3.11.3" hidden="false">
10449:         <title xml:lang="en">Strategies for MTA Security</title>
10450:         <description xml:lang="en">
10451:           This section discusses several types of MTA configuration which
10452:           should be performed in order to protect against attacks involving the mail system. Though
10453:           configuration syntax will differ depending on which MTA is in use (see Section 3.11.5 for
10454:           Sendmail configuration syntax and Section 3.11.6 for Postfix), these strategies are
10455:           generally advisable for any MTA, including ones not covered by this guide.</description>
10456:         <Group id="group-3.11.3.1" hidden="false">
10457:           <title xml:lang="en">Use Resource Limits to Mitigate Denial of Service</title>
10458:           <description xml:lang="en">
10459:             It is often desirable to constrain an attacker's ability to
10460:             consume a mail server's resources simply by sending otherwise valid mail at a high rate,
10461:             whether maliciously or accidentally. Relevant resource limits include constraints
10462:             on: the number of MTA daemons which may run at one time, the rate at
10463:             which incoming messages may be received, the size and complexity of each message, or the
10464:             amount of mail queue space which must remain free in order for mail to be delivered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10465:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10466:             That last parameter deserves additional explanation. Most MTAs require queue space for
10467:             temporary files in order to process existing messages in their queues. Therefore, if the
10468:             queue filesystem is allowed to fill completely in a denial of service, the MTA will not
10469:             be able to clear its own queue even when the malicious traffic has stopped. This will
10470:             delay recovery from an attack.</description>
10471:         </Group>
10472:         <Group id="group-3.11.3.2" hidden="false">
10473:           <title xml:lang="en">Configure SMTP Greeting Banner</title>
10474:           <description xml:lang="en">
10475:             When remote mail senders connect to the MTA on port 25, they
10476:             are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary,
10477:             but it frequently gives away too much information, including the MTA software which is
10478:             in use, and sometimes also its version number. Remote mail senders do not need this
10479:             information in order to send mail, so the banner should be changed to reveal only the
10480:             hostname (which is already known and may be useful) and the word ESMTP, to indicate that
10481:             the modern SMTP protocol variant is supported.</description>
10482:         </Group>
10483:         <Group id="group-3.11.3.3" hidden="false">
10484:           <title xml:lang="en">Control Mail Relaying</title>
10485:           <description xml:lang="en">
10486:             The sending of Unsolicited Bulk E-mail, referred to variously
10487:             as UBE, UCE, or spam, is a major problem on the Internet today. The security
10488:             implications of spam are that it operates as a Denial of Service attack on legitimate
10489:             e-mail use. Strategies for fighting spam receipt at your site are complex and quickly
10490:             evolving, and thus far beyond the scope of this guide. The problem of relaying
10491:             unauthorized e-mail, however, can and should be addressed by any network-connected site.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10492:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10493:             Most MTAs perform two functions: to accept mail from remote sites on behalf of local
10494:             users, and to allow local users to send mail to remote sites. The former function is
10495:             relatively easy — mail whose recipient address is local can be assumed to be destined
10496:             for a local user. The latter function is more complex. Since it is typically considered
10497:             neither secure nor desirable for users to log in to the MTA host itself to send mail,
10498:             the MTA must be able to remotely accept mail addressed to anyone from the user's
10499:             workstation. If the MTA is running very old software or is configured poorly, it can be
10500:             possible for attackers to take advantage of this feature, using your MTA to relay their
10501:             spam from one remote site to another. This is undesirable for many reasons, not least
10502:             that your site will quickly be blacklisted as a spam source, leaving you unable to send
10503:             legitimate e-mail to your correspondents. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10504:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10505:             The simplest solution described in this guide
10506:             is to configure the MTA to relay mail only from the local site's address range, and some
10507:             variant on this is the default for most modern MTAs. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10508:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10509:             That solution may be insufficient
10510:             for sites whose users need to send mail from remote machines, for instance while
10511:             travelling, as well as for sites where mail submission must be accepted from network
10512:             ranges which are not considered secure, either because authorized machines are unmanaged
10513:             or because it is possible to connect unauthorized machines to the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10514:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10515:             If remote or
10516:             mobile hosts are authorized to relay, or if local clients exist in insecure netblocks,
10517:             the SMTP AUTH protocol should be used to require mail senders to authenticate before
10518:             submitting messages. For better protection and to allow support for a wide range of
10519:             authentication mechanisms without sending passwords over a network in clear text, SMTP
10520:             AUTH transactions should be encrypted using SSL. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10521:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10522:             Another approach is to require mail to
10523:             be submitted on port 587, the designated Message Submission Port. Use of a separate port
10524:             allows the mail relay function to be entirely separated from the mail delivery function.
10525:             This may become a best practice in the future, but description of how to configure the
10526:             Message Submission Port is currently beyond the scope of this guide. See RFC 2476 for
10527:             information about this configuration.</description>
10528:         </Group>
10529:       </Group>
10530:       <Group id="group-3.11.4" hidden="false">
10531:         <title xml:lang="en">Configure Operating System to Protect Mail Server</title>
10532:         <description xml:lang="en">
10533:           The guidance in this section is appropriate for any host which is
10534:           operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some
10535:           other software.</description>
10536:         <Group id="group-3.11.4.1" hidden="false">
10537:           <title xml:lang="en">Use Separate Hosts for External and Internal Mail if Possible</title>
10538:           <description xml:lang="en">
10539:             The mail server is a frequent target of network attack from the
10540:             outside. However, since all site users receive mail, the mail server must be open to
10541:             some connection from each inside user. It is strongly recommended that these functions
10542:             be separated, by having an externally visible mail server which processes all incoming
10543:             and outgoing mail, then forwards internal mail to a separate machine from which users
10544:             can access it.</description>
10545:         </Group>
10546:         <Group id="group-3.11.4.2" hidden="false">
10547:           <title xml:lang="en">Protect the MTA Host from User Access</title>
10548:           <description xml:lang="en">
10549:             The mail server contains privileged data belonging to all users
10550:             and performs a vital network function. Preventing users from logging into this server is
10551:             a precaution against privilege escalation or denial of service attacks which might
10552:             compromise the mail service. Take steps to ensure that only system administrators are
10553:             allowed shell access to the MTA host.</description>
10554:         </Group>
10555:         <Group id="group-3.11.4.3" hidden="false">
10556:           <title xml:lang="en">Restrict Remote Access to the Mail Spool</title>
10557:           <description xml:lang="en">
10558:             If users directly connect to this machine to receive mail,
10559:             ensure that there is a single, well-secured mechanism for access to the directory
10560:             /var/spool/mail (the directory /var/mail is a symlink to this). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10561:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10562:             Allowing unrestricted
10563:             access to /var/spool/mail can be dangerous, since this directory contains sensitive
10564:             information belonging to all users. Protocols such as NFS, which have an insecure
10565:             authorization mechanism by default, should be considered insufficient for these
10566:             purposes. See Section 3.17 for details on secure configuration of POP3 or IMAP, which
10567:             are the preferred ways to provide user access to mail.</description>
10568:         </Group>
10569:         <Group id="group-3.11.4.4" hidden="false">
10570:           <title xml:lang="en">Configure iptables to Allow Access to the Mail Server</title>
10571:           <description xml:lang="en">
10572:             Edit /etc/sysconfig/iptables. Add the following line, ensuring
10573:             that it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10574:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10575:             -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10576:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10577:             The default
10578:             iptables configuration does not allow inbound access to the SMTP service. This
10579:             modification allows that access, while keeping other ports on the server in their
10580:             default protected state. See Section 2.5.5 for more information about iptables.</description>
10581:         </Group>
10582:         <Group id="group-3.11.4.5" hidden="false">
10583:           <title xml:lang="en">Verify System Logging and Log Permissions for Mail</title>
10584:           <description xml:lang="en">
10585:             Edit the file /etc/syslog.conf. Add or correct the following
10586:             line if necessary (this is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10587:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10588:             mail.* -/var/log/maillog <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10589:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10590:             Run the following commands to ensure correct permissions on the mail log: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10591:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10592:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /var/log/maillog <xhtml:br/>
10593:             # chmod 600 /var/log/maillog <xhtml:br/></xhtml:code>
10594:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10595:             The mail server logs contain a record of
10596:             every e-mail which is sent or received on the system, which is considered sensitive
10597:             information by most sites. It is necessary that these logs be collected for purposes of
10598:             debugging and statistics, but their contents should be protected from unauthorized
10599:             access.</description>
10600:         </Group>
10601:         <Group id="group-3.11.4.6" hidden="false">
10602:           <title xml:lang="en">Configure SSL Certificates for Use with SMTP AUTH</title>
10603:           <description xml:lang="en">
10604:             If SMTP AUTH is to be used (see Section 3.11.3.3 for a
10605:             description of possible anti-relaying mechanisms), the use of SSL to protect credentials
10606:             in transit is strongly recommended. There are also configurations for which it may be
10607:             desirable to encrypt all mail in transit from one MTA to another, though such
10608:             configurations are beyond the scope of this guide. In either event, the steps for
10609:             creating and installing an SSL certificate are independent of the MTA in use, and are
10610:             described here.</description>
10611:           <Group id="group-3.11.4.6.1" hidden="false">
10612:             <title xml:lang="en">Create an SSL Certificate</title>
10613:             <description xml:lang="en">
10614:               Note: This step must be performed on your CA system, not on
10615:               the MTA host itself. If you will have a commercial CA sign certificates, then this
10616:               step should be performed on a separate, physically secure system devoted to that
10617:               purpose. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10618:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10619:               Change into the CA certificate directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10620:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10621:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/></xhtml:code>
10622:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10623:               Generate a key pair for the mail server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10624:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10625:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl genrsa -out mailserverkey.pem 2048 <xhtml:br/></xhtml:code>
10626:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10627:               Next,
10628:               generate a certificate signing request (CSR) for the CA to sign, making sure to supply
10629:               your mail server's fully qualified domain name as the Common Name: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10630:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10631:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key mailserverkey.pem -out mailserver.csr <xhtml:br/></xhtml:code>
10632:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10633:               Next, the mail server CSR must be signed to
10634:               create the mail server certificate. You can either send the CSR to an established CA
10635:               or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10636:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10637:               To sign mailserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10638:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10639:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in mailserver.csr -out mailservercert.pem <xhtml:br/></xhtml:code>
10640:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10641:               Together, these steps create a private key,
10642:               mailserverkey.pem, and a public certificate, mailservercert.pem. The mail server will
10643:               use these to prove its identity by demonstrating that it has a certificate which has
10644:               been signed by a CA. Mail clients at your site should be willing to send their mail
10645:               only to a server they can authenticate.</description>
10646:           </Group>
10647:           <Group id="group-3.11.4.6.2" hidden="false">
10648:             <title xml:lang="en">Install the SSL Certificate</title>
10649:             <description xml:lang="en">
10650:               Create the PKI directory for mail certificates, if it does
10651:               not already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10652:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10653:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/mail <xhtml:br/>
10654:               # chown root:root /etc/pki/tls/mail <xhtml:br/>
10655:               # chmod 755 /etc/pki/tls/mail <xhtml:br/></xhtml:code>
10656:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10657:               Using removable media or some other secure transmission
10658:               format, install the files generated in the previous step onto the mail server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10659:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10660:               <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10661:                 <xhtml:li>/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem</xhtml:li>
10662:                 <xhtml:li>/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</xhtml:li>
10663:               </xhtml:ul>
10664:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10665:               Verify the ownership and permissions of these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10666:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10667:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/mail/serverkey.pem <xhtml:br/>
10668:               # chown root:root /etc/pki/tls/mail/servercert.pem <xhtml:br/>
10669:               # chmod 600 /etc/pki/tls/mail/serverkey.pem <xhtml:br/>
10670:               # chmod 644 /etc/pki/tls/mail/servercert.pem<xhtml:br/></xhtml:code>
10671:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10672:               Verify that the CA's public certificate file has been installed as
10673:               /etc/pki/tls/CA/cacert.pem, and has the correct permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10674:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10675:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/>
10676:               # chmod 644 /etc/pki/tls/CA/cacert.pem</xhtml:code></description>
10677:           </Group>
10678:         </Group>
10679:       </Group>
10680:       <Group id="group-3.11.5" hidden="false">
10681:         <title xml:lang="en">Configure Sendmail Server if Necessary</title>
10682:         <description xml:lang="en">
10683:           When sendmail is configured to act as a server for incoming mail,
10684:           it listens on port 25 for connections, and responds to those connections using the
10685:           configuration in /etc/mail/sendmail.cf. This file has a somewhat opaque format, and
10686:           modifying it directly is generally not recommended. Instead, the following procedure
10687:           should be used to modify the sendmail configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10688:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10689:           <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
10690:             <xhtml:li>Install the sendmail-cf RPM, which
10691:               is required in order to compile a new configuration file: <xhtml:br/>
10692:               <xhtml:br/>
10693:               <xhtml:code># yum install sendmail-cf<xhtml:br/></xhtml:code></xhtml:li>
10694:             <xhtml:li>Edit the M4 source file /etc/mail/sendmail.mc as directed by the configuration step you
10695:               are applying. </xhtml:li>
10696:             <xhtml:li>Inside the directory /etc/mail/, use make to build the configuration
10697:               according to the Makefile provided by Sendmail: <xhtml:br/>
10698:               <xhtml:br/>
10699:               <xhtml:code># cd /etc/mail <xhtml:br/>
10700:               # make sendmail.cf</xhtml:code></xhtml:li>
10701:           </xhtml:ol></description>
10702:         <Group id="group-3.11.5.1" hidden="false">
10703:           <title xml:lang="en">Limit Denial of Service Attacks</title>
10704:           <description xml:lang="en">
10705:             Edit /etc/mail/sendmail.mc, and add or correct the following
10706:             options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10707:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10708:             define(`confMAX_DAEMON_CHILDREN',`40')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10709:             define(`confCONNECTION_RATE_THROTTLE', `3 ')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10710:             define(`confMIN_FREE_BLOCKS',`20971520')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10711:             define(`confMAX_HEADERS_LENGTH',`51200')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10712:             define(`confMAX_MESSAGE_SIZE',`10485760')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10713:             define(`confMAX_RCPTS_PER_MESSAGE',`100')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10714:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10715:             Note: The values given here are examples, and may need to be modified for any
10716:             particular site, especially one with high e-mail volume. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10717:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10718:             These configuration options
10719:             serve to make it more difficult for attackers to consume resources on the MTA host. (See
10720:             Section 3.11.3.1 for details on why this is done.) The MAX_DAEMON_CHILDREN option limits
10721:             the number of sendmail processes which may be deployed to handle incoming connections at
10722:             any one time, while CONNECTION_RATE_THROTTLE limits the number of connections per second
10723:             which each listener may receive. The MIN_FREE_BLOCKS option stops e-mail receipt when
10724:             the queue filesystem is close to full. The MAX_HEADERS_LENGTH (bytes), MAX_MESSAGE_SIZE
10725:             (bytes), and MAX_RCPTS_PER_MESSAGE (distinct recipients) options place bounds on the
10726:             legal sizes of messages received via SMTP.</description>
10727:         </Group>
10728:         <Group id="group-3.11.5.2" hidden="false">
10729:           <title xml:lang="en">Configure SMTP Greeting Banner</title>
10730:           <description xml:lang="en">
10731:             Edit /etc/mail/sendmail.mc, and add or correct the following
10732:             line, substituting an appropriate greeting string for $j : <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10733:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10734:             define(`confSMTP_LOGIN_MSG', `$j ')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10735:             and recompile sendmail's configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10736:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10737:             The default greeting banner discloses
10738:             that the listening mail process is Sendmail rather than some other MTA, and also
10739:             provides the version number. See Section 2.3.7 for more about warning banners, and
10740:             Section 3.11.3.2 for strategies regarding SMTP greeting banners in particular. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10741:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10742:             The Sendmail variable $j contains the hostname of the mail server, which may be an
10743:             appropriate greeting string for most environments.</description>
10744:         </Group>
10745:         <Group id="group-3.11.5.3" hidden="false">
10746:           <title xml:lang="en">Control Mail Relaying</title>
10747:           <description xml:lang="en">
10748:             This guide will discuss two mechanisms for controlling mail
10749:             relaying in Sendmail. The /etc/mail/relay-domains file contains a list of hostnames that
10750:             are allowed to relay mail. Follow the guidance in Section 3.11.5.3.1 to configure
10751:             relaying for trusted machines. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10752:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10753:             If there are machines which must be allowed to relay
10754:             mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with TLS
10755:             support using the guidance in Sections 3.11.5.3.2 and following.</description>
10756:           <Group id="group-3.11.5.3.1" hidden="false">
10757:             <title xml:lang="en">Configure Trusted Networks and Hosts</title>
10758:             <description xml:lang="en">
10759:               <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10760:                 <xhtml:li>If all machines which share a common domain or subdomain
10761:                   name may relay, then edit /etc/mail/relay-domains, adding a line for each domain or
10762:                   subdomain, e.g.: <xhtml:br/>
10763:                   <xhtml:br/>
10764:                   example.com <xhtml:br/>
10765:                   trusted-subnet.school.edu <xhtml:br/>
10766:                   ... </xhtml:li>
10767:                 <xhtml:li>If the machines which are
10768:                   allowed to relay must be specified on a per-host basis, then edit
10769:                   /etc/mail/relay-domains, adding a line for each such host: <xhtml:br/>
10770:                   <xhtml:br/>
10771:                   host1.example.com<xhtml:br/>
10772:                   host5.subnet.example.com <xhtml:br/>
10773:                   smtp.trusted-subnet.school.edu <xhtml:br/>
10774:                   <xhtml:br/>
10775:                   Then edit /etc/mail/sendmail.mc, add or correct the line: <xhtml:br/>
10776:                   <xhtml:br/>
10777:                   FEATURE(`relay_hosts_only')dnl <xhtml:br/>
10778:                   <xhtml:br/>
10779:                   and recompile sendmail's configuration. </xhtml:li>
10780:               </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10781:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10782:               The file /etc/mail/relay-domains must contain only
10783:               the set of machines for which this MTA should unconditionally relay mail. This
10784:               configures both inbound and outbound relaying, that is, hosts mentioned in
10785:               relay-domains may send mail through the MTA, and the MTA will also accept inbound mail
10786:               addressed to such hosts. This is a trust relationship — if spammers gain access to
10787:               these machines, your site will effectively become an open relay. It is recommended
10788:               that only machines which are managed by you or by another trusted organization be
10789:               placed in relay-domains, and that users of all other machines be required to use SMTP
10790:               AUTH to send mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10791:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10792:               Note: The relay-domains file must be configured to contain either a
10793:               list of domains (in which case every host in each of those domains will be allowed to
10794:               relay) or a list of hosts (in which case each individual relaying host must be listed
10795:               and the sendmail.cf must be reconfigured to interpret the relay-domains file in the
10796:               desired way).</description>
10797:           </Group>
10798:           <Group id="group-3.11.5.3.2" hidden="false">
10799:             <title xml:lang="en">Require SMTP AUTH Before Relaying from Untrusted Clients</title>
10800:             <description xml:lang="en">
10801:               By default, Sendmail uses the Cyrus-SASL library to provide
10802:               authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10803:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10804:               To enable the use of SASL authentication for relaying, edit
10805:               /etc/mail/sendmail.mc and add or correct the following settings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10806:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10807:               TRUST_AUTH_MECH(`LOGIN PLAIN') <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10808:               define(`confAUTH_MECHANISMS', `LOGIN PLAIN') <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10809:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10810:               and recompile sendmail.cf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10811:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10812:               Then edit /usr/lib/sasl2/Sendmail.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10813:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10814:               pwcheck_method: saslauthd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10815:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10816:               Enable the saslauthd daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10817:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig saslauthd on <xhtml:br/></xhtml:code>
10818:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10819:               The AUTH MECHANISMS configuration option tells sendmail to allow the
10820:               specified authentication mechanisms to be used during the SMTP dialogue. The two
10821:               listed mechanisms use SASL to test a password provided by the user. Because both
10822:               mechanisms transmit the password in clear text, they must only be offered over a
10823:               TLS-protected session, as described in the next section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10824:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10825:               The TRUST AUTH MECH command tells sendmail that senders
10826:               who successfully authenticate using the specified mechanism may relay mail through
10827:               this MTA even if their addresses are not in relay-domains. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10828:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10829:               The file
10830:               /usr/lib/sasl2/Sendmail.conf is the Cyrus-SASL configuration file for Sendmail. The
10831:               pwcheck method directive tells SASL how to find passwords. The simplest method,
10832:               described here, is to run a separate authentication daemon, saslauthd, which is able
10833:               to communicate with the system authentication service. On Red Hat, saslauthd uses PAM
10834:               by default, which should work in most cases. If you have a centralized authentication
10835:               system which does not work via PAM, look at the saslauthd(8) manpage to determine how
10836:               to configure saslauthd for your environment.</description>
10837:           </Group>
10838:           <Group id="group-3.11.5.3.3" hidden="false">
10839:             <title xml:lang="en">Require TLS for SMTP AUTH</title>
10840:             <description xml:lang="en">
10841:               Edit /etc/mail/sendmail.mc, add or correct the following
10842:               lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10843:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10844:               define(`confAUTH_OPTIONS', `A p')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10845:               define(`confCACERT_PATH', `/etc/pki/tls/CA')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10846:               define(`confCACERT', `/etc/pki/tls/CA/cacert.pem')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10847:               define(`confSERVER_CERT', `/etc/pki/tls/mail/servercert.pem')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10848:               define(`confSERVER_KEY', `/etc/pki/tls/mail/serverkey.pem')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10849:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10850:               and recompile sendmail.cf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10851:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10852:               These options, combined with the previous settings, tell Sendmail to
10853:               protect all SMTP AUTH transactions using TLS. The last four options give the
10854:               locations of the CA certificate, the server certificate, and the server's private key;
                    the private key file should be readable only by root. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10855:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10856:               The AUTH OPTIONS parameter
10857:               configures the SMTP AUTH dialogue. The A option is enabled by default, and simply says
10858:               that authentication is allowed if an appropriate mechanism can be found. The p option
10859:               tells Sendmail to protect against passive attacks. The PLAIN and LOGIN authentication
10860:               mechanisms, recommended by this guide for compatibility with PAM, send passwords in
10861:               the clear. (Cleartext password transmissions are vulnerable to passive attack.)
10862:               Therefore, if p is set, the SMTP daemon will not make the AUTH command available until
10863:               after the client has used the STARTTLS command to encrypt the session. If other
10864:               authentication mechanisms were enabled which did not send passwords in the clear, then
10865:               TLS would not necessarily be required.</description>
10866:           </Group>
10867:         </Group>
10868:       </Group>
10869:       <Group id="group-3.11.6" hidden="false">
10870:         <title xml:lang="en">Configure Postfix if Necessary</title>
10871:         <description xml:lang="en">
10872:           Postfix stores its configuration files in the directory
10873:           /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. Other
10874:           files will be introduced as needed.</description>
10875:         <Group id="group-3.11.6.1" hidden="false">
10876:           <title xml:lang="en">Limit Denial of Service Attacks</title>
10877:           <description xml:lang="en">
10878:             Edit /etc/postfix/main.cf. Add or correct the following lines:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10879:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10880:             default_process_limit = 100 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10881:             smtpd_client_connection_count_limit = 10<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10882:             smtpd_client_connection_rate_limit = 30 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10883:             queue_minfree = 20971520 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10884:             header_size_limit = 51200 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10885:             message_size_limit = 10485760 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10886:             smtpd_recipient_limit = 100 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10887:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10888:             Note: The values given
10889:             here are examples, and may need to be modified for any particular site. By default, the
10890:             Postfix anvil process gathers mail receipt statistics. To get information about
10891:             what connection rates are typical at your site, look in /var/log/maillog for lines with
10892:             the daemon name postfix/anvil. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10893:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10894:             These configuration options serve to make it more
10895:             difficult for attackers to consume resources on the MTA host. (See Section 3.11.3.1 for
10896:             details on why this is done.) The default process limit parameter controls how many
10897:             smtpd processes can exist at a time, while smtpd_client_connection_count_limit controls
10898:             the number of those which can be occupied by any one remote sender, and
10899:             smtpd_client_connection_rate_limit controls the number of connections any one client
10900:             can make per minute. By default, local hosts (those in mynetworks) are exempted from
10901:             per-client rate limiting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10902:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10903:             The queue_minfree parameter establishes a free space threshold, in order to
10904:             stop e-mail receipt before the queue filesystem is entirely full. The header_size_limit,
10905:             message_size_limit, and smtpd recipient limit parameters place bounds on the legal sizes
10906:             of messages received via SMTP.</description>
10907:         </Group>
10908:         <Group id="group-3.11.6.2" hidden="false">
10909:           <title xml:lang="en">Configure SMTP Greeting Banner</title>
10910:           <description xml:lang="en">
10911:             Edit /etc/postfix/main.cf, and add or correct the following
10912:             line, substituting some other wording for the banner information if you prefer:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10913:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10914:             smtpd_banner = $myhostname ESMTP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10915:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10916:             The default greeting banner discloses that the
10917:             listening mail process is Postfix. See Section 2.3.7 for more about warning banners, and
10918:             Section 3.11.3.2 for strategies regarding SMTP greeting banners in particular.</description>
10919:         </Group>
10920:         <Group id="group-3.11.6.3" hidden="false">
10921:           <title xml:lang="en">Control Mail Relaying</title>
10922:           <description xml:lang="en">
10923:             Postfix's mail relay controls are implemented with the help of
10924:             the smtpd recipient restrictions option, which controls the restrictions placed on the
10925:             SMTP dialogue once the sender and recipient envelope addresses are known. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10926:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10927:             The guidance
10928:             in Sections 3.11.6.3.1–3.11.6.3.2 should be applied to all machines. If there are
10929:             machines which must be allowed to relay mail, but which cannot be trusted to relay
10930:             unconditionally, configure SMTP AUTH with SSL support using the guidance in Sections
10931:             3.11.6.3.3 and following.</description>
10932:           <Group id="group-3.11.6.3.1" hidden="false">
10933:             <title xml:lang="en">Configure Trusted Networks and Hosts</title>
10934:             <description xml:lang="en">
10935:               Edit /etc/postfix/main.cf, and configure the contents of the
10936:               mynetworks variable in one of the following ways: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10937:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10938:               <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10939:                 <xhtml:li>If any machine in the subnet
10940:                   containing the MTA may be trusted to relay messages, add or correct the line:<xhtml:br/>
10941:                   <xhtml:br/>
10942:                   mynetworks_style = subnet </xhtml:li>
10943:                 <xhtml:li>If only the MTA host itself is trusted to relay messages,
10944:                   add or correct: <xhtml:br/>
10945:                   <xhtml:br/>
10946:                   mynetworks_style = host </xhtml:li>
10947:                 <xhtml:li>If the set of machines which can relay is
10948:                   more complicated, manually specify an entry for each netblock or IP address which is
10949:                   trusted to relay by setting the mynetworks variable directly: <xhtml:br/>
10950:                   <xhtml:br/>
10951:                   mynetworks = 10.0.0.0/16 , 192.168.1.0/24 , 127.0.0.1 </xhtml:li>
10952:               </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10953:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10954:               The mynetworks variable must contain only the set of
10955:               machines for which this MTA should unconditionally relay mail. This is a trust
10956:               relationship — if spammers gain access to these machines, your site will effectively
10957:               become an open relay. It is recommended that only machines which are managed by you or
10958:               by another trusted organization be placed in mynetworks, and users of all other
10959:               machines be required to use SMTP AUTH to send mail.</description>
10960:           </Group>
10961:           <Group id="group-3.11.6.3.2" hidden="false">
10962:             <title xml:lang="en">Allow Unlimited Relaying for Trusted Networks Only</title>
10963:             <description xml:lang="en">
10964:               Edit /etc/postfix/main.cf, and add or correct the smtpd
10965:               recipient restrictions definition so that it contains at least:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10966:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10967:               smtpd_recipient_restrictions = <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10968:               ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10969:               permit_mynetworks, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10970:               reject_unauth_destination, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10971:               ...<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10972:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10973:               The full contents of smtpd recipient restrictions will vary by site, since this is a
10974:               common place to put spam restrictions and other site-specific options. The permit
10975:               mynetworks option allows all mail to be relayed from the machines in mynetworks. Then,
10976:               the reject unauth destination option denies all mail whose destination address is not
10977:               local, preventing any other machines from relaying. These two options should always
10978:               appear in this order. Any permit rule placed before reject_unauth_destination grants
                     relaying to whatever it matches, so nothing other than permit_mynetworks (and, when
                     SMTP AUTH is used, permit_sasl_authenticated) should precede it.</description>
10980:           </Group>
10981:           <Group id="group-3.11.6.3.3" hidden="false">
10982:             <title xml:lang="en">Require SMTP AUTH Before Relaying from Untrusted Clients</title>
10983:             <description xml:lang="en">
10984:               SMTP authentication allows remote clients to relay mail
10985:               safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH
10986:               uses an authentication library called SASL, which is not part of Postfix itself. This
10987:               section describes how to configure authentication using the Cyrus-SASL implementation.
10988:               See below for a discussion of other options. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10989:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10990:               To enable the use of SASL authentication,
10991:               edit /etc/postfix/main.cf and add or correct the following settings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10992:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10993:               smtpd_sasl_auth_enable = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10994:               smtpd_recipient_restrictions = <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10995:               ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10996:               permit_mynetworks,<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10997:               permit_sasl_authenticated, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10998:               reject_unauth_destination, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10999:               ...<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11000:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11001:               Then edit
11002:               /usr/lib/sasl/smtpd.conf (the directory may be /usr/lib/sasl2 instead, as in the
11003:               Sendmail section) and add or correct the following line, which tells SASL how to
                     verify the passwords presented by clients: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11004:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11005:               pwcheck_method: saslauthd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11006:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11007:               Enable the saslauthd daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11008:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11009:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig saslauthd on <xhtml:br/></xhtml:code>
11010:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11011:               Postfix can use either the Cyrus library or
11012:               Dovecot as a source for SASL authentication. If this host is running Dovecot for some
11013:               other reason, it is recommended that Dovecot's SASL support be used instead of running
11014:               the Cyrus code as well. See http://www.postfix.org/SASL_README.html for instructions
11015:               on implementing that configuration, which is not described in this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11016:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11017:               In Postfix's
11018:               configuration, the directive smtpd sasl auth enable tells smtpd to allow the use of
11019:               the SMTP AUTH command during the SMTP dialogue, and to support that command by getting
11020:               authentication information from SASL. The smtpd recipient restrictions directive is
11021:               changed so that, if the client is not connecting from a trusted address, it is allowed
11022:               to attempt authentication (permit sasl authenticated) in order to relay mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11023:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11024:               The file
11025:               /usr/lib/sasl/smtpd.conf is the Cyrus-SASL configuration file. The pwcheck method
11026:               directive tells SASL how to find passwords. The simplest method, described above, is
11027:               to run a separate authentication daemon, saslauthd, which is able to communicate with
11028:               the system authentication system. On RHEL5, saslauthd uses PAM by default, which
11029:               should work in most cases. If you have a centralized authentication system which does
11030:               not work via PAM, look at the saslauthd(8) manpage to find out how to configure
11031:               saslauthd for your environment.</description>
11032:           </Group>
11033:         </Group>
11034:         <Group id="group-3.11.6.4" hidden="false">
11035:           <title xml:lang="en">Require TLS for SMTP AUTH</title>
11036:           <description xml:lang="en">
11037:             Edit /etc/postfix/main.cf, and add or correct the following
11038:             lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11039:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11040:             smtpd_tls_CApath = /etc/pki/tls/CA <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11041:             smtpd_tls_CAfile = /etc/pki/tls/CA/cacert.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11042:             smtpd_tls_cert_file = /etc/pki/tls/mail/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11043:             smtpd_tls_key_file = /etc/pki/tls/mail/serverkey.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11044:             smtpd_tls_security_level = may <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11045:             smtpd_tls_auth_only = yes<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11046:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11047:             These options tell Postfix to protect all SMTP AUTH transactions using TLS. The first
11048:             four options give the locations of the CA certificate, the server certificate, and the
                   server's private key; the private key file should be readable only by root. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11049:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11050:             The smtpd_tls_security_level directive tells smtpd to allow the STARTTLS command during the SMTP
11051:             protocol exchange, but not to require it for mail senders. (Unless your site receives
11052:             mail only from other trusted sites whose sysadmins can be asked to maintain a copy of
11053:             your site certificate, you do not want to require TLS for all SMTP exchanges.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11054:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11055:             The smtpd_tls_auth_only directive tells smtpd to require the STARTTLS command before allowing the
11056:             client to attempt to authenticate for relaying using SMTP AUTH. It may not be possible
11057:             to use this directive if you must allow relaying from non-TLS-capable client software.
11058:             If this is the case, omit that line, but be aware that the PLAIN and LOGIN mechanisms
                   then send user passwords over the network in clear text, where anyone able to observe
                   the traffic can capture them; upgrading or replacing such clients is preferable.</description>
11059:         </Group>
11060:       </Group>
11061:     </Group>
11062:     <Group id="group-3.12" hidden="false">
11063:       <title xml:lang="en">LDAP</title>
11064:       <description xml:lang="en">
11065:         LDAP is a popular directory service, that is, a standardized way of
11066:         looking up information from a central database. It is relatively simple to configure a RHEL5
11067:         machine to obtain authentication information from an LDAP server. If your network uses LDAP
11068:         for authentication, be sure to configure both clients and servers securely.</description>
11069:       <Group id="group-3.12.1" hidden="false">
11070:         <title xml:lang="en">Use OpenLDAP to Provide LDAP Service if Possible</title>
11071:         <description xml:lang="en">
11072:           The system's default LDAP client/server program is called
11073:           OpenLDAP. Its documentation is available at the project web page: http://www.openldap.org.</description>
11074:       </Group>
11075:       <Group id="group-3.12.2" hidden="false">
11076:         <title xml:lang="en">Configure OpenLDAP Clients</title>
11077:         <description xml:lang="en">
11078:           This guide recommends configuring OpenLDAP clients by manually
11079:           editing the appropriate configuration files. RHEL5 provides an automated configuration
11080:           tool called authconfig and a graphical wrapper for authconfig called
11081:           system-config-authentication. However, these tools do not give sufficient flexibility over
11082:           configuration. The authconfig tools do not allow you to specify locations of SSL
11083:           certificate files, which is useful when trying to use SSL cleanly across several
11084:           protocols. They are also overly aggressive in placing services such as netgroups and
11085:           automounter maps under LDAP control, where it is safer to use LDAP only for services to
11086:           which it is relevant in your environment.</description>
11087:         <warning xml:lang="en">Before configuring any machine to be an LDAP client, ensure that
11088:           a working LDAP server is present on the network. See Section 3.12.3 for instructions on
11089:           configuring an LDAP server. </warning>
11090:         <Group id="group-3.12.2.1" hidden="false">
11091:           <title xml:lang="en">Configure the Appropriate LDAP Parameters for the Domain</title>
11092:           <description xml:lang="en">
11093:             Assume the fully qualified host name of your LDAP server is
11094:             ldap.example.com and the base DN of your domain is dc=example,dc=com (it is conventional
11095:             to use the domain name as a base DN). Edit /etc/ldap.conf, and add or correct the
11096:             following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11097:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11098:             base dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11099:             uri ldap://ldap.example.com/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11100:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11101:             Then edit /etc/openldap/ldap.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11102:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11103:             BASE dc=example,dc=com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11104:             URI ldap://ldap.example.com/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11105:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11106:             The machine whose hostname is given here must be
11107:             configured as an LDAP server, serving data identified by the base DN used here. See
11108:             Section 3.12.3 for details on configuring an LDAP server.</description>
11109:         </Group>
11110:         <Group id="group-3.12.2.2" hidden="false">
11111:           <title xml:lang="en">Configure LDAP to Use TLS for All Transactions</title>
11112:           <description xml:lang="en">
11113:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
11114:               <xhtml:li>Ensure a copy of the site's CA certificate has been placed
11115:                 in the file /etc/pki/tls/CA/cacert.pem. </xhtml:li>
11116:               <xhtml:li>Configure LDAP to enforce TLS use and to
11117:                 trust certificates signed by the site's CA. First, edit the file /etc/ldap.conf, and add
11118:                 or correct the following lines: <xhtml:br/>
11119:                 <xhtml:br/>
11120:                 ssl start_tls <xhtml:br/>
11121:                 tls_checkpeer yes <xhtml:br/>
11122:                 tls_cacertdir /etc/pki/tls/CA <xhtml:br/>
11123:                 tls_cacertfile /etc/pki/tls/CA/cacert.pem <xhtml:br/>
11124:                 <xhtml:br/>
11125:                 Then edit /etc/openldap/ldap.conf, and add or correct the following lines: <xhtml:br/>
11126:                 <xhtml:br/>
11127:                 TLS_CACERTDIR /etc/pki/tls/CA <xhtml:br/>
11128:                 TLS_CACERT /etc/pki/tls/CA/cacert.pem </xhtml:li>
11129:             </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11130:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11131:             Section 2.5.6 describes the
11132:             system-wide configuration of SSL for your enterprise. It is possible to place your
11133:             certificate information under some directory other than /etc/pki/tls, but using a
11134:             consistent directory structure across all SSL services at your site is recommended. The
11135:             LDAP server must be configured with a certificate signed by the CA certificate named
11136:             here. The tls_checkpeer setting is what causes the client to reject a server whose
                   certificate is not signed by that CA; without it, TLS still encrypts the session but
                   does not protect against an impostor server.</description>
11137:           <Rule id="rule-3.12.2.2.a" selected="false" weight="10.000000">
11138:             <title xml:lang="en">Configure LDAP to Use TLS for All Transactions</title>
11139:             <description xml:lang="en">Clients require LDAP servers to provide valid certificates for SSL communications.</description>
11140:             <fixtext xml:lang="en">(1) via /etc/ldap.conf</fixtext>
11141:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11142:               <check-content-ref name="oval:org.fedoraproject.f14:def:202885" href="scap-fedora14-oval.xml"/>
11143:             </check>
11144:           </Rule>
11145:         </Group>
11146:         <Group id="group-3.12.2.3" hidden="false">
11147:           <title xml:lang="en">Configure Authentication Services to Use OpenLDAP</title>
11148:           <description xml:lang="en">
11149:             Edit the file /etc/ldap.conf, and add or correct the following
11150:             lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11151:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11152:             pam_password md5 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11153:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11154:             Edit the file /etc/nsswitch.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11155:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11156:             passwd: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11157:             shadow: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11158:             group: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11159:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11160:             Edit the file
11161:             /etc/pam.d/system-auth-ac. Make the following changes, which will add references to LDAP
11162:             in each of the four sections of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11163:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11164:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11165:               <xhtml:li>Immediately before the last line in the auth
11166:                 section (the one containing pam_deny.so), insert the line: <xhtml:br/>
11167:                 <xhtml:br/>
11168:                 auth sufficient pam_ldap.so use_first_pass </xhtml:li>
11169:               <xhtml:li>Modify the first line in the account section by adding the option
11170:                 broken_shadow. The line should then read: <xhtml:br/>
11171:                 <xhtml:br/>
11172:                 account required pam_unix.so broken_shadow </xhtml:li>
11173:               <xhtml:li>Immediately before the last line in the account section (the one containing
11174:                 pam_permit.so), insert the line: <xhtml:br/>
11175:                 <xhtml:br/>
11176:                 account [default=bad success=ok user_unknown=ignore] pam_ldap.so </xhtml:li>
11177:               <xhtml:li>Immediately before the last line in the password section (the one
11178:                 containing pam_deny.so), insert the line: <xhtml:br/>
11179:                 <xhtml:br/>
11180:                 password sufficient pam_ldap.so use_authtok</xhtml:li>
11181:               <xhtml:li>At the end of the file (after the last line in the session section), append the line:<xhtml:br/>
11182:                 <xhtml:br/>
11183:                 session optional pam_ldap.so </xhtml:li>
11184:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11185:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11186:             The first modification tells LDAP to expect passwords in
11187:             MD5 hash format, rather than clear text. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11188:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11189:             Red Hat systems use the file /etc/nsswitch.conf
11190:             to determine the appropriate sources to search for certain kinds of data, such as
11191:             usernames, groups, hostnames, netgroups, or protocols. It is possible to manage many
11192:             other types of data using LDAP, but this guide recommends that only usernames (passwd
11193:             data), passwords (shadow data), and groups (group data) be managed using LDAP. If your
11194:             site uses netgroups, it may be appropriate to manage these via LDAP as well. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11195:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11196:             However,
11197:             data which almost never changes, such as the contents of the /etc/services file, is a
11198:             poor choice for central administration, since it introduces risk with little benefit. It
11199:             is recommended that the automounter not be used at all, so LDAP control of automounter
11200:             maps is unlikely to be appropriate. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11201:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11202:             The file /etc/pam.d/system-auth-ac is used by PAM to
11203:             control access to most authenticated services. The syntax of the PAM configuration file
11204:             is somewhat cryptic. The lines recommended here have the combined effect of using LDAP
11205:             to find authentication data for users who cannot be found in the local /etc/passwd file.
11206:             This means that, for instance, it is still possible to use a local root password. The
11207:             details of options such as broken_shadow, use_authtok, and use_first_pass may be looked
11208:             up in the man pages for the various PAM modules. Their basic effect is to attempt to
11209:             authenticate given a password against both the local /etc/shadow and the central LDAP
11210:             server, without forcing the user to type the password more than once. PAM configuration
11211:             is discussed further in Section 2.3.3.</description>
11212:         </Group>
11213:       </Group>
11214:       <Group id="group-3.12.3" hidden="false">
11215:         <title xml:lang="en">Configure OpenLDAP Server</title>
11216:         <description xml:lang="en">
11217:           This section contains guidance on how to configure an OpenLDAP
11218:           server to securely provide information for use in a centralized authentication service.
