Standard System Security Profile for Kylin Linux Advanced Server V10
This profile contains rules to ensure standard security baseline of a Kylin Linux Advanced Server V10 SP3 system. Regardless of your system's workload all of these checks should pass.


Each rule below is listed as ID [Severity] Title on its own line, followed by its Discussion (Rationale) and Fix Text (Description). The Check Text (OCIL Check), SRG Refs, CCI Refs and 800-53 Refs columns of the source table are empty in this export.
package_tftp_removed [high] Remove tftp Daemon
It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services. Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.

package_tftp-server_removed [high] Uninstall tftp-server Package
Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.

The tftp-server package can be removed with the following command:
$ sudo yum erase tftp-server
accounts_no_uid_except_zero [high] Verify Only Root Has UID 0
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

file_owner_etc_passwd [medium] Verify User Who Owns passwd File
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd

file_owner_etc_gshadow [medium] Verify User Who Owns gshadow File
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow

file_groupowner_etc_passwd [medium] Verify Group Who Owns passwd File
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd

file_groupowner_etc_gshadow [medium] Verify Group Who Owns gshadow File
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow

file_permissions_etc_passwd [medium] Verify Permissions on passwd File
If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd

file_permissions_etc_gshadow [medium] Verify Permissions on gshadow File
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow

account_unique_group_id [medium] Ensure All Accounts on the System Have Unique Master Group IDs
To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Change user master group IDs, or delete accounts.

account_unique_id [medium] Ensure All Accounts on the System Have Unique User IDs
To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Change user IDs (UIDs), or delete accounts, so each has a unique id.

accounts_umask_etc_bashrc [unknown] Ensure the Default Bash Umask is Set Correctly
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:
umask

disable_host_auth [medium] Disable Host-Based Authentication
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
accounts_password_pam_minlen [medium] Set Password Minimum Length
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.
accounts_password_pam_minclass [medium] Set Password Strength Minimum Different Categories
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require differing categories of characters when changing passwords.
accounts_password_pam_ucredit [medium] Set Password Strength Minimum Uppercase Characters
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

accounts_password_pam_lcredit [medium] Set Password Strength Minimum Lowercase Characters
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

accounts_password_pam_dcredit [medium] Set Password Strength Minimum Digit Characters
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

accounts_password_pam_ocredit [medium] Set Password Strength Minimum Special Characters
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to require the use of a special character in passwords.
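The interaction between minlen, minclass and the four credit settings described in the rules accounts_password_pam_minlen, accounts_password_pam_minclass, accounts_password_pam_ucredit, accounts_password_pam_lcredit, accounts_password_pam_dcredit and accounts_password_pam_ocredit is easiest to see by computing it. The following is an added example, not part of this profile or of the pam_pwquality library: it is a simplified model of the documented semantics of those settings (plus the usercheck option), written to show how positive credits raise the effective length while negative values become hard requirements. Dictionary, similarity and repeat checks that the real library also performs are deliberately not modelled.

```python
"""Simplified model of pam_pwquality's length, credit, class and user-name checks.

Added example, not part of the Kylin profile or of pam_pwquality itself. It
follows the meaning of minlen, minclass, ucredit, lcredit, dcredit, ocredit
and usercheck documented in pwquality.conf(5); other checks the library
performs (dictionary words, similarity to the old password, repeated
characters, ...) are not modelled here.
"""

CLASS_SETTINGS = ("ucredit", "lcredit", "dcredit", "ocredit")


def count_classes(password):
    """Count the characters of each of the four pwquality character classes."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digit = sum(c.isdigit() for c in password)
    return {
        "ucredit": upper,
        "lcredit": lower,
        "dcredit": digit,
        # "other": anything that is neither a letter nor a digit (punctuation, space, ...)
        "ocredit": len(password) - upper - lower - digit,
    }


def check_pwquality(password, minlen=8, minclass=0, ucredit=1, lcredit=1,
                    dcredit=1, ocredit=1, username=None, usercheck=True):
    """Return the list of failed checks; an empty list means the password passes.

    Credit semantics: a negative value N requires at least -N characters of
    that class; a positive value N adds one to the effective length for each
    such character, up to N extra credits. minlen is compared against the
    effective length, minclass against the number of classes present.
    """
    counts = count_classes(password)
    settings = {"ucredit": ucredit, "lcredit": lcredit,
                "dcredit": dcredit, "ocredit": ocredit}
    failures = []
    effective_len = len(password)

    for name in CLASS_SETTINGS:
        credit, have = settings[name], counts[name]
        if credit < 0:
            if have < -credit:
                failures.append(f"{name}: needs at least {-credit}, has {have}")
        else:
            effective_len += min(have, credit)

    if effective_len < minlen:
        failures.append(f"minlen: effective length {effective_len} < {minlen}")

    classes_present = sum(1 for have in counts.values() if have > 0)
    if classes_present < minclass:
        failures.append(f"minclass: {classes_present} classes present, {minclass} required")

    # usercheck: reject passwords that contain the user name, forwards or reversed
    if usercheck and username:
        low_pw, low_user = password.lower(), username.lower()
        if low_user in low_pw or low_user[::-1] in low_pw:
            failures.append("usercheck: password contains the user name")

    return failures


if __name__ == "__main__":
    # The same 9-character password passes minlen=12 with default credits
    # (four classes present, so four credits) but fails once credits are
    # turned into hard requirements and no longer add length.
    print(check_pwquality("Passw0rd!", minlen=12, minclass=3))
    print(check_pwquality("Passw0rd!", minlen=12, ucredit=-1, lcredit=-1,
                          dcredit=-1, ocredit=-1))
```

The second call in the usage block is the configuration the four credit rules ask for: with every credit negative, a password only passes when it is genuinely minlen characters long and contains each class, which is the reason the profile prefers negative values over the default positive credits.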
ensure_gpgcheck_globally_activated [high] Ensure gpgcheck Enabled In Main Yum Configuration
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1

ensure_gpgcheck_never_disabled [high] Ensure gpgcheck Enabled For All Yum Package Repositories
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
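The two gpgcheck rules have to be checked together, because a repository's own gpgcheck value overrides [main] and a repository that omits it inherits the [main] value (yum.conf(5)); grepping for gpgcheck=0 alone misses repositories that silently inherit a disabled global setting. The audit below is an added example, not part of this profile or of yum: it parses a yum.conf and a set of .repo files, computes the effective setting per repository and lists those that would install unsigned packages. The configuration texts it ships with are constructed; audit_host() reads the real /etc/yum.conf and /etc/yum.repos.d.

```python
"""Effective gpgcheck audit for yum: [main] combined with every repository section.

Added example, not part of the Kylin profile or of yum. A repository's own
gpgcheck overrides the [main] value; a repository that omits it inherits
the [main] value; and yum's default when neither sets it is disabled.
"""
import configparser
import glob
import os

# Constructed sample: [main] enables gpgcheck, one repo disables it explicitly,
# one enables it explicitly and one omits it (and so inherits the main value).
SAMPLE_YUM_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
"""

SAMPLE_REPO_FILES = {
    "kylin.repo": """\
[ks10-adv-os]
name=Kylin Linux Advanced Server 10 - Os (constructed)
baseurl=https://repo.example/ks10/os
gpgcheck=1
""",
    "extras.repo": """\
[extras]
name=Extras (signature check disabled)
baseurl=https://repo.example/extras
gpgcheck=0

[tools]
name=Tools (no gpgcheck line, inherits from [main])
baseurl=https://repo.example/tools
""",
}


def _as_bool(value):
    """yum accepts 1/0, yes/no, true/false and on/off for boolean options."""
    return value.strip().lower() in ("1", "yes", "true", "on")


def _parse(text):
    # yum files are plain key=value with $variables; turn off % interpolation
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def main_gpgcheck(yum_conf_text):
    """True only if [main] explicitly sets gpgcheck to an enabled value (yum's default is off)."""
    conf = _parse(yum_conf_text)
    return conf.has_option("main", "gpgcheck") and _as_bool(conf.get("main", "gpgcheck"))


def effective_gpgcheck(yum_conf_text, repo_files):
    """Map 'file:repoid' -> (effective gpgcheck, source of the value: 'repo' or 'main')."""
    global_on = main_gpgcheck(yum_conf_text)
    result = {}
    for filename, text in repo_files.items():
        repos = _parse(text)
        for repo_id in repos.sections():
            key = f"{filename}:{repo_id}"
            if repos.has_option(repo_id, "gpgcheck"):
                result[key] = (_as_bool(repos.get(repo_id, "gpgcheck")), "repo")
            else:
                result[key] = (global_on, "main")
    return result


def failing_repos(yum_conf_text, repo_files):
    """Repositories whose packages would be installed without a signature check."""
    effective = effective_gpgcheck(yum_conf_text, repo_files)
    return sorted(key for key, (on, _) in effective.items() if not on)


def audit_host(yum_conf="/etc/yum.conf", repos_dir="/etc/yum.repos.d"):
    """Run both rules against the host: (main gpgcheck enabled?, failing repositories)."""
    with open(yum_conf) as fh:
        conf_text = fh.read()
    repo_files = {}
    for path in sorted(glob.glob(os.path.join(repos_dir, "*.repo"))):
        with open(path) as fh:
            repo_files[os.path.basename(path)] = fh.read()
    return main_gpgcheck(conf_text), failing_repos(conf_text, repo_files)


if __name__ == "__main__":
    print("main gpgcheck enabled:", main_gpgcheck(SAMPLE_YUM_CONF))
    print("repos without signature checks:", failing_repos(SAMPLE_YUM_CONF, SAMPLE_REPO_FILES))
```

With the sample input only extras is reported; switching the [main] line to gpgcheck=0 makes tools fail as well, although its file contains no gpgcheck line at all, which is exactly the case the first rule (gpgcheck=1 in [main]) exists to close.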
gid_passwd_group_same [low] All GIDs referenced in /etc/passwd must be defined in /etc/group
If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. Add a group to the system for each GID referenced without a corresponding group.

group_unique_id [medium] Ensure All Groups on the System Have Unique Group ID
To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. Change the group name or delete groups, so each has a unique id.
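The account-consistency rules on this page (accounts_no_uid_except_zero, account_unique_id, group_unique_id and gid_passwd_group_same) all reduce to cross-checks over /etc/passwd and /etc/group, so one script can evaluate them together. The following is an added example, not part of this profile or of its scanner: it parses the two files and reports the findings per rule id. The sample file contents are constructed and contain one violation of each rule; audit_host() applies the same checks to the live files.

```python
"""Consistency checks over /etc/passwd and /etc/group.

Added example, not part of the Kylin profile or of its scanner. Applies the
rules accounts_no_uid_except_zero, account_unique_id, group_unique_id and
gid_passwd_group_same to the text of the two files.
"""
from collections import defaultdict

# Constructed sample input with one violation of each rule:
#   toor shares UID 0 with root, bob shares UID 1000 with alice,
#   carol's primary GID 5000 has no group entry, and GID 1001 is
#   defined twice in the group file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
carol:x:1002:5000:Carol:/home/carol:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
bin:x:1:
alice:x:1000:
bob:x:1001:
staff:x:1001:alice
"""


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def audit_accounts(passwd_text, group_text):
    """Return the findings for each rule, keyed by the profile's rule id.

    An empty list or dict for a rule means that check passes.
    """
    # (name, uid, primary gid) per passwd entry; (name, gid) per group entry
    users = [(f[0], int(f[2]), int(f[3])) for f in parse_colon_file(passwd_text)]
    groups = [(f[0], int(f[2])) for f in parse_colon_file(group_text)]

    names_by_uid = defaultdict(list)
    for name, uid, _ in users:
        names_by_uid[uid].append(name)
    names_by_gid = defaultdict(list)
    for name, gid in groups:
        names_by_gid[gid].append(name)

    return {
        # only root may have UID 0
        "accounts_no_uid_except_zero": [n for n in names_by_uid.get(0, []) if n != "root"],
        # every UID must belong to exactly one account
        "account_unique_id": {uid: ns for uid, ns in names_by_uid.items() if len(ns) > 1},
        # every GID must belong to exactly one group entry
        "group_unique_id": {gid: ns for gid, ns in names_by_gid.items() if len(ns) > 1},
        # every primary GID referenced in passwd must be defined in group
        "gid_passwd_group_same": [(n, g) for n, _, g in users if g not in names_by_gid],
    }


def audit_host(passwd_path="/etc/passwd", group_path="/etc/group"):
    """Run the checks against the live files of this host."""
    with open(passwd_path) as p, open(group_path) as g:
        return audit_accounts(p.read(), g.read())


if __name__ == "__main__":
    for rule, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{rule}: {'PASS' if not finding else finding}")
```

Note that the script looks only at the local files; accounts served by NSS from a directory (LDAP, SSSD) are not covered, which is the same limitation the file-based checks of the profile have.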
set_password_hashing_algorithm_systemauth [medium] Set PAM's Password Hashing Algorithm
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

sshd_allow_only_protocol2 [high] Allow Only SSH Protocol 2
SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2

sshd_disable_rhosts [medium] Disable SSH Support for .rhosts Files
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
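Verifying the three sshd_config rules on this page (disable_host_auth, sshd_allow_only_protocol2 and sshd_disable_rhosts) is not a plain grep, because sshd takes the first value it finds for a keyword and ignores later repeats, and because a value inside a Match block applies only conditionally and must not be mistaken for the global setting (both per sshd_config(5)). The checker below is an added example, not part of this profile or of OpenSSH; it reads the file the way sshd does and falls back to the documented defaults (HostbasedAuthentication no, IgnoreRhosts yes; for Protocol, the page states the default is correct) when a keyword is absent. Its sample configuration is constructed; check_host() reads /etc/ssh/sshd_config.

```python
"""Check the page's sshd_config rules the way sshd itself reads the file.

Added example, not part of the Kylin profile or of OpenSSH. Keywords are
case-insensitive, may be followed by their value after spaces or '=', the
first occurrence of a keyword wins, and everything after the first Match
line is conditional and therefore not a global value.
"""
import re

# rule id -> (keyword, required global value, default when the keyword is absent)
RULES = {
    "sshd_allow_only_protocol2": ("protocol", "2", "2"),
    "disable_host_auth": ("hostbasedauthentication", "no", "no"),
    "sshd_disable_rhosts": ("ignorerhosts", "yes", "yes"),
}

# Constructed sample: the first HostbasedAuthentication line wins, so the
# later "no" and the Match block's "no" do not make the host compliant.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Protocol 2
HostbasedAuthentication yes
HostbasedAuthentication no    # ignored by sshd: a repeat of an earlier keyword
IgnoreRhosts yes
PermitRootLogin = no
Match User deploy
    HostbasedAuthentication no
"""

_LINE = re.compile(r"^\s*(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def global_settings(text):
    """Map lower-cased keyword -> first value seen, stopping at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break  # everything after this applies only to matching connections
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def check_sshd(text):
    """Return {rule_id: True/False} for the global configuration in text."""
    settings = global_settings(text)
    results = {}
    for rule_id, (keyword, expected, default) in RULES.items():
        value = settings.get(keyword, default)
        results[rule_id] = value.strip().lower() == expected
    return results


def check_host(path="/etc/ssh/sshd_config"):
    """Evaluate the live daemon configuration of this host."""
    with open(path) as fh:
        return check_sshd(fh.read())


if __name__ == "__main__":
    for rule_id, ok in check_sshd(SAMPLE_SSHD_CONFIG).items():
        print(f"{rule_id}: {'PASS' if ok else 'FAIL'}")
```

The sample deliberately fails disable_host_auth even though "HostbasedAuthentication no" occurs twice in the file: a line-oriented search would report it as compliant, sshd does not.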
verify_owner_password [high] Accounts Password Should Be Verified When Changing
If the current password is not verified, anyone with access to the session can change it. An account's password should be verified when it is being modified. This is done by pam_unix.so.

no_files_unowned_by_user [medium] Ensure All Files Are Owned by a User
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

no_name_contained_in_password [high] Accounts Name Should Not Be Contained In Password
If the password contains a substring of the account name, it is a risk. The account name should not be contained in the password. The usercheck=0 setting must not be present (i.e., pam_pwquality's user-name check must stay enabled).

file_permissions_ungroupowned [medium] Ensure All Files Are Owned by a Group
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

package_rsyslog_installed [medium] Ensure rsyslog is Installed
The rsyslog package provides the rsyslog daemon, which provides system logging services. Rsyslog is installed by default. The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog
audit_rules_usergroup_modification [unknown] Record Events that Modify User/Group Information
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
audit_rules_privileged_commands [medium] Ensure auditd Collects Information on the Use of Privileged Commands
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
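The find-then-template procedure above is easy to get subtly wrong by hand (a setuid bit on a directory is not a program, and a walk that crosses into another filesystem duplicates or misses entries), so here is an added example that automates it; it is not part of this profile or of the audit package. It reproduces the find(1) criteria from the fix text (regular files with the setuid or setgid bit, staying on one filesystem like -xdev) and emits one rule line per program in exactly the form given above. The (path, mode) entries used in the test are constructed; find_privileged() walks a real directory tree.

```python
"""Generate auditd rules for every setuid/setgid program, as the rule above describes.

Added example, not part of the Kylin profile or of the audit package. Mirrors
'find PART -xdev -type f -perm -4000 -o -type f -perm -2000' and renders the
rule template from the fix text for each program found.
"""
import os
import stat

# Rule line from the fix text, with SETUID_PROG_PATH as the placeholder
RULE_TEMPLATE = ("-a always,exit -F path={path} -F perm=x "
                 "-F auid>=1000 -F auid!=4294967295 -F key=privileged")


def is_privileged(st_mode):
    """True for a regular file with the setuid or setgid bit set (-type f -perm -4000/-2000)."""
    return stat.S_ISREG(st_mode) and bool(st_mode & (stat.S_ISUID | stat.S_ISGID))


def privileged_from_entries(entries):
    """Filter an iterable of (path, st_mode) pairs down to the sorted privileged programs."""
    return sorted(path for path, mode in entries if is_privileged(mode))


def _same_device(path, dev):
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def walk_entries(root):
    """Yield (path, st_mode) for every entry under root on root's filesystem (like -xdev)."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # prune mount points in place so os.walk stays on the same partition
        dirnames[:] = [d for d in dirnames if _same_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable; find's 2>/dev/null hides the same cases


def find_privileged(root):
    """All setuid/setgid programs under root, on root's filesystem only."""
    return privileged_from_entries(walk_entries(root))


def rule_for(path):
    """The audit rule line for one setuid/setgid program."""
    return RULE_TEMPLATE.format(path=path)


def rules_for(paths):
    """All rule lines, ready to be written to a .rules file under /etc/audit/rules.d."""
    return "".join(rule_for(p) + "\n" for p in paths)


if __name__ == "__main__":
    import sys
    # Usage: python3 privileged_rules.py /  >  /etc/audit/rules.d/privileged.rules
    partition = sys.argv[1] if len(sys.argv) > 1 else "/"
    sys.stdout.write(rules_for(find_privileged(partition)))
```

Run it once per local partition, as the fix text says, and regenerate the file after package updates: a newly installed setuid program is not covered until its path has its own rule.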
service_kdump_disabled [medium] Disable KDump Kernel Crash Analyzer (kdump)
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl disable kdump.service

package_rsh-server_removed [high] Uninstall rsh-server Package
The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. The rsh-server package can be uninstalled with the following command:
$ sudo yum erase rsh-server

package_audit_installed [medium] Install audit
"audit" usually refers to a software package used for system security audits. It can help system administrators monitor and record activities in the system to better understand the usage and security of the system. Install the audit package with the command:
$ sudo yum install audit

package_avahi_removed [unknown] Uninstall avahi Package
Avahi is an open source network service discovery framework that helps devices discover and communicate with each other on a local network without the need to use a central server. Avahi provides support for several network service discovery protocols. The avahi software package has been removed.

package_certmonger_removed [unknown] Uninstall certmonger Package
Certmonger is an open source tool for managing SSL certificates that helps administrators automate the certificate application, renewal, and revocation process. Certmonger supports multiple certificate authorities (CAs) and can be integrated with a variety of Linux systems. The certmonger software package has been removed.

package_chrony_installed [medium] Install chrony
Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems. More information on chrony can be found at http://chrony.tuxfamily.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate. Install or update the Chrony time synchronization software package.

package_cronie_installed [medium] Install cronie
cronie is a tool used to manage scheduled tasks in Linux. It is often used to manage scheduled tasks of the system, such as periodic backup and periodic clearing. Check whether the cronie software package is installed.

package_dconf_installed [medium] Install dconf
The dconf package should be installed to change the settings of various desktop environments. Install the dconf package with the command:
$ sudo yum install dconf

package_dovecot_removed [unknown] Uninstall dovecot Package
If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. The dovecot package can be uninstalled with the following command:
$ sudo yum erase dovecot

package_dracut-fips_installed [medium] Install the dracut-fips Package
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips

package_firewalld_installed [medium] Install firewalld
The firewalld package should be installed to provide access control methods. Install the firewalld package with the command:
$ sudo yum install firewalld

package_libreswan_installed [medium] Install libreswan Package
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command:
$ sudo yum install libreswan

package_ntp_installed [high] Install the ntp service
Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regularly maintained and updated, supporting security features such as RFC 5906. The ntpd service should be installed.

package_postfix_installed [medium] Install postfix
postfix is a software package for sending and receiving mail on Linux operating systems. It is an open source mail transfer agent that can be used to send and receive email and supports protocols such as SMTP, POP3, and IMAP. Install the postfix package with the command:
$ sudo yum install postfix

package_quagga_removed [medium] Uninstall quagga Package
Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network.

If there is no need to make the router software available, removing it provides a safeguard against its activation.

The quagga package can be removed with the following command:
$ sudo yum erase quagga

package_rsh_removed [unknown] Uninstall rsh Package
These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp, and rlogin. The rsh package contains the client commands for the rsh services.

package_samba-common_installed [medium] Install the Samba Common Package
If the samba-common package is not installed, samba cannot be configured. The samba-common package should be installed. The samba-common package can be installed with the following command:
$ sudo yum install samba-common

package_talk-server_removed [medium] Uninstall talk-server Package
The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services. The talk-server package can be removed with the following command:
$ sudo yum erase talk-server

package_talk_removed [unknown] Uninstall talk Package
The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of the talk client program. The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The talk package can be removed with the following command:
$ sudo yum erase talk