11219:           This is not a comprehensive guide to maintaining an OpenLDAP server, but may be helpful in
11220:           transitioning to an OpenLDAP infrastructure nonetheless.</description>
11221:         <Group id="group-3.12.3.1" hidden="false">
11222:           <title xml:lang="en">Install OpenLDAP Server RPM</title>
11223:           <description xml:lang="en">
11224:             Is this machine the OpenLDAP server? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11225:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11226:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install openldap-servers <xhtml:br/>
11227:             # chkconfig ldap on <xhtml:br/></xhtml:code>
11228:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11229:             The openldap-servers RPM is not installed by
11230:             default on RHEL5 machines. It is needed only by the OpenLDAP server, not by the clients
11231:             which use LDAP for authentication.</description>
11232:           <Rule id="rule-3.12.3.1.a" selected="false" weight="10.000000" severity="low">
11233:             <title xml:lang="en">Disable OpenLDAP service</title>
11234:             <description xml:lang="en">The ldap service should be disabled.</description>
11235:             <ident system="http://cce.mitre.org">CCE-3501-4</ident>
11236:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11237:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11238:               <check-content-ref name="oval:org.fedoraproject.f14:def:20289" href="scap-fedora14-oval.xml"/>
11239:             </check>
11240:           </Rule>
11241:         </Group>
11242:         <Group id="group-3.12.3.2" hidden="false">
11243:           <title xml:lang="en">Configure Domain-Specific Parameters</title>
11244:           <description xml:lang="en">
11245:             Edit the file /etc/openldap/slapd.conf. Add or correct the
11246:             following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11247:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11248:             suffix "dc=example,dc=com" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11249:             rootdn "cn=Manager,dc=example,dc=com"<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11250:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11251:             where dc=example,dc=com is the same root you will use on the LDAP clients. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11252:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11253:             These are
11254:             basic LDAP configuration directives. The suffix parameter gives the root name of all
11255:             information served by this LDAP server, and should be some name related to your domain.
11256:             The rootdn parameter names LDAP's privileged user, who is allowed to read or write all
11257:             data managed by this LDAP server.</description>
11258:         </Group>
11259:         <Group id="group-3.12.3.3" hidden="false">
11260:           <title xml:lang="en">Configure an LDAP Root Password</title>
11261:           <description xml:lang="en">
11262:             Ensure that the configuration file has reasonable permissions
11263:             before putting the hashed root password in that file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11264:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11265:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:ldap /etc/openldap/slapd.conf <xhtml:br/>
11266:             # chmod 640 /etc/openldap/slapd.conf <xhtml:br/></xhtml:code>
11267:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11268:             Generate a hashed password using the slappasswd utility: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11269:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11270:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># slappasswd <xhtml:br/></xhtml:code>
11271:             New password: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11272:             Re-enter new password: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11273:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11274:             This
11275:             will output a hashed password string. Edit the file /etc/openldap/slapd.conf, and add or
11276:             correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11277:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11278:             rootpw {SSHA}hashed-password-string <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11279:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11280:             Be sure to select a secure
11281:             password for the LDAP root user, since this user has permission to read and write all
11282:             LDAP data, so a compromise of the LDAP root password will probably enable a full
11283:             compromise of your site. Protect configuration files containing the hashed password the
11284:             same way you would protect other files, such as /etc/shadow, which contain hashed
11285:             authentication data. In addition, be sure to use a reasonably strong hash function, such
11286:             as SHA-1, rather than an insecure scheme such as crypt.</description>
11287:           <description xml:lang="en">If you are using SHA-1, the hashed password string will begin with “{SHA}” or “{SSHA}”.</description>
11288:         </Group>
11289:         <Group id="group-3.12.3.4" hidden="false">
11290:           <title xml:lang="en">Configure the LDAP Server to Require TLS for All Transactions</title>
11291:           <description xml:lang="en">
11292:             Because LDAP queries and responses, particularly those
11293:             containing authentication information or other sensitive data, must be protected from
11294:             disclosure or modification while in transit over the network, this guide recommends
11295:             using SSL to protect all transactions. In order to do this, it is necessary to have a
11296:             site-wide SSL infrastructure in which a CA certificate is used to verify that other
11297:             certificates, such as that presented by the LDAP server to its clients, are authentic.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11298:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11299:             Therefore, this procedure involves using the CA system to create a certificate for the
11300:             LDAP server, then installing that certificate on the LDAP server and configuring slapd
11301:             to require its use. See Section 2.5.6 for details about the process of creating SSL
11302:             certificates for use by servers at your site.</description>
11303:           <Group id="group-3.12.3.4.1" hidden="false">
11304:             <title xml:lang="en">Create the Certificate for the LDAP Server</title>
11305:             <description xml:lang="en">
11306:               Note: This step must be performed on the CA system, not on
11307:               the LDAP server itself. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11308:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11309:               Change into the CA certificate directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11310:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11311:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/></xhtml:code>
11312:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11313:               Generate a key pair for the LDAP server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11314:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11315:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl genrsa -out ldapserverkey.pem 2048 <xhtml:br/></xhtml:code>
11316:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11317:               Next, generate a certificate signing request (CSR) for the CA to sign: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11318:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11319:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key ldapserverkey.pem -out ldapserver.csr <xhtml:br/></xhtml:code>
11320:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11321:               Sign the ldapserver.csr request: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11322:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11323:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in ldapserver.csr -out ldapservercert.pem <xhtml:br/></xhtml:code>
11324:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11325:               This step creates a private key, ldapserverkey.pem, and a public certificate,
11326:               ldapservercert.pem. The LDAP server will use these to prove its identity by
11327:               demonstrating that it has a certificate which has been signed by the site CA. LDAP
11328:               clients at your site should only be willing to accept authentication data from a
11329:               verified LDAP server.</description>
11330:           </Group>
11331:           <Group id="group-3.12.3.4.2" hidden="false">
11332:             <title xml:lang="en">Install the Certificate on the LDAP Server</title>
11333:             <description xml:lang="en">
11334:               Create the PKI directory for LDAP certificates if it does not
11335:               already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11336:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11337:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/ldap <xhtml:br/>
11338:               # chown root:root /etc/pki/tls/ldap <xhtml:br/>
11339:               # chmod 755 /etc/pki/tls/ldap <xhtml:br/></xhtml:code>
11340:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11341:               Using removable media or some other secure transmission format,
11342:               install the files generated in the previous step onto the LDAP server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11343:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11344:               <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11345:                 <xhtml:li>/etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem</xhtml:li>
11346:                 <xhtml:li>/etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem </xhtml:li>
11347:               </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11348:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11349:               Verify the ownership and permissions of these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11350:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11351:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:ldap /etc/pki/tls/ldap/serverkey.pem <xhtml:br/>
11352:               # chown root:ldap /etc/pki/tls/ldap/servercert.pem <xhtml:br/>
11353:               # chmod 640 /etc/pki/tls/ldap/serverkey.pem <xhtml:br/>
11354:               # chmod 640 /etc/pki/tls/ldap/servercert.pem<xhtml:br/></xhtml:code>
11355:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11356:               Verify that the CA's public certificate file has been installed as
11357:               /etc/pki/tls/CA/cacert.pem, and has the correct permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11358:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11359:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/CA <xhtml:br/>
11360:               # chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/>
11361:               # chmod 644 /etc/pki/tls/CA/cacert.pem <xhtml:br/></xhtml:code>
11362:               As a
11363:               result of these steps, the LDAP server will have access to its own certificate, to the
11364:               private key that corresponds to that certificate, and to the public certificate
11365:               file belonging to the CA. Note that it would be possible for the key to be protected
11366:               further, so that processes running as ldap could not read it. If this were done, the
11367:               LDAP server process would need to be restarted manually whenever the server rebooted.</description>
11368:           </Group>
11369:           <Group id="group-3.12.3.4.3" hidden="false">
11370:             <title xml:lang="en">Configure slapd to Use the Certificates</title>
11371:             <description xml:lang="en">
11372:               Edit the file /etc/openldap/slapd.conf. Add or correct the
11373:               following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11374:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11375:               TLSCACertificateFile /etc/pki/tls/CA/cacert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11376:               TLSCertificateFile /etc/pki/tls/ldap/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11377:               TLSCertificateKeyFile /etc/pki/tls/ldap/serverkey.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11378:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11379:               security simple_bind=128 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11380:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11381:               The first set of lines tells slapd where to find the
11382:               appropriate SSL certificates to present to clients when they request an encrypted
11383:               transaction. The last setting (a minimum security strength factor of 128 for simple
11384:               binds) tells slapd never to allow clients to present credentials (i.e. passwords) in
11385:               an unencrypted session. It is a good security principle never to allow unencrypted
11386:               passwords to traverse a network, so ensure that LDAP mandates this.</description>
11387:           </Group>
11388:         </Group>
11389:         <Group id="group-3.12.3.5" hidden="false">
11390:           <title xml:lang="en">Install Account Information into the LDAP Database</title>
11391:           <description xml:lang="en">
11392:             There are many ways to maintain an OpenLDAP database. Methods
11393:             include: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11394:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11395:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11396:               <xhtml:li>Input entries in ldif(5) format into a file /path/to/new_entries, and use
11397:                 slapadd to import those entries while slapd is not running: <xhtml:br/>
11398:                 <xhtml:br/>
11399:                 <xhtml:code># slapadd -l /path/to/new_entries </xhtml:code></xhtml:li>
11400:               <xhtml:li>Write a script to create and modify LDAP entries by connecting to the LDAP
11401:                 server normally. The Perl Net::LDAP module is appropriate for this; there is also a
11402:                 Python API called python-ldap, and similar functionality is likely available for
11403:                 other scripting languages as well. </xhtml:li>
11404:               <xhtml:li>Use an LDAP front-end program which provides an interface for
11405:                 editing the database. If the front-end program is web-based or otherwise accessible over
11406:                 a network, ensure that authentication information is protected via SSL between the
11407:                 administrator's client and the program, as well as between the program and the LDAP
11408:                 database. </xhtml:li>
11409:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11410:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11411:             Any of these methods or others may be appropriate for your site. This guide
11412:             does not provide a recommendation, and there will be no further discussion of the syntax
11413:             of entering LDAP data into the database.</description>
11414:           <Group id="group-3.12.3.5.1" hidden="false">
11415:             <title xml:lang="en">Create Top-level LDAP Structure for Domain</title>
11416:             <description xml:lang="en">
11417:               Create a structure for the domain itself with at least the
11418:               following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11419:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11420:               dn: dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11421:               objectClass: dcObject <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11422:               objectClass: organization <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11423:               dc: example <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11424:               o: Organization Description <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11425:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11426:               This is a placeholder for the
11427:               root of the domain's LDAP tree. Without this entry, LDAP will not be able to find any
11428:               other entries for the domain.</description>
11429:           </Group>
11430:           <Group id="group-3.12.3.5.2" hidden="false">
11431:             <title xml:lang="en">Create LDAP Structures for Users and Groups</title>
11432:             <description xml:lang="en">
11433:               Create LDAP structures for people (users) and for groups with
11434:               at least the following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11435:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11436:               dn: ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11437:               ou: people<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11438:               structuralObjectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11439:               objectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11440:               dn: ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11441:               ou: groups <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11442:               structuralObjectClass: organizationalUnit<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11443:               objectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11444:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11445:               Posix users and groups are the two top-level items
11446:               which will be needed in order to use LDAP for authentication. These organizational
11447:               units are used to identify the two categories within LDAP.</description>
11448:           </Group>
11449:           <Group id="group-3.12.3.5.3" hidden="false">
11450:             <title xml:lang="en">Create Unix Accounts</title>
11451:             <description xml:lang="en">
11452:               For each Unix user, create an LDAP entry with at least the
11453:               following attributes (others may be appropriate for your site as well), using variable
11454:               values appropriate to that user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11455:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11456:               dn: uid=username,ou=people,dc=example,dc=com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11457:               structuralObjectClass: inetOrgPerson <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11458:               objectClass: inetOrgPerson <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11459:               objectClass: posixAccount <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11460:               objectClass: shadowAccount <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11461:               cn: fullname <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11462:               sn: surname <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11463:               gecos: fullname<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11464:               gidNumber: primary-group-id <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11465:               homeDirectory: /home/username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11466:               loginShell: /path/to/shell<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11467:               uid: username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11468:               uidNumber: uid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11469:               userPassword: {MD5}md5-hashed-password <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11470:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11471:               If your site
11472:               implements password expiration in which passwords must be changed every N days (see
11473:               Section 2.3.1.7), then each entry should also have the attribute: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11474:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11475:               shadowMax: N <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11476:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11477:               In general, the LDAP schemas for users use uid to refer to the text username, and
11478:               uidNumber for the numeric UID. This usage may be slightly confusing when compared to
11479:               the standard Unix usage. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11480:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11481:               You should not create entries for the root account or for
11482:               system accounts which are unique to individual systems, but only for user accounts
11483:               which are to be shared across machines, and which have authentication information
11484:               (such as a password) associated with them.</description>
11485:           </Group>
11486:           <Group id="group-3.12.3.5.4" hidden="false">
11487:             <title xml:lang="en">Create Unix Groups</title>
11488:             <description xml:lang="en">
11489:               For each Unix group, create an LDAP entry with at least the
11490:               following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11491:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11492:               dn: cn=groupname,ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11493:               cn: groupname<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11494:               structuralObjectClass: posixGroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11495:               objectClass: posixGroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11496:               gidNumber: gid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11497:               memberUid: username1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11498:               memberUid: username2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11499:               ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11500:               memberUid: usernameN <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11501:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11502:               Note that each user has a
11503:               primary group, identified by the gidNumber field in the user's account entry. That
11504:               group must be created, but it is not necessary to list the user as a memberUid of the
11505:               group. This behavior should be familiar to administrators, since it is identical to
11506:               the handling of the /etc/passwd and /etc/group files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11507:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11508:               Do not create entries for the
11509:               root group or for system groups, but only for groups which contain human users or
11510:               which are shared across systems.</description>
11511:           </Group>
11512:           <Group id="group-3.12.3.5.5" hidden="false">
11513:             <title xml:lang="en">Create Groups to Administer LDAP</title>
11514:             <description xml:lang="en">
11515:               If a group of LDAP administrators, admins, is desired, that
11516:               group must be created somewhat differently. The specification should have these
11517:               attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11518:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11519:               dn: cn=admins,ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11520:               cn: admins<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11521:               structuralObjectClass: groupOfUniqueNames <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11522:               objectClass: groupOfUniqueNames<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11523:               uniqueMember: cn=Manager,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11524:               uniqueMember: uid=admin1-username,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11525:               uniqueMember: uid=admin2-username,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11526:               ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11527:               uniqueMember: uid=adminN-username,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11528:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11529:               LDAP cannot use Posix groups for its own internal
11530:               authentication — it needs to compare the username specified in an authenticated bind
11531:               to some internal groupOfUniqueNames. If you do not specify an LDAP administrators'
11532:               group, then all LDAP management will need to be done using the LDAP root user
11533:               (Manager). For reasons of auditing and error detection, it is recommended that LDAP
11534:               administrators have unique identities. (See Section 2.3.1.3 for similar reasoning
11535:               applied to the use of sudo for privileged system commands.)</description>
11536:           </Group>
11537:         </Group>
11538:         <Group id="group-3.12.3.6" hidden="false">
11539:           <title xml:lang="en">Configure slapd to Protect Authentication Information</title>
11540:           <description xml:lang="en">
11541:             Edit the file /etc/openldap/slapd.conf. Add or correct the
11542:             following access specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11543:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11544:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
11545:               <xhtml:li>Protect the user's password by allowing the user
11546:                 himself or the LDAP administrators to change it, allowing the anonymous user to
11547:                 authenticate against it, and allowing no other access: <xhtml:br/>
11548:                 <xhtml:br/>
11549:                 access to attrs=userPassword <xhtml:br/>
11550:                 by self write <xhtml:br/>
11551:                 by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/>
11552:                 by anonymous auth <xhtml:br/>
11553:                 by * none <xhtml:br/>
11554:                 access to attrs=shadowLastChange <xhtml:br/>
11555:                 by self write <xhtml:br/>
11556:                 by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/>
11557:                 by * read</xhtml:li>
11558:               <xhtml:li>Allow anyone to read other
11559:                 information, and allow the administrators to change it: <xhtml:br/>
11560:                 <xhtml:br/>
11561:                 access to * by<xhtml:br/>
11562:                 group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/>
11563:                 by * read </xhtml:li>
11564:             </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11565:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11566:             Access rules are applied in the order encountered, so more specific rules should
11567:             appear first. In particular, the rule restricting access to userPassword must appear
11568:             before the rule allowing access to all data. The shadowLastChange attribute is a
11569:             timestamp, and is only critical if your site implements password expiration. If your
11570:             site does not have an LDAP administrators group, the LDAP root user (called Manager in
11571:             this guide) will be able to change data without an explicit access statement.</description>
11572:         </Group>
11573:         <Group id="group-3.12.3.7" hidden="false">
11574:           <title xml:lang="en">Correct Permissions on LDAP Server Files</title>
11575:           <description xml:lang="en">
11576:             Correct the permissions on the ldap server's files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11577:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11578:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown ldap:root /var/lib/ldap/* <xhtml:br/></xhtml:code>
11579:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11580:             Some manual methods of inserting information into the LDAP
11581:             database may leave these files with incorrect permissions. This will prevent slapd from
11582:             starting correctly.</description>
11583:           <Value id="var-3.12.3.7.a" operator="equals" type="string">
11584:             <title xml:lang="en">group owner of ldap files</title>
11585:             <description xml:lang="en">Specify group owner of /var/lib/ldap/*.</description>
11586:             <question xml:lang="en">Specify group owner of /var/lib/ldap/*</question>
11587:             <value>root</value>
11588:             <value selector="root">root</value>
11589:           </Value>
11590:           <Value id="var-3.12.3.7.b" operator="equals" type="string">
11591:             <title xml:lang="en">user owner of ldap files</title>
11592:             <description xml:lang="en">Specify user owner of /var/lib/ldap/*.</description>
11593:             <question xml:lang="en">Specify user owner of /var/lib/ldap/*</question>
11594:             <value>ldap</value>
11595:             <value selector="ldap">ldap</value>
11596:           </Value>
11597:           <Rule id="rule-3.12.3.7.a" selected="false" weight="10.000000">
11598:             <title xml:lang="en">Correct Permissions on LDAP Server Files</title>
11599:             <description xml:lang="en">The /var/lib/ldap/* files should be owned by the appropriate group.</description>
11600:             <ident system="http://cce.mitre.org">CCE-4484-2</ident>
11601:             <fixtext xml:lang="en">(1) via chown</fixtext>
11602:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11603:               <check-export export-name="oval:org.fedoraproject.f14:var:20290" value-id="var-3.12.3.7.a"/>
11604:               <check-content-ref name="oval:org.fedoraproject.f14:def:20290" href="scap-fedora14-oval.xml"/>
11605:             </check>
11606:           </Rule>
11607:           <Rule id="rule-3.12.3.7.b" selected="false" weight="10.000000">
11608:             <title xml:lang="en">Correct Permissions on LDAP Server Files</title>
11609:             <description xml:lang="en">The /var/lib/ldap/* files should be owned by the appropriate user.</description>
11610:             <ident system="http://cce.mitre.org">CCE-4502-1</ident>
11611:             <fixtext xml:lang="en">(1) via chown</fixtext>
11612:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11613:               <check-export export-name="oval:org.fedoraproject.f14:var:20291" value-id="var-3.12.3.7.b"/>
11614:               <check-content-ref name="oval:org.fedoraproject.f14:def:20291" href="scap-fedora14-oval.xml"/>
11615:             </check>
11616:           </Rule>
11617:         </Group>
11618:         <Group id="group-3.12.3.8" hidden="false">
11619:           <title xml:lang="en">Configure iptables to Allow Access to the LDAP Server</title>
11620:           <description xml:lang="en">
11621:             Determine an appropriate network block, netwk, and network
11622:             mask, mask, representing the machines on your network which will query this
11623:             server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11624:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11625:             Edit /etc/sysconfig/iptables. Add the following lines, ensuring that they appear
11626:             before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11627:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11628:             -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 389 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11629:             -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 636 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11630:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11631:             The default Iptables configuration does not allow inbound access to any services. These
11632:             modifications allow access to the LDAP primary (389) and encrypted-only (636) ports,
11633:             while keeping all other ports on the server in their default protected state. See
11634:             Section 2.5.5 for more information about Iptables. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11635:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11636:             Note: Even if the LDAP server
11637:             restricts connections so that only encrypted queries are allowed, it will probably be
11638:             necessary to allow traffic to the default port 389. This is true because many LDAP
11639:             clients implement encryption by connecting to the primary port and issuing the STARTTLS
11640:             command.</description>
11641:         </Group>
11642:         <Group id="group-3.12.3.9" hidden="false">
11643:           <title xml:lang="en">Configure Logging for LDAP</title>
11644:           <description xml:lang="en">
11645:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
11646:               <xhtml:li>Edit the file /etc/syslog.conf. Add or correct the following line: <xhtml:br/>
11647:                 <xhtml:br/>
11648:                 local4.* /var/log/ldap.log </xhtml:li>
11649:               <xhtml:li>Create the log file with safe permissions: <xhtml:br/>
11650:                 <xhtml:br/>
11651:                 <xhtml:code># touch /var/log/ldap.log <xhtml:br/>
11652:                 # chown root:root /var/log/ldap.log <xhtml:br/>
11653:                 # chmod 0600 /var/log/ldap.log </xhtml:code></xhtml:li>
11654:               <xhtml:li>Edit the file /etc/logrotate.d/syslog and add the pathname <xhtml:br/>
11655:                 <xhtml:br/>
11656:                 /var/log/ldap.log <xhtml:br/>
11657:                 <xhtml:br/>
11658:                 to the space-separated list in the first line. </xhtml:li>
11659:               <xhtml:li>Edit the LDAP configuration file
11660:                 /etc/openldap/slapd.conf and set a reasonable set of default log parameters, such as:<xhtml:br/>
11661:                 <xhtml:br/>
11662:                 loglevel stats2 </xhtml:li>
11663:             </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11664:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11665:             OpenLDAP sends its log data to the syslog facility local4 at priority
11666:             debug. By default, RHEL5 does not store this facility at all. The syslog configuration
11667:             suggested here will store any output logged by slapd in the file /var/log/ldap.log, and
11668:             will include that file in the standard log rotation for syslog files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11669:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11670:             By default, LDAP's
11671:             logging is quite verbose. The loglevel parameter is a space-separated list of items to
11672:             be logged. Specifying stats2 will reduce the log output somewhat, but this level will
11673:             still produce some logging every time an LDAP query is made. (This may be appropriate,
11674:             depending on your site's auditing requirements.) In order to capture only slapd startup
11675:             messages, specify loglevel none. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11676:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11677:             See slapd.conf(5) for detailed information about the
11678:             loglevel parameter. See Section 2.6.1 for more information about syslog.</description>
11679:         </Group>
11680:       </Group>
11681:     </Group>
11682:     <Group id="group-3.13" hidden="false">
11683:       <title xml:lang="en">NFS and RPC</title>
11684:       <description xml:lang="en">
11685:         The Network File System is the most popular distributed filesystem
11686:         for the Unix environment, and is very widely deployed. Unfortunately, NFS was not designed
11687:         with security in mind, and has a number of weaknesses, both in terms of the protocol itself
11688:         and because any NFS installation must expose several daemons, running on both servers and
11689:         clients, to network attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11690:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11691:         This section discusses the circumstances under which it is
11692:         possible to disable NFS and its dependencies, and then details steps which should be taken
11693:         to secure, as much as possible, NFS's configuration. This section is relevant to machines
11694:         operating as NFS clients, as well as to those operating as NFS servers.</description>
11695:       <Group id="group-3.13.1" hidden="false">
11696:         <title xml:lang="en">Disable All NFS Services if Possible</title>
11697:         <description xml:lang="en">
11698:           Is there a mission-critical reason for this machine to operate as
11699:           either an NFS client or an NFS server? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11700:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11701:           If not, follow all instructions in the remainder of
11702:           Section 3.13.1 to disable subsystems required by NFS. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11703:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11704:           NFS is a commonly used mechanism for
11705:           sharing data between machines in an organization. However, its use opens many potential
11706:           security holes. If NFS is not universally needed in your organization, improve the
11707:           security posture of any machine which does not require NFS by disabling it entirely.</description>
11708:         <warning xml:lang="en">The steps in Section 3.13.1 will prevent a machine from operating
11709:           as either an NFS client or an NFS server. Only perform these steps on machines which do
11710:           not need NFS at all. </warning>
11711:         <Group id="group-3.13.1.1" hidden="false">
11712:           <title xml:lang="en">Disable Services Used Only by NFS</title>
11713:           <description xml:lang="en">
11714:             If NFS is not needed, perform the following steps to disable
11715:             NFS client daemons: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11716:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig nfslock off <xhtml:br/>
11717:             # chkconfig rpcgssd off <xhtml:br/>
11718:               # chkconfig rpcidmapd off <xhtml:br/></xhtml:code>
11719:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11720:             The nfslock, rpcgssd, and rpcidmapd daemons all perform NFS client functions. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11721:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11722:             All of these daemons run with elevated privileges, and many listen for
11723:             network connections. If they are not needed, they should be disabled to improve system
11724:             security posture.</description>
11725:           <Rule id="rule-3.13.1.1.a" selected="false" weight="10.000000" severity="low">
11726:             <title xml:lang="en">Disable nfslock</title>
11727:             <description xml:lang="en">The nfslock service should be disabled.</description>
11728:             <ident system="http://cce.mitre.org">CCE-4396-8</ident>
11729:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11730:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11731:               <check-content-ref name="oval:org.fedoraproject.f14:def:20292" href="scap-fedora14-oval.xml"/>
11732:             </check>
11733:           </Rule>
11734:           <Rule id="rule-3.13.1.1.b" selected="false" weight="10.000000" severity="low">
11735:             <title xml:lang="en">Disable rpcgssd</title>
11736:             <description xml:lang="en">The rpcgssd service should be disabled.</description>
11737:             <ident system="http://cce.mitre.org">CCE-3535-2</ident>
11738:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11739:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11740:               <check-content-ref name="oval:org.fedoraproject.f14:def:20293" href="scap-fedora14-oval.xml"/>
11741:             </check>
11742:           </Rule>
11743:           <Rule id="rule-3.13.1.1.c" selected="false" weight="10.000000" severity="low">
11744:             <title xml:lang="en">Disable rpcidmapd</title>
11745:             <description xml:lang="en">The rpcidmapd service should be disabled.</description>
11746:             <ident system="http://cce.mitre.org">CCE-3568-3</ident>
11747:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11748:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11749:               <check-content-ref name="oval:org.fedoraproject.f14:def:20294" href="scap-fedora14-oval.xml"/>
11750:             </check>
11751:           </Rule>
11752:         </Group>
11753:         <Group id="group-3.13.1.2" hidden="false">
11754:           <title xml:lang="en">Disable netfs if Possible</title>
11755:           <description xml:lang="en">
11756:             Determine whether any network filesystems handled by netfs are
11757:             mounted on this system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11758:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11759:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mount -t nfs,nfs4,smbfs,cifs,ncpfs <xhtml:br/></xhtml:code>
11760:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11761:             If this command returns no output, disable netfs to improve system security: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11762:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11763:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig netfs off <xhtml:br/></xhtml:code>
11764:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11765:             The netfs script
11766:             manages the boot-time mounting of several types of networked filesystems, of which NFS
11767:             and Samba (see Section 3.18) are the most common. If these filesystem types are not in
11768:             use, the script can be disabled, protecting the system somewhat against accidental or
11769:             malicious changes to /etc/fstab and against flaws in the netfs script itself.</description>
11770:           <Rule id="rule-3.13.1.2.a" selected="false" weight="10.000000" severity="low">
11771:             <title xml:lang="en">Disable netfs if Possible</title>
11772:             <description xml:lang="en">The netfs service should be disabled.</description>
11773:             <ident system="http://cce.mitre.org">CCE-4533-6</ident>
11774:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11775:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11776:               <check-content-ref name="oval:org.fedoraproject.f14:def:20295" href="scap-fedora14-oval.xml"/>
11777:             </check>
11778:           </Rule>
11779:         </Group>
11780:         <Group id="group-3.13.1.3" hidden="false">
11781:           <title xml:lang="en">Disable RPC Portmapper if Possible</title>
11782:           <description xml:lang="en">
11783:             If: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11784:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11785:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11786:               <xhtml:li>NFS is not needed </xhtml:li>
11787:               <xhtml:li>The site does not rely on NIS for authentication information, and </xhtml:li>
11788:               <xhtml:li>The machine does not run any other RPC-based service</xhtml:li>
11789:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11790:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11791:             then disable the RPC portmapper service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11792:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11793:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig portmap off <xhtml:br/></xhtml:code>
11794:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11795:             By design, the RPC
11796:             model does not require particular services to listen on fixed ports, but instead uses a
11797:             daemon, portmap, to tell prospective clients which ports to use to contact the services
11798:             they are trying to reach. This model weakens system security by introducing another
11799:             privileged daemon which may be directly attacked, and is unnecessary because RPC was
11800:             never adopted by enough services to risk using up all the ports on a system.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11801:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11802:             Unfortunately, the portmapper is central to RPC design, so it cannot be disabled if your
11803:             site is using any RPC-based services, including NFS, NIS (see Section 3.2.4 for
11804:             information about NIS, which is not recommended), or any third-party or custom RPC-based
11805:             program. If none of these programs are in use, however, portmap should be disabled to
11806:             improve system security. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11807:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11808:             In order to get more information about whether portmap may be
11809:             disabled on a given host, query the local portmapper using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11810:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11811:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpcinfo -p <xhtml:br/></xhtml:code>
11812:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11813:             If the only services listed are portmapper and status, it is safe to disable the
11814:             portmapper. If other services are listed and your site is not running NFS or NIS,
11815:             investigate these services and disable them if possible.</description>
11816:           <Rule id="rule-3.13.1.3.a" selected="false" weight="10.000000" severity="low">
11817:             <title xml:lang="en">Disable RPC Portmapper if Possible</title>
11818:             <description xml:lang="en">The portmap service should be disabled.</description>
11819:             <ident system="http://cce.mitre.org">CCE-4550-0</ident>
11820:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11821:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11822:               <check-content-ref name="oval:org.fedoraproject.f14:def:20296" href="scap-fedora14-oval.xml"/>
11823:             </check>
11824:           </Rule>
11825:         </Group>
11826:       </Group>
11827:       <Group id="group-3.13.2" hidden="false">
11828:         <title xml:lang="en">Configure All Machines which Use NFS</title>
11829:         <description xml:lang="en">The steps in this section are appropriate for all machines which run NFS, whether they operate as clients or as servers.</description>
11830:         <Group id="group-3.13.2.1" hidden="false">
11831:           <title xml:lang="en">Make Each Machine a Client or a Server, not Both</title>
11832:           <description xml:lang="en">
11833:             If NFS must be used, it should be deployed in the simplest
11834:             configuration possible to avoid maintainability problems which may lead to unnecessary
11835:             security exposure. Due to the reliability and security problems caused by NFS, it is not
11836:             a good idea for machines which act as NFS servers to also mount filesystems via NFS. At
11837:             the least, crossed mounts (the situation in which each of two servers mounts a
11838:             filesystem from the other) should never be used.</description>
11839:         </Group>
11840:         <Group id="group-3.13.2.2" hidden="false">
11841:           <title xml:lang="en">Restrict Access to the Portmapper</title>
11842:           <description xml:lang="en">
11843:             Edit the file /etc/hosts.deny. Add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11844:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11845:             portmap: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11846:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11847:             Edit the file /etc/hosts.allow. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11848:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11849:             portmap: IPADDR1 , IPADDR2 , ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11850:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11851:             where each IPADDR is the IP address of a server or client with which this
11852:             machine shares NFS filesystems. If the machine is an NFS server, it may be simpler to
11853:             use an IP netblock specification, such as 10.3.2. (this is the TCP Wrappers syntax
11854:             representing the netblock 10.3.2.0/24), or a hostname specification, such as
11855:             .subdomain.example.com. The use of hostnames is not recommended, since matching by hostname depends on DNS lookups, which can be spoofed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11856:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11857:             The /etc/hosts.allow
11858:             and /etc/hosts.deny files are used by TCP Wrappers to determine whether specified remote
11859:             hosts are allowed to access certain services. The default portmapper shipped with RHEL5
11860:             has TCP Wrappers support built in, so this specification can be used to provide some
11861:             protection against network attacks on the portmapper. (See Section 2.5.4 for more
11862:             information about TCP Wrappers.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11863:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11864:             Note: This step protects only the portmap service
11865:             itself. It is still possible for attackers to guess the port numbers of NFS services and
11866:             attack those services directly, even if they are denied access to the portmapper.</description>
11867:         </Group>
11868:         <Group id="group-3.13.2.3" hidden="false">
11869:           <title xml:lang="en">Configure NFS Services to Use Fixed Ports</title>
11870:           <description xml:lang="en">
11871:             Edit the file /etc/sysconfig/nfs. Add or correct the following
11872:             lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11873:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11874:             LOCKD_TCPPORT=lockd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11875:             LOCKD_UDPPORT=lockd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11876:             MOUNTD_PORT=mountd-port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11877:             RQUOTAD_PORT=rquotad-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11878:             STATD_PORT=statd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11879:             STATD_OUTGOING_PORT=statd-outgoing-port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11880:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11881:             where each of lockd-port, mountd-port, rquotad-port, statd-port and statd-outgoing-port is a port which is not used by any other service on your network.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11882:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11883:             Firewalling should be done at each host and at the border firewalls to protect the NFS
11884:             daemons from remote access, since NFS servers should never be accessible from outside
11885:             the organization. However, by default, the portmapper assigns each NFS service to a port
11886:             dynamically at service startup time. Dynamic ports cannot be protected by port filtering
11887:             firewalls such as iptables (Section 2.5.5). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11888:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11889:             Therefore, restrict each service to always
11890:             use a given port, so that firewalling can be done effectively. Note that, because of the
11891:             way RPC is implemented, it is not possible to disable the portmapper even if ports are
11892:             assigned statically to all RPC services.</description>
11893:           <Rule id="rule-3.13.2.3.a" selected="false" weight="10.000000">
11894:             <title xml:lang="en">Configure lockd to Use Fixed Ports for TCP</title>
11895:             <description xml:lang="en">The lockd service should be configured to use a static port for TCP</description>
11896:             <ident system="http://cce.mitre.org">CCE-4559-1</ident>
11897:             <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11898:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11899:               <check-content-ref name="oval:org.fedoraproject.f14:def:20297" href="scap-fedora14-oval.xml"/>
11900:             </check>
11901:           </Rule>
11902:           <Rule id="rule-3.13.2.3.b" selected="false" weight="10.000000">
11903:             <title xml:lang="en">Configure statd to Use an outgoing static port</title>
11904:             <description xml:lang="en">The statd service should be configured to use an outgoing static port</description>
11905:             <ident system="http://cce.mitre.org">CCE-4015-4</ident>
11906:             <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11907:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11908:               <check-content-ref name="oval:org.fedoraproject.f14:def:20298" href="scap-fedora14-oval.xml"/>
11909:             </check>
11910:           </Rule>
11911:           <Rule id="rule-3.13.2.3.c" selected="false" weight="10.000000">
11912:             <title xml:lang="en">Configure statd to Use a static port</title>
11913:             <description xml:lang="en">The statd service should be configured to use a static port</description>
11914:             <ident system="http://cce.mitre.org">CCE-3667-3</ident>
11915:             <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11916:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11917:               <check-content-ref name="oval:org.fedoraproject.f14:def:20299" href="scap-fedora14-oval.xml"/>
11918:             </check>
11919:           </Rule>
11920:           <Rule id="rule-3.13.2.3.d" selected="false" weight="10.000000">
11921:             <title xml:lang="en">Configure lockd to Use a static port for UDP</title>
11922:             <description xml:lang="en">The lockd service should be configured to use a static port for UDP</description>
11923:             <ident system="http://cce.mitre.org">CCE-4310-9</ident>
11924:             <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11925:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11926:               <check-content-ref name="oval:org.fedoraproject.f14:def:20300" href="scap-fedora14-oval.xml"/>
11927:             </check>
11928:           </Rule>
11929:           <Rule id="rule-3.13.2.3.e" selected="false" weight="10.000000">
11930:             <title xml:lang="en">Configure mountd to Use a static port</title>
11931:             <description xml:lang="en">The mountd service should be configured to use a static port</description>
11932:             <ident system="http://cce.mitre.org">CCE-4438-8</ident>
11933:             <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11934:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11935:               <check-content-ref name="oval:org.fedoraproject.f14:def:20301" href="scap-fedora14-oval.xml"/>
11936:             </check>
11937:           </Rule>
11938:           <Rule id="rule-3.13.2.3.f" selected="false" weight="10.000000">
11939:             <title xml:lang="en">Configure rquotad to Use Fixed Ports</title>
11940:             <description xml:lang="en">The rquotad service should be configured to use a static port</description>
11941:             <ident system="http://cce.mitre.org">CCE-3579-0</ident>
11942:             <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11943:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11944:               <check-content-ref name="oval:org.fedoraproject.f14:def:20302" href="scap-fedora14-oval.xml"/>
11945:             </check>
11946:           </Rule>
11947:         </Group>
11948:       </Group>
11949:       <Group id="group-3.13.3" hidden="false">
11950:         <title xml:lang="en">Configure NFS Clients</title>
11951:         <description xml:lang="en">The steps in this section are appropriate for machines which operate as NFS clients.</description>
11952:         <Group id="group-3.13.3.1" hidden="false">
11953:           <title xml:lang="en">Disable NFS Server Daemons</title>
11954:           <description xml:lang="en">
11955:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig nfs off <xhtml:br/>
11956:             # chkconfig rpcsvcgssd off <xhtml:br/></xhtml:code>
11957:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11958:             There is no need
11959:             to run the NFS server daemons except on a small number of properly secured machines
11960:             designated as NFS servers. Ensure that these daemons are turned off on clients.</description>
11961:           <Rule id="rule-3.13.3.1.a" selected="false" weight="10.000000" severity="low">
11962:             <title xml:lang="en">Disable nfs service</title>
11963:             <description xml:lang="en">The nfs service should be disabled</description>
11964:             <ident system="http://cce.mitre.org">CCE-4473-5</ident>
11965:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11966:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11967:               <check-content-ref name="oval:org.fedoraproject.f14:def:20303" href="scap-fedora14-oval.xml"/>
11968:             </check>
11969:           </Rule>
11970:           <Rule id="rule-3.13.3.1.b" selected="false" weight="10.000000" severity="low">
11971:             <title xml:lang="en">Disable rpcsvcgssd service</title>
11972:             <description xml:lang="en">The rpcsvcgssd service should be disabled</description>
11973:             <ident system="http://cce.mitre.org">CCE-4491-7</ident>
11974:             <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11975:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11976:               <check-content-ref name="oval:org.fedoraproject.f14:def:20304" href="scap-fedora14-oval.xml"/>
11977:             </check>
11978:           </Rule>
11979:         </Group>
11980:         <Group id="group-3.13.3.2" hidden="false">
11981:           <title xml:lang="en">Mount Remote Filesystems with Restrictive Options</title>
11982:           <description xml:lang="en">
11983:             Edit the file /etc/fstab. For each filesystem whose type
11984:             (column 3) is nfs or nfs4, add the text ,nodev,nosuid to the list of mount options in
11985:             column 4. If appropriate, also add ,noexec. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11986:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11987:             See Section 2.2.1.2 for a description of the
11988:             effects of these options. In general, execution of files mounted via NFS should be
11989:             considered risky because of the possibility that an adversary could intercept the
11990:             request and substitute a malicious file. Allowing setuid files to be executed from
11991:             remote servers is particularly risky, both for this reason and because it requires the
11992:             clients to extend root-level trust to the NFS server.</description>
11993:           <Rule id="rule-3.13.3.2.a" selected="false" weight="10.000000">
11994:             <title xml:lang="en">Mount Remote Filesystems with nodev</title>
11995:             <description xml:lang="en">The nodev option should be enabled for all NFS mounts</description>
11996:             <ident system="http://cce.mitre.org">CCE-4368-7</ident>
11997:             <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
11998:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11999:               <check-content-ref name="oval:org.fedoraproject.f14:def:20305" href="scap-fedora14-oval.xml"/>
12000:             </check>
12001:           </Rule>
12002:           <Rule id="rule-3.13.3.2.b" selected="false" weight="10.000000" severity="medium">
12003:             <title xml:lang="en">Mount Remote Filesystems with nosuid</title>
12004:             <description xml:lang="en">The nosuid option should be enabled for all NFS mounts</description>
12005:             <ident system="http://cce.mitre.org">CCE-4024-6</ident>
12006:             <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
12007:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12008:               <check-content-ref name="oval:org.fedoraproject.f14:def:20306" href="scap-fedora14-oval.xml"/>
12009:             </check>
12010:           </Rule>
12011:           <Rule id="rule-3.13.3.2.c" selected="false" weight="10.000000" severity="medium">
12012:             <title xml:lang="en">Mount Remote Filesystems with noexec</title>
12013:             <description xml:lang="en">The noexec option should be enabled for all NFS mounts</description>
12014:             <ident system="http://cce.mitre.org">CCE-4526-0</ident>
12015:             <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
12016:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12017:               <check-content-ref name="oval:org.fedoraproject.f14:def:20307" href="scap-fedora14-oval.xml"/>
12018:             </check>
12019:           </Rule>
12020:         </Group>
12021:       </Group>
12022:       <Group id="group-3.13.4" hidden="false">
12023:         <title xml:lang="en">Configure NFS Servers</title>
12024:         <description xml:lang="en">The steps in this section are appropriate for machines which operate as NFS servers.</description>
12025:         <Group id="group-3.13.4.1" hidden="false">
12026:           <title xml:lang="en">Configure the Exports File Restrictively</title>
12027:           <description xml:lang="en">
12028:             Linux's NFS implementation uses the file /etc/exports to
12029:             control what filesystems and directories may be accessed via NFS. (See the exports(5)
12030:             manpage for more information about the format of this file.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12031:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12032:             The syntax of the exports
12033:             file is not necessarily checked fully on reload, and syntax errors can leave your NFS
12034:             configuration more open than intended. Therefore, exercise caution when modifying the
12035:             file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12036:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12037:             The syntax of each line in /etc/exports is <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12038:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12039:             /DIR ipaddr1(opt1,opt2) ipaddr2(opt3) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12040:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12041:             where /DIR is a directory or filesystem to export, ipaddrN is an IP address,
12042:             netblock, hostname, domain, or netgroup to which to export, and optN is an option. The option list must immediately follow its host with no intervening whitespace; an option list separated from the host by a space is parsed as a separate entry that applies to any host, which silently widens the export.</description>
12043:           <Group id="group-3.13.4.1.1" hidden="false">
12044:             <title xml:lang="en">Use Access Lists to Enforce Authorization Restrictions on Mounts</title>
12045:             <description xml:lang="en">
12046:               Edit /etc/exports. Ensure that each export line contains a
12047:               set of IP addresses or hosts which are allowed to access that export. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12048:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12049:               If no IP
12050:               addresses or hostnames are specified on an export line, then that export is available
12051:               to any remote host which requests it. All lines of the exports file should specify the
12052:               hosts (or subnets, if needed) which are allowed to access the exported directory, so
12053:               that unknown or remote hosts will be denied.</description>
12054:           </Group>
12055:           <Group id="group-3.13.4.1.2" hidden="false">
12056:             <title xml:lang="en">Use Root-Squashing on All Exports</title>
12057:             <description xml:lang="en">
12058:               Edit /etc/exports. Ensure that no line contains the option no_root_squash. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12059:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12060:               If a filesystem is exported using root squashing, requests from root on
12061:               the client are considered to be unprivileged (mapped to a user such as nobody). This
12062:               provides some mild protection against remote abuse of an NFS server. Root squashing is
12063:               enabled by default, and should not be disabled.</description>
12064:             <Rule id="rule-3.13.4.1.2.a" selected="false" weight="10.000000">
12065:               <title xml:lang="en">Use Root-Squashing on All Exports</title>
12066:               <description xml:lang="en">Root squashing should be enabled for all NFS shares</description>
12067:               <ident system="http://cce.mitre.org">CCE-4544-3</ident>
12068:               <fixtext xml:lang="en">(1) via /etc/exports</fixtext>
12069:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12070:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20308" href="scap-fedora14-oval.xml"/>
12071:               </check>
12072:             </Rule>
12073:           </Group>
12074:           <Group id="group-3.13.4.1.3" hidden="false">
12075:             <title xml:lang="en">Restrict NFS Clients to Privileged Ports</title>
12076:             <description xml:lang="en">
12077:               Edit /etc/exports. Ensure that no line contains the option insecure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12078:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12079:               By default, Linux's NFS implementation requires that all client requests be
12080:               made from ports less than 1024. If your organization has control over machines
12081:               connected to its network, and if NFS requests are prohibited at the border firewall,
12082:               this offers some protection against malicious requests from unprivileged users.
12083:               Therefore, the default should not be changed.</description>
12084:             <Rule id="rule-3.13.4.1.3.a" selected="false" weight="10.000000">
12085:               <title xml:lang="en">Restrict NFS Clients to Privileged Ports</title>
12086:               <description xml:lang="en">Restriction of NFS clients to privileged ports should be enabled</description>
12087:               <ident system="http://cce.mitre.org">CCE-4465-1</ident>
12088:               <fixtext xml:lang="en">(1) via /etc/exports</fixtext>
12089:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12090:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20309" href="scap-fedora14-oval.xml"/>
12091:               </check>
12092:             </Rule>
12093:           </Group>
12094:           <Group id="group-3.13.4.1.4" hidden="false">
12095:             <title xml:lang="en">Export Filesystems Read-Only if Possible</title>
12096:             <description xml:lang="en">
12097:               Edit /etc/exports. Ensure that every line contains the option
12098:               ro and does not contain the option rw, unless there is an operational need for remote
12099:               clients to modify that filesystem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12100:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12101:               If a filesystem is being exported so that users can
12102:               view the files in a convenient fashion, but there is no need for users to edit those
12103:               files, exporting the filesystem read-only removes an attack vector against the server.
12104:               The default filesystem export mode is ro, so do not specify rw without a good reason.</description>
12105:             <Rule id="rule-3.13.4.1.4.a" selected="false" weight="10.000000">
12106:               <title xml:lang="en">Export Filesystems Read-Only if Possible</title>
12107:               <description xml:lang="en">Write access to NFS shares should be disabled</description>
12108:               <ident system="http://cce.mitre.org">CCE-4350-5</ident>
12109:               <fixtext xml:lang="en">(1) via /etc/exports</fixtext>
12110:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12111:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20310" href="scap-fedora14-oval.xml"/>
12112:               </check>
12113:             </Rule>
12114:           </Group>
12115:         </Group>
12116:         <Group id="group-3.13.4.2" hidden="false">
12117:           <title xml:lang="en">Allow Legitimate NFS Clients to Access the Server</title>
12118:           <description xml:lang="en">
12119:             Determine an appropriate network block, netwk, and network
12120:             mask, mask, representing the machines on your network which must mount NFS filesystems
12121:             from this server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12122:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12123:             Edit /etc/sysconfig/iptables. Add the following lines, ensuring that
12124:             they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12125:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12126:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 111 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12127:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 111 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12128:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 2049 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12129:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12130:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport lockd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12131:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport lockd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12132:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport mountd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12133:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport mountd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12134:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport rquotad-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12135:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport rquotad-port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12136:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport statd-port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12137:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport statd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12138:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12139:             where the variable port numbers match those selected in Section 3.13.2.3 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12140:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12141:             The default iptables configuration does not allow inbound access to any services. This
12142:             modification will allow the specified block of remote hosts to initiate connections to
12143:             the set of NFS daemons, while keeping all other ports on the server in their default
12144:             protected state. See Section 2.5.5 for more information about iptables.</description>
12145:         </Group>
12146:       </Group>
12147:     </Group>
12148:     <Group id="group-3.14" hidden="false">
12149:       <title xml:lang="en">DNS Server</title>
12150:       <description xml:lang="en">Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this software should be configured defensively.</description>
12151:       <reference href="">Liu, C. DNS &amp; BIND Cookbook. O’Reilly and Associates, Oct 2002</reference>
12152:       <Group id="group-3.14.1" hidden="false">
12153:         <title xml:lang="en">Disable DNS Server if Possible</title>
12154:         <description xml:lang="en">
12155:           Is there an operational need for this machine to act as a DNS
12156:           server for this site? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12157:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12158:           If not, disable the software and remove it from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12159:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12160:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig named off <xhtml:br/>
12161:           # yum erase bind <xhtml:br/></xhtml:code>
12162:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12163:           DNS software should be disabled on any machine which
12164:           does not need to be a nameserver. Note that the BIND DNS server software is not installed
12165:           on RHEL5 by default. The remainder of this section discusses secure configuration of
12166:           machines which must be nameservers.</description>
12167:         <Rule id="rule-3.14.1.a" selected="false" weight="10.000000" severity="low">
12168:           <title xml:lang="en">Disable DNS Server if Possible</title>
12169:           <description xml:lang="en">The named service should be disabled.</description>
12170:           <ident system="http://cce.mitre.org">CCE-3578-2</ident>
12171:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
12172:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12173:             <check-content-ref name="oval:org.fedoraproject.f14:def:20311" href="scap-fedora14-oval.xml"/>
12174:           </check>
12175:         </Rule>
12176:         <Rule id="rule-3.14.1.b" selected="false" weight="10.000000">
12177:           <title xml:lang="en">Uninstall bind if Possible</title>
12178:           <description xml:lang="en">The bind package should be uninstalled.</description>
12179:           <ident system="http://cce.mitre.org">CCE-4219-2</ident>
12180:           <fixtext xml:lang="en">(1) via yum</fixtext>
12181:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12182:             <check-content-ref name="oval:org.fedoraproject.f14:def:20312" href="scap-fedora14-oval.xml"/>
12183:           </check>
12184:         </Rule>
12185:       </Group>
12186:       <Group id="group-3.14.2" hidden="false">
12187:         <title xml:lang="en">Run the BIND9 Software if DNS Service is Needed</title>
12188:         <description xml:lang="en">
12189:           It is highly recommended that the BIND9 software be used to
12190:           provide DNS service. BIND is the Internet standard Unix nameserver, and, while it has had
12191:           security problems in the past, it is also well-maintained and Red Hat is likely to quickly
12192:           issue updates in response to any problems discovered in the future. In addition, BIND
12193:           version 9 has new security features and more secure default settings than earlier
12194:           versions. In particular, BIND version 4 is no longer recommended for production use, and
12195:           BIND4 servers should be upgraded to a newer version as soon as possible.</description>
12196:       </Group>
12197:       <Group id="group-3.14.3" hidden="false">
12198:         <title xml:lang="en">Isolate DNS from Other Services</title>
12199:         <description xml:lang="en">
12200:           This section discusses mechanisms for preventing the DNS server
12201:           from interfering with other services. This is done both to protect the remainder of the
12202:           network should a nameserver be compromised, and to make direct attacks on nameservers more
12203:           difficult.</description>
12204:         <Group id="group-3.14.3.1" hidden="false">
12205:           <title xml:lang="en">Run DNS Software on Dedicated Servers if Possible</title>
12206:           <description xml:lang="en">
12207:             Since DNS is a high-risk service which must frequently be made
12208:             available to the entire Internet, it is strongly recommended that no other services be
12209:             offered by machines which act as organizational DNS servers.</description>
12210:         </Group>
12211:         <Group id="group-3.14.3.2" hidden="false">
12212:           <title xml:lang="en">Run DNS Software in a chroot Jail</title>
12213:           <description xml:lang="en">
12214:             Install the bind-chroot package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12215:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12216:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install bind-chroot<xhtml:br/></xhtml:code>
12217:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12218:             Place a valid named.conf file inside the chroot jail: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12219:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /etc/named.conf /var/named/chroot/etc/named.conf <xhtml:br/>
12220:             # chown root:root /var/named/chroot/etc/named.conf <xhtml:br/>
12221:             # chmod 644 /var/named/chroot/etc/named.conf <xhtml:br/></xhtml:code>
12222:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12223:             Create and populate an appropriate zone
12224:             directory within the jail, based on the options directive. If your named.conf includes:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12225:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12226:             options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12227:             directory "/path/to/DIRNAME"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12228:             ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12229:             } <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12230:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12231:             then copy that directory and its contents from the original zone directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12232:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12233:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME<xhtml:br/></xhtml:code>
12234:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12235:             Edit the file /etc/sysconfig/named. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12236:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12237:             ROOTDIR=/var/named/chroot<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12238:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12239:             Chroot jails are not foolproof. However, they serve to make it more difficult for a
12240:             compromised program to be used to attack the entire host. They do this by restricting a
12241:             program's ability to traverse the directory upward, so that files outside the jail are
12242:             not visible to the chrooted process. Since RHEL5 supports a standard mechanism for
12243:             placing BIND in a chroot jail, you should take advantage of this feature. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12244:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12245:             Note: If you
12246:             are running BIND in a chroot jail, then you should use the jailed named.conf as the
12247:             primary nameserver configuration file. That is, when this guide recommends editing
12248:             /etc/named.conf, you should instead edit /var/named/chroot/etc/named.conf.</description>
12249:           <Value id="var-3.14.3.2.a" operator="equals" type="string">
12250:             <title xml:lang="en">group owner of jail</title>
12251:             <description xml:lang="en">Specify group owner of /var/named/chroot/etc/named.conf</description>
12252:             <question xml:lang="en">Specify group owner of /var/named/chroot/etc/named.conf</question>
12253:             <value>root</value>
12254:             <value selector="root">root</value>
12255:           </Value>
12256:           <Value id="var-3.14.3.2.b" operator="equals" type="string">
12257:             <title xml:lang="en">user owner of jail</title>
12258:             <description xml:lang="en">Specify user owner of /var/named/chroot/etc/named.conf</description>
12259:             <question xml:lang="en">Specify user owner of /var/named/chroot/etc/named.conf</question>
12260:             <value>root</value>
12261:             <value selector="root">root</value>
12262:           </Value>
12263:           <Value id="var-3.14.3.2.c" operator="equals" type="string">
12264:             <title xml:lang="en">permission of jail</title>
12265:             <description xml:lang="en">Specify file permissions on /var/named/chroot/etc/named.conf</description>
12266:             <question xml:lang="en">Specify permissions of /var/named/chroot/etc/named.conf</question>
12267:             <value>110100100</value>
12268:             <value selector="400">100000000</value>
12269:             <value selector="644">110100100</value>
12270:             <value selector="700">111000000</value>
12271:             <match>^[01]+$</match>
12272:           </Value>
12273:           <Rule id="rule-3.14.3.2.a" selected="false" weight="10.000000">
12274:             <title xml:lang="en">Run DNS Software in a chroot Jail owned by root group</title>
12275:             <description xml:lang="en">The /var/named/chroot/etc/named.conf file should be owned by the appropriate group.</description>
12276:             <ident system="http://cce.mitre.org">CCE-3985-9</ident>
12277:             <fixtext xml:lang="en">(1) via chown</fixtext>
12278:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12279:               <check-export export-name="oval:org.fedoraproject.f14:var:20313" value-id="var-3.14.3.2.a"/>
12280:               <check-content-ref name="oval:org.fedoraproject.f14:def:20313" href="scap-fedora14-oval.xml"/>
12281:             </check>
12282:           </Rule>
12283:           <Rule id="rule-3.14.3.2.b" selected="false" weight="10.000000">
12284:             <title xml:lang="en">Run DNS Software in a chroot Jail owned by root user</title>
12285:             <description xml:lang="en">The /var/named/chroot/etc/named.conf file should be owned by the appropriate user.</description>
12286:             <ident system="http://cce.mitre.org">CCE-4258-0</ident>
12287:             <fixtext xml:lang="en">(1) via chown</fixtext>
12288:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12289:               <check-export export-name="oval:org.fedoraproject.f14:var:20314" value-id="var-3.14.3.2.b"/>
12290:               <check-content-ref name="oval:org.fedoraproject.f14:def:20314" href="scap-fedora14-oval.xml"/>
12291:             </check>
12292:           </Rule>
12293:           <Rule id="rule-3.14.3.2.c" selected="false" weight="10.000000">
12294:             <title xml:lang="en">Set permissions on chroot Jail for DNS</title>
12295:             <description xml:lang="en">File permissions for /var/named/chroot/etc/named.conf should be set correctly.</description>
12296:             <ident system="http://cce.mitre.org">CCE-4487-5</ident>
12297:             <fixtext xml:lang="en">(1) via chmod</fixtext>
12298:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12299:               <check-export export-name="oval:org.fedoraproject.f14:var:20315" value-id="var-3.14.3.2.c"/>
12300:               <check-content-ref name="oval:org.fedoraproject.f14:def:20315" href="scap-fedora14-oval.xml"/>
12301:             </check>
12302:           </Rule>
12303:         </Group>
12304:         <Group id="group-3.14.3.3" hidden="false">
12305:           <title xml:lang="en">Configure Firewalls to Protect the DNS Server</title>
12306:           <description xml:lang="en">
12307:             Edit the file /etc/sysconfig/iptables. Add the following lines,
12308:             ensuring that they appear before the final LOG and DROP lines for the
12309:             RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12310:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12311:             -A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12312:             -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12313:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12314:             These
12315:             lines are necessary in order to allow remote machines to contact the DNS server. If this
12316:             server is only available to the local network, it may be appropriate to insert a -s flag
12317:             into this rule to allow traffic only from packets on the local network. See Section
12318:             3.5.1.2 for an example of such a modification. See Section 2.5.5 for general information
12319:             about iptables.</description>
12320:         </Group>
12321:       </Group>
12322:       <Group id="group-3.14.4" hidden="false">
12323:         <title xml:lang="en">Protect DNS Data from Tampering or Attack</title>
12324:         <description xml:lang="en">This section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data.</description>
12325:         <Group id="group-3.14.4.1" hidden="false">
12326:           <title xml:lang="en">Run Separate DNS Servers for External and Internal Queries if
12327:             Possible</title>
12328:           <description xml:lang="en">
12329:             Is it possible to run external and internal nameservers on
12330:             separate machines? If so, follow the configuration guidance in this section. If not, see
12331:             Section 3.14.4.2 for an alternate approach using BIND9. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12332:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12333:             On the external nameserver, edit /etc/named.conf. Add or correct the following
12334:             directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12335:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12336:             options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12337:             allow-query { any; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12338:             recursion no; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12339:             ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12340:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12341:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12343:             ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12344:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12345:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12346:             On the internal nameserver, edit
12347:             /etc/named.conf. Add or correct the following directives, where SUBNET is the numerical
12348:             IP representation of your organization in the form xxx.xxx.xxx.xxx/xx: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12349:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12350:             acl internal {<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            SUBNET; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12352:             localhost; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12353:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12354:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12355:             options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12356:             allow-query { internal; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12357:             ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12358:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12359:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            zone "internal.example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12361:             ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12362:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12363:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12364:             Enterprise nameservers generally serve two
12365:             functions. One is to provide public information about the machines in a domain for the
12366:             benefit of outside users who wish to contact those machines, for instance in order to
12367:             send mail to users in the enterprise, or to visit the enterprise's external web page.
12368:             The other is to provide nameservice to client machines within the enterprise. Client
12369:             machines require both private information about enterprise machines (which may be
12370:             different from the public information served to the rest of the world) and public
12371:             information about machines outside the enterprise, which is used to send mail or visit
12372:             websites outside of the organization. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12373:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            In order to provide the public nameservice
            function, it is necessary to share data with untrusted machines which request it —
            otherwise, the enterprise cannot be conveniently contacted by outside users. However,
            internal data should be protected from disclosure, and answering recursive queries for
            outside domains on behalf of untrusted clients leaves the DNS server open to cache
            poisoning and other attacks. Therefore, local network nameservice functions should not
            be provided to untrusted machines. In the configuration above this is achieved by
            setting recursion no on the external server, so that it answers only for the zones for
            which it is authoritative, and by limiting allow-query on the internal server to the
            internal ACL, so that it performs recursive lookups only for internal clients. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12381:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12382:             Separate machines should be used to fill these two functions whenever possible.</description>
12383:         </Group>
12384:         <Group id="group-3.14.4.2" hidden="false">
12385:           <title xml:lang="en">Use Views to Partition External and Internal Information if Necessary</title>
12386:           <description xml:lang="en">
12387:             If it is not possible to run external and internal nameservers
12388:             on separate physical machines, run BIND9 and simulate this feature using views. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12389:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12390:             Edit
12391:             /etc/named.conf. Add or correct the following directives (where SUBNET is the numerical
12392:             IP representation of your organization in the form xxx.xxx.xxx.xxx/xx): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12393:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12394:             acl internal {<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            SUBNET; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12396:             localhost; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12397:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12398:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12399:             view "internal-view" { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12400:             match-clients { internal; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12401:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12402:             zone "." IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12403:             type hint; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12404:             file "db.cache"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12405:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12406:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            zone "internal.example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12408:             ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12409:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12410:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12411:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12412:             view "external-view" { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12413:             match-clients { any; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12414:             recursion no; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12415:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12417:             ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12418:             };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12419:             }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12420:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12421:             The view feature is provided by BIND9 as a way to allow a single nameserver to make
12422:             different sets of data available to different sets of clients. If possible, it is always
12423:             better to run external and internal nameservers on separate machines, so that even
12424:             complete compromise of the external server cannot be used to obtain internal data or
12425:             confuse internal DNS clients. However, this is not always feasible, and use of a feature
12426:             like views is preferable to leaving internal DNS data entirely unprotected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12427:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12428:             Note: As
12429:             shown in the example, database files which are required for recursion, such as the root
12430:             hints file, must be available to any clients which are allowed to make recursive
12431:             queries. Under typical circumstances, this includes only the internal clients which are
12432:             allowed to use this server as a general-purpose nameserver.</description>
12433:         </Group>
12434:         <Group id="group-3.14.4.3" hidden="false">
12435:           <title xml:lang="en">Disable Zone Transfers from the Nameserver if Possible</title>
12436:           <description xml:lang="en">
12437:             Is it necessary for a secondary nameserver to receive zone data
12438:             via zone transfer from the primary server? If not, follow the instructions in this
12439:             section. If so, see the next section for instructions on protecting zone transfers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12440:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12441:             Edit /etc/named.conf. Add or correct the following directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12442:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            allow-transfer { none; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12446:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            If both the primary and secondary nameserver are under your control, or
            if you have only one nameserver, it may be possible to use an external configuration
            management mechanism to distribute zone updates. In that case, it is not necessary to
            allow zone transfers within BIND itself, so they should be disabled to avoid the
            potential for abuse: an unrestricted zone transfer hands an attacker a complete list of
            the hosts in the zone. Note that a per-zone allow-transfer statement (as used in the next
            section) overrides this global default for that zone, so check each zone definition as
            well.</description>
12452:         </Group>
12453:         <Group id="group-3.14.4.4" hidden="false">
12454:           <title xml:lang="en">Authenticate Zone Transfers if Necessary</title>
12455:           <description xml:lang="en">
12456:             If it is necessary for a secondary nameserver to receive zone
12457:             data via zone transfer from the primary server, follow the instructions here. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12458:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            Use dnssec-keygen to create a symmetric key file in the current directory. Both files it
            writes contain the shared secret, so run it in a directory readable only by root (not in
            a world-readable location such as /tmp) and delete the files once the secret has been
            copied into named.conf, as described in the note at the end of this section. HMAC-MD5 is
            shown for compatibility with older servers; where both servers support it, prefer a
            stronger algorithm such as HMAC-SHA256 and name that same algorithm in the algorithm
            directives below: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /root <xhtml:br/>
            # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com <xhtml:br/></xhtml:code>
            Kdns.example.com.+NNN+MMMMM<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12464:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12465:             This output is the name of a file containing the new key. Read the file to find the
12466:             base64-encoded key string: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12467:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12468:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cat Kdns.example.com.+NNN+MMMMM.key <xhtml:br/></xhtml:code>
12469:             dns.example.com IN KEY 512 3 157 base64-key-string <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12470:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12471:             Edit /etc/named.conf on the primary nameserver. Add the directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12472:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            key zone-transfer-key { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            algorithm hmac-md5; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            secret "base64-key-string"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            type master; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            allow-transfer { key zone-transfer-key; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12483:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12484:             Edit /etc/named.conf on the secondary nameserver. Add the directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12485:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            key zone-transfer-key { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            algorithm hmac-md5; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            secret "base64-key-string"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            server IP-OF-MASTER { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            keys { zone-transfer-key; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            type slave;<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            masters { IP-OF-MASTER; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12500:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12501:             The BIND transaction signature (TSIG) functionality
12502:             allows primary and secondary nameservers to use a shared secret to verify authorization
12503:             to perform zone transfers. This method is more secure than using IP-based limiting to
12504:             restrict nameserver access, since IP addresses can be easily spoofed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12505:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12506:             However, if you
12507:             cannot configure TSIG between your servers because, for instance, the secondary
12508:             nameserver is not under your control and its administrators are unwilling to configure
12509:             TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs
12510:             as a last resort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12511:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            Note: The purpose of the dnssec-keygen command is to create the shared
            secret string base64-key-string. Once this secret has been obtained and inserted into
            named.conf on the primary and secondary servers, the key files
            Kdns.example.com.+NNN+MMMMM.key and Kdns.example.com.+NNN+MMMMM.private are no longer
            needed, and may safely be deleted. The secret then lives in named.conf, so that file (or
            a separate file holding only the key statement, pulled in with an include directive) must
            be readable only by root and the user named runs as: anyone who can read the secret can
            request zone transfers. Copy the secret to the secondary over an encrypted channel such
            as SSH, never over an unencrypted one.</description>
12517:         </Group>
12518:         <Group id="group-3.14.4.5" hidden="false">
12519:           <title xml:lang="en">Disable Dynamic Updates if Possible</title>
12520:           <description xml:lang="en">
12521:             Is there a mission-critical reason to enable the risky dynamic
12522:             update functionality? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12523:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12524:             Edit /etc/named.conf. For each zone specification, correct
12525:             the following directive if necessary: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12526:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            allow-update { none; };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12531:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            Dynamic updates allow any remote host matching the allow-update ACL to add, delete, or
            modify any record in the zone. Therefore, they should be considered highly risky, and
            disabled unless there is a very good reason for their use. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            If dynamic updates must be allowed, IP-based ACLs
            are insufficient protection, since source addresses are easily spoofed. Instead, use
            TSIG keys (see the previous section for an example), and prefer the update-policy
            directive, which restricts each key to the precise names and record types it needs to
            change. Note that allow-update and update-policy are mutually exclusive within a zone;
            use one or the other.</description>
12540:           <Rule id="rule-3.14.4.5.a" selected="false" weight="10.000000">
12541:             <title xml:lang="en">Disable DNS Dynamic Updates if Possible</title>
            <description xml:lang="en">BIND's dynamic update feature (allow-update) should be disabled for every zone</description>
12543:             <ident system="http://cce.mitre.org">CCE-4399-2</ident>
12544:             <fixtext xml:lang="en">(1) via /etc/named.conf</fixtext>
12545:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12546:               <check-content-ref name="oval:org.fedoraproject.f14:def:20316" href="scap-fedora14-oval.xml"/>
12547:             </check>
12548:           </Rule>
12549:         </Group>
12550:       </Group>
12551:     </Group>
12552:     <Group id="group-3.15" hidden="false">
12553:       <title xml:lang="en">FTPServer</title>
12554:       <description xml:lang="en">
12555:         FTP is a common method for allowing remote access to files. Like
12556:         telnet, the FTP protocol is unencrypted, which means that passwords and other data
12557:         transmitted during the session can be captured and that the session is vulnerable to
12558:         hijacking. Therefore, running the FTP server software is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12559:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12560:         However, there are
12561:         some FTP server configurations which may be appropriate for some environments, particularly
12562:         those which allow only read-only anonymous access as a means of downloading data available
12563:         to the public.</description>
12564:       <Group id="group-3.15.1" hidden="false">
12565:         <title xml:lang="en">Disable vsftpd if Possible</title>
12566:         <description xml:lang="en">
12567:           Is there a mission-critical reason for the machine to act as an
12568:           FTP server? If not, disable vsftpd if it has been installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12569:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12570:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig vsftpd off</xhtml:code></description>
12571:         <Rule id="rule-3.15.1.a" selected="false" weight="10.000000" severity="low">
12572:           <title xml:lang="en">Disable vsftpd if Possible</title>
12573:           <description xml:lang="en">The vsftpd service should be disabled.</description>
12574:           <ident system="http://cce.mitre.org">CCE-3919-8</ident>
12575:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
12576:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12577:             <check-content-ref name="oval:org.fedoraproject.f14:def:20317" href="scap-fedora14-oval.xml"/>
12578:           </check>
12579:         </Rule>
12580:         <Rule id="rule-3.15.1.b" selected="false" weight="10.000000" severity="low">
12581:           <title xml:lang="en">Uninstall vsftpd if Possible</title>
          <description xml:lang="en">The vsftpd package should be uninstalled.</description>
12583:           <ident system="http://cce.mitre.org">CCE-3919-8</ident>
12584:           <fixtext xml:lang="en">(1) via yum</fixtext>
12585:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12586:             <check-content-ref name="oval:org.fedoraproject.f14:def:203175" href="scap-fedora14-oval.xml"/>
12587:           </check>
12588:         </Rule>
12589:       </Group>
12590:       <Group id="group-3.15.2" hidden="false">
12591:         <title xml:lang="en">Use vsftpd to Provide FTP Service if Necessary</title>
12592:         <description xml:lang="en">
12593:           If this machine must operate as an FTP server, install the vsftpd
12594:           package via the standard channels: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vsftpd</xhtml:code> After RHEL 2.1, Red Hat switched
12595:           from distributing wu-ftpd with RHEL to distributing vsftpd. For security and for
12596:           consistency with future Red Hat releases, the use of vsftpd is recommended.</description>
12597:       </Group>
12598:       <Group id="group-3.15.3" hidden="false">
12599:         <title xml:lang="en">Configure vsftpd Securely</title>
12600:         <description xml:lang="en">
12601:           The primary vsftpd configuration file is /etc/vsftpd.conf, if
12602:           that file exists, or /etc/vsftpd/vsftpd.conf if it does not. For the remainder of this
12603:           section, the phrase 'the configuration file' will refer to whichever of those files is
12604:           appropriate for your environment.</description>
12605:         <Group id="group-3.15.3.1" hidden="false">
12606:           <title xml:lang="en">Enable Logging of All FTP Transactions</title>
12607:           <description xml:lang="en">
12608:             Edit the vsftpd configuration file. Add or correct the
12609:             following configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12610:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12611:             xferlog_std_format=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12612:             log_ftp_protocol=YES <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12613:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            The
            modifications above ensure that all commands sent to the ftp server are logged using the
            verbose vsftpd log format. They take effect only if logging is enabled at all, so also
            confirm that xferlog_enable=YES (the Fedora default) has not been overridden with NO in
            the configuration file. The default vsftpd log file is /var/log/vsftpd.log. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12617:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12618:             Note: If
12619:             verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog
12620:             will not also occur. However, the information about what files were downloaded is
12621:             included in the information logged to vsftpd.log.</description>
12622:           <Rule id="rule-3.15.3.1.a" selected="false" weight="10.000000" severity="low">
12623:             <title xml:lang="en">Enable Logging of All FTP Transactions</title>
12624:             <description xml:lang="en">Logging of vsftpd transactions should be enabled</description>
12625:             <ident system="http://cce.mitre.org">CCE-4549-2</ident>
12626:             <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12627:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12628:               <check-content-ref name="oval:org.fedoraproject.f14:def:20318" href="scap-fedora14-oval.xml"/>
12629:             </check>
12630:           </Rule>
12631:         </Group>
12632:         <Group id="group-3.15.3.2" hidden="false">
12633:           <title xml:lang="en">Create Warning Banners for All FTP Users</title>
12634:           <description xml:lang="en">
12635:             Edit the vsftpd configuration file. Add or correct the
12636:             following configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12637:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12638:             banner_file=/etc/issue <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12639:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12640:             See Section 2.3.7 for an
12641:             explanation of banner file use. This setting will cause the system greeting banner to be
12642:             used for FTP connections as well.</description>
12643:           <Rule id="rule-3.15.3.2.a" selected="false" weight="10.000000">
12644:             <title xml:lang="en">Create Warning Banners for All FTP Users</title>
12645:             <description xml:lang="en">A warning banner for all FTP users should be enabled</description>
12646:             <ident system="http://cce.mitre.org">CCE-4554-2</ident>
12647:             <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12648:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12649:               <check-content-ref name="oval:org.fedoraproject.f14:def:20319" href="scap-fedora14-oval.xml"/>
12650:             </check>
12651:           </Rule>
12652:         </Group>
12653:         <Group id="group-3.15.3.3" hidden="false">
12654:           <title xml:lang="en">Restrict the Set of Users Allowed to Access FTP</title>
12655:           <description xml:lang="en">
12656:             This section describes how to disable non-anonymous
12657:             (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy
12658:             applications, how to restrict insecure FTP login to only those users who have an
12659:             identified need for this access.</description>
12660:           <Group id="group-3.15.3.3.1" hidden="false">
12661:             <title xml:lang="en">Restrict Access to Anonymous Users if Possible</title>
12662:             <description xml:lang="en">
12663:               Is there a mission-critical reason for users to transfer
12664:               files to/from their own accounts using FTP, rather than using a secure protocol like
12665:               SCP/SFTP? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12666:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12667:               Edit the vsftpd configuration file. Add or correct the following
12668:               configuration option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12669:               local_enable=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12670:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12671:               If non-anonymous FTP logins are necessary,
12672:               follow the guidance in the remainder of this section to secure these logins as much as
12673:               possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12674:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12675:               The use of non-anonymous FTP logins is strongly discouraged. Since SSH
12676:               clients and servers are widely available, and since SSH provides support for a
12677:               transfer mode which resembles FTP in user interface, there is no good reason to allow
12678:               password-based FTP access. See Section 3.5 for more information about SSH.</description>
12679:             <Rule id="rule-3.15.3.3.1.a" selected="false" weight="10.000000" severity="high">
12680:               <title xml:lang="en">Restrict Access to Anonymous Users if Possible</title>
12681:               <description xml:lang="en">Local user login to the vsftpd service should be disabled</description>
12682:               <ident system="http://cce.mitre.org">CCE-4443-8</ident>
12683:               <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12684:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12685:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20320" href="scap-fedora14-oval.xml"/>
12686:               </check>
12687:             </Rule>
12688:           </Group>
12689:           <Group id="group-3.15.3.3.2" hidden="false">
12690:             <title xml:lang="en">Limit Users Allowed FTP Access if Necessary</title>
12691:             <description xml:lang="en">
12692:               If there is a mission-critical reason for users to access
12693:               their accounts via the insecure FTP protocol, limit the set of users who are allowed
12694:               this access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12695:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12696:               Edit the vsftpd configuration file. Add or correct the following
12697:               configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12698:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12699:               userlist_enable=YES <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12700:               userlist_file=/etc/vsftp.ftpusers<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12701:               userlist_deny=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12702:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12703:               Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should
12704:               be allowed to access the system via ftp, add a line containing that user's name.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12705:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12706:               USERNAME <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12707:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12708:               If anonymous access is also required, add the anonymous usernames to
12709:               /etc/vsftp.ftpusers as well: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12710:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12711:               anonymous <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12712:               ftp <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12713:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
              Historically, the file /etc/ftpusers
              contained a list of users who were not allowed to access the system via ftp. It was
              used to prevent system users such as the root user from logging in via the insecure
              ftp protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
              However, when the configuration option userlist_deny=NO is set, vsftpd
              interprets the file named by userlist_file (here /etc/vsftp.ftpusers) as the set of
              users who are allowed to login via ftp; any other user is rejected before a password is
              even requested. Since it
              should be possible for most users to access their accounts via secure protocols, it is
              recommended that this setting be used, so that non-anonymous ftp access can be limited
              to legacy users who have been explicitly identified. Do not add root or other system
              accounts to this file, and leave the separate deny list /etc/vsftpd/ftpusers in place:
              on Fedora it is typically still enforced through PAM (/etc/pam.d/vsftpd) independently
              of the userlist_* options.</description>
12723:           </Group>
12724:         </Group>
12725:         <Group id="group-3.15.3.4" hidden="false">
12726:           <title xml:lang="en">Disable FTP Uploads if Possible</title>
12727:           <description xml:lang="en">
12728:             Is there a mission-critical reason for users to upload files
12729:             via FTP? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12730:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12731:             Edit the vsftpd configuration file. Add or correct the following
12732:             configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12733:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12734:             write_enable=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12735:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12736:             If FTP uploads are necessary, follow the guidance
12737:             in the remainder of this section to secure these transactions as much as possible.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12738:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12739:             Anonymous FTP can be a convenient way to make files available for universal download.
12740:             However, it is less common to have a need to allow unauthenticated users to place files
12741:             on the FTP server. If this must be done, it is necessary to ensure that files cannot be
12742:             uploaded and downloaded from the same directory.</description>
12743:           <Rule id="rule-3.15.3.4.a" selected="false" weight="10.000000" severity="medium">
12744:             <title xml:lang="en">Disable FTP Uploads if Possible</title>
12745:             <description xml:lang="en">File uploads via vsftpd should be disabled</description>
12746:             <ident system="http://cce.mitre.org">CCE-4461-0</ident>
12747:             <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12748:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12749:               <check-content-ref name="oval:org.fedoraproject.f14:def:20321" href="scap-fedora14-oval.xml"/>
12750:             </check>
12751:           </Rule>
12752:         </Group>
12753:         <Group id="group-3.15.3.5" hidden="false">
12754:           <title xml:lang="en">Place the FTP Home Directory on its Own Partition</title>
12755:           <description xml:lang="en">
12756:             By default, the anonymous FTP root is the home directory of the
12757:             ftp user account. The df command can be used to verify that this directory is on its own
12758:             partition. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12759:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12760:             If there is a mission-critical reason for anonymous users to upload files,
12761:             precautions must be taken to prevent these users from filling a disk used by other
12762:             services.</description>
12763:         </Group>
12764:         <Group id="group-3.15.3.6" hidden="false">
12765:           <title xml:lang="en">Configure Firewalls to Protect the FTP Server</title>
12766:           <description xml:lang="en">
12767:             Edit the file /etc/sysconfig/iptables. Add the following lines,
12768:             ensuring that they appear before the final LOG and DROP lines for the
12769:             RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12770:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12771:             -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12772:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12773:             Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated
12774:             list of modules contains the FTP connection tracking module:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12775:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12776:             IPTABLES_MODULES="ip_conntrack_ftp" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12777:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12778:             These settings configure iptables to allow
12779:             connections to an FTP server. The first line allows initial connections to the FTP
12780:             server port. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12781:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12782:             FTP is an older protocol which is not very compatible with firewalls.
12783:             During the initial FTP dialogue, the client and server negotiate an arbitrary port to be
12784:             used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to
12785:             that dialogue and allow connections to the data ports which FTP negotiates. This allows
12786:             an FTP server to operate on a machine which is running a firewall.</description>
12787:         </Group>
12788:       </Group>
12789:     </Group>
12790:     <Group id="group-3.16" hidden="false">
12791:       <title xml:lang="en">Web Server</title>
12792:       <description xml:lang="en">
12793:         The web server is responsible for providing access to content via
12794:         the HTTP protocol. Web servers represent a significant security risk because: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12795:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12796:         <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
12797:           <xhtml:li>The HTTP port is commonly probed by malicious sources </xhtml:li>
12798:           <xhtml:li>Web server software is very complex, and includes a long history of vulnerabilities </xhtml:li>
12799:           <xhtml:li>The HTTP protocol is unencrypted and vulnerable to passive monitoring </xhtml:li>
12800:         </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12801:         <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12802:         The system's default web server software is Apache 2 and is provided
12803:         in the RPM package httpd.</description>
12804:       <reference href="">Ristic, I. Apache Security. O’Reilly and Associates, Mar 2005</reference>
12805:       <Group id="group-3.16.1" hidden="false">
12806:         <title xml:lang="en">Disable Apache if Possible</title>
12807:         <description xml:lang="en">
12808:           If Apache was installed and activated, but the system does not
12809:           need to act as a web server, then it should be disabled and removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12810:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12811:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig httpd off <xhtml:br/>
12812:           # yum erase httpd</xhtml:code></description>
12813:         <Rule id="rule-3.16.1.a" selected="false" weight="10.000000" severity="low">
12814:           <title xml:lang="en">Disable Apache if Possible</title>
12815:           <description xml:lang="en">The httpd service should be disabled.</description>
12816:           <ident system="http://cce.mitre.org">CCE-4338-0</ident>
12817:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
12818:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12819:             <check-content-ref name="oval:org.fedoraproject.f14:def:20322" href="scap-fedora14-oval.xml"/>
12820:           </check>
12821:         </Rule>
12822:         <Rule id="rule-3.16.1.b" selected="false" weight="10.000000">
12823:           <title xml:lang="en">Uninstall Apache if Possible</title>
12824:           <description xml:lang="en">The httpd package should be uninstalled.</description>
12825:           <ident system="http://cce.mitre.org">CCE-4514-6</ident>
12826:           <fixtext xml:lang="en">(1) via yum</fixtext>
12827:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12828:             <check-content-ref name="oval:org.fedoraproject.f14:def:20323" href="scap-fedora14-oval.xml"/>
12829:           </check>
12830:         </Rule>
12831:       </Group>
12832:       <Group id="group-3.16.2" hidden="false">
12833:         <title xml:lang="en">Install Apache if Necessary</title>
12834:         <description xml:lang="en">
12835:           If the Apache web server must be run, follow these guidelines to
12836:           install it defensively. Then follow the guidelines in the remainder of Section 3.16 to
12837:           configure the web server machine and software as securely as possible.</description>
12838:         <Group id="group-3.16.2.1" hidden="false">
12839:           <title xml:lang="en">Install Apache Software Safely</title>
12840:           <description xml:lang="en">
12841:             Install the Apache 2 package from the standard Red Hat
12842:             distribution channel: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12843:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12844:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install httpd <xhtml:br/></xhtml:code>
12845:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12846:             Note: This method of installation is
12847:             recommended over installing the 'Web Server' package group during the system
12848:             installation process. The Web Server package group includes many packages which are
12849:             likely extraneous, while the command-line method installs only the required httpd
12850:             package itself.</description>
12851:         </Group>
12852:         <Group id="group-3.16.2.2" hidden="false">
12853:           <title xml:lang="en">Confirm Minimal Built-in Modules</title>
12854:           <description xml:lang="en">
12855:             The default Apache installation minimizes the number of modules
12856:             that are compiled directly into the binary (core, prefork, http_core, mod_so). This
12857:             minimizes risk by limiting the capabilities allowed by the webserver. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12858:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12859:             Query the set of compiled-in modules using the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12860:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12861:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ httpd -l <xhtml:br/></xhtml:code>
12862:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12863:             If the number of compiled-in
12864:             modules is significantly larger than the aforementioned set, this guide recommends
12865:             reinstalling Apache with a reduced configuration.</description>
12866:         </Group>
12867:       </Group>
12868:       <Group id="group-3.16.3" hidden="false">
12869:         <title xml:lang="en">Secure the Apache Configuration</title>
12870:         <description xml:lang="en">
12871:           The Apache configuration file is /etc/httpd/conf/httpd.conf.
12872:           Apply the recommendations in the remainder of this section to this file.</description>
12873:         <Group id="group-3.16.3.1" hidden="false">
12874:           <title xml:lang="en">Restrict Information Leakage</title>
12875:           <description xml:lang="en">
12876:             The ServerTokens and ServerSignature directives determine how
12877:             much information the web server discloses about the configuration of the system.
12878:             ServerTokens Prod restricts information in page headers, returning only the word
12879:             'Apache.' ServerSignature Off keeps Apache from displaying the server version on error
12880:             pages. It is a good security practice to limit the information provided to clients. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12881:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12882:             Add
12883:             or correct the following directives in /etc/httpd/conf/httpd.conf so that as little
12884:             information as possible is released: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12885:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12886:             ServerTokens Prod <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12887:             ServerSignature Off</description>
12888:           <Value id="var-3.16.3.1.a" operator="equals" type="string">
12889:             <title xml:lang="en">value of ServerTokens</title>
12890:             <description xml:lang="en">Tells apache to only return Apache in the Server header, returned on every page request.</description>
12891:             <question xml:lang="en">Specify restrictions of provided information in page headers for web server</question>
12892:             <value>Prod</value>
12893:             <value selector="prod">Prod</value>
12894:           </Value>
12895:           <Value id="var-3.16.3.1.b" operator="equals" type="string">
12896:             <title xml:lang="en">value of ServerSignature</title>
12897:             <description xml:lang="en">Tells apache not to display the server version on error pages, or other pages it generates.</description>
12898:             <question xml:lang="en">Enable/Disable Apache displaying the server version on error pages</question>
12899:             <value>Off</value>
12900:             <value selector="off">Off</value>
12901:           </Value>
12902:           <Rule id="rule-3.16.3.1.a" selected="false" weight="10.000000">
12903:             <title xml:lang="en">Restrict Information Leakage using ServerTokens</title>
12904:             <description xml:lang="en">The apache2 server's ServerTokens value should be set appropriately</description>
12905:             <ident system="http://cce.mitre.org">CCE-4474-3</ident>
12906:             <fixtext xml:lang="en">(1) via /etc/httpd/conf/httpd.conf</fixtext>
12907:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12908:               <check-export export-name="oval:org.fedoraproject.f14:var:20324" value-id="var-3.16.3.1.a"/>
12909:               <check-content-ref name="oval:org.fedoraproject.f14:def:20324" href="scap-fedora14-oval.xml"/>
12910:             </check>
12911:           </Rule>
12912:           <Rule id="rule-3.16.3.1.b" selected="false" weight="10.000000">
12913:             <title xml:lang="en">Restrict Information Leakage using ServerSignature</title>
12914:             <description xml:lang="en">The apache2 server's ServerSignature value should be set appropriately</description>
12915:             <ident system="http://cce.mitre.org">CCE-3756-4</ident>
12916:             <fixtext xml:lang="en">(1) via /etc/httpd/conf/httpd.conf</fixtext>
12917:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12918:               <check-export export-name="oval:org.fedoraproject.f14:var:20325" value-id="var-3.16.3.1.b"/>
12919:               <check-content-ref name="oval:org.fedoraproject.f14:def:20325" href="scap-fedora14-oval.xml"/>
12920:             </check>
12921:           </Rule>
12922:         </Group>
12923:         <Group id="group-3.16.3.2" hidden="false">
12924:           <title xml:lang="en">Minimize Loadable Modules</title>
12925:           <description xml:lang="en">
12926:             A default installation of Apache includes a plethora of
12927:             'dynamically shared objects' (DSO) that are loaded at run-time. Unlike the
12928:             aforementioned 'compiled-in' modules, a DSO can be disabled in the configuration file by
12929:             removing the corresponding LoadModule directive. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12930:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12931:             Note: A DSO only provides additional
12932:             functionality if associated directives are included in the Apache configuration file. It
12933:             should also be noted that removing a DSO will produce errors on Apache startup if the
12934:             configuration file contains directives that apply to that module. Refer to
12935:             http://httpd.apache.org/docs/ for details on which directives are associated with each
12936:             DSO. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12937:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12938:             Following each DSO removal, the configuration can be tested with the following command
12939:             to check if everything still works: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12940:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12941:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service httpd configtest <xhtml:br/></xhtml:code>
12942:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12943:             The purpose of each of
12944:             the modules loaded by default will now be addressed one at a time. If none of a module's
12945:             directives are being used, remove it.</description>
12946:           <Group id="group-3.16.3.2.1" hidden="false">
12947:             <title xml:lang="en">Apache Core Modules</title>
12948:             <description xml:lang="en">
12949:               These modules comprise a basic subset of modules that are
12950:               likely needed for base Apache functionality; ensure they are not commented out in
12951:               /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12952:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12953:               LoadModule auth_basic_module modules/mod_auth_basic.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12954:               LoadModule authn_default_module modules/mod_authn_default.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12955:               LoadModule authz_host_module modules/mod_authz_host.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12956:               LoadModule authz_user_module modules/mod_authz_user.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12957:               LoadModule authz_groupfile_module modules/mod_authz_groupfile.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12958:               LoadModule authz_default_module modules/mod_authz_default.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12959:               LoadModule log_config_module modules/mod_log_config.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12960:               LoadModule logio_module modules/mod_logio.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12961:               LoadModule setenvif_module modules/mod_setenvif.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12962:               LoadModule mime_module modules/mod_mime.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12963:               LoadModule autoindex_module modules/mod_autoindex.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12964:               LoadModule negotiation_module modules/mod_negotiation.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12965:               LoadModule dir_module modules/mod_dir.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12966:               LoadModule alias_module modules/mod_alias.so</description>
12967:           </Group>
12968:           <Group id="group-3.16.3.2.2" hidden="false">
12969:             <title xml:lang="en">HTTP Basic Authentication</title>
12970:             <description xml:lang="en">
12971:               The following modules are necessary if this web server will
12972:               provide content that will be restricted by a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12973:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12974:               Authentication can be performed
12975:               using local plain text password files (authn_file), local DBM password files
12976:               (authn_dbm) or an LDAP directory (see Section 3.16.3.2.5). The only module required by the
12977:               web server depends on your choice of authentication. Comment out the modules you don't
12978:               need from the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12979:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12980:               LoadModule authn_file_module modules/mod_authn_file.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12981:               LoadModule authn_dbm_module modules/mod_authn_dbm.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12982:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12983:               authn_alias allows for
12984:               authentication based on aliases. authn_anon allows anonymous authentication similar to
12985:               that of anonymous ftp sites. authz_owner allows authorization based on file ownership.
12986:               authz_dbm allows for authorization based on group membership if the web server is
12987:               using DBM authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12988:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12989:               If the above functionality is unnecessary, comment out the
12990:               related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12991:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12992:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule authn_alias_module modules/mod_authn_alias.so <xhtml:br/>
12993:               #LoadModule authn_anon_module modules/mod_authn_anon.so <xhtml:br/>
12994:               #LoadModule authz_owner_module modules/mod_authz_owner.so <xhtml:br/>
12995:               #LoadModule authz_dbm_module modules/mod_authz_dbm.so</xhtml:code></description>
12996:           </Group>
12997:           <Group id="group-3.16.3.2.3" hidden="false">
12998:             <title xml:lang="en">HTTP Digest Authentication</title>
12999:             <description xml:lang="en">
13000:               This module provides encrypted authentication sessions.
13001:               However, this module is rarely used and considered experimental. Alternate methods of
13002:               encrypted authentication are recommended, such as SSL (Section 3.16.4.1). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13003:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13004:               If the above
13005:               functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13006:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13007:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule auth_digest_module modules/mod_auth_digest.so</xhtml:code></description>
13008:           </Group>
13009:           <Group id="group-3.16.3.2.4" hidden="false">
13010:             <title xml:lang="en">mod_rewrite</title>
13011:             <description xml:lang="en">
13012:               The mod_rewrite module is very powerful and can protect
13013:               against certain classes of web attacks. However, it is also very complex and has a
13014:               significant history of vulnerabilities itself. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13015:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13016:               If the above functionality is
13017:               unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13018:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13019:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule rewrite_module modules/mod_rewrite.so</xhtml:code></description>
13020:           </Group>
13021:           <Group id="group-3.16.3.2.5" hidden="false">
13022:             <title xml:lang="en">LDAP Support</title>
13023:             <description xml:lang="en">
13024:               This module provides HTTP authentication via an LDAP
13025:               directory. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13026:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13027:               If the above functionality is unnecessary, comment out the related modules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13028:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13029:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule ldap_module modules/mod_ldap.so <xhtml:br/>
13030:               #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so <xhtml:br/></xhtml:code>
13031:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13032:               If LDAP is to be used, SSL encryption (Section 3.16.4.1)
13033:               should be used as well.</description>
13034:           </Group>
13035:           <Group id="group-3.16.3.2.6" hidden="false">
13036:             <title xml:lang="en">Server Side Includes</title>
13037:             <description xml:lang="en">
13038:               Server Side Includes provide a method of dynamically
13039:               generating web pages through the insertion of server-side code. However, the
13040:               technology is also deprecated and introduces significant security concerns. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13041:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13042:               If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13043:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13044:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule include_module modules/mod_include.so <xhtml:br/></xhtml:code>
13045:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13046:               If there is a critical need for Server Side
13047:               Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary
13048:               code execution. Additionally, user-supplied data should be encoded to prevent
13049:               cross-site scripting vulnerabilities.</description>
13050:           </Group>
13051:           <Group id="group-3.16.3.2.7" hidden="false">
13052:             <title xml:lang="en">MIME Magic</title>
13053:             <description xml:lang="en">
13054:               This module provides a second layer of MIME support that in
13055:               most configurations is likely extraneous. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13056:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13057:               If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13058:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13059:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule mime_magic_module modules/mod_mime_magic.so</xhtml:code></description>
13060:           </Group>
13061:           <Group id="group-3.16.3.2.8" hidden="false">
13062:             <title xml:lang="en">WebDAV (Distributed Authoring and Versioning)</title>
13063:             <description xml:lang="en">
13064:               WebDAV is an extension of the HTTP protocol that provides
13065:               distributed and collaborative access to web content. Due to a number of security
13066:               concerns with WebDAV, its use is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13067:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13068:               If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13069:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13070:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule dav_module modules/mod_dav.so <xhtml:br/>
13071:               #LoadModule dav_fs_module modules/mod_dav_fs.so <xhtml:br/></xhtml:code>
13072:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13073:               If there is a
13074:               critical need for WebDAV, extra care should be taken in its configuration. Since DAV
13075:               access allows remote clients to manipulate server files, any location on the server
13076:               that is DAV enabled should be protected by encrypted authentication.</description>
13077:           </Group>
13078:           <Group id="group-3.16.3.2.9" hidden="false">
13079:             <title xml:lang="en">Server Activity Status</title>
13080:             <description xml:lang="en">
13081:               This module provides real-time access to statistics on the
13082:               internal operation of the web server. This is an unnecessary information leak and
13083:               should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13084:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13085:               If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13086:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13087:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule status_module modules/mod_status.so <xhtml:br/></xhtml:code>
13088:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13089:               If there is a critical need
13090:               for this module, ensure that access to the status page is properly restricted to a
13091:               limited set of hosts in the status handler configuration.</description>
13092:           </Group>
13093:           <Group id="group-3.16.3.2.10" hidden="false">
13094:             <title xml:lang="en">Web Server Configuration Display</title>
13095:             <description xml:lang="en">
13096:               This module creates a web page illustrating the configuration
13097:               of the web server. This is an unnecessary information leak and should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13098:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13099:               If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13100:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13101:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule info_module modules/mod_info.so <xhtml:br/></xhtml:code>
13102:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13103:               If there is a critical need for this module, use the
13104:               Location directive to provide an access control list to restrict access to the
13105:               information.</description>
13106:           </Group>
13107:           <Group id="group-3.16.3.2.11" hidden="false">
13108:             <title xml:lang="en">URL Correction on Misspelled Entries</title>
13109:             <description xml:lang="en">
13110:               This module attempts to find a document match by allowing one
13111:               misspelling in an otherwise failed request. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13112:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13113:               If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13114:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13115:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule speling_module modules/mod_speling.so <xhtml:br/></xhtml:code>
13116:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13117:               This functionality weakens server security by making site enumeration easier.</description>
13118:           </Group>
13119:           <Group id="group-3.16.3.2.12" hidden="false">
13120:             <title xml:lang="en">User-specific directories</title>
13121:             <description xml:lang="en">
13122:               The UserDir directive provides user-specific directory
13123:               translation, allowing URLs based on associated usernames. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13124:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13125:               If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13126:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13127:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule userdir_module modules/mod_userdir.so <xhtml:br/></xhtml:code>
13128:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13129:               If there is a critical need for this module, include the line
13130:               UserDir disabled root (at a minimum) in the configuration file. Ideally, UserDir
13131:               should be disabled, and then enabled on a case-by-case basis for specific users that
13132:               require this functionality. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13133:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13134:               Note: A web server's users can be trivially enumerated
13135:               using this module.</description>
13136:           </Group>
13137:           <Group id="group-3.16.3.2.13" hidden="false">
13138:             <title xml:lang="en">Proxy Support</title>
13139:             <description xml:lang="en">
13140:               This module provides proxying support, allowing Apache to
13141:               forward requests and serve as a gateway for other servers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13142:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13143:               If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13144:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13145:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule proxy_module modules/mod_proxy.so <xhtml:br/>
13146:               #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<xhtml:br/>
13147:               #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so <xhtml:br/>
13148:               #LoadModule proxy_http_module modules/mod_proxy_http.so <xhtml:br/>
13149:               #LoadModule proxy_connect_module modules/mod_proxy_connect.so <xhtml:br/></xhtml:code>
13150:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13151:               If proxy support is needed, load mod_proxy and the
13152:               appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or
13153:               mod_proxy_connect). Additionally, make certain that the server is not configured as an
13154:               open (forward) proxy before enabling proxying, as open proxy servers are a security risk.
13155:               mod_proxy_balancer enables load balancing, but requires that mod_status be enabled. Since
13156:               mod_status is not recommended, mod_proxy_balancer should be avoided as well.</description>
13157:           </Group>
13158:           <Group id="group-3.16.3.2.14" hidden="false">
13159:             <title xml:lang="en">Cache Support</title>
13160:             <description xml:lang="en">
13161:               This module allows Apache to cache data, optimizing access to
13162:               frequently accessed content. However, not only is it an experimental module, but it
13163:               also introduces potential security flaws into the web server such as the possibility
13164:               of circumventing Allow and Deny directives. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13165:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13166:               If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13167:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13168:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule cache_module modules/mod_cache.so<xhtml:br/>
13169:               #LoadModule disk_cache_module modules/mod_disk_cache.so <xhtml:br/>
13170:               #LoadModule file_cache_module modules/mod_file_cache.so <xhtml:br/>
13171:               #LoadModule mem_cache_module modules/mod_mem_cache.so <xhtml:br/></xhtml:code>
13172:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13173:               If caching is required, it should not be enabled for any limited-access content.</description>
13174:           </Group>
13175:           <Group id="group-3.16.3.2.15" hidden="false">
13176:             <title xml:lang="en">CGI Support (and Related Modules)</title>
13177:             <description xml:lang="en">
13178:               This module allows HTML to interact with the CGI web
13179:               programming language. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13180:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13181:               If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13182:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule cgi_module modules/mod_cgi.so <xhtml:br/>
13183:               #LoadModule env_module modules/mod_env.so <xhtml:br/>
13184:               #LoadModule actions_module modules/mod_actions.so <xhtml:br/>
13185:               #LoadModule suexec_module modules/mod_suexec.so <xhtml:br/></xhtml:code>
13186:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13187:               If the web server requires the use of CGI, enable
13188:               mod_cgi. If extended CGI functionality is required, include the appropriate
13189:               modules. mod_env allows for control of the environment passed to CGI scripts. mod_actions
13190:               allows CGI events to be triggered when files of a certain type are requested. mod_suexec
13191:               allows CGI scripts to run as a specified user/group instead of as the server's
13192:               user/group.</description>
13193:           </Group>
13194:           <Group id="group-3.16.3.2.16" hidden="false">
13195:             <title xml:lang="en">Various Optional Components</title>
13196:             <description xml:lang="en">
13197:               The following modules perform very specific tasks, sometimes
13198:               providing access to just a few additional directives. If this functionality is not
13199:               required (or if you are not using these directives), comment out the associated
13200:               module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13201:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13202:               <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
13203:                 <xhtml:li>External filtering (response passed through external program prior to client delivery) <xhtml:br/>
13204:                   <xhtml:br/>
13205:                   <xhtml:code>#LoadModule ext_filter_module modules/mod_ext_filter.so </xhtml:code></xhtml:li>
13206:                 <xhtml:li>User-specified
13207:                   Cache Control and Expiration <xhtml:br/>
13208:                   <xhtml:br/>
13209:                   <xhtml:code>#LoadModule expires_module modules/mod_expires.so</xhtml:code> </xhtml:li>
13210:                 <xhtml:li>Compression Output Filter (provides content compression prior to client delivery)<xhtml:br/>
13211:                   <xhtml:br/>
13212:                   <xhtml:code>#LoadModule deflate_module modules/mod_deflate.so </xhtml:code></xhtml:li>
13213:                 <xhtml:li>HTTP Response/Request Header Customization <xhtml:br/>
13214:                   <xhtml:br/>
13215:                   <xhtml:code>#LoadModule headers_module modules/mod_headers.so</xhtml:code> </xhtml:li>
13216:                 <xhtml:li>User activity monitoring via cookies <xhtml:br/>
13217:                   <xhtml:br/>
13218:                   <xhtml:code>#LoadModule usertrack_module modules/mod_usertrack.so </xhtml:code></xhtml:li>
13219:                 <xhtml:li>Dynamically configured mass virtual hosting <xhtml:br/>
13220:                   <xhtml:br/>
13221:                   <xhtml:code>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</xhtml:code></xhtml:li>
13222:               </xhtml:ul>
13223:               </description>
13224:           </Group>
13225:         </Group>
13226:         <Group id="group-3.16.3.3" hidden="false">
13227:           <title xml:lang="en">Minimize Configuration Files Included</title>
13228:           <description xml:lang="en">
13229:             The Include directive directs Apache to load supplementary
13230:             configuration files from a provided path. The default configuration loads all files that
13231:             end in .conf from the /etc/httpd/conf.d directory. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13232:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13233:             To restrict excess configuration, the
13234:             following line should be commented out and replaced with Include directives that only
13235:             reference required configuration files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13236:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13237:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#Include conf.d/*.conf <xhtml:br/></xhtml:code>
13238:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13239:             If the above change was
13240:             made, ensure that the SSL encryption remains loaded by explicitly including the
13241:             corresponding configuration file: (see Section 3.16.4.1 for further details on SSL
13242:             configuration) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13243:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13244:             Include conf.d/ssl.conf <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13245:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13246:             If PHP is necessary, a similar alteration must be
13247:             made: (see Section 3.16.4.4.1 for further details on PHP configuration) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13248:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13249:             Include conf.d/php.conf</description>
13250:         </Group>
13251:         <Group id="group-3.16.3.4" hidden="false">
13252:           <title xml:lang="en">Directory Restrictions</title>
13253:           <description xml:lang="en">
13254:             The Directory tags in the web server configuration file allow
13255:             finer grained access control for a specified directory. All web directories should be
13256:             configured on a case-by-case basis, allowing access only where needed.</description>
13257:           <Group id="group-3.16.3.4.1" hidden="false">
13258:             <title xml:lang="en">Restrict Root Directory</title>
13259:             <description xml:lang="en">
13260:               The Apache root directory should always have the most
13261:               restrictive configuration enabled.
13262:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13263:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13264:               &lt;Directory /&gt;
13265:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13266:               Options None
13267:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13268:               AllowOverride None
13269:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13270:               Order allow,deny
13271:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13272:               &lt;/Directory&gt;
13273:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13274:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13275:               Because no Allow directive follows, Order allow,deny denies all access to the root
13276:               directory by default; access is then granted only in more specific Directory sections.
13275:             </description>
13276:           </Group>
13277:           <Group id="group-3.16.3.4.2" hidden="false">
13278:             <title xml:lang="en">Restrict Web Directory</title>
13279:             <description xml:lang="en">
13280:               The default configuration for the web (/var/www/html)
13281:               Directory allows directory indexing (Indexes) and the following of symbolic links
13282:               (FollowSymLinks). Neither of these is recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13283:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13284:               The
13285:               /var/www/html directory hierarchy should not be viewable via the web, and symlinks
13286:               should only be followed if the owner of the symlink also owns the linked
13287:               file.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13288:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13289:               Ensure that this policy is adhered to by altering the
13290:               related section of the configuration:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13291:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13292:               &lt;Directory "/var/www/html"&gt;
13294:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13295:               # ...
13296:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13297:               Options SymLinksIfOwnerMatch
13298:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13299:               # ...
13300:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13301:               &lt;/Directory&gt;
13302:             </description>
13303:           </Group>
13304:           <Group id="group-3.16.3.4.3" hidden="false">
13305:             <title xml:lang="en">Restrict Other Critical Directories</title>
13306:             <description xml:lang="en">
13307:               All accessible web directories should be configured with
13308:               similar restrictive settings. The Options directive should be limited to necessary
13309:               functionality and the AllowOverride directive should be used only if needed. The Order
13310:               and Deny access control tags should be used to deny access by default, allowing access
13311:               only where necessary.</description>
13312:           </Group>
13313:         </Group>
13314:         <Group id="group-3.16.3.5" hidden="false">
13315:           <title xml:lang="en">Configure Authentication if Applicable</title>
13316:           <description xml:lang="en">
13317:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
13318:               <xhtml:li>Set up a password file. <xhtml:br/>
13319:                 <xhtml:br/>
13320:                 If a password file doesn't yet exist, one must be generated with the following command: <xhtml:br/>
13321:                 <xhtml:br/>
13322:                 <xhtml:code># htpasswd -cs passwdfile user <xhtml:br/></xhtml:code>
13323:                 <xhtml:br/>
13324:                 <xhtml:em>WARNING: This command will overwrite an existing file at this location.</xhtml:em>
13325:                 <xhtml:br/>
13326:                 Once a password file has been generated, subsequent users can be added with the
13327:                 following command: <xhtml:br/>
13328:                 <xhtml:br/>
13329:                 <xhtml:code># htpasswd -s passwdfile user </xhtml:code></xhtml:li>
13330:               <xhtml:li>Optionally, set up a group file (if using group authentication). <xhtml:br/>
13331:                 <xhtml:br/>
13332:                 The group file is a plain text file of the following format
13333:                 (each group is on its own line, followed by a colon and a list of users that belong to
13334:                 that group, separated by spaces): <xhtml:br/>
13335:                 <xhtml:br/>
13336:                 group : user1 user2 <xhtml:br/>
13337:                 group2 : user3 </xhtml:li>
13338:               <xhtml:li>Modify file
13339:                 permissions so that Apache can read the group and passwd files: <xhtml:br/>
13340:                 <xhtml:br/>
13341:                 <xhtml:code># chgrp apache passwdfile groupfile <xhtml:br/>
13342:                 # chmod 640 passwdfile groupfile </xhtml:code></xhtml:li>
13343:               <xhtml:li>Turn on authentication for desired directories <xhtml:br/>
13344:                 <xhtml:br/>
13345:                 Add the following options inside the appropriate Directory tag: <xhtml:br/>
13346:                 <xhtml:br/>
13347:                 <xhtml:ul>
13348:                   <xhtml:li>For single-user authentication: <xhtml:br/>
13349:                     &lt;Directory "directory"&gt; <xhtml:br/>
13350:                     # ... <xhtml:br/>
13351:                     AuthName "Private Data" <xhtml:br/>
13351:                     AuthType Basic <xhtml:br/>
13352:                     AuthUserFile passwdfile <xhtml:br/>
13353:                     require user user <xhtml:br/>
13354:                     # ...<xhtml:br/>
13355:                     &lt;/Directory&gt; </xhtml:li>
13356:                   <xhtml:li>For multiple-user authentication restricted by groups:<xhtml:br/>
13357:                     &lt;Directory "directory"&gt; <xhtml:br/>
13358:                     # ... <xhtml:br/>
13359:                     AuthName "Private Data" <xhtml:br/>
13360:                     AuthType Basic<xhtml:br/>
13361:                     <xhtml:br/>
13362:                     AuthUserFile passwdfile <xhtml:br/>
13363:                     AuthGroupFile groupfile <xhtml:br/>
13364:                     require group group <xhtml:br/>
13365:                     # ...<xhtml:br/>
13366:                     &lt;/Directory&gt; </xhtml:li>
13367:                   <xhtml:li>For multiple-user authentication restricted by valid user accounts: <xhtml:br/>
13368:                     <xhtml:br/>
13369:                     &lt;Directory "directory"&gt; <xhtml:br/>
13370:                     # ... <xhtml:br/>
13371:                     AuthName "Private Data" <xhtml:br/>
13372:                     AuthType Basic <xhtml:br/>
13373:                     AuthUserFile passwdfile <xhtml:br/>
13374:                     require valid-user <xhtml:br/>
13375:                     # ... <xhtml:br/>
13376:                     &lt;/Directory&gt; </xhtml:li>
13377:                 </xhtml:ul>
13378:                 </xhtml:li>
13379:             </xhtml:ol>
13380:             The AuthName directive specifies a label for the protected content. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13381:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13382:             The AuthType directive
13383:             specifies the kind of authentication (if using Digest authentication, this line would
13384:             instead read AuthType Digest) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13385:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13386:             The AuthUserFile and AuthGroupFile directives point to the
13387:             password and group files (if using Digest authentication, these directives would instead
13388:             be AuthDigestFile and AuthDigestGroupFile.)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13389:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13390:             The require user directive restricts access
13391:             to a single user. The require group directive restricts access to multiple users in a
13392:             designated group. The short-hand require valid-user directive restricts access to any
13393:             user in the passwdfile. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13394:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13395:             Note: Make sure the AuthUserFile and AuthGroupFile locations are
13396:             outside the web server document tree to prevent remote clients from having access to
13397:             restricted usernames and passwords. This guide recommends /etc/httpd/conf as a location
13398:             for these files.</description>
13399:           <warning xml:lang="en">Basic authentication is handled in plaintext over the network.
13400:             Therefore, all login attempts are vulnerable to password sniffing. For increased
13401:             protection against passive monitoring, encrypted authentication over a secure channel
13402:             such as SSL (Section 3.16.4.1) is recommended. </warning>
13403:         </Group>
13404:         <Group id="group-3.16.3.6" hidden="false">
13405:           <title xml:lang="en">Limit Available Methods</title>
13406:           <description xml:lang="en">
13407:             Web server methods are defined in section 9 of RFC 2616
13408:             (http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the
13409:             implementation of all available methods, they should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13410:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13411:             Note: GET and POST are
13412:             the most common methods. A majority of the others are limited to the WebDAV protocol. In the
13413:             example below, Order allow,deny with no Allow directive inside LimitExcept denies every method
13414:             other than GET and POST. TRACE is not governed by LimitExcept; disable it separately with
13415:             TraceEnable off.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13413:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13414:             &lt;Directory /var/www/html&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13415:             # ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13416:             # Only allow specific methods (this command is case-sensitive!) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13417:             &lt;LimitExcept GET POST&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13418:             Order allow,deny<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13419:             &lt;/LimitExcept&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13420:             # ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13421:             &lt;/Directory&gt;</description>
13422:         </Group>
13423:       </Group>
13424:       <Group id="group-3.16.4" hidden="false">
13425:         <title xml:lang="en">Use Appropriate Modules to Improve Apache's Security</title>
13426:         <description xml:lang="en">
13427:           Among the modules available for Apache are several whose use may
13428:           improve the security of the web server installation. This section recommends and discusses
13429:           the deployment of security-relevant modules.</description>
13430:         <Group id="group-3.16.4.1" hidden="false">
13431:           <title xml:lang="en">Deploy mod_ssl</title>
13432:           <description xml:lang="en">
13433:             Because HTTP is a plain text protocol, all traffic is
13434:             susceptible to passive monitoring. If there is a need for confidentiality, SSL should be
13435:             configured and enabled to encrypt content. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13436:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13437:             Note: mod_nss is a FIPS 140-2 certified
13438:             alternative to mod_ssl. The modules share a considerable amount of code and should be
13439:             nearly identical in functionality. If FIPS 140-2 validation is required, then mod_nss
13440:             should be used. If mod_ssl provides some needed feature or its greater compatibility is
13441:             required, then mod_ssl should be used.</description>
13442:           <Group id="group-3.16.4.1.1" hidden="false">
13443:             <title xml:lang="en">Install mod_ssl</title>
13444:             <description xml:lang="en">
13445:               Install mod_ssl: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13446:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13447:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install mod_ssl</xhtml:code></description>
13448:           </Group>
13449:           <Group id="group-3.16.4.1.2" hidden="false">
13450:             <title xml:lang="en">Create an SSL Certificate</title>
13451:             <description xml:lang="en">
13452:               On your CA (if you are using your own) or on another
13453:               physically secure system, generate a key pair for the web server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13454:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13455:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/>
13456:               # openssl genrsa -des3 -out httpserverkey.pem 2048 <xhtml:br/></xhtml:code>
13457:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13458:               When prompted,
13459:               enter a strong, unique passphrase to protect the web server key pair. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13460:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13461:               Next, generate a Certificate Signing Request (CSR) from the key for the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13462:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13463:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key httpserverkey.pem -out httpserver.csr <xhtml:br/></xhtml:code>
13464:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13465:               Enter the passphrase for the web server key pair
13466:               and then fill out the fields as completely as possible (or hit return to accept
13467:               defaults); the Common Name field is especially important. It must match the
13468:               fully-qualified domain name of your server exactly (e.g. www.example.com) or the
13469:               certificate will not work. The /etc/pki/tls/openssl.conf file will determine which
13470:               other fields (e.g. Country Name, Organization Name, etc) must match between the server
13471:               request and the CA. Leave the challenge password and an optional company name blank.
13472:               Next, the web server CSR must be signed to create the web server certificate. You can
13473:               either send the CSR to an established CA or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13474:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13475:               To sign httpserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13476:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13477:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in httpserver.csr -out httpservercert.pem<xhtml:br/></xhtml:code>
13478:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13479:               When prompted, enter the CA passphrase to continue and then complete the process. The
13480:               httpservercert.pem certificate needed to enable SSL on the web server is now in the
13481:               directory. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13482:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13483:               Finally, the web server key and certificate file need to be moved to the
13484:               web server. Use removable media if possible. Place the server key and certificate file
13485:               in /etc/pki/tls/http/, naming them serverkey.pem and servercert.pem, respectively. The
13486:               private key file should be owned by root and not readable by any other user.</description>
13486:           </Group>
13487:           <Group id="group-3.16.4.1.3" hidden="false">
13488:             <title xml:lang="en">Install SSL Certificate</title>
13489:             <description xml:lang="en">
13490:               Add or modify the configuration file
13491:               /etc/httpd/conf.d/ssl.conf to match the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13492:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13493:               # establish new listening port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13494:               Listen 443 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13495:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13496:               # seed appropriately <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13497:               SSLRandomSeed startup file:/dev/urandom 1024<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13498:               SSLRandomSeed connect file:/dev/urandom 1024 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13499:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13500:               &lt;VirtualHost site-on-certificate.com:443&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13501:               # Enable SSL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13502:               SSLEngine On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13503:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13504:               # Path to server certificate + private key <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13505:               SSLCertificateFile /etc/pki/tls/http/servercert.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13506:               SSLCertificateKeyFile /etc/pki/tls/http/serverkey.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13507:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13508:               SSLProtocol All -SSLv2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13509:               # Weak ciphers and null authentication should be denied unless absolutely necessary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13510:               # (and even then, such cipher weakening should occur within a Location enclosure)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13511:               SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13512:               &lt;/VirtualHost&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13513:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13514:               Ensure that all
13515:               directories that house SSL content are restricted to SSL access only in
13516:               /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13517:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13518:               &lt;Directory /var/www/html/secure&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13519:               # require SSL for access <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13520:               SSLRequireSSL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13521:               SSLOptions +StrictRequire <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13522:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13523:               # require domain to match certificate domain <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13524:               SSLRequire %{HTTP_HOST} eq "site-on-certificate.com" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13525:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13526:               # rather than reply with 403 error, redirect user to appropriate site <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13527:               # this is OPTIONAL - uncomment to apply <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13528:               # ErrorDocument 403 https://site-on-certificate.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13529:               &lt;/Directory&gt;</description>
13530:           </Group>
13531:         </Group>
13532:         <Group id="group-3.16.4.2" hidden="false">
13533:           <title xml:lang="en">Deploy mod security</title>
13534:           <description xml:lang="en">
13535:             mod security provides an application-level firewall for Apache.
13536:             Following the installation of mod security with the base ruleset, specific configuration
13537:             advice can be found at http://www.modsecurity.org/ to design a policy that best matches
13538:             the security needs of the web applications.</description>
13539:           <Group id="group-3.16.4.2.1" hidden="false">
13540:             <title xml:lang="en">Install mod security</title>
13541:             <description xml:lang="en">
13542:               Install mod security: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13543:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13544:               # yum install mod_security</description>
13545:           </Group>
13546:           <Group id="group-3.16.4.2.2" hidden="false">
13547:             <title xml:lang="en">Configure mod security Filtering</title>
13548:             <description xml:lang="en">
13549:               mod security supports a significant number of options, far
13550:               too many to be fully covered in this guide. However, the following list comprises a
13551:               smaller subset of suggested filters to be added to /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13552:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13553:               # enable mod_security <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13554:               SecFilterEngine On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13555:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13556:               # enable POST filtering <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13557:               SecFilterScanPost On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13558:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13559:               # Make sure that URL encoding is valid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13560:               SecFilterCheckURLEncoding On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13561:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13562:               # Accept almost all byte values <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13563:               SecFilterForceByteRange 1 255 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13564:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13565:               # Prevent directory traversal <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13566:               SecFilter "\.\./" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13567:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13568:               # Filter on specific system specific paths <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13569:               SecFilter /etc/passwd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13570:               SecFilter /bin/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13571:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13572:               # Prevent cross-site scripting <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13573:               SecFilter "&lt;[[:space:]]* script" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13574:               # Prevent SQL injection <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13575:               SecFilter "delete[[:space:]]+from" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13576:               SecFilter "insert[[:space:]]+into"<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13577:               SecFilter "select.+from"</description>
13578:           </Group>
13579:         </Group>
13580:         <Group id="group-3.16.4.3" hidden="false">
13581:           <title xml:lang="en">Use Denial-of-Service Protection Modules</title>
13582:           <description xml:lang="en">
13583:             Denial-of-service attacks are difficult to detect and prevent
13584:             while maintaining acceptable access to authorized users. However, there are a number of
13585:             traffic-shaping modules that attempt to address the problem. Well-known DoS protection
13586:             modules include mod_throttle, mod_bwshare, mod_limitipconn, and mod_dosevasive. It is
13587:             recommended that denial-of-service prevention be implemented for the web server.
13588:             However, this guide leaves specific configuration details to the discretion of the
13589:             reader.</description>
13590:         </Group>
13591:         <Group id="group-3.16.4.4" hidden="false">
13592:           <title xml:lang="en">Configure Supplemental Modules Appropriately</title>
13593:           <description xml:lang="en">Any required functionality added to the web server via additional modules should be configured appropriately.</description>
13594:           <Group id="group-3.16.4.4.1" hidden="false">
13595:             <title xml:lang="en">Configure PHP Securely</title>
13596:             <description xml:lang="en">
13597:               PHP is a widely used and often misconfigured server-side
13598:               scripting language. It should be used with caution, but configured appropriately when
13599:               needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13600:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13601:               Make the following changes to /etc/php.ini: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13602:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13603:               # Do not expose PHP error messages to external users <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13604:               display_errors = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13605:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13606:               # Enable safe mode <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13607:               safe_mode = On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13608:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13609:               # Only allow access to executables in isolated directory <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13610:               safe_mode_exec_dir = php-required-executables-path <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13611:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13612:               # Limit external access to PHP environment<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13613:               safe_mode_allowed_env_vars = PHP_ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13614:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13615:               # Restrict PHP information leakage <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13616:               expose_php = Off<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13617:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13618:               # Log all errors <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13619:               log_errors = On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13620:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13621:               # Do not register globals for input data<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13622:               register_globals = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13623:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13624:               # Minimize allowable PHP post size <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13625:               post_max_size = 1K <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13626:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13627:               # Ensure PHP redirects appropriately <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13628:               cgi.force_redirect = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13629:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13630:               # Disallow uploading unless necessary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13631:               file_uploads = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13632:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13633:               # Disallow treatment of file requests as fopen calls<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13634:               allow_url_fopen = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13635:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13636:               # Enable SQL safe mode <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13637:               sql.safe_mode = On</description>
13638:           </Group>
13639:         </Group>
13640:       </Group>
13641:       <Group id="group-3.16.5" hidden="false">
13642:         <title xml:lang="en">Configure Operating System to Protect Web Server</title>
13643:         <description xml:lang="en">
13644:           The following configuration steps should be taken on the machine
13645:           which hosts the web server, in order to provide as safe an environment as possible for the
13646:           web server.</description>
13647:         <Group id="group-3.16.5.1" hidden="false">
13648:           <title xml:lang="en">Restrict File and Directory Access</title>
13649:           <description xml:lang="en">
13650:             Minimize access to critical Apache files and directories: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13651:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13652:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod 511 /usr/sbin/httpd <xhtml:br/>
13653:             # chmod 750 /var/log/httpd/ <xhtml:br/>
13654:             # chmod 750 /etc/httpd/conf/ <xhtml:br/>
13655:             # chmod 640 /etc/httpd/conf/* <xhtml:br/>
13656:             # chgrp -R apache /etc/httpd/conf</xhtml:code></description>
13657:           <Value id="var-3.16.5.1.a" operator="equals" type="string">
13658:             <title xml:lang="en">Directory permissions on /etc/httpd/conf</title>
13659:             <description xml:lang="en">Specify directory permissions on /etc/httpd/conf</description>
13660:             <question xml:lang="en">Specify directory permissions of /etc/httpd/conf</question>
13661:             <value>111101000</value>
13662:             <value selector="750">111101000</value>
13663:             <match>^[01]+$</match>
13664:           </Value>
13665:           <Value id="var-3.16.5.1.b" operator="equals" type="string">
13666:             <title xml:lang="en">File permissions on /etc/httpd/conf/*</title>
13667:             <description xml:lang="en">Specify file permissions on /etc/httpd/conf/*</description>
13668:             <question xml:lang="en">Specify file permissions of /etc/httpd/conf/*</question>
13669:             <value>110100000</value>
13670:             <value selector="640">110100000</value>
13671:             <match>^[01]+$</match>
13672:           </Value>
13673:           <Value id="var-3.16.5.1.c" operator="equals" type="string">
13674:             <title xml:lang="en">File permissions on /usr/sbin/httpd</title>
13675:             <description xml:lang="en">Specify file permissions on /usr/sbin/httpd</description>
13676:             <question xml:lang="en">Specify file permissions of /usr/sbin/httpd</question>
13677:             <value>101001001</value>
13678:             <value selector="511">101001001</value>
13679:             <match>^[01]+$</match>
13680:           </Value>
13681:           <Value id="var-3.16.5.1.d" operator="equals" type="string">
13682:             <title xml:lang="en">group owner of /etc/httpd/conf/*</title>
13683:             <description xml:lang="en">Specify group owner of /etc/httpd/conf/*</description>
13684:             <question xml:lang="en">Specify group owner of /etc/httpd/conf/*</question>
13685:             <value>apache</value>
13686:             <value selector="apache">apache</value>
13687:           </Value>
13688:           <Value id="var-3.16.5.1.e" operator="equals" type="string">
13689:             <title xml:lang="en">File permissions on /var/log/httpd/</title>
13690:             <description xml:lang="en">Specify file permissions on /var/log/httpd/</description>
13691:             <question xml:lang="en">Specify file permissions of /var/log/httpd/</question>
13692:             <value>111101000</value>
13693:             <value selector="750">111101000</value>
13694:             <match>^[01]+$</match>
13695:           </Value>
13696:           <Rule id="rule-3.16.5.1.a" selected="false" weight="10.000000">
13697:             <title xml:lang="en">Restrict permissions on /etc/httpd/conf</title>
13698:             <description xml:lang="en">File permissions for /etc/httpd/conf should be set correctly.</description>
13699:             <ident system="http://cce.mitre.org">CCE-4509-6</ident>
13700:             <fixtext xml:lang="en">(1) via chmod</fixtext>
13701:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13702:               <check-export export-name="oval:org.fedoraproject.f14:var:20326" value-id="var-3.16.5.1.a"/>
13703:               <check-content-ref name="oval:org.fedoraproject.f14:def:20326" href="scap-fedora14-oval.xml"/>
13704:             </check>
13705:           </Rule>
13706:           <Rule id="rule-3.16.5.1.b" selected="false" weight="10.000000">
13707:             <title xml:lang="en">Restrict permissions on /etc/httpd/conf/*</title>
13708:             <description xml:lang="en">File permissions for /etc/httpd/conf/* should be set correctly.</description>
13709:             <ident system="http://cce.mitre.org">CCE-4386-9</ident>
13710:             <fixtext xml:lang="en">(1) via chmod</fixtext>
13711:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13712:               <check-export export-name="oval:org.fedoraproject.f14:var:20327" value-id="var-3.16.5.1.b"/>
13713:               <check-content-ref name="oval:org.fedoraproject.f14:def:20327" href="scap-fedora14-oval.xml"/>
13714:             </check>
13715:           </Rule>
13716:           <Rule id="rule-3.16.5.1.c" selected="false" weight="10.000000">
13717:             <title xml:lang="en">Restrict permissions on /usr/sbin/httpd</title>
13718:             <description xml:lang="en">File permissions for /usr/sbin/httpd should be set correctly.</description>
13719:             <ident system="http://cce.mitre.org">CCE-4029-5</ident>
13720:             <fixtext xml:lang="en">(1) via chmod</fixtext>
13721:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13722:               <check-export export-name="oval:org.fedoraproject.f14:var:20328" value-id="var-3.16.5.1.c"/>
13723:               <check-content-ref name="oval:org.fedoraproject.f14:def:20328" href="scap-fedora14-oval.xml"/>
13724:             </check>
13725:           </Rule>
13726:           <Rule id="rule-3.16.5.1.d" selected="false" weight="10.000000">
13727:             <title xml:lang="en">Restrict group access to /etc/httpd/conf/*</title>
13728:             <description xml:lang="en">The /etc/httpd/conf/* files should be owned by the appropriate group.</description>
13729:             <ident system="http://cce.mitre.org">CCE-3581-6</ident>
13730:             <fixtext xml:lang="en">(1) via chgrp</fixtext>
13731:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13732:               <check-export export-name="oval:org.fedoraproject.f14:var:20329" value-id="var-3.16.5.1.d"/>
13733:               <check-content-ref name="oval:org.fedoraproject.f14:def:20329" href="scap-fedora14-oval.xml"/>
13734:             </check>
13735:           </Rule>
13736:           <Rule id="rule-3.16.5.1.e" selected="false" weight="10.000000">
13737:             <title xml:lang="en">Restrict permissions on /var/log/httpd</title>
13738:             <description xml:lang="en">File permissions for /var/log/httpd should be set correctly.</description>
13739:             <ident system="http://cce.mitre.org">CCE-4574-0</ident>
13740:             <fixtext xml:lang="en">(1) via chmod</fixtext>
13741:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13742:               <check-export export-name="oval:org.fedoraproject.f14:var:20330" value-id="var-3.16.5.1.e"/>
13743:               <check-content-ref name="oval:org.fedoraproject.f14:def:20330" href="scap-fedora14-oval.xml"/>
13744:             </check>
13745:           </Rule>
13746:         </Group>
13747:         <Group id="group-3.16.5.2" hidden="false">
13748:           <title xml:lang="en">Configure iptables to Allow Access to the Web Server</title>
13749:           <description xml:lang="en">
13750:             Edit /etc/sysconfig/iptables. Add the following lines, ensuring
13751:             that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13752:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13753:             -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13754:             -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13755:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13756:             The default
13757:             Iptables configuration does not allow inbound access to the HTTP (80) and HTTPS (443)
13758:             ports used by the web server. This modification allows that access, while keeping other
13759:             ports on the server in their default protected state. See Section 2.5.5 for more
13760:             information about Iptables.</description>
13761:         </Group>
13762:         <Group id="group-3.16.5.3" hidden="false">
13763:           <title xml:lang="en">Run Apache in a chroot Jail if Possible</title>
13764:           <description xml:lang="en">
13765:             Putting Apache in a chroot jail minimizes the damage done by a
13766:             potential break-in by isolating the web server to a small section of the filesystem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13767:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13768:             In
13769:             order to configure Apache to run from a chroot directory, edit the Apache configuration
13770:             file, /etc/httpd/conf/httpd.conf, and add the following mod_security directive (mod_security must be installed and loaded for it to take effect): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13771:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13772:             SecChrootDir /chroot/apache <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13773:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13774:             It
13775:             is also necessary to place all files required by Apache inside the filesystem rooted at
13776:             /chroot/apache, including Apache's binaries, modules, configuration files, and served
13777:             web pages. The details of this configuration are beyond the scope of this guide.</description>
13778:         </Group>
13779:       </Group>
13780:       <Group id="group-3.16.6" hidden="false">
13781:         <title xml:lang="en">Additional Resources</title>
13782:         <description xml:lang="en">
13783:           Further resources should be consulted if your web server requires
13784:           more extensive configuration guidance, especially if particular applications need to be
13785:           secured. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13786:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13787:           In particular, [26] is recommended as a more comprehensive guide to securing Apache.</description>
13788:       </Group>
13789:     </Group>
13790:     <Group id="group-3.17" hidden="false">
13791:       <title xml:lang="en">IMAP and POP3 Server</title>
13792:       <description xml:lang="en">
13793:         Dovecot provides IMAP and POP3 services. It is not installed by
13794:         default. The project page at http://www.dovecot.org contains more detailed information
13795:         about Dovecot configuration.</description>
13796:       <Group id="group-3.17.1" hidden="false">
13797:         <title xml:lang="en">Disable Dovecot if Possible</title>
13798:         <description xml:lang="en">
13799:           If the system does not need to operate as an IMAP or POP3 server,
13800:           disable and remove Dovecot if it was installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13801:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13802:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig dovecot off <xhtml:br/>
13803:           # yum erase dovecot</xhtml:code></description>
13804:         <Rule id="rule-3.17.1.a" selected="false" weight="10.000000" severity="low">
13805:           <title xml:lang="en">Disable Dovecot if Possible</title>
13806:           <description xml:lang="en">The dovecot service should be disabled.</description>
13807:           <ident system="http://cce.mitre.org">CCE-3847-1</ident>
13808:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
13809:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13810:             <check-content-ref name="oval:org.fedoraproject.f14:def:20331" href="scap-fedora14-oval.xml"/>
13811:           </check>
13812:         </Rule>
13813:         <Rule id="rule-3.17.1.b" selected="false" weight="10.000000">
13814:           <title xml:lang="en">Uninstall Dovecot if Possible</title>
13815:           <description xml:lang="en">The dovecot package should be uninstalled.</description>
13816:           <ident system="http://cce.mitre.org">CCE-4239-0</ident>
13817:           <fixtext xml:lang="en">(1) via yum</fixtext>
13818:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13819:             <check-content-ref name="oval:org.fedoraproject.f14:def:20332" href="scap-fedora14-oval.xml"/>
13820:           </check>
13821:         </Rule>
13822:       </Group>
13823:       <Group id="group-3.17.2" hidden="false">
13824:         <title xml:lang="en">Configure Dovecot if Necessary</title>
13825:         <description xml:lang="en">Dovecot's main configuration file is /etc/dovecot.conf. The settings which appear, commented out, in the file are the defaults.</description>
13826:         <Group id="group-3.17.2.1" hidden="false">
13827:           <title xml:lang="en">Support Only the Necessary Protocols</title>
13828:           <description xml:lang="en">
13829:             Edit /etc/dovecot.conf. Add or correct the following lines,
13830:             replacing PROTOCOL with only the subset of protocols (imap, imaps, pop3, pop3s)
13831:             required: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13832:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13833:             protocols = PROTOCOL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13834:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13835:             Dovecot supports the IMAP and POP3 protocols, as well as
13836:             SSL-protected versions of those protocols. Configure the Dovecot server to support only
13837:             the protocols needed by your site. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13838:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13839:             If possible, require SSL protection for all
13840:             transactions. The SSL protocol variants listen on alternate ports (995 instead of 110
13841:             for pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. An
13842:             alternate approach is to listen on the standard port and require the client to use the
13843:             STARTTLS command before authenticating.</description>
13844:           <Rule id="rule-3.17.2.1.a" selected="false" weight="10.000000">
13845:             <title xml:lang="en">Dovecot should not support imaps</title>
13846:             <description xml:lang="en">Dovecot should be configured to not support the imaps protocol</description>
13847:             <ident system="http://cce.mitre.org">CCE-4384-4</ident>
13848:             <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13849:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13850:               <check-content-ref name="oval:org.fedoraproject.f14:def:20333" href="scap-fedora14-oval.xml"/>
13851:             </check>
13852:           </Rule>
13853:           <Rule id="rule-3.17.2.1.b" selected="false" weight="10.000000">
13854:             <title xml:lang="en">Dovecot should not support pop3s</title>
13855:             <description xml:lang="en">Dovecot should be configured to not support the pop3s protocol</description>
13856:             <ident system="http://cce.mitre.org">CCE-3887-7</ident>
13857:             <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13858:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13859:               <check-content-ref name="oval:org.fedoraproject.f14:def:20334" href="scap-fedora14-oval.xml"/>
13860:             </check>
13861:           </Rule>
13862:           <Rule id="rule-3.17.2.1.c" selected="false" weight="10.000000">
13863:             <title xml:lang="en">Dovecot should not support pop3</title>
13864:             <description xml:lang="en">Dovecot should be configured to not support the pop3 protocol</description>
13865:             <ident system="http://cce.mitre.org">CCE-4530-2</ident>
13866:             <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13867:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13868:               <check-content-ref name="oval:org.fedoraproject.f14:def:20335" href="scap-fedora14-oval.xml"/>
13869:             </check>
13870:           </Rule>
13871:           <Rule id="rule-3.17.2.1.d" selected="false" weight="10.000000">
13872:             <title xml:lang="en">Dovecot should not support imap</title>
13873:             <description xml:lang="en">Dovecot should be configured to not support the imap protocol</description>
13874:             <ident system="http://cce.mitre.org">CCE-4547-6</ident>
13875:             <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13876:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13877:               <check-content-ref name="oval:org.fedoraproject.f14:def:20336" href="scap-fedora14-oval.xml"/>
13878:             </check>
13879:           </Rule>
13880:         </Group>
13881:         <Group id="group-3.17.2.2" hidden="false">
13882:           <title xml:lang="en">Enable SSL Support</title>
13883:           <description xml:lang="en">
13884:             SSL should be used to encrypt network traffic between the
13885:             Dovecot server and its clients. Users must authenticate to the Dovecot server in order
13886:             to read their mail, and passwords should never be transmitted in clear text. In
13887:             addition, protecting mail as it is downloaded is a privacy measure, and clients may use
13888:             SSL certificates to authenticate the server, preventing another system from
13889:             impersonating the server. See Section 2.5.6 for general SSL information, including the
13890:             setup of a Certificate Authority (CA).</description>
13891:           <reference href="">Apache 2 with SSL/TLS: Step-by-step, Part 2. Tech. rep.</reference>
13892:           <Group id="group-3.17.2.2.1" hidden="false">
13893:             <title xml:lang="en">Create an SSL Certificate</title>
13894:             <description xml:lang="en">
13895:               Note: The following steps should be performed on your CA
13896:               system, and not on the Dovecot server itself. If you will have a commercial CA sign
13897:               certificates, then these steps should be performed on a separate, physically secure
13898:               system devoted to that purpose. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13899:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13900:               On your CA (if you are using your own) or on another
13901:               physically secure system, generate a key pair for the Dovecot server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13902:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13903:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/>
13904:               # openssl genrsa -out imapserverkey.pem 2048 <xhtml:br/></xhtml:code>
13905:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13906:               Next, generate a
13907:               certificate signing request (CSR) for the CA to sign, making sure to enter the
13908:               server's fully-qualified domain name when prompted for the Common Name: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13909:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13910:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key imapserverkey.pem -out imapserver.csr <xhtml:br/></xhtml:code>
13911:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13912:               Next, the mail server CSR must be
13913:               signed to create the Dovecot server certificate. You can either send the CSR to an
13914:               established CA or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13915:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13916:               To sign imapserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13917:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13918:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in imapserver.csr -out imapservercert.pem <xhtml:br/></xhtml:code>
13919:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13920:               These steps create a private key,
13921:               imapserverkey.pem, and a public certificate, imapservercert.pem. The Dovecot server
13922:               will use these to prove its identity by demonstrating that it has a certificate which
13923:               has been signed by a CA. POP3 or IMAP clients at your site should only be willing to
13924:               provide users' credentials to a server they can authenticate.</description>
13925:           </Group>
13926:           <Group id="group-3.17.2.2.2" hidden="false">
13927:             <title xml:lang="en">Install the SSL Certificate</title>
13928:             <description xml:lang="en">
13929:               Create the PKI directory for POP and IMAP certificates if it
13930:               does not already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13931:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13932:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/imap <xhtml:br/>
13933:               # chown root:root /etc/pki/tls/imap<xhtml:br/>
13934:               # chmod 755 /etc/pki/tls/imap <xhtml:br/></xhtml:code>
13935:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13936:               Using removable media or some other secure transmission
13937:               format, install the files generated in the previous step onto the Dovecot server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13938:               <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
13939:                 <xhtml:li>/etc/pki/tls/imap/serverkey.pem: the private key imapserverkey.pem</xhtml:li>
13940:                 <xhtml:li>/etc/pki/tls/imap/servercert.pem: the certificate file imapservercert.pem</xhtml:li>
13941:               </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13942:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13943:               Verify the permissions on these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13944:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13945:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/imap/serverkey.pem <xhtml:br/>
13946:               # chown root:root /etc/pki/tls/imap/servercert.pem <xhtml:br/>
13947:               # chmod 600 /etc/pki/tls/imap/serverkey.pem<xhtml:br/>
13948:               # chmod 600 /etc/pki/tls/imap/servercert.pem <xhtml:br/></xhtml:code>
13949:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13950:               Verify that the CA's public certificate
13951:               file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct
13952:               permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13953:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13954:               <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/>
13955:               # chmod 644 /etc/pki/tls/CA/cacert.pem</xhtml:code></description>
13956:           </Group>
13957:           <Group id="group-3.17.2.2.3" hidden="false">
13958:             <title xml:lang="en">Configure Dovecot to Use the SSL Certificate</title>
13959:             <description xml:lang="en">
13960:               Edit /etc/dovecot.conf and add or correct the following lines
13961:               (ensuring they reference the appropriate files): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13962:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13963:               ssl_cert_file = /etc/pki/tls/imap/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13964:               ssl_key_file = /etc/pki/tls/imap/serverkey.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13965:               ssl_ca_file = /etc/pki/tls/CA/cacert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13966:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13967:               These options tell Dovecot where to find the
13968:               TLS configuration, allowing clients to make encrypted connections.</description>
13969:           </Group>
13970:           <Group id="group-3.17.2.2.4" hidden="false">
13971:             <title xml:lang="en">Disable Plaintext Authentication</title>
13972:             <description xml:lang="en">
13973:               To prevent Dovecot from attempting plaintext authentication
13974:               of clients, edit /etc/dovecot.conf and add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13975:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13976:               disable_plaintext_auth = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13977:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13978:               The disable_plaintext_auth option disallows
13979:               login-related commands until an encrypted session has been negotiated using SSL. If
13980:               client compatibility requires you to allow connections to the pop3 or imap ports,
13981:               rather than the alternate SSL ports, you should use this option to require STARTTLS
13982:               before authentication.</description>
13983:             <Rule id="rule-3.17.2.2.4.a" selected="false" weight="10.000000">
13984:               <title xml:lang="en">Disable Plaintext Authentication</title>
13985:               <description xml:lang="en">Dovecot plaintext authentication of clients should be disabled</description>
13986:               <ident system="http://cce.mitre.org">CCE-4552-6</ident>
13987:               <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13988:               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13989:                 <check-content-ref name="oval:org.fedoraproject.f14:def:20337" href="scap-fedora14-oval.xml"/>
13990:               </check>
13991:             </Rule>
13992:           </Group>
13993:         </Group>
13994:         <Group id="group-3.17.2.3" hidden="false">
13995:           <title xml:lang="en">Enable Dovecot Options to Protect Against Code Flaws</title>
13996:           <description xml:lang="en">
13997:             Edit /etc/dovecot.conf and add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13998:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13999:             login_process_per_connection = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14000:             mail_drop_priv_before_exec = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14001:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14002:             IMAP and POP3 are
14003:             remote authenticated protocols, meaning that the server must accept remote connections
14004:             from anyone, but provide substantial services only to clients who have successfully
14005:             authenticated. To protect against security problems, Dovecot splits these functions into
14006:             separate server processes. The imap-login and/or pop3-login processes accept connections
14007:             from unauthenticated users, and only spawn imap or pop3 processes on successful
14008:             authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14009:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14010:             However, the imap-login and pop3-login processes themselves may contain
14011:             vulnerabilities. Since each of these processes operates as a daemon, handling multiple
14012:             sequential client connections from different users, bugs in the code could allow
14013:             unauthenticated users to steal credential data. If the login_process_per_connection
14014:             option is enabled, then a separate imap-login or pop3-login process is created for each
14015:             new connection, protecting against this class of problems. This option has an efficiency
14016:             cost, but is strongly recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14017:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14018:             If the mail_drop_priv_before_exec option is on, the
14019:             imap-login or pop3-login process will drop privileges to the user's ID after
14020:             authentication and before executing the imap or pop3 process itself. Under some very
14021:             limited circumstances, this could protect against privilege escalation by authenticated
14022:             users. However, if the mail_executable option is used to run code before starting each
14023:             user's session, it is important to drop privileges to prevent the custom code from
14024:             running as root.</description>
14025:           <Rule id="rule-3.17.2.3.a" selected="false" weight="10.000000">
14026:             <title xml:lang="en">Enable Dovecot Option mail_drop_priv_before_exec</title>
14027:             <description xml:lang="en">The Dovecot option to drop privileges to user before executing mail process should be enabled</description>
14028:             <ident system="http://cce.mitre.org">CCE-4371-1</ident>
14029:             <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
14030:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14031:               <check-content-ref name="oval:org.fedoraproject.f14:def:20338" href="scap-fedora14-oval.xml"/>
14032:             </check>
14033:           </Rule>
14034:           <Rule id="rule-3.17.2.3.b" selected="false" weight="10.000000">
14035:             <title xml:lang="en">Enable Dovecot Option login_process_per_connection</title>
14036:             <description xml:lang="en">The Dovecot option to spawn a new login process per connection should be enabled</description>
14037:             <ident system="http://cce.mitre.org">CCE-4410-7</ident>
14038:             <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
14039:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14040:               <check-content-ref name="oval:org.fedoraproject.f14:def:20339" href="scap-fedora14-oval.xml"/>
14041:             </check>
14042:           </Rule>
14043:         </Group>
14044:         <Group id="group-3.17.2.4" hidden="false">
14045:           <title xml:lang="en">Allow IMAP Clients to Access the Server</title>
14046:           <description xml:lang="en">
14047:             Edit /etc/sysconfig/iptables. Add the following line, ensuring
14048:             that it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14049:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14050:             -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14051:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14052:             The default
14053:             iptables configuration does not allow inbound access to any services. This modification
14054:             will allow remote hosts to initiate connections to the IMAP daemon, while keeping all
14055:             other ports on the server in their default protected state. See Section 2.5.5 for more
14056:             information about iptables.</description>
14057:         </Group>
14058:       </Group>
14059:     </Group>
14060:     <Group id="group-3.18" hidden="false">
14061:       <title xml:lang="en">Samba(SMB) Microsoft Windows File Sharing Server</title>
14062:       <description xml:lang="en">
14063:         When properly configured, the Samba service allows Linux machines
14064:         to provide file and print sharing to Microsoft Windows machines. There are two software
14065:         packages that provide Samba support. The first, samba-client, provides a series of command
14066:         line tools that enable a client machine to access Samba shares. The second, simply labeled
14067:         samba, provides the Samba service. It is this second package that allows a Linux machine to
14068:         act as an Active Directory server, a domain controller, or as a domain member. Only the
14069:         samba-client package is installed by default.</description>
14070:       <Group id="group-3.18.1" hidden="false">
14071:         <title xml:lang="en">Disable Samba if Possible</title>
14072:         <description xml:lang="en">
14073:           If the Samba service has been enabled and will not be used, disable it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14074:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14075:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig smb off <xhtml:br/></xhtml:code>
14076:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14077:           Even after the Samba server package has been installed, it
14078:           will remain disabled. Do not enable this service unless it is absolutely necessary to
14079:           provide Microsoft Windows file and print sharing functionality.</description>
14080:         <Rule id="rule-3.18.1.a" selected="false" weight="10.000000" severity="medium">
14081:           <title xml:lang="en">Disable Samba if Possible</title>
14082:           <description xml:lang="en">The smb service should be disabled.</description>
14083:           <ident system="http://cce.mitre.org">CCE-4551-8</ident>
14084:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
14085:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14086:             <check-content-ref name="oval:org.fedoraproject.f14:def:20340" href="scap-fedora14-oval.xml"/>
14087:           </check>
14088:         </Rule>
14089:       </Group>
14090:       <Group id="group-3.18.2" hidden="false">
14091:         <title xml:lang="en">Configure Samba if Necessary</title>
14092:         <description xml:lang="en">
14093:           All settings for the Samba daemon can be found in
14094:           /etc/samba/smb.conf. Settings are divided between a [global] configuration section and a
14095:           series of user created share definition sections meant to describe file or print shares on
14096:           the system. By default, Samba will operate in user mode and allow client machines to
14097:           access local home directories and printers. It is recommended that these settings be
14098:           changed or that additional limitations be set in place.</description>
14099:         <Group id="group-3.18.2.1" hidden="false">
14100:           <title xml:lang="en">Testing the Samba Configuration File</title>
14101:           <description xml:lang="en">
14102:             To test the configuration file for syntax errors, use the
14103:             testparm command. It will also list all settings currently in place, including defaults
14104:             that may not appear in the configuration file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14105:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14106:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># testparm -v</xhtml:code></description>
14107:         </Group>
14108:         <Group id="group-3.18.2.2" hidden="false">
14109:           <title xml:lang="en">Choosing the Appropriate security Parameter</title>
14110:           <description xml:lang="en">
14111:             There are two kinds of security in Samba, share-level (share)
14112:             and user-level. User-level security is further subdivided into four separate
14113:             implementations: user, domain, ads, and server. It is recommended that the share and
14114:             server security modes not be used. In share security, everyone is given the same
14115:             password for each share, preventing individual user accountability. server security mode
14116:             has been superseded by the domain and ads security modes. It may now be considered
14117:             obsolete. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14118:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14119:             The security parameter is set in the [global] section of the Samba
14120:             configuration file. It determines how the server will handle user names and passwords.
14121:             Some security modes require additional parameters, such as workgroup, realm, or password
14122:             server names. All security modes will require that each remote user have a matching
14123:             local account. One workaround to this problem is to use the winbindd daemon. Please
14124:             consult the official Samba documentation to learn more.</description>
14125:           <Group id="group-3.18.2.2.1" hidden="false">
14126:             <title xml:lang="en">Use user Security for Servers Not in a Domain Context</title>
14127:             <description xml:lang="en">
14128:               This is the default setting with a new Samba installation and
14129:               the best choice when operating outside of a domain security context. The relevant
14130:               parameters in /etc/samba/smb.conf will read as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14131:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14132:               security = user <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14133:               workgroup = MYGROUP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14134:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14135:               Set the value of workgroup so that it matches the value of other machines on
14136:               the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14137:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14138:               In user mode, authentication requests are handled locally and not passed
14139:               on to a separate authentication server. This is the desired behavior for standalone
14140:               servers and domain controllers.</description>
14141:           </Group>
14142:           <Group id="group-3.18.2.2.2" hidden="false">
14143:             <title xml:lang="en">Use domain Security for Servers in a Domain Context</title>
14144:             <description xml:lang="en">
14145:               First, change the security parameter to domain.
14146:               Next, set the workgroup and netbios name parameters (if necessary): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14147:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14148:               security = domain<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14149:               workgroup = WORKGROUP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14150:               netbios name = NETBIOSNAME <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14151:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14152:               domain mode is used for any machine
14153:               that will act as a domain member server. It lets Samba know that the authentication
14154:               information it needs can be found on another machine. Primary and Backup Domain
14155:               Controllers host copies of this information. Samba will try to automatically determine
14156:               which machine it should authenticate against on a domain network. If this detection
14157:               fails, it may be necessary to specify the location manually. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14158:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14159:               Unlike the Microsoft
14160:               Windows implementation of the SMB standard, a Samba machine can freely change roles
14161:               within a domain without requiring that the machine be reinstalled (such roles include
14162:               primary and backup domain controllers, domain member servers, and ordinary domain
14163:               workstations). However, there are some limitations on how each machine can fulfill
14164:               each role in a mixed network.</description>
14165:             <warning xml:lang="en">When using Samba as a Primary or Backup Domain Controller,
14166:               use security = user, not security = domain. This tells Samba that the local machine is
14167:               hosting the authentication backend. </warning>
14168:           </Group>
14169:           <Group id="group-3.18.2.2.3" hidden="false">
14170:             <title xml:lang="en">Use ads (Active Directory Service) Security For Servers in an ADS
14171:               Domain Context</title>
14172:             <description xml:lang="en">
14173:               The security mode ads enables a Samba machine to act
14174:               as an ADS domain member server. Since ADS requires Kerberos, be sure to set the realm
14175:               parameter appropriately and configure the local copy of Kerberos. If necessary, it is
14176:               also possible to manually set the password server parameter. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14177:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14178:               security = ads <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14179:               realm = MY_REALM <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14180:               password server = your.kerberos.server <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14181:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14182:               Currently, it is possible to act as an
14183:               Active Directory domain member server, but not as a domain controller. Be sure to
14184:               operate in mixed mode. Native mode may not work yet in current versions of Samba.
14185:               Future support for ADS should be forthcoming in Samba 4. See the Samba project web
14186:               site at http://www.samba.org for more details.</description>
14187:           </Group>
14188:         </Group>
14189:         <Group id="group-3.18.2.3" hidden="false">
14190:           <title xml:lang="en">Disable Guest Access and Local Login Support</title>
14191:           <description xml:lang="en">
14192:             Do not allow guest users to access local file or printer
14193:             shares. In global or in each share, set the parameter guest ok to no: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14194:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14195:             [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14196:             guest ok = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14197:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14198:             It is safe to disable local login support for remote Samba users. Consider changing
14199:             the add user account script to set remote user shells to /sbin/nologin.</description>
14200:           <Rule id="rule-3.18.2.3.a" selected="false" weight="10.000000">
14201:             <title xml:lang="en">Disable Guest Access and Local Login Support</title>
14202:             <description xml:lang="en">Do not allow guest users to access local file or printer shares. In global or in each share, set the parameter guest ok to no.</description>
14203:             <fixtext xml:lang="en">(1) via /etc/samba/smb.conf in [share] guest ok = no </fixtext>
14204:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14205:               <check-content-ref name="oval:org.fedoraproject.f14:def:203403" href="scap-fedora14-oval.xml"/>
14206:             </check>
14207:           </Rule>
14208:         </Group>
14209:         <Group id="group-3.18.2.4" hidden="false">
14210:           <title xml:lang="en">Disable Root Access</title>
14211:           <description xml:lang="en">
14212:             Administrators should not use administrator accounts to access
14213:             Samba file and printer shares. If possible, disable the root user and the wheel
14214:             administrator group: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14215:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14216:             [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14217:             invalid users = root @wheel <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14218:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14219:             If administrator accounts
14220:             cannot be disabled, ensure that local machine passwords and Samba service passwords do
14221:             not match. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14222:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14223:             Typically, administrator access is required when Samba must create user and
14224:             machine accounts and shares. Domain member servers and standalone servers may not need
14225:             administrator access at all. If that is the case, add the invalid users parameter to
14226:             [global] instead.</description>
14227:         </Group>
14228:         <Group id="group-3.18.2.5" hidden="false">
14229:           <title xml:lang="en">Set the Allowed Authentication Negotiation Levels</title>
14230:           <description xml:lang="en">By default, Samba will attempt to negotiate with Microsoft
14231:             Windows machines to set a common communication protocol. Whenever possible, be sure to
14232:             disable LANMAN authentication, as it is far weaker than the other supported protocols. Note that the client lanman auth parameter shown below governs only connections that Samba initiates as a client; to refuse LANMAN authentication from clients connecting to this server, the server-side lanman auth parameter must also be set to no.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14233:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14234:             [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14235:             client lanman auth = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14236:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14237:             Newer versions of Microsoft Windows may require the use
14238:             of NTLMv2. NTLMv2 is the preferred protocol for authentication, but since older machines
14239:             do not support it, Samba has disabled it by default. If possible, re-enable it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14240:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14241:             [global]<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14242:             client ntlmv2 auth = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14243:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14244:             For the sake of backwards compatibility, most modern Windows
14245:             machines will still allow other machines to communicate with them over weak protocols
14246:             such as LANMAN. On Samba, by enabling NTLMv2, you are also disabling LANMAN and NTLMv1.
14247:             If NTLMv1 is required, it is still possible to individually disable LANMAN.</description>
14248:         </Group>
14249:         <Group id="group-3.18.2.6" hidden="false">
14250:           <title xml:lang="en">Let Domain Controllers Create Machine Trust Accounts On-the-Fly</title>
14251:           <description xml:lang="en">
14252:             Add or correct an add machine script entry to the [global]
14253:             section of /etc/samba/smb.conf to allow Samba to dynamically create Machine Trust
14254:             Accounts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14255:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14256:             [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14257:             add machine script = /usr/sbin/useradd -n -g machines -d /dev/null -s /sbin/nologin %u <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14258:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14259:             Make sure that the group machines exists. If not, add it with the
14260:             following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14261:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14262:             /usr/sbin/groupadd machines <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14263:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14264:             When acting as a PDC, it becomes
14265:             necessary to create and store Machine Trust Accounts for each machine that joins the
14266:             domain. On a Microsoft Windows PDC, this account is created with the Server Manager
14267:             tool, but on a Samba PDC, two accounts must be created. The first is the local machine
14268:             account, and the second is the Samba account. For security purposes, it is recommended
14269:             to let Samba create these accounts on-the-fly. When Machine Trust Accounts are created
14270:             manually, there is a small window of opportunity in which a rogue machine could join the
14271:             domain in place of the new server.</description>
14272:         </Group>
14273:         <Group id="group-3.18.2.7" hidden="false">
14274:           <title xml:lang="en">Restrict Access to the [IPC$] Share</title>
14275:           <description xml:lang="en">
14276:             Limit access to the [IPC$] share so that only machines in your
14277:             network will be able to connect to it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14278:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14279:             [IPC$] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14280:             hosts allow = 192.168.1. 127.0.0.1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14281:             hosts deny = 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14282:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14283:             The [IPC$] share allows users to anonymously fetch a list of shared
14284:             resources from a server. It is intended to allow users to browse the list of available
14285:             shares. It also can be used as a point of attack into a system. Disabling it completely
14286:             may break some functionality, so it is recommended that you merely limit access to it
14287:             instead.</description>
14288:         </Group>
14289:         <Group id="group-3.18.2.8" hidden="false">
14290:           <title xml:lang="en">Restrict File Sharing</title>
14291:           <description xml:lang="en">
14292:             Only users with local user accounts will be able to log in to
14293:             Samba shares by default. Shares can be limited to particular users or network addresses.
14294:             Use the hosts allow and hosts deny directives accordingly, and consider setting the
14295:             valid users directive to a limited subset of users or to a group of users. Separate each
14296:             address, user, or user group with a space as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14297:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14298:             [share] hosts allow = 192.168.1. 127.0.0.1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14299:             valid users = userone usertwo @usergroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14300:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14301:             It is also possible to limit read and
14302:             write access to particular users with the read list and write list options, though the
14303:             permissions set by the system itself will override these settings. Set the read only
14304:             attribute for each share to ensure that global settings will not accidentally override
14305:             the individual share settings. Then, as with the valid users directive, separate each
14306:             user or group of users with a space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14307:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14308:             [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14309:             read only = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14310:             write list = userone usertwo @usergroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14311:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14312:             The Samba service is only required for sharing files and printers
14313:             with Microsoft Windows workstations, and even then, other options may exist. Do not use
14314:             the Samba service to share files between Unix or Linux machines.</description>
14315:         </Group>
14316:         <Group id="group-3.18.2.9" hidden="false">
14317:           <title xml:lang="en">Require Server SMB Packet Signing</title>
14318:           <description xml:lang="en">
14319:             To make the server use packet signing, add the following to the [global] section of the Samba configuration
14320:             file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14321:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14322:             server signing = mandatory<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14323:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14324:             The Samba server should only communicate with clients who can support SMB packet signing. Packet signing
14325:             can prevent man-in-the-middle attacks which modify SMB packets in transit.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14326:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14327:             The Samba service is only required for sharing files and printers with Microsoft Windows workstations, and even
14328:             then, other options may exist. Do not use the Samba service to share files between Unix or Linux machines.
14329:           </description>
14330:         </Group>
14331:         <Group id="group-3.18.2.10" hidden="false">
14332:           <title xml:lang="en">Require Client SMB Packet Signing, if using smbclient</title>
14333:           <description xml:lang="en">
14334:             To require samba clients running smbclient to use packet signing, add the following to the [global] section
14335:             of the Samba configuration file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14336:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14337:             client signing = mandatory<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14338:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14339:             A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can
14340:             prevent man-in-the-middle attacks which modify SMB packets in transit.
14341:           </description>
14342:           <Rule id="rule-3.18.2.10.a" selected="false" weight="10.000000">
14343:             <title xml:lang="en">Require Client SMB Packet Signing, if using smbclient</title>
14344:             <description xml:lang="en">
14345:               Require samba clients running smbclient to use packet signing.  A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can
14346:               prevent man-in-the-middle attacks which modify SMB packets in transit.</description>
14347:             <ident system="http://cce.mitre.org">CCE-4556-7</ident>
14348:             <fixtext xml:lang="en">(1) via /etc/samba/smb.conf in [global] client signing = mandatory</fixtext>
14349:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14350:               <check-content-ref name="oval:org.fedoraproject.f14:def:2034010" href="scap-fedora14-oval.xml"/>
14351:             </check>
14352:           </Rule>
14353:         </Group>
14354:         <Group id="group-3.18.2.11" hidden="false">
14355:           <title xml:lang="en">Require Client SMB Packet Signing, if using mount.cifs</title>
14356:           <description xml:lang="en">
14357:             Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who
14358:             specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are
14359:             used.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14360:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14361:             See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers
14362:             who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB
14363:             packets in transit.
14364:           </description>
14365:           <Rule id="rule-3.18.2.11.a" selected="false" weight="10.000000">
14366:             <title xml:lang="en">Require Client SMB Packet Signing, if using mount.cifs</title>
14367:             <description xml:lang="en">
14368:               Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who
14369:               specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are
14370:               used.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14371:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14372:               See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers
14373:               who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB
14374:               packets in transit.</description>
14375:             <ident system="http://cce.mitre.org">CCE-4556-7</ident>
14376:             <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
14377:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14378:               <check-content-ref name="oval:org.fedoraproject.f14:def:2034011" href="scap-fedora14-oval.xml"/>
14379:             </check>
14380:           </Rule>
14381:         </Group>
14382:         <Group id="group-3.18.2.12" hidden="false">
14383:           <title xml:lang="en">Restrict Printer Sharing</title>
14384:           <description xml:lang="en">
14385:             By default, Samba utilizes the CUPS printing service to enable
14386:             printer sharing with Microsoft Windows workstations. If there are no printers on the
14387:             local machine, or if printer sharing with Microsoft Windows is not required, disable the
14388:             printer sharing capability by commenting out the following lines, found in
14389:             /etc/samba/smb.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14390:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14391:             [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14392:             ; load printers = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14393:             ; cups options = raw <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14394:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14395:             [printers] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14396:             comment = All Printers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14397:             path = /usr/spool/samba <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14398:             browseable = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14399:             guest ok = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14400:             writable = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14401:             printable = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14402:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14403:             There may be other options present, but these are the only options
14404:             enabled and uncommented by default. Removing the [printers] share should be enough for
14405:             most users. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14406:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14407:             If the Samba printer sharing capability is needed, consider disabling the
14408:             Samba network browsing capability or restricting access to a particular set of users or
14409:             network addresses. Set the valid users parameter to a small subset of users or restrict
14410:             it to a particular group of users with the shorthand @. Separate each user or group of
14411:             users with a space. For example, under the [printers] share: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14412:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14413:             [printers] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14414:             valid users = user @printerusers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14415:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14416:             The CUPS service is capable of sharing printers with other Unix and
14417:             Linux machines on the local network without the Samba service. The Samba service is only
14418:             required when a Microsoft Windows machine needs printer access on a Unix or Linux host.</description>
14419:         </Group>
14420:         <Group id="group-3.18.2.13" hidden="false">
14421:           <title xml:lang="en">Configure iptables to Allow Access to the Samba Server</title>
14422:           <description xml:lang="en">
14423:             Determine an appropriate network block, netwk, and network
14424:             mask, mask, representing the machines on your network which should operate as clients
14425:             of the Samba server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14426:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14427:             Edit /etc/sysconfig/iptables. Add the following lines, ensuring
14428:             that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14429:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 137 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14430:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 138 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14431:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 139 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14432:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 445 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14433:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14434:             The default Iptables configuration does not allow inbound access to the ports used by
14435:             the Samba service. This modification allows that access, while keeping other ports on
14436:             the server in their default protected state. Since these ports are frequent targets of
14437:             network scanning attacks, restricting access to only the network segments which need to
14438:             access the Samba server is strongly recommended. See Section 2.5.5 for more information
14439:             about Iptables.</description>
14440:         </Group>
14441:       </Group>
14442:       <Group id="group-3.18.3" hidden="false">
14443:         <title xml:lang="en">Avoid the Samba Web Administration Tool (SWAT)</title>
14444:         <description xml:lang="en">
14445:           SWAT is a web based configuration tool provided by the Samba team
14446:           that enables both local and remote configuration management. It is not installed by
14447:           default. It is recommended that SWAT not be used, as it requires the use of a Samba
14448:           administrator account and sends that password in the clear over a network connection. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14449:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14450:           If
14451:           SWAT is absolutely required, limit access to the local machine or tunnel SWAT connections
14452:           through SSL with stunnel.</description>
14453:       </Group>
14454:     </Group>
14455:     <Group id="group-3.19" hidden="false">
14456:       <title xml:lang="en">Proxy Server</title>
14457:       <description xml:lang="en">
14458:         A proxy server is a very desirable target for a potential adversary
14459:         because much (or all) sensitive data for a given infrastructure may flow through it.
14460:         Therefore, if one is required, the machine acting as a proxy server should be dedicated to
14461:         that purpose alone and be stored in a physically secure location. The system's default proxy
14462:         server software is Squid, and provided in an RPM package of the same name.</description>
14463:       <reference href="">Galarneua, E. Security Considerations with Squid proxy server. Tech. rep., Apr 2003</reference>
14464:       <reference href="">Wessels, D. Squid: The Definitive Guide. O’Reilly and Associates, Jan 2004</reference>
14465:       <Group id="group-3.19.1" hidden="false">
14466:         <title xml:lang="en">Disable Squid if Possible</title>
14467:         <description xml:lang="en">
14468:           If Squid was installed and activated, but the system does not
14469:           need to act as a proxy server, then it should be disabled and removed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14470:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14471:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig squid off <xhtml:br/>
14472:           # yum erase squid</xhtml:code></description>
14473:         <Rule id="rule-3.19.1.a" selected="false" weight="10.000000" severity="low">
14474:           <title xml:lang="en">Disable Squid if Possible</title>
14475:           <description xml:lang="en">The squid service should be disabled.</description>
14476:           <ident system="http://cce.mitre.org">CCE-4556-7</ident>
14477:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
14478:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14479:             <check-content-ref name="oval:org.fedoraproject.f14:def:20341" href="scap-fedora14-oval.xml"/>
14480:           </check>
14481:         </Rule>
14482:         <Rule id="rule-3.19.1.b" selected="false" weight="10.000000">
14483:           <title xml:lang="en">Uninstall Squid if Possible</title>
14484:           <description xml:lang="en">The squid package should be uninstalled.</description>
14485:           <ident system="http://cce.mitre.org">CCE-4076-6</ident>
14486:           <fixtext xml:lang="en">(1) via yum</fixtext>
14487:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14488:             <check-content-ref name="oval:org.fedoraproject.f14:def:20342" href="scap-fedora14-oval.xml"/>
14489:           </check>
14490:         </Rule>
14491:       </Group>
14492:       <Group id="group-3.19.2" hidden="false">
14493:         <title xml:lang="en">Configure Squid if Necessary</title>
14494:         <description xml:lang="en">
14495:           The Squid configuration file is /etc/squid/squid.conf. The
14496:           following recommendations can be applied to this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14497:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14498:           Note: If a particular tag is not
14499:           present in the configuration file, Squid falls back to the default setting (which is often
14500:           illustrated by a comment).</description>
14501:         <Group id="group-3.19.2.1" hidden="false">
14502:           <title xml:lang="en">Listen on Uncommon Port</title>
14503:           <description xml:lang="en">
14504:             The default listening port for the Squid service is 3128. As
14505:             such, it is frequently scanned by adversaries looking for proxy servers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14506:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14507:             Select an
14508:             arbitrary (but uncommon) high port to use as the Squid listening port and make the
14509:             corresponding change to the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14510:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14511:             http_port port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14512:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14513:             Run the following command
14514:             to add a new SELinux port mapping for the service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14515:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14516:             <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage port -a -t http_cache_port_t -p tcp port</xhtml:code></description>
14517:         </Group>
14518:         <Group id="group-3.19.2.2" hidden="false">
14519:           <title xml:lang="en">Verify Default Secure Settings</title>
14520:           <description xml:lang="en">
14521:             Several security-enhancing settings in the Squid configuration
14522:             file are enabled by default, but appear as comments in the configuration file (as
14523:             mentioned in Section 3.19.2). In these instances, the explicit directive is not present,
14524:             which means it is implicitly enabled. If you are operating with a default configuration
14525:             file, this section can be ignored. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14526:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14527:             Ensure that the following security settings are NOT
14528:             explicitly changed from their default values: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14529:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14530:             ftp_passive on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14531:             ftp_sanitycheck on<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14532:             check_hostnames on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14533:             request_header_max_size 20 KB <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14534:             reply_header_max_size 20 KB<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14535:             cache_effective_user squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14536:             cache_effective_group squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14537:             ignore_unknown_nameservers on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14538:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14539:             ftp_passive forces FTP passive connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14540:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14541:             ftp_sanitycheck performs additional sanity checks on FTP data connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14542:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14543:             check_hostnames ensures that hostnames meet RFC compliance. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14544:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14545:             request_header_max_size and reply_header_max_size place an upper limit on
14546:             HTTP header length, precautions against denial-of-service and buffer overflow
14547:             vulnerabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14548:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14549:             cache_effective_user and cache_effective_group designate the EUID and
14550:             EGID of Squid following initialization (it is essential that the EUID/EGID be set to an
14551:             unprivileged sandbox account). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14552:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14553:             ignore_unknown_nameservers checks to make sure that DNS
14554:             responses come from the same IP the request was sent to.</description>
14555:           <Value id="var-3.19.2.2.d" operator="equals" type="string">
14556:             <title xml:lang="en">request_header_max_size</title>
14557:             <description xml:lang="en">Place an upper limit on HTTP request header length, precautions against denial-of-service and buffer overflow vulnerabilities.</description>
14558:             <question xml:lang="en">Specify an upper limit on HTTP request header length</question>
14559:             <value>20kb</value>
14560:             <value selector="20kb">20kb</value>
14561:             <match>^[\d]+[KMGkmg]?[Bb]?$</match>
14562:           </Value>
14563:           <Value id="var-3.19.2.2.e" operator="equals" type="string">
14564:             <title xml:lang="en">reply_header_max_size</title>
14565:             <description xml:lang="en">Place an upper limit on HTTP reply header length, precautions against denial-of-service and buffer overflow vulnerabilities.</description>
14566:             <question xml:lang="en">Specify an upper limit on HTTP reply header length</question>
14567:             <value>20kb</value>
14568:             <value selector="20kb">20kb</value>
14569:             <match>^[\d]+[KMGkmg]?[Bb]?$</match>
14570:           </Value>
14571:           <Value id="var-3.19.2.2.f" operator="equals" type="string">
14572:             <title xml:lang="en">cache_effective_user</title>
14573:             <description xml:lang="en">Designate the EUID of Squid following initialization (it is essential that the EUID be set to an unprivileged sandbox account).</description>
14574:             <question xml:lang="en">Designate the EUID of Squid following initialization</question>
14575:             <value>squid</value>
14576:             <value selector="squid">squid</value>
14577:           </Value>
14578:           <Value id="var-3.19.2.2.g" operator="equals" type="string">
14579:             <title xml:lang="en">cache_effective_group</title>
14580:             <description xml:lang="en">Designate the EGID of Squid following initialization (it is essential that the EGID be set to an unprivileged sandbox account).</description>
14581:             <question xml:lang="en">Designate the EGID of Squid following initialization</question>
14582:             <value>squid</value>
14583:             <value selector="squid">squid</value>
14584:           </Value>
14585:           <Rule id="rule-3.19.2.2.a" selected="false" weight="10.000000">
14586:             <title xml:lang="en">Verify ftp_passive setting</title>
14587:             <description xml:lang="en">The Squid option to force FTP passive connections should be enabled</description>
14588:             <ident system="http://cce.mitre.org">CCE-4454-5</ident>
14589:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14590:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14591:               <check-content-ref name="oval:org.fedoraproject.f14:def:20343" href="scap-fedora14-oval.xml"/>
14592:             </check>
14593:           </Rule>
14594:           <Rule id="rule-3.19.2.2.b" selected="false" weight="10.000000">
14595:             <title xml:lang="en">Verify ftp_sanitycheck setting</title>
14596:             <description xml:lang="en">The Squid option to perform FTP sanity checks should be enabled</description>
14597:             <ident system="http://cce.mitre.org">CCE-4459-4</ident>
14598:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14599:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14600:               <check-content-ref name="oval:org.fedoraproject.f14:def:20344" href="scap-fedora14-oval.xml"/>
14601:             </check>
14602:           </Rule>
14603:           <Rule id="rule-3.19.2.2.c" selected="false" weight="10.000000">
14604:             <title xml:lang="en">Verify check_hostnames setting</title>
14605:             <description xml:lang="en">The Squid option to check for RFC compliant hostnames should be enabled</description>
14606:             <ident system="http://cce.mitre.org">CCE-4503-9</ident>
14607:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14608:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14609:               <check-content-ref name="oval:org.fedoraproject.f14:def:20345" href="scap-fedora14-oval.xml"/>
14610:             </check>
14611:           </Rule>
14612:           <Rule id="rule-3.19.2.2.d" selected="false" weight="10.000000">
14613:             <title xml:lang="en">Verify request_header_max_size setting</title>
14614:             <description xml:lang="en">The Squid max request HTTP header length should be set to an appropriate value</description>
14615:             <ident system="http://cce.mitre.org">CCE-4353-9</ident>
14616:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14617:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14618:               <check-export export-name="oval:org.fedoraproject.f14:var:20346" value-id="var-3.19.2.2.d"/>
14619:               <check-content-ref name="oval:org.fedoraproject.f14:def:20346" href="scap-fedora14-oval.xml"/>
14620:             </check>
14621:           </Rule>
14622:           <Rule id="rule-3.19.2.2.e" selected="false" weight="10.000000">
14623:             <title xml:lang="en">Verify reply_header_max_size setting</title>
14624:             <description xml:lang="en">The Squid max reply HTTP header length should be set to an appropriate value</description>
14625:             <ident system="http://cce.mitre.org">CCE-4419-8</ident>
14626:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14627:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14628:               <check-export export-name="oval:org.fedoraproject.f14:var:20347" value-id="var-3.19.2.2.e"/>
14629:               <check-content-ref name="oval:org.fedoraproject.f14:def:20347" href="scap-fedora14-oval.xml"/>
14630:             </check>
14631:           </Rule>
14632:           <Rule id="rule-3.19.2.2.f" selected="false" weight="10.000000">
14633:             <title xml:lang="en">Verify cache_effective_user setting</title>
14634:             <description xml:lang="en">The Squid EUID should be set to an appropriate user</description>
14635:             <ident system="http://cce.mitre.org">CCE-3692-1</ident>
14636:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14637:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14638:               <check-export export-name="oval:org.fedoraproject.f14:var:20348" value-id="var-3.19.2.2.f"/>
14639:               <check-content-ref name="oval:org.fedoraproject.f14:def:20348" href="scap-fedora14-oval.xml"/>
14640:             </check>
14641:           </Rule>
14642:           <Rule id="rule-3.19.2.2.g" selected="false" weight="10.000000">
14643:             <title xml:lang="en">Verify cache_effective_group setting</title>
14644:             <description xml:lang="en">The Squid EGID should be set to an appropriate group</description>
14645:             <ident system="http://cce.mitre.org">CCE-4476-8</ident>
14646:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14647:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14648:               <check-export export-name="oval:org.fedoraproject.f14:var:20349" value-id="var-3.19.2.2.g"/>
14649:               <check-content-ref name="oval:org.fedoraproject.f14:def:20349" href="scap-fedora14-oval.xml"/>
14650:             </check>
14651:           </Rule>
14652:           <Rule id="rule-3.19.2.2.h" selected="false" weight="10.000000">
14653:             <title xml:lang="en">Verify ignore_unknown_nameservers setting</title>
14654:             <description xml:lang="en">The Squid option to ignore unknown nameservers should be enabled</description>
14655:             <ident system="http://cce.mitre.org">CCE-3585-7</ident>
14656:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14657:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14658:               <check-content-ref name="oval:org.fedoraproject.f14:def:20350" href="scap-fedora14-oval.xml"/>
14659:             </check>
14660:           </Rule>
14661:         </Group>
14662:         <Group id="group-3.19.2.3" hidden="false">
14663:           <title xml:lang="en">Change Default Insecure Settings</title>
14664:           <description xml:lang="en">
14665:             The default configuration settings for the following tags are
14666:             considered to be weak security and NOT recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14667:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14668:             Add or modify the configuration file to include the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14669:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14670:             allow_underscore off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14671:             httpd_suppress_version_string on<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14672:             forwarded_for off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14673:             log_mime_hdrs on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14674:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14675:             allow_underscore enforces RFC 1034 compliance on
14676:             hostnames by disallowing the use of underscores. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14677:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14678:             httpd_suppress_version_string prevents
14679:             Squid from revealing version information in web headers and error pages. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14680:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14681:             forwarded_for
14682:             reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the
14683:             leakage of internal network configuration details. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14684:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14685:             log_mime_hdrs enables logging of HTTP
14686:             response/request headers.</description>
14687:           <Value id="var-3.19.2.3.a" operator="equals" type="string">
14688:             <title xml:lang="en">allow_underscore</title>
14689:             <description xml:lang="en">allow_underscore enforces RFC 1034 compliance on hostnames by disallowing the use of underscores.</description>
14690:             <question xml:lang="en">Enable/Disable enforcing RFC 1034 compliance on hostnames</question>
14691:             <value>off</value>
14692:             <value selector="enabled">on</value>
14693:             <value selector="disabled">off</value>
14694:             <match>on|off</match>
14695:             <choices mustMatch="true">
14696:               <choice>on</choice>
14697:               <choice>off</choice>
14698:             </choices>
14699:           </Value>
14700:           <Value id="var-3.19.2.3.b" operator="equals" type="string">
14701:             <title xml:lang="en">httpd_suppress_version</title>
14702:             <description xml:lang="en">httpd_suppress_version_string prevents Squid from revealing version information in web headers and error pages.</description>
14703:             <question xml:lang="en">Enable/Disable preventing squid from revealing version information in web headers and error pages</question>
14704:             <value>on</value>
14705:             <value selector="enabled">on</value>
14706:             <value selector="disabled">off</value>
14707:             <match>on|off</match>
14708:             <choices mustMatch="true">
14709:               <choice>on</choice>
14710:               <choice>off</choice>
14711:             </choices>
14712:           </Value>
14713:           <Value id="var-3.19.2.3.c" operator="equals" type="string">
14714:             <title xml:lang="en">forwarded_for</title>
14715:             <description xml:lang="en">forwarded_for reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the leakage of internal network configuration details. </description>
14716:             <question xml:lang="en">Enable/Disable revealing proxy client IP addresses in HTTP headers</question>
14717:             <value>off</value>
14718:             <value selector="enabled">on</value>
14719:             <value selector="disabled">off</value>
14720:             <match>on|off</match>
14721:             <choices mustMatch="true">
14722:               <choice>on</choice>
14723:               <choice>off</choice>
14724:             </choices>
14725:           </Value>
14726:           <Value id="var-3.19.2.3.d" operator="equals" type="string">
14727:             <title xml:lang="en">log_mime_hdrs</title>
14728:             <description xml:lang="en">log_mime_hdrs enables logging of HTTP response/request headers.</description>
14729:             <question xml:lang="en">Enable/Disable logging of HTTP response/request headers</question>
14730:             <value>on</value>
14731:             <value selector="enabled">on</value>
14732:             <value selector="disabled">off</value>
14733:             <match>on|off</match>
14734:             <choices mustMatch="true">
14735:               <choice>on</choice>
14736:               <choice>off</choice>
14737:             </choices>
14738:           </Value>
14739:           <Rule id="rule-3.19.2.3.a" selected="false" weight="10.000000">
14740:             <title xml:lang="en">Check allow_underscore setting</title>
14741:             <description xml:lang="en">The Squid option to allow underscores in hostnames should be disabled</description>
14742:             <ident system="http://cce.mitre.org">CCE-4344-8</ident>
14743:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14744:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14745:               <check-export export-name="oval:org.fedoraproject.f14:var:20351" value-id="var-3.19.2.3.a"/>
14746:               <check-content-ref name="oval:org.fedoraproject.f14:def:20351" href="scap-fedora14-oval.xml"/>
14747:             </check>
14748:           </Rule>
14749:           <Rule id="rule-3.19.2.3.b" selected="false" weight="10.000000">
14750:             <title xml:lang="en">Check httpd_suppress_version setting</title>
14751:             <description xml:lang="en">The Squid option to suppress the httpd version string should be enabled</description>
14752:             <ident system="http://cce.mitre.org">CCE-4494-1</ident>
14753:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14754:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14755:               <check-export export-name="oval:org.fedoraproject.f14:var:20352" value-id="var-3.19.2.3.b"/>
14756:               <check-content-ref name="oval:org.fedoraproject.f14:def:20352" href="scap-fedora14-oval.xml"/>
14757:             </check>
14758:           </Rule>
14759:           <Rule id="rule-3.19.2.3.c" selected="false" weight="10.000000">
14760:             <title xml:lang="en">Check forwarded_for setting</title>
14761:             <description xml:lang="en">The Squid option to show proxy client IP addresses in HTTP headers should be disabled</description>
14762:             <ident system="http://cce.mitre.org">CCE-4181-4</ident>
14763:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14764:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14765:               <check-export export-name="oval:org.fedoraproject.f14:var:20353" value-id="var-3.19.2.3.c"/>
14766:               <check-content-ref name="oval:org.fedoraproject.f14:def:20353" href="scap-fedora14-oval.xml"/>
14767:             </check>
14768:           </Rule>
14769:           <Rule id="rule-3.19.2.3.d" selected="false" weight="10.000000">
14770:             <title xml:lang="en">Check log_mime_hdrs setting</title>
14771:             <description xml:lang="en">The Squid option to log HTTP MIME headers should be enabled</description>
14772:             <ident system="http://cce.mitre.org">CCE-4577-3</ident>
14773:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14774:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14775:               <check-export export-name="oval:org.fedoraproject.f14:var:20354" value-id="var-3.19.2.3.d"/>
14776:               <check-content-ref name="oval:org.fedoraproject.f14:def:20354" href="scap-fedora14-oval.xml"/>
14777:             </check>
14778:           </Rule>
14779:         </Group>
14780:         <Group id="group-3.19.2.4" hidden="false">
14781:           <title xml:lang="en">Configure Authentication if Applicable</title>
14782:           <description xml:lang="en">
14783:             Note: Authentication cannot be used in the case of transparent
14784:             proxies due to limitations of the TCP/IP protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14785:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14786:             Similar to web servers, two of the
14787:             available options are Basic and Digest authentication. The other options are NTLM and
14788:             Negotiate authentication. As noted in Section 3.16.3.5, Basic authentication transmits
14789:             passwords in plain-text and is susceptible to passive monitoring. If network sniffing is
14790:             a concern, basic authentication should not be used. Negotiate is the newest and most
14791:             secure protocol. It attempts to use Kerberos authentication and falls back to NTLM if it
14792:             cannot. It should be noted that Kerberos requires a third-party Key Distribution Center
14793:             (KDC) to function properly, whereas the other methods of authentication are two-party
14794:             schemes. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14795:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14796:             Squid also offers the ability to choose a custom external authenticator.
14797:             Designating an external authenticator (also known as a 'helper' module) allows Squid to
14798:             offer pluggable third-party authentication schemes. LDAP is one example of a helper
14799:             module that exists and is in use today. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14800:             There are comments under the auth_param tag
14801:             inside /etc/squid/squid.conf that provide extensive detail on how to configure each of
14802:             these methods. If authentication is necessary, choose a method of authentication and
14803:             configure appropriately. The recommended minimum configurations illustrated for each
14804:             method are acceptable. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14805:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14806:             To force an ACL (as discussed in Section 3.19.2.5) to require
14807:             authentication, use the following directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14808:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14809:             acl name-of-ACL proxy_auth REQUIRED <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14810:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14811:             Note:
14812:             The keyword REQUIRED can be replaced with a user or list of users to further restrict
14813:             access to a smaller subset of users.</description>
14814:         </Group>
14815:         <Group id="group-3.19.2.5" hidden="false">
14816:           <title xml:lang="en">Access Control Lists (ACL)</title>
14817:           <description xml:lang="en">
14818:             The acl and http_access tags are used in combination to allow filtering based on a series of
14819:             access control lists. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14820:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14821:             Squid has a list of default ACLs for localhost, SSL ports, and
14822:             'safe' ports. Following the definition of these ACLs, a series of http_access directives
14823:             establish the following default filtering policy: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14824:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14825:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
14826:               <xhtml:li>Allow cachemgr access only from localhost </xhtml:li>
14827:               <xhtml:li>Allow access only to ports in the 'safe' access control list</xhtml:li>
14828:               <xhtml:li>Limit CONNECT method to SSL ports only</xhtml:li>
14829:               <xhtml:li>Allow access from localhost</xhtml:li>
14830:               <xhtml:li>Deny all other requests</xhtml:li>
14831:             </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14832:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14833:             The
14834:             default ACL policies are reasonable from a security standpoint. However, the number of
14835:             ports listed as 'safe' could be significantly trimmed depending on the needs of your
14836:             network. Out of the box, ports 21, 70, 80, 210, 280, 443, 488, 591, 777, and 1025
14837:             through 65535 are all considered safe. Some of these ports are associated with
14838:             deprecated or rarely used protocols. As such, this list could be trimmed to further
14839:             tighten filtering. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14840:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14841:             The following actions should be taken to tighten the ACL policies: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14842:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14843:             <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
14844:               <xhtml:li>There is a filter line in the configuration file that is recommended but commented out.
14845:                 This line should be uncommented or added to prevent access to localhost from the proxy:<xhtml:br/>
14846:                 <xhtml:br/>
14847:                 http_access deny to_localhost </xhtml:li>
14848:               <xhtml:li>An access list should be set up for the specific network
14849:                 or networks that the proxy is intended to serve. Only this subset of IP addresses should
14850:                 be allowed access. <xhtml:br/>
14851:                 <xhtml:br/>
14852:                 Add these lines where the following comment appears: <xhtml:br/>
14853:                 <xhtml:br/>
14854:                 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS <xhtml:br/>
14855:                 acl your-network-acl-name src ip-range <xhtml:br/>
14856:                 http_access allow your-network-acl-name <xhtml:br/>
14857:                 <xhtml:br/>
14858:                 Note: ip-range is of the format xxx.xxx.xxx.xxx/xx</xhtml:li>
14859:               <xhtml:li>Ensure that the final http_access line to appear in the configuration file
14860:                 is the following: <xhtml:br/>
14861:                 <xhtml:br/>
14862:                 http_access deny all <xhtml:br/>
14863:                 <xhtml:br/>
14864:                 This guarantees that all traffic not meeting an
14865:                 explicit filtering rule is denied. <xhtml:br/>
14866:                 <xhtml:br/>
14867:                 Further filters should be established to meet the
14868:                 specific needs of a network, explicitly allowing access only where necessary.</xhtml:li>
14869:               <xhtml:li>Consult
14870:                 the chart below. Corresponding acl entries for unused protocols should be commented out
14871:                 and thus denied. </xhtml:li>
14872:             </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14873:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14874:             <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
14875:               <xhtml:thead>
14876:                 <xhtml:tr>
14877:                   <xhtml:td>Port</xhtml:td><xhtml:td>Service</xhtml:td><xhtml:td>Summary</xhtml:td><xhtml:td>Recommendation</xhtml:td>
14878:                 </xhtml:tr>
14879:               </xhtml:thead>
14880:               <xhtml:tbody>
14881:                 <xhtml:tr>
14882:                   <xhtml:td>21</xhtml:td>
14883:                   <xhtml:td>ftp</xhtml:td>
14884:                   <xhtml:td>File Transfer Protocol (FTP)
14885:                     is a widely used file transfer protocol. </xhtml:td>
14886:                   <xhtml:td>ALLOW</xhtml:td>
14887:                 </xhtml:tr>
14888:                 <xhtml:tr>
14889:                   <xhtml:td>70</xhtml:td>
14890:                   <xhtml:td>gopher</xhtml:td>
14891:                   <xhtml:td>The gopher protocol is a
14892:                     deprecated search and retrieval protocol that is almost extinct, with as few as 100
14893:                     gopher servers present worldwide. Support for gopher is disabled in most modern
14894:                     browsers. </xhtml:td>
14895:                   <xhtml:td>DENY</xhtml:td>
14896:                 </xhtml:tr>
14897:                 <xhtml:tr>
14898:                   <xhtml:td>80</xhtml:td>
14899:                   <xhtml:td>http</xhtml:td>
14900:                   <xhtml:td>A web proxy needs to allow access to HTTP traffic.  </xhtml:td>
14901:                   <xhtml:td>ALLOW</xhtml:td>
14902:                 </xhtml:tr>
14903:                 <xhtml:tr>
14904:                   <xhtml:td>210</xhtml:td>
14905:                   <xhtml:td>wais</xhtml:td>
14906:                   <xhtml:td>The Wide Area Information Server port is similar to gopher, serving as a text searching
14907:                     system to scour indexes on remote machines. Today, it is deprecated and nearly
14908:                     non-existent on the Internet.  </xhtml:td>
14909:                   <xhtml:td>DENY</xhtml:td>
14910:                 </xhtml:tr>
14911:                 <xhtml:tr>
14912:                     <xhtml:td>280</xhtml:td>
14913:                     <xhtml:td>http-mgmt</xhtml:td>
14914:                     <xhtml:td>No documentation of any kind could be
14915:                       found on the obscure service that resides on this port. </xhtml:td>
14916:                     <xhtml:td>DENY</xhtml:td>
14917:                   </xhtml:tr>
14918:                   <xhtml:tr>
14919:                     <xhtml:td>443</xhtml:td>
14920:                     <xhtml:td>https</xhtml:td>
14921:                     <xhtml:td>SSL traffic is
14922:                       likely (and recommended) for any proxy and should be allowed. </xhtml:td>
14923:                     <xhtml:td>ALLOW</xhtml:td>
14924:                   </xhtml:tr>
14925:                 <xhtml:tr>
14926:                   <xhtml:td>488</xhtml:td>
14927:                   <xhtml:td>gss-http</xhtml:td>
14928:                   <xhtml:td>No
14929:                     documentation of any kind could be found on the obscure service that resides on this
14930:                     port. </xhtml:td>
14931:                   <xhtml:td>DENY</xhtml:td>
14932:                 </xhtml:tr>
14933:                 <xhtml:tr>
14934:                   <xhtml:td>591</xhtml:td>
14935:                   <xhtml:td>filemaker</xhtml:td>
14936:                   <xhtml:td>Filemaker is a database application originally offered by Apple
14937:                     in the 1980s. Although development continues and it remains in use today, it should be
14938:                     disabled if your network does not require such traffic. </xhtml:td>
14939:                   <xhtml:td>DENY</xhtml:td>
14940:                 </xhtml:tr>
14941:                 <xhtml:tr>
14942:                   <xhtml:td>777</xhtml:td>
14943:                   <xhtml:td>multiling http</xhtml:td>
14944:                   <xhtml:td>No documentation of any kind could be found on
14945:                     the obscure service that resides on this port</xhtml:td>
14946:                   <xhtml:td>DENY</xhtml:td>
14947:                 </xhtml:tr>
14948:                 <xhtml:tr>
14949:                   <xhtml:td>1025-65535</xhtml:td>
14950:                   <xhtml:td>unregistered ports http</xhtml:td>
14951:                   <xhtml:td>Unregistered ports: random high ports are used by a variety of
14952:                     applications and should be allowed.</xhtml:td>
14953:                   <xhtml:td>ALLOW</xhtml:td>
14954:                 </xhtml:tr>
14955:               </xhtml:tbody>
14956:             </xhtml:table></description>
14957:           <warning xml:lang="en">Be very careful with the order of access control tags. Access
14958:             control is handled top-down. The first rule that matches is the only rule adhered to.
14959:             The last rule on the list defines the default behavior in the case of no rule match. </warning>
14960:           <Rule id="rule-3.19.2.5.a" selected="false" weight="10.000000">
14961:             <title xml:lang="en">Restrict gss-http traffic</title>
14962:             <description xml:lang="en">Squid should be configured to not allow gss-http traffic</description>
14963:             <ident system="http://cce.mitre.org">CCE-4511-2</ident>
14964:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14965:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14966:               <check-content-ref name="oval:org.fedoraproject.f14:def:20355" href="scap-fedora14-oval.xml"/>
14967:             </check>
14968:           </Rule>
14969:           <Rule id="rule-3.19.2.5.b" selected="false" weight="10.000000">
14970:             <title xml:lang="en">Restrict https traffic</title>
14971:             <description xml:lang="en">Squid should be configured to not allow https traffic</description>
14972:             <ident system="http://cce.mitre.org">CCE-4529-4</ident>
14973:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14974:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14975:               <check-content-ref name="oval:org.fedoraproject.f14:def:20356" href="scap-fedora14-oval.xml"/>
14976:             </check>
14977:           </Rule>
14978:           <Rule id="rule-3.19.2.5.c" selected="false" weight="10.000000">
14979:             <title xml:lang="en">Restrict wais traffic</title>
14980:             <description xml:lang="en">Squid should be configured to not allow wais traffic</description>
14981:             <ident system="http://cce.mitre.org">CCE-3610-3</ident>
14982:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14983:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14984:               <check-content-ref name="oval:org.fedoraproject.f14:def:20357" href="scap-fedora14-oval.xml"/>
14985:             </check>
14986:           </Rule>
14987:           <Rule id="rule-3.19.2.5.d" selected="false" weight="10.000000">
14988:             <title xml:lang="en">Restrict multiling http traffic</title>
14989:             <description xml:lang="en">Squid should be configured to not allow multiling http traffic</description>
14990:             <ident system="http://cce.mitre.org">CCE-4466-9</ident>
14991:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14992:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14993:               <check-content-ref name="oval:org.fedoraproject.f14:def:20358" href="scap-fedora14-oval.xml"/>
14994:             </check>
14995:           </Rule>
14996:           <Rule id="rule-3.19.2.5.e" selected="false" weight="10.000000">
14997:             <title xml:lang="en">Restrict http traffic</title>
14998:             <description xml:lang="en">Squid should be configured to not allow http traffic</description>
14999:             <ident system="http://cce.mitre.org">CCE-4607-8</ident>
15000:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15001:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15002:               <check-content-ref name="oval:org.fedoraproject.f14:def:20359" href="scap-fedora14-oval.xml"/>
15003:             </check>
15004:           </Rule>
15005:           <Rule id="rule-3.19.2.5.f" selected="false" weight="10.000000">
15006:             <title xml:lang="en">Restrict ftp traffic</title>
15007:             <description xml:lang="en">Squid should be configured to not allow ftp traffic</description>
15008:             <ident system="http://cce.mitre.org">CCE-4255-6</ident>
15009:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15010:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15011:               <check-content-ref name="oval:org.fedoraproject.f14:def:20360" href="scap-fedora14-oval.xml"/>
15012:             </check>
15013:           </Rule>
15014:           <Rule id="rule-3.19.2.5.g" selected="false" weight="10.000000">
15015:             <title xml:lang="en">Restrict gopher traffic</title>
15016:             <description xml:lang="en">Squid should be configured to not allow gopher traffic</description>
15017:             <ident system="http://cce.mitre.org">CCE-4127-7</ident>
15018:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15019:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15020:               <check-content-ref name="oval:org.fedoraproject.f14:def:20361" href="scap-fedora14-oval.xml"/>
15021:             </check>
15022:           </Rule>
15023:           <Rule id="rule-3.19.2.5.h" selected="false" weight="10.000000">
15024:             <title xml:lang="en">Restrict filemaker traffic</title>
15025:             <description xml:lang="en">Squid should be configured to not allow filemaker traffic</description>
15026:             <ident system="http://cce.mitre.org">CCE-4519-5</ident>
15027:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15028:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15029:               <check-content-ref name="oval:org.fedoraproject.f14:def:20362" href="scap-fedora14-oval.xml"/>
15030:             </check>
15031:           </Rule>
15032:           <Rule id="rule-3.19.2.5.i" selected="false" weight="10.000000">
15033:             <title xml:lang="en">Restrict proxy access to localhost </title>
15034:             <description xml:lang="en">Squid proxy access to localhost should be denied</description>
15035:             <ident system="http://cce.mitre.org">CCE-4413-1</ident>
15036:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15037:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15038:               <check-content-ref name="oval:org.fedoraproject.f14:def:20363" href="scap-fedora14-oval.xml"/>
15039:             </check>
15040:           </Rule>
15041:           <Rule id="rule-3.19.2.5.j" selected="false" weight="10.000000">
15042:             <title xml:lang="en">Restrict http-mgmt traffic</title>
15043:             <description xml:lang="en">Squid should be configured to not allow http-mgmt traffic</description>
15044:             <ident system="http://cce.mitre.org">CCE-4373-7</ident>
15045:             <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15046:             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15047:               <check-content-ref name="oval:org.fedoraproject.f14:def:20364" href="scap-fedora14-oval.xml"/>
15048:             </check>
15049:           </Rule>
15050:         </Group>
15051:         <Group id="group-3.19.2.6" hidden="false">
15052:           <title xml:lang="en">Configure Internet Cache Protocol (ICP) if Necessary</title>
15053:           <description xml:lang="en">
15054:             The ICP protocol is a cache communication protocol that allows
15055:             multiple Squid servers to communicate. The ICP protocol was designed with no security in
15056:             mind, relying on user-defined access control lists alone to determine which ICP messages
15057:             to allow. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15058:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15059:             If a Squid server is standalone, the ICP port should be disabled by adding or
15060:             correcting the following line in the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15061:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15062:             icp_port 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15063:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15064:             If the Squid server
15065:             is meant to speak with peers, strict ACLs should be established to only allow ICP
15066:             traffic from trusted neighbors. To accomplish this, add or correct the following lines:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15067:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15068:             icp_access allow acl-defining-trusted-neighbors <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15069:             icp_access deny all</description>
15070:         </Group>
15071:         <Group id="group-3.19.2.7" hidden="false">
15072:           <title xml:lang="en">Configure iptables to Allow Access to the Proxy Server</title>
15073:           <description xml:lang="en">
15074:             Determine an appropriate network block, netwk, and network
15075:             mask, mask, representing the machines on your network which should operate as clients
15076:             of the proxy server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15077:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15078:             Edit /etc/sysconfig/iptables. Add the following line, ensuring that
15079:             it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15080:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15081:             -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15082:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15083:             For port, use either the default 3128 or the alternate port that was selected in Section
15084:             3.19.2.1. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15085:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15086:             The default Iptables configuration does not allow inbound access to the Squid
15087:             proxy service. This modification allows that access, while keeping other ports on the
15088:             server in their default protected state. See Section 2.5.5 for more information about
15089:             Iptables.</description>
15090:         </Group>
15091:         <Group id="group-3.19.2.8" hidden="false">
15092:           <title xml:lang="en">Forward Log Messages to Syslog Daemon</title>
15093:           <description xml:lang="en">
15094:             The default behavior of Squid is to record its log messages in
15095:             /var/log/squid.log. This behavior can be supplemented so that Squid also sends messages
15096:             to syslog. This is useful for centralizing log data, particularly in instances
15097:             where multiple Squid servers are present. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15098:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15099:             Squid provides a command line argument to
15100:             enable syslog forwarding. Modify the SQUID_OPTS line in /etc/init.d/squid to include the
15101:             -s option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15102:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15103:             SQUID_OPTS="${SQUID_OPTS:-"-D"} -s"</description>
15104:         </Group>
15105:         <Group id="group-3.19.2.9" hidden="false">
15106:           <title xml:lang="en">Do Not Run as Root</title>
15107:           <description xml:lang="en">
            Since Squid is loaded by the system's service utility, it
            starts as root and then changes its effective UID to the UID specified by the
            cache_effective_user directive. However, since it was still executed by root, the program
            maintains a saved UID of root even after changing its effective UID. Because the saved UID is
            still 0, a compromised Squid process could in principle regain full root privileges by
            restoring it, so dropping the effective UID alone is not a complete privilege reduction. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
            To prevent this
            undesired behavior, Squid must either be configured to run in a chroot environment or it
            must be executed by a non-privileged user in non-daemon mode (the service utility must
            not be used).</description>
15117:           <Group id="group-3.19.2.9.1" hidden="false">
15118:             <title xml:lang="en">Run Squid in a chroot Jail</title>
15119:             <description xml:lang="en">
              Chrooting Squid can be a very complicated task. Documentation
              for the process is vague and a great deal of trial and error may be required to
              determine all the files that need to be copied into the chroot environment. A chroot
              also confines only file system access; it is not a substitute for dropping privileges,
              since a process that can regain root can generally escape a chroot, so cache_effective_user
              should still name a non-root user.
              Therefore, this guide recommends instead the method detailed in Section 3.19.2.9.2 to
              lower privileges. If chrooting Squid is still desired, it can be enabled with the
              following directive in the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15126:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15127:               chroot chroot-path <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15128:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15129:               Then, all the
15130:               necessary files used by Squid must be copied into the chroot-path directory. The
15131:               specifics of this step cannot be covered in this guide because they are highly
15132:               dependent on the external programs used in the Squid configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15133:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15134:               Note: The strace
15135:               utility is a valuable resource for discovering the files needed for the chroot
15136:               environment.</description>
15137:           </Group>
15138:           <Group id="group-3.19.2.9.2" hidden="false">
15139:             <title xml:lang="en">Modify Service Entry to Lower Privileges</title>
            <description xml:lang="en">
              The following modification to /etc/init.d/squid forces the
              service utility to execute Squid as the squid user instead of the root user: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15143:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15144:               # determine the name of the squid binary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15145:               [ -f /usr/sbin/squid ] &amp;&amp; SQUID="sudo -u squid squid" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15146:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
              Making this change prevents Squid from writing its pid to
              /var/run, which the squid user cannot write to. This pid file is used by service to check whether the program started
              successfully. Therefore, a new location must be chosen for this pid file that the
              squid user has write access to, and the corresponding references in /etc/init.d/squid must
              be altered to point to it. Note that a pid file in a squid-writable directory is under the
              control of the squid user; the init script, which runs as root, should therefore not
              signal a PID read from that file without first verifying that the PID belongs to a squid process. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15152:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15153:               Make the following modification to the Squid configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15154:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15155:               pid_filename /var/spool/squid/squid.pid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15156:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15157:               Edit the file /etc/init.d/squid by
              changing all occurrences of /var/run/squid.pid to /var/spool/squid/squid.pid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15159:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15160:               Also modify the following line in /etc/init.d/squid: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15161:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15162:               [ $RETVAL -eq 0 ] &amp;&amp; touch /var/lock/subsys/squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15163:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15164:               and add the following lines immediately after it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15165:               <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15166:               rm -f /var/lock/subsys/squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15167:               status squid</description>
15168:           </Group>
15169:         </Group>
15170:       </Group>
15171:     </Group>
15172:     <Group id="group-3.20" hidden="false">
15173:       <title xml:lang="en">SNMP Server</title>
15174:       <description xml:lang="en">
        The Simple Network Management Protocol allows administrators to
        monitor the state of network devices, including computers. Older versions of SNMP (versions 1 and 2c) are
        well-known for weak security, such as plaintext transmission of the community string (used
        for authentication) and also usage of easily-guessable choices for community string.</description>
15179:       <Group id="group-3.20.1" hidden="false">
15180:         <title xml:lang="en">Disable SNMP Server if Possible</title>
15181:         <description xml:lang="en">
          The system includes an SNMP daemon that allows for its remote
          monitoring, though it is not installed by default. If it was installed and activated but is
          not needed, the software should be disabled and removed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15185:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15186:           If there is not a mission-critical
15187:           need for hosts at this site to be remotely monitored by a SNMP tool, then disable and
15188:           remove SNMP as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15189:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15190:           <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig snmpd off <xhtml:br/>
          # yum erase net-snmp</xhtml:code></description>
15192:         <Rule id="rule-3.20.1.a" selected="false" weight="10.000000" severity="medium">
15193:           <title xml:lang="en">Disable snmpd if Possible</title>
15194:           <description xml:lang="en">The snmpd service should be disabled.</description>
15195:           <ident system="http://cce.mitre.org">CCE-3765-5</ident>
15196:           <fixtext xml:lang="en">(1) via chkconfig</fixtext>
15197:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15198:             <check-content-ref name="oval:org.fedoraproject.f14:def:20365" href="scap-fedora14-oval.xml"/>
15199:           </check>
15200:         </Rule>
15201:         <Rule id="rule-3.20.1.b" selected="false" weight="10.000000">
15202:           <title xml:lang="en">Uninstall net-snmp if Possible</title>
15203:           <description xml:lang="en">The net-snmp package should be uninstalled.</description>
15204:           <ident system="http://cce.mitre.org">CCE-4404-0</ident>
15205:           <fixtext xml:lang="en">(1) via yum</fixtext>
15206:           <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15207:             <check-content-ref name="oval:org.fedoraproject.f14:def:20366" href="scap-fedora14-oval.xml"/>
15208:           </check>
15209:         </Rule>
15210:       </Group>
15211:       <Group id="group-3.20.2" hidden="false">
15212:         <title xml:lang="en">Configure SNMP Server if Necessary</title>
15213:         <description xml:lang="en">
15214:           If it is necessary to run the snmpd agent on the system, some
15215:           best practices should be followed to minimize the security risk from the installation. The
15216:           multiple security models implemented by SNMP cannot be fully covered here so only the
15217:           following general configuration advice can be offered: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15218:           <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15219:           <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
            <xhtml:li>use only the SNMP version 3 security
              model and require both authentication and encryption (the authPriv security level) for it; do not configure any version 1 or 2c community strings </xhtml:li>
15222:             <xhtml:li>write access to the
15223:               MIB (Management Information Base) should be allowed only if necessary </xhtml:li>
15224:             <xhtml:li>all access to the
15225:               MIB should be restricted following a principle of least privilege </xhtml:li>
15226:             <xhtml:li>network access should
15227:               be limited to the maximum extent possible including restricting to expected network
15228:               addresses both in the configuration files and in the system firewall rules </xhtml:li>
15229:             <xhtml:li>ensure SNMP
15230:               agents send traps only to, and accept SNMP queries only from, authorized management
15231:               stations </xhtml:li>
15232:             <xhtml:li>ensure that permissions on the snmpd.conf configuration file (by default, in
15233:               /etc/snmp) are 640 or more restrictive </xhtml:li>
15234:             <xhtml:li>ensure that any MIB files' permissions are also
15235:               640 or more restrictive</xhtml:li>
15236:           </xhtml:ul></description>
15237:         <Group id="group-3.20.2.1" hidden="false">
15238:           <title xml:lang="en">Further Resources</title>
15239:           <description xml:lang="en">
15240:             The following resources provide more detailed information about the SNMP software: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15241:             <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15242:             <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
              <xhtml:li>The CERT SNMP Vulnerabilities FAQ at http://www.cert.org/tech_tips/snmp_faq.html </xhtml:li>
15245:               <xhtml:li>The Net-SNMP project web page at http://net-snmp.sourceforge.net </xhtml:li>
              <xhtml:li>The snmp_config(5) man page </xhtml:li>
15247:               <xhtml:li>the snmpd.conf(5) man page</xhtml:li>
15248:             </xhtml:ul>
15249:             </description>
15250:         </Group>
15251:       </Group>
15252:     </Group>
15253:   </Group>
15254:   <TestResult id="OSCAP-Test-F14-Desktop" start-time="2011-06-28T00:21:03" end-time="2011-06-28T00:42:58">
15255:     <title>OSCAP Scan Result</title>
15256:     <profile idref="F14-Desktop"/>
15257:     <target>localhost.localdomain</target>
15258:     <target-address>127.0.0.1</target-address>
15259:     <target-address>192.168.0.9</target-address>
15260:     <target-address>::1</target-address>
15261:     <target-address>2002:614c:a6cd:0:a00:27ff:fefc:6b6</target-address>
15262:     <target-address>fe80::a00:27ff:fefc:6b6%eth0</target-address>
15263:     <target-facts>
15264:       <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
15265:       <fact name="urn:xccdf:fact:ethernet:MAC" type="string">08:00:27:FC:06:B6</fact>
15266:       <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
15267:       <fact name="urn:xccdf:fact:ethernet:MAC" type="string">08:00:27:FC:06:B6</fact>
15268:       <fact name="urn:xccdf:fact:ethernet:MAC" type="string">08:00:27:FC:06:B6</fact>
15269:     </target-facts>
15270:     <rule-result idref="rule-2.1.1.1.1.a" time="2011-06-28T00:21:03" weight="10.000000">
15271:       <result>notselected</result>
15272:     </rule-result>
15273:     <rule-result idref="rule-2.1.1.1.1.b" time="2011-06-28T00:21:03" weight="2.000000">
15274:       <result>notselected</result>
15275:     </rule-result>
15276:     <rule-result idref="rule-2.1.1.1.2.a" time="2011-06-28T00:21:03" severity="low" weight="10.000000">
15277:       <result>notselected</result>
15278:     </rule-result>
15279:     <rule-result idref="rule-2.1.1.1.2.b" time="2011-06-28T00:21:03" weight="10.000000">
15280:       <result>notselected</result>
15281:     </rule-result>
15282:     <rule-result idref="rule-2.1.1.1.3.a" time="2011-06-28T00:21:03" weight="10.000000">
15283:       <result>notselected</result>
15284:     </rule-result>
15285:     <rule-result idref="rule-2.1.1.1.4.a" time="2011-06-28T00:21:03" weight="10.000000">
15286:       <result>notselected</result>
15287:     </rule-result>
15288:     <rule-result idref="rule-2.1.1.1.5.a" time="2011-06-28T00:21:03" severity="low" weight="10.000000">
15289:       <result>notselected</result>
15290:     </rule-result>
15291:     <rule-result idref="rule-2.1.2.1.1.a" time="2011-06-28T00:21:03" weight="10.000000">
15292:       <result>pass</result>
15293:     </rule-result>
15294:     <rule-result idref="rule-2.1.2.3.2.a" time="2011-06-28T00:21:03" severity="low" weight="10.000000">
15295:       <result>notselected</result>
15296:       <ident system="http://cce.mitre.org">CCE-4218-4</ident>
15297:       <fix># chkconfig yum-updatesd off</fix>
15298:     </rule-result>
15299:     <rule-result idref="rule-2.1.2.3.2.b" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15300:       <result>notselected</result>
15301:       <fix>echo -e "/usr/bin/yum -R 120 -e 0 -d 0 -y update yum\n/usr/bin/yum -R 10 -e 0 -d 0 -y update" &gt; /etc/cron.weekly/yum.cron</fix>
15302:     </rule-result>
15303:     <rule-result idref="rule-2.1.2.3.3.a" time="2011-06-28T00:21:03" weight="10.000000">
15304:       <result>pass</result>
15305:     </rule-result>
15306:     <rule-result idref="rule-2.1.2.3.4.a" time="2011-06-28T00:21:03" weight="10.000000">
15307:       <result>pass</result>
15308:     </rule-result>
15309:     <rule-result idref="rule-2.1.2.3.5.a" time="2011-06-28T00:21:03" weight="10.000000">
15310:       <result>notselected</result>
15311:     </rule-result>
15312:     <rule-result idref="rule-2.1.2.3.6.a" time="2011-06-28T00:21:03" weight="10.000000">
15313:       <result>pass</result>
15314:     </rule-result>
15315:     <rule-result idref="rule-2.1.3.1.1.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15316:       <result>notselected</result>
15317:       <ident system="http://cce.mitre.org">CCE-4209-3</ident>
15318:       <fix>yum install aide</fix>
15319:     </rule-result>
15320:     <rule-result idref="rule-2.1.3.1.4.a" role="full" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15321:       <result>notselected</result>
15322:       <fix>echo -e "/usr/sbin/aide --check" &gt; /etc/cron.daily/aide.cron</fix>
15323:     </rule-result>
15324:     <rule-result idref="rule-2.1.3.2.a" time="2011-06-28T00:21:03" weight="10.000000">
15325:       <result>notselected</result>
15326:     </rule-result>
15327:     <rule-result idref="rule-2.2.1.1.a" role="full" time="2011-06-28T00:21:03" severity="unknown" weight="10.000000">
15328:       <result>notselected</result>
15329:       <ident system="http://cce.mitre.org">CCE-4249-9</ident>
15330:     </rule-result>
15331:     <rule-result idref="rule-2.2.1.2.a" time="2011-06-28T00:21:03" weight="10.000000">
15332:       <result>notselected</result>
15333:       <ident system="http://cce.mitre.org">CCE-3522-0</ident>
15334:     </rule-result>
15335:     <rule-result idref="rule-2.2.1.2.b" time="2011-06-28T00:21:03" weight="10.000000">
15336:       <result>notselected</result>
15337:       <ident system="http://cce.mitre.org">CCE-4275-4</ident>
15338:     </rule-result>
15339:     <rule-result idref="rule-2.2.1.2.c" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15340:       <result>notselected</result>
15341:       <ident system="http://cce.mitre.org">CCE-4042-8</ident>
15342:     </rule-result>
15343:     <rule-result idref="rule-2.2.2.1.1.a" time="2011-06-28T00:21:03" weight="10.000000">
15344:       <result>notselected</result>
15345:       <ident system="http://cce.mitre.org">CCE-4187-1</ident>
15346:       <fix>echo -e "\nblacklist usb_storage" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15347:     </rule-result>
15348:     <rule-result idref="rule-2.2.2.1.2.a" time="2011-06-28T00:21:03" weight="10.000000">
15349:       <result>notselected</result>
15350:       <ident system="http://cce.mitre.org">CCE-4006-3</ident>
15351:       <fix>rm /lib/modules/2.6.*/kernel/drivers/usb/storage/usb-storage.ko</fix>
15352:     </rule-result>
15353:     <rule-result idref="rule-2.2.2.1.3.a" time="2011-06-28T00:21:03" weight="10.000000">
15354:       <result>notselected</result>
15355:       <ident system="http://cce.mitre.org">CCE-4173-1</ident>
15356:     </rule-result>
15357:     <rule-result idref="rule-2.2.2.1.4.a" time="2011-06-28T00:21:03" severity="high" weight="10.000000">
15358:       <result>notselected</result>
15359:       <ident system="http://cce.mitre.org">CCE-3944-6</ident>
15360:     </rule-result>
15361:     <rule-result idref="rule-2.2.2.2.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15362:       <result>notselected</result>
15363:       <ident system="http://cce.mitre.org">CCE-4072-5</ident>
15364:       <fix>chkconfig autofs off</fix>
15365:     </rule-result>
15366:     <rule-result idref="rule-2.2.2.3.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15367:       <result>notselected</result>
15368:       <ident system="http://cce.mitre.org">CCE-4231-7</ident>
15369:     </rule-result>
15370:     <rule-result idref="rule-2.2.2.4.a" time="2011-06-28T00:21:03" weight="10.000000">
15371:       <result>notselected</result>
15372:       <fix>echo "blacklist cramfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15373:     </rule-result>
15374:     <rule-result idref="rule-2.2.2.4.b" time="2011-06-28T00:21:03" weight="10.000000">
15375:       <result>notselected</result>
15376:       <fix>echo "blacklist freevxfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15377:     </rule-result>
15378:     <rule-result idref="rule-2.2.2.4.c" time="2011-06-28T00:21:03" weight="10.000000">
15379:       <result>notselected</result>
15380:       <fix>echo "blacklist jffs2" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15381:     </rule-result>
15382:     <rule-result idref="rule-2.2.2.4.d" time="2011-06-28T00:21:03" weight="10.000000">
15383:       <result>notselected</result>
15384:       <fix>echo "blacklist hfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15385:     </rule-result>
15386:     <rule-result idref="rule-2.2.2.4.e" time="2011-06-28T00:21:03" weight="10.000000">
15387:       <result>notselected</result>
15388:       <fix>echo "blacklist hfsplus" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15389:     </rule-result>
15390:     <rule-result idref="rule-2.2.2.4.f" time="2011-06-28T00:21:03" weight="10.000000">
15391:       <result>notselected</result>
15392:       <fix>echo "blacklist squashfs" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15393:     </rule-result>
15394:     <rule-result idref="rule-2.2.2.4.g" time="2011-06-28T00:21:03" weight="10.000000">
15395:       <result>notselected</result>
15396:       <fix>echo "blacklist udf" &gt;&gt; /etc/modprobe.d/blacklist.conf</fix>
15397:     </rule-result>
15398:     <rule-result idref="rule-2.2.3.1.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15399:       <result>pass</result>
15400:       <ident system="http://cce.mitre.org">CCE-3918-0</ident>
15401:     </rule-result>
15402:     <rule-result idref="rule-2.2.3.1.b" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15403:       <result>pass</result>
15404:       <ident system="http://cce.mitre.org">CCE-3988-3</ident>
15405:     </rule-result>
15406:     <rule-result idref="rule-2.2.3.1.c" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15407:       <result>pass</result>
15408:       <ident system="http://cce.mitre.org">CCE-3276-3</ident>
15409:     </rule-result>
15410:     <rule-result idref="rule-2.2.3.1.d" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15411:       <result>pass</result>
15412:       <ident system="http://cce.mitre.org">CCE-3883-6</ident>
15413:     </rule-result>
15414:     <rule-result idref="rule-2.2.3.1.e" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15415:       <result>pass</result>
15416:       <ident system="http://cce.mitre.org">CCE-4210-1</ident>
15417:     </rule-result>
15418:     <rule-result idref="rule-2.2.3.1.f" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15419:       <result>pass</result>
15420:       <ident system="http://cce.mitre.org">CCE-4064-2</ident>
15421:     </rule-result>
15422:     <rule-result idref="rule-2.2.3.1.g" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15423:       <result>pass</result>
15424:       <ident system="http://cce.mitre.org">CCE-3958-6</ident>
15425:     </rule-result>
15426:     <rule-result idref="rule-2.2.3.1.h" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15427:       <result>pass</result>
15428:       <ident system="http://cce.mitre.org">CCE-3495-9</ident>
15429:     </rule-result>
15430:     <rule-result idref="rule-2.2.3.1.i" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15431:       <result>pass</result>
15432:       <ident system="http://cce.mitre.org">CCE-4130-1</ident>
15433:     </rule-result>
15434:     <rule-result idref="rule-2.2.3.1.j" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15435:       <result>pass</result>
15436:       <ident system="http://cce.mitre.org">CCE-3967-7</ident>
15437:     </rule-result>
15438:     <rule-result idref="rule-2.2.3.1.k" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15439:       <result>pass</result>
15440:       <ident system="http://cce.mitre.org">CCE-3932-1</ident>
15441:     </rule-result>
15442:     <rule-result idref="rule-2.2.3.1.l" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15443:       <result>pass</result>
15444:       <ident system="http://cce.mitre.org">CCE-3566-7</ident>
15445:     </rule-result>
15446:     <rule-result idref="rule-2.2.3.2.a" time="2011-06-28T00:23:27" severity="low" weight="10.000000">
15447:       <result>pass</result>
15448:       <ident system="http://cce.mitre.org">CCE-3399-3</ident>
15449:     </rule-result>
15450:     <rule-result idref="rule-2.2.3.3.a" time="2011-06-28T00:26:32" severity="medium" weight="10.000000">
15451:       <result>pass</result>
15452:       <ident system="http://cce.mitre.org">CCE-3795-2</ident>
15453:     </rule-result>
15454:     <rule-result idref="rule-2.2.3.4.a" time="2011-06-28T00:29:38" severity="medium" weight="10.000000">
15455:       <result>fail</result>
15456:       <ident system="http://cce.mitre.org">CCE-4178-0</ident>
15457:     </rule-result>
15458:     <rule-result idref="rule-2.2.3.4.b" time="2011-06-28T00:32:43" severity="high" weight="10.000000">
15459:       <result>fail</result>
15460:       <ident system="http://cce.mitre.org">CCE-3324-1</ident>
15461:     </rule-result>
15462:     <rule-result idref="rule-2.2.3.5.a" time="2011-06-28T00:36:29" severity="medium" weight="10.000000">
15463:       <result>fail</result>
15464:       <ident system="http://cce.mitre.org">CCE-4223-4</ident>
15465:     </rule-result>
15466:     <rule-result idref="rule-2.2.3.5.b" time="2011-06-28T00:40:53" severity="medium" weight="10.000000">
15467:       <result>fail</result>
15468:       <ident system="http://cce.mitre.org">CCE-3573-3</ident>
15469:     </rule-result>
15470:     <rule-result idref="rule-2.2.3.6.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15471:       <result>pass</result>
15472:     </rule-result>
15473:     <rule-result idref="rule-2.2.4.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15474:       <result>pass</result>
15475:       <ident system="http://cce.mitre.org">CCE-4220-0</ident>
15476:     </rule-result>
15477:     <rule-result idref="rule-2.2.4.2.a" time="2011-06-28T00:42:56" severity="low" weight="10.000000">
15478:       <result>notselected</result>
15479:       <ident system="http://cce.mitre.org">CCE-4225-9</ident>
15480:     </rule-result>
15481:     <rule-result idref="rule-2.2.4.2.b" time="2011-06-28T00:42:56" severity="low" weight="10.000000">
15482:       <result>pass</result>
15483:       <ident system="http://cce.mitre.org">CCE-4247-3</ident>
15484:     </rule-result>
15485:     <rule-result idref="rule-2.2.4.3.a" time="2011-06-28T00:42:56" weight="10.000000">
15486:       <result>pass</result>
15487:       <ident system="http://cce.mitre.org">CCE-4168-1</ident>
15488:     </rule-result>
15489:     <rule-result idref="rule-2.2.4.3.b" time="2011-06-28T00:42:56" weight="10.000000">
15490:       <result>pass</result>
15491:       <ident system="http://cce.mitre.org">CCE-4146-7</ident>
15492:     </rule-result>
15493:     <rule-result idref="rule-2.2.4.4.2.a" time="2011-06-28T00:42:56" weight="10.000000">
15494:       <result>notselected</result>
15495:       <ident system="http://cce.mitre.org">CCE-4177-2</ident>
15496:     </rule-result>
15497:     <rule-result idref="rule-2.3.1.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15498:       <result>notselected</result>
15499:       <ident system="http://cce.mitre.org">CCE-3820-8</ident>
15500:     </rule-result>
15501:     <rule-result idref="rule-2.3.1.1.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15502:       <result>notselected</result>
15503:       <ident system="http://cce.mitre.org">CCE-3485-0</ident>
15504:     </rule-result>
15505:     <rule-result idref="rule-2.3.1.1.c" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15506:       <result>notselected</result>
15507:       <ident system="http://cce.mitre.org">CCE-4111-1</ident>
15508:     </rule-result>
15509:     <rule-result idref="rule-2.3.1.1.d" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15510:       <result>pass</result>
15511:       <ident system="http://cce.mitre.org">CCE-4256-4</ident>
15512:     </rule-result>
15513:     <rule-result idref="rule-2.3.1.2.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15514:       <result>notselected</result>
15515:     </rule-result>
15516:     <rule-result idref="rule-2.3.1.2.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15517:       <result>notselected</result>
15518:     </rule-result>
15519:     <rule-result idref="rule-2.3.1.3.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15520:       <result>notselected</result>
15521:       <ident system="http://cce.mitre.org">CCE-4044-4</ident>
15522:       <fix>echo "%wheel ALL=(ALL) ALL" &gt;&gt; /etc/sudoers</fix>
15523:     </rule-result>
15524:     <rule-result idref="rule-2.3.1.4.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15525:       <result>notselected</result>
15526:       <ident system="http://cce.mitre.org">CCE-3987-5</ident>
15527:     </rule-result>
15528:     <rule-result idref="rule-2.3.1.5.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15529:       <result>pass</result>
15530:       <ident system="http://cce.mitre.org">CCE-4238-2</ident>
15531:     </rule-result>
15532:     <rule-result idref="rule-2.3.1.5.2.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15533:       <result>pass</result>
15534:     </rule-result>
15535:     <rule-result idref="rule-2.3.1.6.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15536:       <result>pass</result>
15537:       <ident system="http://cce.mitre.org">CCE-4009-7</ident>
15538:     </rule-result>
15539:     <rule-result idref="rule-2.3.1.7.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15540:       <result>pass</result>
15541:       <ident system="http://cce.mitre.org">CCE-4154-1</ident>
15542:     </rule-result>
15543:     <rule-result idref="rule-2.3.1.7.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15544:       <result>notselected</result>
15545:       <ident system="http://cce.mitre.org">CCE-4180-6</ident>
15546:     </rule-result>
15547:     <rule-result idref="rule-2.3.1.7.c" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15548:       <result>notselected</result>
15549:       <ident system="http://cce.mitre.org">CCE-4092-3</ident>
15550:     </rule-result>
15551:     <rule-result idref="rule-2.3.1.7.d" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15552:       <result>pass</result>
15553:       <ident system="http://cce.mitre.org">CCE-4097-2</ident>
15554:     </rule-result>
15555:     <rule-result idref="rule-2.3.1.8.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15556:       <result>notselected</result>
15557:     </rule-result>
15558:     <rule-result idref="rule-2.3.1.8.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15559:       <result>notselected</result>
15560:     </rule-result>
15561:     <rule-result idref="rule-2.3.1.8.c" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15562:       <result>notselected</result>
15563:       <ident system="http://cce.mitre.org">CCE-4114-5</ident>
15564:     </rule-result>
15565:     <rule-result idref="rule-2.3.3.1.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15566:       <result>notselected</result>
15567:       <ident system="http://cce.mitre.org">CCE-3762-2</ident>
15568:     </rule-result>
15569:     <rule-result idref="rule-2.3.3.1.2.a" time="2011-06-28T00:42:56" weight="10.000000">
15570:       <result>notselected</result>
15571:       <ident system="http://cce.mitre.org">CCE-3762-2</ident>
15572:     </rule-result>
15573:     <rule-result idref="rule-2.3.3.2.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15574:       <result>notselected</result>
15575:       <ident system="http://cce.mitre.org">CCE-3410-8</ident>
15576:     </rule-result>
15577:     <rule-result idref="rule-2.3.3.2.b" time="2011-06-28T00:42:56" weight="10.000000">
15578:       <result>notselected</result>
15579:     </rule-result>
15580:     <rule-result idref="rule-2.3.3.4.a" time="2011-06-28T00:42:56" weight="10.000000">
15581:       <result>notselected</result>
15582:       <ident system="http://cce.mitre.org">CCE-4185-5</ident>
15583:       <fix># chgrp usergroup /usr/sbin/userhelper</fix>
15584:     </rule-result>
15585:     <rule-result idref="rule-2.3.3.4.b" time="2011-06-28T00:42:56" weight="10.000000">
15586:       <result>notselected</result>
15587:       <ident system="http://cce.mitre.org">CCE-3952-9</ident>
15588:       <fix># chmod 4710 /usr/sbin/userhelper</fix>
15589:     </rule-result>
15590:     <rule-result idref="rule-2.3.3.5.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15591:       <result>fail</result>
15592:       <fix>/usr/sbin/authconfig --passalgo=sha512 --update</fix>
15593:     </rule-result>
15594:     <rule-result idref="rule-2.3.3.6.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15595:       <result>notselected</result>
15596:     </rule-result>
15597:     <rule-result idref="rule-2.3.4.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15598:       <result>pass</result>
15599:       <ident system="http://cce.mitre.org">CCE-3301-9</ident>
15600:     </rule-result>
15601:     <rule-result idref="rule-2.3.4.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15602:       <result>pass</result>
15603:     </rule-result>
15604:     <rule-result idref="rule-2.3.4.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15605:       <result>fail</result>
15606:       <ident system="http://cce.mitre.org">CCE-4090-7</ident>
15607:     </rule-result>
15608:     <rule-result idref="rule-2.3.4.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15609:       <result>pass</result>
15610:       <ident system="http://cce.mitre.org">CCE-3844-8</ident>
15611:     </rule-result>
15612:     <rule-result idref="rule-2.3.4.4.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15613:       <result>pass</result>
15614:       <ident system="http://cce.mitre.org">CCE-4227-5</ident>
15615:     </rule-result>
15616:     <rule-result idref="rule-2.3.4.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15617:       <result>notselected</result>
15618:       <fix>rm .netrc</fix>
15619:     </rule-result>
15620:     <rule-result idref="rule-2.3.5.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15621:       <result>pass</result>
15622:       <ident system="http://cce.mitre.org">CCE-4144-2</ident>
15623:       <fix>chown root /boot/grub/grub.conf</fix>
15624:     </rule-result>
15625:     <rule-result idref="rule-2.3.5.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15626:       <result>fail</result>
15627:       <ident system="http://cce.mitre.org">CCE-4197-0</ident>
15628:       <fix>chown :root /boot/grub/grub.conf</fix>
15629:     </rule-result>
15630:     <rule-result idref="rule-2.3.5.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15631:       <result>pass</result>
15632:       <ident system="http://cce.mitre.org">CCE-3923-0</ident>
15633:       <fix>chmod 600 /boot/grub/grub.conf</fix>
15634:     </rule-result>
15635:     <rule-result idref="rule-2.3.5.2.d" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15636:       <result>notselected</result>
15637:       <ident system="http://cce.mitre.org">CCE-3818-2</ident>
15638:     </rule-result>
15639:     <rule-result idref="rule-2.3.5.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15640:       <result>notselected</result>
15641:       <ident system="http://cce.mitre.org">CCE-4241-6</ident>
15642:     </rule-result>
15643:     <rule-result idref="rule-2.3.5.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15644:       <result>notselected</result>
15645:       <ident system="http://cce.mitre.org">CCE-4245-7</ident>
15646:     </rule-result>
15647:     <rule-result idref="rule-2.3.5.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15648:       <result>notselected</result>
15649:       <ident system="http://cce.mitre.org">CCE-3689-7</ident>
15650:     </rule-result>
15651:     <rule-result idref="rule-2.3.5.5.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15652:       <result>notselected</result>
15653:       <ident system="http://cce.mitre.org">CCE-3707-7</ident>
15654:     </rule-result>
15655:     <rule-result idref="rule-2.3.5.6.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15656:       <result>notselected</result>
15657:       <ident system="http://cce.mitre.org">CCE-3315-9</ident>
15658:     </rule-result>
15659:     <rule-result idref="rule-2.3.5.6.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15660:       <result>notselected</result>
15661:     </rule-result>
15662:     <rule-result idref="rule-2.3.5.6.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15663:       <result>notselected</result>
15664:     </rule-result>
15665:     <rule-result idref="rule-2.3.5.6.1.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15666:       <result>notselected</result>
15667:     </rule-result>
15668:     <rule-result idref="rule-2.3.5.6.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15669:       <result>notselected</result>
15670:       <ident system="http://cce.mitre.org">CCE-3910-7</ident>
15671:       <fix>yum install vlock</fix>
15672:     </rule-result>
15673:     <rule-result idref="rule-2.3.7.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15674:       <result>notselected</result>
15675:       <ident system="http://cce.mitre.org">CCE-4060-0</ident>
15676:     </rule-result>
15677:     <rule-result idref="rule-2.3.7.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15678:       <result>notselected</result>
15679:       <ident system="http://cce.mitre.org">CCE-4188-9</ident>
15680:     </rule-result>
15681:     <rule-result idref="rule-2.4.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15682:       <result>pass</result>
15683:       <ident system="http://cce.mitre.org">CCE-3977-6</ident>
15684:     </rule-result>
15685:     <rule-result idref="rule-2.4.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15686:       <result>notselected</result>
15687:     </rule-result>
15688:     <rule-result idref="rule-2.4.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15689:       <result>fail</result>
15690:     </rule-result>
15691:     <rule-result idref="rule-2.4.2.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15692:       <result>pass</result>
15693:       <ident system="http://cce.mitre.org">CCE-3624-4</ident>
15694:     </rule-result>
15695:     <rule-result idref="rule-2.4.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15696:       <result>notselected</result>
15697:     </rule-result>
15698:     <rule-result idref="rule-2.4.3.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
15699:       <result>notselected</result>
15700:       <ident system="http://cce.mitre.org">CCE-3668-1</ident>
15701:     </rule-result>
15702:     <rule-result idref="rule-2.4.3.3.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
15703:       <result>notselected</result>
15704:       <ident system="http://cce.mitre.org">CCE-4129-3</ident>
15705:     </rule-result>
15706:     <rule-result idref="rule-2.4.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15707:       <result>notselected</result>
15708:     </rule-result>
15709:     <rule-result idref="rule-2.5.1.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15710:       <result>notselected</result>
15711:       <ident system="http://cce.mitre.org">CCE-4151-7</ident>
15712:     </rule-result>
15713:     <rule-result idref="rule-2.5.1.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15714:       <result>notselected</result>
15715:       <ident system="http://cce.mitre.org">CCE-4155-8</ident>
15716:     </rule-result>
15717:     <rule-result idref="rule-2.5.1.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15718:       <result>notselected</result>
15719:       <ident system="http://cce.mitre.org">CCE-3561-8</ident>
15720:     </rule-result>
15721:     <rule-result idref="rule-2.5.1.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15722:       <result>notselected</result>
15723:       <ident system="http://cce.mitre.org">CCE-4236-6</ident>
15724:     </rule-result>
15725:     <rule-result idref="rule-2.5.1.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15726:       <result>notselected</result>
15727:       <ident system="http://cce.mitre.org">CCE-4217-6</ident>
15728:     </rule-result>
15729:     <rule-result idref="rule-2.5.1.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15730:       <result>notselected</result>
15731:       <ident system="http://cce.mitre.org">CCE-3472-8</ident>
15732:     </rule-result>
15733:     <rule-result idref="rule-2.5.1.2.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15734:       <result>notselected</result>
15735:       <ident system="http://cce.mitre.org">CCE-4320-8</ident>
15736:     </rule-result>
15737:     <rule-result idref="rule-2.5.1.2.e" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15738:       <result>notselected</result>
15739:       <ident system="http://cce.mitre.org">CCE-4091-5</ident>
15740:     </rule-result>
15741:     <rule-result idref="rule-2.5.1.2.f" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15742:       <result>notselected</result>
15743:       <ident system="http://cce.mitre.org">CCE-4186-3</ident>
15744:     </rule-result>
15745:     <rule-result idref="rule-2.5.1.2.g" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15746:       <result>notselected</result>
15747:       <ident system="http://cce.mitre.org">CCE-3339-9</ident>
15748:     </rule-result>
15749:     <rule-result idref="rule-2.5.1.2.h" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15750:       <result>notselected</result>
15751:       <ident system="http://cce.mitre.org">CCE-3644-2</ident>
15752:     </rule-result>
15753:     <rule-result idref="rule-2.5.1.2.i" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15754:       <result>notselected</result>
15755:       <ident system="http://cce.mitre.org">CCE-4133-5</ident>
15756:     </rule-result>
15757:     <rule-result idref="rule-2.5.1.2.j" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15758:       <result>notselected</result>
15759:       <ident system="http://cce.mitre.org">CCE-4265-5</ident>
15760:     </rule-result>
15761:     <rule-result idref="rule-2.5.1.2.k" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15762:       <result>notselected</result>
15763:       <ident system="http://cce.mitre.org">CCE-4080-8</ident>
15764:     </rule-result>
15765:     <rule-result idref="rule-2.5.1.2.l" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15766:       <result>notselected</result>
15767:       <ident system="http://cce.mitre.org">CCE-3840-6</ident>
15768:     </rule-result>
15769:     <rule-result idref="rule-2.5.2.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15770:       <result>notselected</result>
15771:       <ident system="http://cce.mitre.org">CCE-3628-5</ident>
15772:     </rule-result>
15773:     <rule-result idref="rule-2.5.2.2.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15774:       <result>notselected</result>
15775:       <ident system="http://cce.mitre.org">CCE-4276-2</ident>
15776:     </rule-result>
15777:     <rule-result idref="rule-2.5.2.2.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15778:       <result>notselected</result>
15779:       <ident system="http://cce.mitre.org">CCE-4170-7</ident>
15780:     </rule-result>
15781:     <rule-result idref="rule-2.5.3.1.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15782:       <result>notselected</result>
15783:       <ident system="http://cce.mitre.org">CCE-3562-6</ident>
15784:     </rule-result>
15785:     <rule-result idref="rule-2.5.3.1.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15786:       <result>notselected</result>
15787:       <ident system="http://cce.mitre.org">CCE-3381-1</ident>
15788:     </rule-result>
15789:     <rule-result idref="rule-2.5.3.1.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15790:       <result>notselected</result>
15791:       <ident system="http://cce.mitre.org">CCE-3377-9</ident>
15792:     </rule-result>
15793:     <rule-result idref="rule-2.5.3.1.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15794:       <result>notselected</result>
15795:       <ident system="http://cce.mitre.org">CCE-4296-0</ident>
15796:     </rule-result>
15797:     <rule-result idref="rule-2.5.3.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15798:       <result>notselected</result>
15799:       <ident system="http://cce.mitre.org">CCE-4269-7</ident>
15800:     </rule-result>
15801:     <rule-result idref="rule-2.5.3.2.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15802:       <result>notselected</result>
15803:       <ident system="http://cce.mitre.org">CCE-4291-1</ident>
15804:     </rule-result>
15805:     <rule-result idref="rule-2.5.3.2.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15806:       <result>notselected</result>
15807:       <ident system="http://cce.mitre.org">CCE-4313-3</ident>
15808:     </rule-result>
15809:     <rule-result idref="rule-2.5.3.2.1.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15810:       <result>notselected</result>
15811:       <ident system="http://cce.mitre.org">CCE-4198-8</ident>
15812:     </rule-result>
15813:     <rule-result idref="rule-2.5.3.2.3.a" time="2011-06-28T00:42:57" weight="10.000000">
15814:       <result>notselected</result>
15815:       <ident system="http://cce.mitre.org">CCE-3842-2</ident>
15816:     </rule-result>
15817:     <rule-result idref="rule-2.5.3.2.5.a" time="2011-06-28T00:42:57" weight="10.000000">
15818:       <result>notselected</result>
15819:       <ident system="http://cce.mitre.org">CCE-4159-0</ident>
15820:     </rule-result>
15821:     <rule-result idref="rule-2.5.3.2.5.b" time="2011-06-28T00:42:57" weight="10.000000">
15822:       <result>notselected</result>
15823:       <ident system="http://cce.mitre.org">CCE-4221-8</ident>
15824:     </rule-result>
15825:     <rule-result idref="rule-2.5.3.2.5.c" time="2011-06-28T00:42:57" weight="10.000000">
15826:       <result>notselected</result>
15827:       <ident system="http://cce.mitre.org">CCE-4058-4</ident>
15828:     </rule-result>
15829:     <rule-result idref="rule-2.5.3.2.5.d" time="2011-06-28T00:42:57" weight="10.000000">
15830:       <result>notselected</result>
15831:       <ident system="http://cce.mitre.org">CCE-4128-5</ident>
15832:     </rule-result>
15833:     <rule-result idref="rule-2.5.3.2.5.e" time="2011-06-28T00:42:57" weight="10.000000">
15834:       <result>notselected</result>
15835:       <ident system="http://cce.mitre.org">CCE-4287-9</ident>
15836:     </rule-result>
15837:     <rule-result idref="rule-2.5.3.2.5.f" time="2011-06-28T00:42:57" weight="10.000000">
15838:       <result>notselected</result>
15839:       <ident system="http://cce.mitre.org">CCE-3895-0</ident>
15840:     </rule-result>
15841:     <rule-result idref="rule-2.5.3.2.5.g" time="2011-06-28T00:42:57" weight="10.000000">
15842:       <result>notselected</result>
15843:       <ident system="http://cce.mitre.org">CCE-4137-6</ident>
15844:     </rule-result>
15845:     <rule-result idref="rule-2.5.5.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15846:       <result>pass</result>
15847:       <ident system="http://cce.mitre.org">CCE-4167-3</ident>
15848:       <fix>chkconfig ip6tables on</fix>
15849:     </rule-result>
15850:     <rule-result idref="rule-2.5.5.1.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15851:       <result>pass</result>
15852:       <ident system="http://cce.mitre.org">CCE-4189-7</ident>
15853:       <fix>chkconfig iptables on</fix>
15854:     </rule-result>
15855:     <rule-result idref="rule-2.5.5.3.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15856:       <result>notselected</result>
15857:     </rule-result>
15858:     <rule-result idref="rule-2.5.5.3.1.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15859:       <result>notselected</result>
15860:     </rule-result>
15861:     <rule-result idref="rule-2.5.7.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15862:       <result>notselected</result>
15863:     </rule-result>
15864:     <rule-result idref="rule-2.5.7.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15865:       <result>notselected</result>
15866:     </rule-result>
15867:     <rule-result idref="rule-2.5.7.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15868:       <result>notselected</result>
15869:     </rule-result>
15870:     <rule-result idref="rule-2.5.7.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15871:       <result>notselected</result>
15872:     </rule-result>
15873:     <rule-result idref="rule-2.6.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15874:       <result>pass</result>
15875:       <ident system="http://cce.mitre.org">CCE-3679-8</ident>
15876:       <fix>chkconfig rsyslog on</fix>
15877:     </rule-result>
15878:     <rule-result idref="rule-2.6.1.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15879:       <result>pass</result>
15880:       <ident system="http://cce.mitre.org">CCE-4366-1</ident>
15881:     </rule-result>
15882:     <rule-result idref="rule-2.6.1.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15883:       <result>pass</result>
15884:       <ident system="http://cce.mitre.org">CCE-3701-0</ident>
15885:     </rule-result>
15886:     <rule-result idref="rule-2.6.1.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15887:       <result>pass</result>
15888:       <ident system="http://cce.mitre.org">CCE-4233-3</ident>
15889:     </rule-result>
15890:     <rule-result idref="rule-2.6.1.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15891:       <result>notselected</result>
15892:       <ident system="http://cce.mitre.org">CCE-4260-6</ident>
15893:     </rule-result>
15894:     <rule-result idref="rule-2.6.1.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15895:       <result>notselected</result>
15896:       <ident system="http://cce.mitre.org">CCE-3382-9</ident>
15897:     </rule-result>
15898:     <rule-result idref="rule-2.6.1.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15899:       <result>notselected</result>
15900:       <ident system="http://cce.mitre.org">CCE-4182-2</ident>
15901:     </rule-result>
15902:     <rule-result idref="rule-2.6.1.6.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15903:       <result>notselected</result>
15904:       <ident system="http://cce.mitre.org">CCE-4323-2</ident>
15905:     </rule-result>
15906:     <rule-result idref="rule-2.6.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15907:       <result>pass</result>
15908:       <ident system="http://cce.mitre.org">CCE-4292-9</ident>
15909:     </rule-result>
15910:     <rule-result idref="rule-2.6.2.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15911:       <result>notselected</result>
15912:     </rule-result>
15913:     <rule-result idref="rule-2.6.2.4.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15914:       <result>notselected</result>
15915:     </rule-result>
15916:     <rule-result idref="rule-2.6.2.4.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15917:       <result>notselected</result>
15918:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15919:     </rule-result>
15920:     <rule-result idref="rule-2.6.2.4.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15921:       <result>notselected</result>
15922:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15923:     </rule-result>
15924:     <rule-result idref="rule-2.6.2.4.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15925:       <result>notselected</result>
15926:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15927:     </rule-result>
15928:     <rule-result idref="rule-2.6.2.4.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15929:       <result>notselected</result>
15930:     </rule-result>
15931:     <rule-result idref="rule-2.6.2.4.6.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15932:       <result>notselected</result>
15933:     </rule-result>
15934:     <rule-result idref="rule-2.6.2.4.7.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15935:       <result>notselected</result>
15936:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15937:     </rule-result>
15938:     <rule-result idref="rule-2.6.2.4.8.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15939:       <result>notselected</result>
15940:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15941:     </rule-result>
15942:     <rule-result idref="rule-2.6.2.4.9.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15943:       <result>notselected</result>
15944:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15945:     </rule-result>
15946:     <rule-result idref="rule-2.6.2.4.10.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15947:       <result>notselected</result>
15948:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15949:     </rule-result>
15950:     <rule-result idref="rule-2.6.2.4.11.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15951:       <result>notselected</result>
15952:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15953:     </rule-result>
15954:     <rule-result idref="rule-2.6.2.4.12.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15955:       <result>notselected</result>
15956:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15957:     </rule-result>
15958:     <rule-result idref="rule-2.6.2.4.13.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15959:       <result>notselected</result>
15960:     </rule-result>
15961:     <rule-result idref="rule-2.6.2.4.14.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15962:       <result>notselected</result>
15963:       <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15964:     </rule-result>
15965:     <rule-result idref="rule-3.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15966:       <result>notselected</result>
15967:       <ident system="http://cce.mitre.org">CCE-4234-1</ident>
15968:     </rule-result>
15969:     <rule-result idref="rule-3.2.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15970:       <result>notselected</result>
15971:       <ident system="http://cce.mitre.org">CCE-4252-3</ident>
15972:     </rule-result>
15973:     <rule-result idref="rule-3.2.1.c" time="2011-06-28T00:42:57" weight="10.000000">
15974:       <result>notselected</result>
15975:       <ident system="http://cce.mitre.org">CCE-4023-8</ident>
15976:       <fix># yum erase inetd</fix>
15977:     </rule-result>
15978:     <rule-result idref="rule-3.2.1.d" time="2011-06-28T00:42:57" weight="10.000000">
15979:       <result>notselected</result>
15980:       <ident system="http://cce.mitre.org">CCE-4164-0</ident>
15981:       <fix># yum erase xinetd</fix>
15982:     </rule-result>
15983:     <rule-result idref="rule-3.2.2.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15984:       <result>notselected</result>
15985:       <ident system="http://cce.mitre.org">CCE-4330-7</ident>
15986:       <fix># yum erase telnet-server</fix>
15987:     </rule-result>
15988:     <rule-result idref="rule-3.2.2.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15989:       <result>notselected</result>
15990:       <ident system="http://cce.mitre.org">CCE-3390-2</ident>
15991:     </rule-result>
15992:     <rule-result idref="rule-3.2.2.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15993:       <result>notselected</result>
15994:       <fix># yum erase telnet</fix>
15995:     </rule-result>
15996:     <rule-result idref="rule-3.2.2.1.b" time="2011-06-28T00:42:57" weight="10.000000">
15997:       <result>notselected</result>
15998:       <fix># yum erase rsh-server</fix>
15999:     </rule-result>
16000:     <rule-result idref="rule-3.2.3.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16001:       <result>notselected</result>
16002:       <ident system="http://cce.mitre.org">CCE-4308-3</ident>
16003:       <fix># yum erase rsh-server</fix>
16004:     </rule-result>
16005:     <rule-result idref="rule-3.2.3.1.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16006:       <result>notselected</result>
16007:       <ident system="http://cce.mitre.org">CCE-3974-3</ident>
16008:       <fix># chkconfig rcp off</fix>
16009:     </rule-result>
16010:     <rule-result idref="rule-3.2.3.1.c" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16011:       <result>notselected</result>
16012:       <ident system="http://cce.mitre.org">CCE-4141-8</ident>
16013:       <fix># chkconfig rsh off</fix>
16014:     </rule-result>
16015:     <rule-result idref="rule-3.2.3.1.d" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16016:       <result>notselected</result>
16017:       <ident system="http://cce.mitre.org">CCE-3537-8</ident>
16018:       <fix># chkconfig rlogin off</fix>
16019:     </rule-result>
16020:     <rule-result idref="rule-3.2.3.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16021:       <result>notselected</result>
16022:     </rule-result>
16023:     <rule-result idref="rule-3.2.3.3.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16024:       <result>notselected</result>
16025:       <fix># yum erase rsh</fix>
16026:     </rule-result>
16027:     <rule-result idref="rule-3.2.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16028:       <result>notselected</result>
16029:       <ident system="http://cce.mitre.org">CCE-4348-9</ident>
16030:       <fix># yum erase ypserv</fix>
16031:     </rule-result>
16032:     <rule-result idref="rule-3.2.4.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16033:       <result>notselected</result>
16034:       <ident system="http://cce.mitre.org">CCE-3705-1</ident>
16035:       <fix># chkconfig ypbind off</fix>
16036:     </rule-result>
16037:     <rule-result idref="rule-3.2.5.a" time="2011-06-28T00:42:57" weight="10.000000">
16038:       <result>notselected</result>
16039:       <ident system="http://cce.mitre.org">CCE-3916-4</ident>
16040:       <fix># yum erase tftp-server</fix>
16041:     </rule-result>
16042:     <rule-result idref="rule-3.2.5.b" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16043:       <result>notselected</result>
16044:       <ident system="http://cce.mitre.org">CCE-4273-9</ident>
16045:       <fix># chkconfig tftp off</fix>
16046:     </rule-result>
16047:     <rule-result idref="rule-3.3.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16048:       <result>notselected</result>
16049:       <ident system="http://cce.mitre.org">CCE-3412-4</ident>
16050:       <fix># chkconfig firstboot off</fix>
16051:     </rule-result>
16052:     <rule-result idref="rule-3.3.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16053:       <result>notselected</result>
16054:       <ident system="http://cce.mitre.org">CCE-4229-1</ident>
16055:       <fix># chkconfig gpm off</fix>
16056:     </rule-result>
16057:     <rule-result idref="rule-3.3.3.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16058:       <result>notselected</result>
16059:       <ident system="http://cce.mitre.org">CCE-4123-6</ident>
16060:       <fix># chkconfig irqbalance off</fix>
16061:     </rule-result>
16062:     <rule-result idref="rule-3.3.4.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16063:       <result>notselected</result>
16064:       <ident system="http://cce.mitre.org">CCE-4286-1</ident>
16065:       <fix># chkconfig isdn off</fix>
16066:     </rule-result>
16067:     <rule-result idref="rule-3.3.5.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16068:       <result>notselected</result>
16069:       <ident system="http://cce.mitre.org">CCE-3425-6</ident>
16070:       <fix># chkconfig kdump off</fix>
16071:     </rule-result>
16072:     <rule-result idref="rule-3.3.6.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16073:       <result>notselected</result>
16074:       <ident system="http://cce.mitre.org">CCE-4211-9</ident>
16075:       <fix># chkconfig kudzu off</fix>
16076:     </rule-result>
16077:     <rule-result idref="rule-3.3.7.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16078:       <result>notselected</result>
16079:       <ident system="http://cce.mitre.org">CCE-3854-7</ident>
16080:       <fix># chkconfig mdmonitor off</fix>
16081:     </rule-result>
16082:     <rule-result idref="rule-3.3.8.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16083:       <result>notselected</result>
16084:       <ident system="http://cce.mitre.org">CCE-4356-2</ident>
16085:       <fix># chkconfig microcode_ctl off</fix>
16086:     </rule-result>
16087:     <rule-result idref="rule-3.3.9.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16088:       <result>notselected</result>
16089:       <ident system="http://cce.mitre.org">CCE-4369-5</ident>
16090:       <fix># chkconfig network off</fix>
16091:     </rule-result>
16092:     <rule-result idref="rule-3.3.9.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16093:       <result>notselected</result>
16094:       <fix># rm /etc/sysconfig/network-scripts/ifcfg-interface</fix>
16095:     </rule-result>
16096:     <rule-result idref="rule-3.3.9.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16097:       <result>notselected</result>
16098:       <ident system="http://cce.mitre.org">CCE-4369-5</ident>
16099:     </rule-result>
16100:     <rule-result idref="rule-3.3.10.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16101:       <result>notselected</result>
16102:       <ident system="http://cce.mitre.org">CCE-4100-4</ident>
16103:       <fix># chkconfig pcscd off</fix>
16104:     </rule-result>
16105:     <rule-result idref="rule-3.3.11.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16106:       <result>notselected</result>
16107:       <ident system="http://cce.mitre.org">CCE-3455-3</ident>
16108:       <fix># chkconfig smartd off</fix>
16109:     </rule-result>
16110:     <rule-result idref="rule-3.3.12.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16111:       <result>notselected</result>
16112:       <ident system="http://cce.mitre.org">CCE-4421-4</ident>
16113:       <fix># chkconfig readahead_early off</fix>
16114:     </rule-result>
16115:     <rule-result idref="rule-3.3.12.b" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16116:       <result>notselected</result>
16117:       <ident system="http://cce.mitre.org">CCE-4302-6</ident>
      <fix># chkconfig readahead_later off</fix>
16119:     </rule-result>
16120:     <rule-result idref="rule-3.3.13.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16121:       <result>notselected</result>
16122:       <ident system="http://cce.mitre.org">CCE-3822-4</ident>
16123:       <fix># chkconfig messagebus off</fix>
16124:     </rule-result>
16125:     <rule-result idref="rule-3.3.13.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16126:       <result>notselected</result>
16127:       <ident system="http://cce.mitre.org">CCE-4364-6</ident>
16128:       <fix># chkconfig haldaemon off</fix>
16129:     </rule-result>
16130:     <rule-result idref="rule-3.3.14.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16131:       <result>notselected</result>
16132:       <ident system="http://cce.mitre.org">CCE-4355-4</ident>
16133:       <fix># chkconfig bluetooth off</fix>
16134:     </rule-result>
16135:     <rule-result idref="rule-3.3.14.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16136:       <result>notselected</result>
16137:       <ident system="http://cce.mitre.org">CCE-4377-8</ident>
16138:       <fix># chkconfig hidd off</fix>
16139:     </rule-result>
16140:     <rule-result idref="rule-3.3.14.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16141:       <result>notselected</result>
16142:     </rule-result>
16143:     <rule-result idref="rule-3.3.15.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16144:       <result>notselected</result>
16145:       <ident system="http://cce.mitre.org">CCE-4289-5</ident>
16146:       <fix># chkconfig apmd off</fix>
16147:     </rule-result>
16148:     <rule-result idref="rule-3.3.15.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16149:       <result>notselected</result>
16150:       <ident system="http://cce.mitre.org">CCE-4298-6</ident>
16151:     </rule-result>
16152:     <rule-result idref="rule-3.3.15.3.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16153:       <result>notselected</result>
16154:       <ident system="http://cce.mitre.org">CCE-4051-9</ident>
16155:     </rule-result>
16156:     <rule-result idref="rule-3.4.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16157:       <result>notselected</result>
16158:       <ident system="http://cce.mitre.org">CCE-4324-0</ident>
16159:     </rule-result>
16160:     <rule-result idref="rule-3.4.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16161:       <result>notselected</result>
16162:       <ident system="http://cce.mitre.org">CCE-4406-5</ident>
16163:     </rule-result>
16164:     <rule-result idref="rule-3.4.1.b" time="2011-06-28T00:42:57" weight="10.000000">
16165:       <result>notselected</result>
16166:       <ident system="http://cce.mitre.org">CCE-4428-9</ident>
16167:       <fix># yum erase anacron</fix>
16168:     </rule-result>
16169:     <rule-result idref="rule-3.4.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16170:       <result>pass</result>
16171:       <ident system="http://cce.mitre.org">CCE-3626-9</ident>
16172:     </rule-result>
16173:     <rule-result idref="rule-3.4.2.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16174:       <result>pass</result>
16175:       <ident system="http://cce.mitre.org">CCE-3851-3</ident>
16176:     </rule-result>
16177:     <rule-result idref="rule-3.4.2.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16178:       <result>pass</result>
16179:       <ident system="http://cce.mitre.org">CCE-4388-5</ident>
16180:     </rule-result>
16181:     <rule-result idref="rule-3.4.2.2.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16182:       <result>pass</result>
16183:       <ident system="http://cce.mitre.org">CCE-3604-6</ident>
16184:     </rule-result>
16185:     <rule-result idref="rule-3.4.2.2.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16186:       <result>pass</result>
16187:       <ident system="http://cce.mitre.org">CCE-4379-4</ident>
16188:     </rule-result>
16189:     <rule-result idref="rule-3.4.2.2.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16190:       <result>pass</result>
16191:       <ident system="http://cce.mitre.org">CCE-4304-2</ident>
16192:     </rule-result>
16193:     <rule-result idref="rule-3.4.2.3.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16194:       <result>pass</result>
16195:       <ident system="http://cce.mitre.org">CCE-4054-3</ident>
16196:     </rule-result>
16197:     <rule-result idref="rule-3.4.2.3.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16198:       <result>pass</result>
16199:       <ident system="http://cce.mitre.org">CCE-3481-9</ident>
16200:     </rule-result>
16201:     <rule-result idref="rule-3.4.2.3.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16202:       <result>pass</result>
16203:       <ident system="http://cce.mitre.org">CCE-4331-5</ident>
16204:     </rule-result>
16205:     <rule-result idref="rule-3.4.2.3.d" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16206:       <result>pass</result>
16207:       <ident system="http://cce.mitre.org">CCE-4322-4</ident>
16208:     </rule-result>
16209:     <rule-result idref="rule-3.4.2.3.e" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16210:       <result>pass</result>
16211:       <ident system="http://cce.mitre.org">CCE-4212-7</ident>
16212:     </rule-result>
16213:     <rule-result idref="rule-3.4.2.3.f" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16214:       <result>pass</result>
16215:       <ident system="http://cce.mitre.org">CCE-3983-4</ident>
16216:     </rule-result>
16217:     <rule-result idref="rule-3.4.2.3.g" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16218:       <result>pass</result>
16219:       <ident system="http://cce.mitre.org">CCE-4022-0</ident>
16220:     </rule-result>
16221:     <rule-result idref="rule-3.4.2.3.h" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16222:       <result>pass</result>
16223:       <ident system="http://cce.mitre.org">CCE-3833-1</ident>
16224:     </rule-result>
16225:     <rule-result idref="rule-3.4.2.3.i" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16226:       <result>pass</result>
16227:       <ident system="http://cce.mitre.org">CCE-4441-2</ident>
16228:     </rule-result>
16229:     <rule-result idref="rule-3.4.2.3.j" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16230:       <result>pass</result>
16231:       <ident system="http://cce.mitre.org">CCE-4380-2</ident>
16232:     </rule-result>
16233:     <rule-result idref="rule-3.4.2.3.k" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16234:       <result>pass</result>
16235:       <ident system="http://cce.mitre.org">CCE-4106-1</ident>
16236:     </rule-result>
16237:     <rule-result idref="rule-3.4.2.3.l" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16238:       <result>pass</result>
16239:       <ident system="http://cce.mitre.org">CCE-4450-3</ident>
16240:     </rule-result>
16241:     <rule-result idref="rule-3.4.2.3.m" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16242:       <result>pass</result>
16243:       <ident system="http://cce.mitre.org">CCE-4203-6</ident>
16244:     </rule-result>
16245:     <rule-result idref="rule-3.4.2.3.n" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16246:       <result>pass</result>
16247:       <ident system="http://cce.mitre.org">CCE-4251-5</ident>
16248:     </rule-result>
16249:     <rule-result idref="rule-3.4.2.3.o" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16250:       <result>pass</result>
16251:       <ident system="http://cce.mitre.org">CCE-4250-7</ident>
16252:     </rule-result>
16253:     <rule-result idref="rule-3.4.2.4.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16254:       <result>pass</result>
16255:     </rule-result>
16256:     <rule-result idref="rule-3.4.2.4.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16257:       <result>pass</result>
16258:     </rule-result>
16259:     <rule-result idref="rule-3.4.2.4.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16260:       <result>pass</result>
16261:     </rule-result>
16262:     <rule-result idref="rule-3.4.3.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16263:       <result>notselected</result>
16264:     </rule-result>
16265:     <rule-result idref="rule-3.4.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16266:       <result>notselected</result>
16267:     </rule-result>
16268:     <rule-result idref="rule-3.4.4.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16269:       <result>notselected</result>
16270:       <fix>rm /etc/cron.deny</fix>
16271:     </rule-result>
16272:     <rule-result idref="rule-3.4.4.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16273:       <result>notselected</result>
16274:       <fix>rm /etc/at.deny</fix>
16275:     </rule-result>
16276:     <rule-result idref="rule-3.5.1.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16277:       <result>notselected</result>
16278:       <ident system="http://cce.mitre.org">CCE-4268-9</ident>
16279:       <fix># chkconfig sshd off</fix>
16280:     </rule-result>
16281:     <rule-result idref="rule-3.5.1.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16282:       <result>notselected</result>
16283:       <ident system="http://cce.mitre.org">CCE-4272-1</ident>
16284:       <fix># yum erase openssh-server</fix>
16285:     </rule-result>
16286:     <rule-result idref="rule-3.5.1.2.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16287:       <result>notselected</result>
16288:       <ident system="http://cce.mitre.org">CCE-4295-2</ident>
16289:     </rule-result>
16290:     <rule-result idref="rule-3.5.1.2.b" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16291:       <result>notselected</result>
16292:     </rule-result>
16293:     <rule-result idref="rule-3.5.2.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16294:       <result>notselected</result>
16295:       <ident system="http://cce.mitre.org">CCE-4325-7</ident>
16296:     </rule-result>
16297:     <rule-result idref="rule-3.5.2.3.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16298:       <result>notselected</result>
16299:       <ident system="http://cce.mitre.org">CCE-3845-5</ident>
16300:     </rule-result>
16301:     <rule-result idref="rule-3.5.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16302:       <result>notselected</result>
16303:     </rule-result>
16304:     <rule-result idref="rule-3.5.2.4.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16305:       <result>notselected</result>
16306:       <ident system="http://cce.mitre.org">CCE-4475-0</ident>
16307:     </rule-result>
16308:     <rule-result idref="rule-3.5.2.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16309:       <result>notselected</result>
16310:       <ident system="http://cce.mitre.org">CCE-4370-3</ident>
16311:     </rule-result>
16312:     <rule-result idref="rule-3.5.2.6.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16313:       <result>notselected</result>
16314:       <ident system="http://cce.mitre.org">CCE-4387-7</ident>
16315:     </rule-result>
16316:     <rule-result idref="rule-3.5.2.7.a" time="2011-06-28T00:42:58" weight="10.000000">
16317:       <result>notselected</result>
16318:       <ident system="http://cce.mitre.org">CCE-3660-8</ident>
16319:     </rule-result>
16320:     <rule-result idref="rule-3.5.2.8.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16321:       <result>notselected</result>
16322:       <ident system="http://cce.mitre.org">CCE-4431-3</ident>
16323:     </rule-result>
16324:     <rule-result idref="rule-3.5.2.9.a" time="2011-06-28T00:42:58" weight="10.000000">
16325:       <result>notselected</result>
16326:     </rule-result>
16327:     <rule-result idref="rule-3.5.2.10.a" time="2011-06-28T00:42:58" weight="10.000000">
16328:       <result>notselected</result>
16329:     </rule-result>
16330:     <rule-result idref="rule-3.6.1.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16331:       <result>notselected</result>
16332:       <ident system="http://cce.mitre.org">CCE-4462-8</ident>
16333:     </rule-result>
16334:     <rule-result idref="rule-3.6.1.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16335:       <result>notselected</result>
16336:       <ident system="http://cce.mitre.org">CCE-4422-2</ident>
16337:       <fix># yum groupremove "X Window System"</fix>
16338:     </rule-result>
16339:     <rule-result idref="rule-3.6.1.3.2.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16340:       <result>notselected</result>
16341:       <ident system="http://cce.mitre.org">CCE-4074-1</ident>
16342:       <fix>echo "exec X :0 -nolisten tcp $@" &gt; /etc/X11/xinit/xserverrc</fix>
16343:     </rule-result>
16344:     <rule-result idref="rule-3.6.2.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16345:       <result>notselected</result>
16346:       <ident system="http://cce.mitre.org">CCE-3717-6</ident>
16347:     </rule-result>
16348:     <rule-result idref="rule-3.7.1.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16349:       <result>notselected</result>
16350:       <ident system="http://cce.mitre.org">CCE-4365-3</ident>
16351:       <fix># chkconfig avahi-daemon off</fix>
16352:     </rule-result>
16353:     <rule-result idref="rule-3.7.2.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16354:       <result>notselected</result>
16355:       <ident system="http://cce.mitre.org">CCE-4136-8</ident>
16356:     </rule-result>
16357:     <rule-result idref="rule-3.7.2.1.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16358:       <result>notselected</result>
16359:       <ident system="http://cce.mitre.org">CCE-4409-9</ident>
16360:     </rule-result>
16361:     <rule-result idref="rule-3.7.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16362:       <result>notselected</result>
16363:       <ident system="http://cce.mitre.org">CCE-4426-3</ident>
16364:     </rule-result>
16365:     <rule-result idref="rule-3.7.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16366:       <result>notselected</result>
16367:       <ident system="http://cce.mitre.org">CCE-4193-9</ident>
16368:     </rule-result>
16369:     <rule-result idref="rule-3.7.2.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16370:       <result>notselected</result>
16371:       <ident system="http://cce.mitre.org">CCE-4444-6</ident>
16372:     </rule-result>
16373:     <rule-result idref="rule-3.7.2.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16374:       <result>notselected</result>
16375:       <ident system="http://cce.mitre.org">CCE-4352-1</ident>
16376:     </rule-result>
16377:     <rule-result idref="rule-3.7.2.5.b" time="2011-06-28T00:42:58" weight="10.000000">
16378:       <result>notselected</result>
16379:       <ident system="http://cce.mitre.org">CCE-4433-9</ident>
16380:     </rule-result>
16381:     <rule-result idref="rule-3.7.2.5.c" time="2011-06-28T00:42:58" weight="10.000000">
16382:       <result>notselected</result>
16383:       <ident system="http://cce.mitre.org">CCE-4451-1</ident>
16384:     </rule-result>
16385:     <rule-result idref="rule-3.7.2.5.d" time="2011-06-28T00:42:58" weight="10.000000">
16386:       <result>notselected</result>
16387:       <ident system="http://cce.mitre.org">CCE-4341-4</ident>
16388:     </rule-result>
16389:     <rule-result idref="rule-3.7.2.5.e" time="2011-06-28T00:42:58" weight="10.000000">
16390:       <result>notselected</result>
16391:       <ident system="http://cce.mitre.org">CCE-4358-8</ident>
16392:     </rule-result>
16393:     <rule-result idref="rule-3.8.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16394:       <result>notselected</result>
16395:       <ident system="http://cce.mitre.org">CCE-4112-9</ident>
16396:       <fix># chkconfig cups off</fix>
16397:     </rule-result>
16398:     <rule-result idref="rule-3.8.2.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16399:       <result>notselected</result>
16400:       <ident system="http://cce.mitre.org">CCE-3649-1</ident>
16401:     </rule-result>
16402:     <rule-result idref="rule-3.8.2.b" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16403:       <result>notselected</result>
16404:     </rule-result>
16405:     <rule-result idref="rule-3.8.3.1.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16406:       <result>notselected</result>
16407:       <ident system="http://cce.mitre.org">CCE-4420-6</ident>
16408:     </rule-result>
16409:     <rule-result idref="rule-3.8.3.1.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16410:       <result>notselected</result>
16411:       <ident system="http://cce.mitre.org">CCE-4407-3</ident>
16412:     </rule-result>
16413:     <rule-result idref="rule-3.8.4.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16414:       <result>notselected</result>
16415:       <ident system="http://cce.mitre.org">CCE-4425-5</ident>
16416:     </rule-result>
16417:     <rule-result idref="rule-3.9.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16418:       <result>notselected</result>
16419:       <ident system="http://cce.mitre.org">CCE-4191-3</ident>
16420:     </rule-result>
16421:     <rule-result idref="rule-3.9.3.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16422:       <result>notselected</result>
16423:       <ident system="http://cce.mitre.org">CCE-4336-4</ident>
16424:       <fix># chkconfig dhcpd off</fix>
16425:     </rule-result>
16426:     <rule-result idref="rule-3.9.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16427:       <result>notselected</result>
16428:       <ident system="http://cce.mitre.org">CCE-4464-4</ident>
16429:       <fix># yum erase dhcp</fix>
16430:     </rule-result>
16431:     <rule-result idref="rule-3.9.4.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16432:       <result>notselected</result>
16433:       <ident system="http://cce.mitre.org">CCE-4257-2</ident>
16434:     </rule-result>
16435:     <rule-result idref="rule-3.9.4.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16436:       <result>notselected</result>
16437:       <ident system="http://cce.mitre.org">CCE-4403-2</ident>
16438:     </rule-result>
16439:     <rule-result idref="rule-3.9.4.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16440:       <result>notselected</result>
16441:       <ident system="http://cce.mitre.org">CCE-4345-5</ident>
16442:     </rule-result>
16443:     <rule-result idref="rule-3.9.4.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16444:       <result>notselected</result>
16445:       <ident system="http://cce.mitre.org">CCE-3724-2</ident>
16446:     </rule-result>
16447:     <rule-result idref="rule-3.9.4.4.b" time="2011-06-28T00:42:58" weight="10.000000">
16448:       <result>notselected</result>
16449:       <ident system="http://cce.mitre.org">CCE-4243-2</ident>
16450:     </rule-result>
16451:     <rule-result idref="rule-3.9.4.4.c" time="2011-06-28T00:42:58" weight="10.000000">
16452:       <result>notselected</result>
16453:       <ident system="http://cce.mitre.org">CCE-4389-3</ident>
16454:     </rule-result>
16455:     <rule-result idref="rule-3.9.4.4.d" time="2011-06-28T00:42:58" weight="10.000000">
16456:       <result>notselected</result>
16457:       <ident system="http://cce.mitre.org">CCE-3913-1</ident>
16458:     </rule-result>
16459:     <rule-result idref="rule-3.9.4.4.e" time="2011-06-28T00:42:58" weight="10.000000">
16460:       <result>notselected</result>
16461:       <ident system="http://cce.mitre.org">CCE-4169-9</ident>
16462:     </rule-result>
16463:     <rule-result idref="rule-3.9.4.4.f" time="2011-06-28T00:42:58" weight="10.000000">
16464:       <result>notselected</result>
16465:       <ident system="http://cce.mitre.org">CCE-4318-2</ident>
16466:     </rule-result>
16467:     <rule-result idref="rule-3.9.4.4.g" time="2011-06-28T00:42:58" weight="10.000000">
16468:       <result>notselected</result>
16469:       <ident system="http://cce.mitre.org">CCE-4319-0</ident>
16470:     </rule-result>
16471:     <rule-result idref="rule-3.9.4.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16472:       <result>notselected</result>
16473:       <ident system="http://cce.mitre.org">CCE-3733-3</ident>
16474:     </rule-result>
16475:     <rule-result idref="rule-3.10.2.2.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16476:       <result>notselected</result>
16477:       <ident system="http://cce.mitre.org">CCE-4376-0</ident>
16478:       <fix># chkconfig ntpd on</fix>
16479:     </rule-result>
16480:     <rule-result idref="rule-3.10.2.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16481:       <result>notselected</result>
16482:       <ident system="http://cce.mitre.org">CCE-4134-3</ident>
16483:     </rule-result>
16484:     <rule-result idref="rule-3.10.2.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16485:       <result>notselected</result>
16486:       <ident system="http://cce.mitre.org">CCE-4385-1</ident>
16487:     </rule-result>
16488:     <rule-result idref="rule-3.10.3.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16489:       <result>notselected</result>
16490:       <ident system="http://cce.mitre.org">CCE-4032-9</ident>
16491:     </rule-result>
16492:     <rule-result idref="rule-3.10.3.2.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16493:       <result>notselected</result>
16494:       <ident system="http://cce.mitre.org">CCE-4424-8</ident>
16495:     </rule-result>
16496:     <rule-result idref="rule-3.10.3.2.2.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16497:       <result>notselected</result>
16498:       <ident system="http://cce.mitre.org">CCE-3487-6</ident>
16499:     </rule-result>
16500:     <rule-result idref="rule-3.11.2.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16501:       <result>notselected</result>
16502:       <ident system="http://cce.mitre.org">CCE-4293-7</ident>
16503:     </rule-result>
16504:     <rule-result idref="rule-3.12.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16505:       <result>notselected</result>
16506:     </rule-result>
16507:     <rule-result idref="rule-3.12.3.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16508:       <result>notselected</result>
16509:       <ident system="http://cce.mitre.org">CCE-3501-4</ident>
16510:     </rule-result>
16511:     <rule-result idref="rule-3.13.1.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16512:       <result>notselected</result>
16513:       <ident system="http://cce.mitre.org">CCE-4396-8</ident>
16514:     </rule-result>
16515:     <rule-result idref="rule-3.13.1.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16516:       <result>notselected</result>
16517:       <ident system="http://cce.mitre.org">CCE-3535-2</ident>
16518:     </rule-result>
16519:     <rule-result idref="rule-3.13.1.1.c" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16520:       <result>notselected</result>
16521:       <ident system="http://cce.mitre.org">CCE-3568-3</ident>
16522:     </rule-result>
16523:     <rule-result idref="rule-3.13.1.2.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16524:       <result>notselected</result>
16525:       <ident system="http://cce.mitre.org">CCE-4533-6</ident>
16526:     </rule-result>
16527:     <rule-result idref="rule-3.13.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16528:       <result>notselected</result>
16529:       <ident system="http://cce.mitre.org">CCE-4559-1</ident>
16530:     </rule-result>
16531:     <rule-result idref="rule-3.13.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16532:       <result>notselected</result>
16533:       <ident system="http://cce.mitre.org">CCE-4015-4</ident>
16534:     </rule-result>
16535:     <rule-result idref="rule-3.13.2.3.c" time="2011-06-28T00:42:58" weight="10.000000">
16536:       <result>notselected</result>
16537:       <ident system="http://cce.mitre.org">CCE-3667-3</ident>
16538:     </rule-result>
16539:     <rule-result idref="rule-3.13.2.3.d" time="2011-06-28T00:42:58" weight="10.000000">
16540:       <result>notselected</result>
16541:       <ident system="http://cce.mitre.org">CCE-4310-9</ident>
16542:     </rule-result>
16543:     <rule-result idref="rule-3.13.2.3.e" time="2011-06-28T00:42:58" weight="10.000000">
16544:       <result>notselected</result>
16545:       <ident system="http://cce.mitre.org">CCE-4438-8</ident>
16546:     </rule-result>
16547:     <rule-result idref="rule-3.13.2.3.f" time="2011-06-28T00:42:58" weight="10.000000">
16548:       <result>notselected</result>
16549:       <ident system="http://cce.mitre.org">CCE-3579-0</ident>
16550:     </rule-result>
16551:     <rule-result idref="rule-3.13.3.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16552:       <result>notselected</result>
16553:       <ident system="http://cce.mitre.org">CCE-4473-5</ident>
16554:     </rule-result>
16555:     <rule-result idref="rule-3.13.3.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16556:       <result>notselected</result>
16557:       <ident system="http://cce.mitre.org">CCE-4491-7</ident>
16558:     </rule-result>
16559:     <rule-result idref="rule-3.13.3.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16560:       <result>notselected</result>
16561:       <ident system="http://cce.mitre.org">CCE-4368-7</ident>
16562:     </rule-result>
16563:     <rule-result idref="rule-3.13.3.2.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16564:       <result>notselected</result>
16565:       <ident system="http://cce.mitre.org">CCE-4024-6</ident>
16566:     </rule-result>
16567:     <rule-result idref="rule-3.13.3.2.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16568:       <result>notselected</result>
16569:       <ident system="http://cce.mitre.org">CCE-4526-0</ident>
16570:     </rule-result>
16571:     <rule-result idref="rule-3.13.4.1.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16572:       <result>notselected</result>
16573:       <ident system="http://cce.mitre.org">CCE-4544-3</ident>
16574:     </rule-result>
16575:     <rule-result idref="rule-3.13.4.1.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16576:       <result>notselected</result>
16577:       <ident system="http://cce.mitre.org">CCE-4465-1</ident>
16578:     </rule-result>
16579:     <rule-result idref="rule-3.13.4.1.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16580:       <result>notselected</result>
16581:       <ident system="http://cce.mitre.org">CCE-4350-5</ident>
16582:     </rule-result>
16583:     <rule-result idref="rule-3.14.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16584:       <result>notselected</result>
16585:       <ident system="http://cce.mitre.org">CCE-3578-2</ident>
16586:     </rule-result>
16587:     <rule-result idref="rule-3.14.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16588:       <result>notselected</result>
16589:       <ident system="http://cce.mitre.org">CCE-4219-2</ident>
16590:     </rule-result>
16591:     <rule-result idref="rule-3.14.3.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16592:       <result>notselected</result>
16593:       <ident system="http://cce.mitre.org">CCE-3985-9</ident>
16594:     </rule-result>
16595:     <rule-result idref="rule-3.14.3.2.b" time="2011-06-28T00:42:58" weight="10.000000">
16596:       <result>notselected</result>
16597:       <ident system="http://cce.mitre.org">CCE-4258-0</ident>
16598:     </rule-result>
16599:     <rule-result idref="rule-3.14.3.2.c" time="2011-06-28T00:42:58" weight="10.000000">
16600:       <result>notselected</result>
16601:       <ident system="http://cce.mitre.org">CCE-4487-5</ident>
16602:     </rule-result>
16603:     <rule-result idref="rule-3.14.4.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16604:       <result>notselected</result>
16605:       <ident system="http://cce.mitre.org">CCE-4399-2</ident>
16606:     </rule-result>
16607:     <rule-result idref="rule-3.15.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16608:       <result>notselected</result>
16609:       <ident system="http://cce.mitre.org">CCE-3919-8</ident>
16610:     </rule-result>
16611:     <rule-result idref="rule-3.15.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16612:       <result>notselected</result>
16613:       <ident system="http://cce.mitre.org">CCE-3919-8</ident>
16614:     </rule-result>
16615:     <rule-result idref="rule-3.15.3.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16616:       <result>notselected</result>
16617:       <ident system="http://cce.mitre.org">CCE-4549-2</ident>
16618:     </rule-result>
16619:     <rule-result idref="rule-3.15.3.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16620:       <result>notselected</result>
16621:       <ident system="http://cce.mitre.org">CCE-4554-2</ident>
16622:     </rule-result>
16623:     <rule-result idref="rule-3.15.3.3.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16624:       <result>notselected</result>
16625:       <ident system="http://cce.mitre.org">CCE-4443-8</ident>
16626:     </rule-result>
16627:     <rule-result idref="rule-3.15.3.4.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16628:       <result>notselected</result>
16629:       <ident system="http://cce.mitre.org">CCE-4461-0</ident>
16630:     </rule-result>
16631:     <rule-result idref="rule-3.16.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16632:       <result>notselected</result>
16633:       <ident system="http://cce.mitre.org">CCE-4338-0</ident>
16634:     </rule-result>
16635:     <rule-result idref="rule-3.16.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16636:       <result>notselected</result>
16637:       <ident system="http://cce.mitre.org">CCE-4514-6</ident>
16638:     </rule-result>
16639:     <rule-result idref="rule-3.16.3.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16640:       <result>notselected</result>
16641:       <ident system="http://cce.mitre.org">CCE-4474-3</ident>
16642:     </rule-result>
16643:     <rule-result idref="rule-3.16.3.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16644:       <result>notselected</result>
16645:       <ident system="http://cce.mitre.org">CCE-3756-4</ident>
16646:     </rule-result>
16647:     <rule-result idref="rule-3.16.5.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16648:       <result>notselected</result>
16649:       <ident system="http://cce.mitre.org">CCE-4509-6</ident>
16650:     </rule-result>
16651:     <rule-result idref="rule-3.16.5.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16652:       <result>notselected</result>
16653:       <ident system="http://cce.mitre.org">CCE-4386-9</ident>
16654:     </rule-result>
16655:     <rule-result idref="rule-3.16.5.1.c" time="2011-06-28T00:42:58" weight="10.000000">
16656:       <result>notselected</result>
16657:       <ident system="http://cce.mitre.org">CCE-4029-5</ident>
16658:     </rule-result>
16659:     <rule-result idref="rule-3.16.5.1.d" time="2011-06-28T00:42:58" weight="10.000000">
16660:       <result>notselected</result>
16661:       <ident system="http://cce.mitre.org">CCE-3581-6</ident>
16662:     </rule-result>
16663:     <rule-result idref="rule-3.16.5.1.e" time="2011-06-28T00:42:58" weight="10.000000">
16664:       <result>notselected</result>
16665:       <ident system="http://cce.mitre.org">CCE-4574-0</ident>
16666:     </rule-result>
16667:     <rule-result idref="rule-3.17.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16668:       <result>notselected</result>
16669:       <ident system="http://cce.mitre.org">CCE-3847-1</ident>
16670:     </rule-result>
16671:     <rule-result idref="rule-3.17.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16672:       <result>notselected</result>
16673:       <ident system="http://cce.mitre.org">CCE-4239-0</ident>
16674:     </rule-result>
16675:     <rule-result idref="rule-3.17.2.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16676:       <result>notselected</result>
16677:       <ident system="http://cce.mitre.org">CCE-4384-4</ident>
16678:     </rule-result>
16679:     <rule-result idref="rule-3.17.2.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16680:       <result>notselected</result>
16681:       <ident system="http://cce.mitre.org">CCE-3887-7</ident>
16682:     </rule-result>
16683:     <rule-result idref="rule-3.17.2.1.c" time="2011-06-28T00:42:58" weight="10.000000">
16684:       <result>notselected</result>
16685:       <ident system="http://cce.mitre.org">CCE-4530-2</ident>
16686:     </rule-result>
16687:     <rule-result idref="rule-3.17.2.1.d" time="2011-06-28T00:42:58" weight="10.000000">
16688:       <result>notselected</result>
16689:       <ident system="http://cce.mitre.org">CCE-4547-6</ident>
16690:     </rule-result>
16691:     <rule-result idref="rule-3.17.2.2.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16692:       <result>notselected</result>
16693:       <ident system="http://cce.mitre.org">CCE-4552-6</ident>
16694:     </rule-result>
16695:     <rule-result idref="rule-3.17.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16696:       <result>notselected</result>
16697:       <ident system="http://cce.mitre.org">CCE-4371-1</ident>
16698:     </rule-result>
16699:     <rule-result idref="rule-3.17.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16700:       <result>notselected</result>
16701:       <ident system="http://cce.mitre.org">CCE-4410-7</ident>
16702:     </rule-result>
16703:     <rule-result idref="rule-3.18.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16704:       <result>notselected</result>
16705:       <ident system="http://cce.mitre.org">CCE-4551-8</ident>
16706:     </rule-result>
    <!-- NOTE(review): this rule-result carries no <ident>, so it cannot be
         cross-referenced by CCE; any report keyed on CCE identifiers will silently
         omit it. The same applies to rule-2.3.3.2.c later in this TestResult. -->
16707:     <rule-result idref="rule-3.18.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16708:       <result>notselected</result>
16709:     </rule-result>
    <!-- NOTE(review): CCE-4556-7 is attached to three distinct rules below
         (rule-3.18.2.10.a, rule-3.18.2.11.a and rule-3.19.1.a). A CCE is meant to
         identify a single configuration item, so consumers that aggregate or
         de-duplicate results by CCE will conflate these three rules; this looks like
         a benchmark authoring issue to confirm against the source XCCDF. -->
16710:     <rule-result idref="rule-3.18.2.10.a" time="2011-06-28T00:42:58" weight="10.000000">
16711:       <result>notselected</result>
16712:       <ident system="http://cce.mitre.org">CCE-4556-7</ident>
16713:     </rule-result>
16714:     <rule-result idref="rule-3.18.2.11.a" time="2011-06-28T00:42:58" weight="10.000000">
16715:       <result>notselected</result>
16716:       <ident system="http://cce.mitre.org">CCE-4556-7</ident>
16717:     </rule-result>
16718:     <rule-result idref="rule-3.19.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16719:       <result>notselected</result>
16720:       <ident system="http://cce.mitre.org">CCE-4556-7</ident>
16721:     </rule-result>
16722:     <rule-result idref="rule-3.19.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16723:       <result>notselected</result>
16724:       <ident system="http://cce.mitre.org">CCE-4076-6</ident>
16725:     </rule-result>
16726:     <rule-result idref="rule-3.19.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16727:       <result>notselected</result>
16728:       <ident system="http://cce.mitre.org">CCE-4454-5</ident>
16729:     </rule-result>
16730:     <rule-result idref="rule-3.19.2.2.b" time="2011-06-28T00:42:58" weight="10.000000">
16731:       <result>notselected</result>
16732:       <ident system="http://cce.mitre.org">CCE-4459-4</ident>
16733:     </rule-result>
16734:     <rule-result idref="rule-3.19.2.2.c" time="2011-06-28T00:42:58" weight="10.000000">
16735:       <result>notselected</result>
16736:       <ident system="http://cce.mitre.org">CCE-4503-9</ident>
16737:     </rule-result>
16738:     <rule-result idref="rule-3.19.2.2.d" time="2011-06-28T00:42:58" weight="10.000000">
16739:       <result>notselected</result>
16740:       <ident system="http://cce.mitre.org">CCE-4353-9</ident>
16741:     </rule-result>
16742:     <rule-result idref="rule-3.19.2.2.e" time="2011-06-28T00:42:58" weight="10.000000">
16743:       <result>notselected</result>
16744:       <ident system="http://cce.mitre.org">CCE-4419-8</ident>
16745:     </rule-result>
16746:     <rule-result idref="rule-3.19.2.2.f" time="2011-06-28T00:42:58" weight="10.000000">
16747:       <result>notselected</result>
16748:       <ident system="http://cce.mitre.org">CCE-3692-1</ident>
16749:     </rule-result>
16750:     <rule-result idref="rule-3.19.2.2.g" time="2011-06-28T00:42:58" weight="10.000000">
16751:       <result>notselected</result>
16752:       <ident system="http://cce.mitre.org">CCE-4476-8</ident>
16753:     </rule-result>
16754:     <rule-result idref="rule-3.19.2.2.h" time="2011-06-28T00:42:58" weight="10.000000">
16755:       <result>notselected</result>
16756:       <ident system="http://cce.mitre.org">CCE-3585-7</ident>
16757:     </rule-result>
16758:     <rule-result idref="rule-3.19.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16759:       <result>notselected</result>
16760:       <ident system="http://cce.mitre.org">CCE-4344-8</ident>
16761:     </rule-result>
16762:     <rule-result idref="rule-3.19.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16763:       <result>notselected</result>
16764:       <ident system="http://cce.mitre.org">CCE-4494-1</ident>
16765:     </rule-result>
16766:     <rule-result idref="rule-3.19.2.3.c" time="2011-06-28T00:42:58" weight="10.000000">
16767:       <result>notselected</result>
16768:       <ident system="http://cce.mitre.org">CCE-4181-4</ident>
16769:     </rule-result>
16770:     <rule-result idref="rule-3.19.2.3.d" time="2011-06-28T00:42:58" weight="10.000000">
16771:       <result>notselected</result>
16772:       <ident system="http://cce.mitre.org">CCE-4577-3</ident>
16773:     </rule-result>
16774:     <rule-result idref="rule-3.19.2.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16775:       <result>notselected</result>
16776:       <ident system="http://cce.mitre.org">CCE-4511-2</ident>
16777:     </rule-result>
16778:     <rule-result idref="rule-3.19.2.5.b" time="2011-06-28T00:42:58" weight="10.000000">
16779:       <result>notselected</result>
16780:       <ident system="http://cce.mitre.org">CCE-4529-4</ident>
16781:     </rule-result>
16782:     <rule-result idref="rule-3.19.2.5.c" time="2011-06-28T00:42:58" weight="10.000000">
16783:       <result>notselected</result>
16784:       <ident system="http://cce.mitre.org">CCE-3610-3</ident>
16785:     </rule-result>
16786:     <rule-result idref="rule-3.19.2.5.d" time="2011-06-28T00:42:58" weight="10.000000">
16787:       <result>notselected</result>
16788:       <ident system="http://cce.mitre.org">CCE-4466-9</ident>
16789:     </rule-result>
16790:     <rule-result idref="rule-3.19.2.5.e" time="2011-06-28T00:42:58" weight="10.000000">
16791:       <result>notselected</result>
16792:       <ident system="http://cce.mitre.org">CCE-4607-8</ident>
16793:     </rule-result>
16794:     <rule-result idref="rule-3.19.2.5.f" time="2011-06-28T00:42:58" weight="10.000000">
16795:       <result>notselected</result>
16796:       <ident system="http://cce.mitre.org">CCE-4255-6</ident>
16797:     </rule-result>
16798:     <rule-result idref="rule-3.19.2.5.g" time="2011-06-28T00:42:58" weight="10.000000">
16799:       <result>notselected</result>
16800:       <ident system="http://cce.mitre.org">CCE-4127-7</ident>
16801:     </rule-result>
16802:     <rule-result idref="rule-3.19.2.5.h" time="2011-06-28T00:42:58" weight="10.000000">
16803:       <result>notselected</result>
16804:       <ident system="http://cce.mitre.org">CCE-4519-5</ident>
16805:     </rule-result>
16806:     <rule-result idref="rule-3.19.2.5.i" time="2011-06-28T00:42:58" weight="10.000000">
16807:       <result>notselected</result>
16808:       <ident system="http://cce.mitre.org">CCE-4413-1</ident>
16809:     </rule-result>
16810:     <rule-result idref="rule-3.19.2.5.j" time="2011-06-28T00:42:58" weight="10.000000">
16811:       <result>notselected</result>
16812:       <ident system="http://cce.mitre.org">CCE-4373-7</ident>
16813:     </rule-result>
16814:     <rule-result idref="rule-3.20.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16815:       <result>notselected</result>
16816:       <ident system="http://cce.mitre.org">CCE-3765-5</ident>
16817:     </rule-result>
16818:     <rule-result idref="rule-3.20.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16819:       <result>notselected</result>
16820:       <ident system="http://cce.mitre.org">CCE-4404-0</ident>
16821:     </rule-result>
16822:     <rule-result idref="rule-2.3.3.2.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16823:       <result>notselected</result>
16824:     </rule-result>
16825:     <rule-result idref="rule-2.4.3.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16826:       <result>notselected</result>
16827:       <ident system="http://cce.mitre.org">CCE-4148-3</ident>
16828:     </rule-result>
16829:     <rule-result idref="rule-2.4.3.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16830:       <result>notselected</result>
16831:       <ident system="http://cce.mitre.org">CCE-4254-9</ident>
16832:     </rule-result>
16833:     <rule-result idref="rule-3.11.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16834:       <result>notselected</result>
16835:       <ident system="http://cce.mitre.org">CCE-4416-4</ident>
16836:     </rule-result>
16837:     <rule-result idref="rule-3.12.3.7.a" time="2011-06-28T00:42:58" weight="10.000000">
16838:       <result>notselected</result>
16839:       <ident system="http://cce.mitre.org">CCE-4484-2</ident>
16840:     </rule-result>
16841:     <rule-result idref="rule-3.12.3.7.b" time="2011-06-28T00:42:58" weight="10.000000">
16842:       <result>notselected</result>
16843:       <ident system="http://cce.mitre.org">CCE-4502-1</ident>
16844:     </rule-result>
16845:     <rule-result idref="rule-3.13.1.3.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16846:       <result>notselected</result>
16847:       <ident system="http://cce.mitre.org">CCE-4550-0</ident>
16848:     </rule-result>
    <!-- NOTE(review): two scores are reported for the same run, one per scoring
         model declared on the Benchmark. Rules whose result is "notselected"
         (the large majority shown above) are excluded from XCCDF scoring, so the
         flat score's maximum of 760 reflects only the rules the profile actually
         selected, not the full rule count; read these numbers against the profile
         that was applied rather than the benchmark as a whole. -->
16849:     <score system="urn:xccdf:scoring:default" maximum="100.000000">7.925666</score>
16850:     <score system="urn:xccdf:scoring:flat" maximum="760.000000">680.000000</score>
16851:   </TestResult>
16852: </Benchmark>