CCE ID | Rule Title | Description | Rationale | Variable Setting | NIST 800-53 Mapping |
Remove tftp Daemon | Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between systems.
TFTP provides no authentication and no encryption, so any host that can reach the
service can read, and in many setups replace, the files it serves. The package
tftp is a client program that allows for connections to a tftp server. |
It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services. | |||
Uninstall tftp-server Package |
The tftp-server package can be removed with the following command:
$ sudo yum erase tftp-server |
Removing the tftp-server package decreases the risk of the
accidental (or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established. |
AC-17(8) CM-6(c) CM-7 |
||
CCE-27175-9 | Verify Only Root Has UID 0 | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or
have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned. |
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. | AC-6 IA-2(1) IA-4 |
|
CCE-27138-7 | Verify User Who Owns passwd File |
To properly set the owner of /etc/passwd , run the command:
$ sudo chown root /etc/passwd |
The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
AC-6 |
|
CCE-27161-9 | Verify User Who Owns gshadow File |
To properly set the owner of /etc/gshadow , run the command:
$ sudo chown root /etc/gshadow |
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
AC-6 |
|
CCE-26639-5 | Verify Group Who Owns passwd File |
To properly set the group owner of /etc/passwd , run the command:
$ sudo chgrp root /etc/passwd |
The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
AC-6 |
|
CCE-26840-9 | Verify Group Who Owns gshadow File |
To properly set the group owner of /etc/gshadow , run the command:
$ sudo chgrp root /etc/gshadow |
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
AC-6 |
|
CCE-26887-0 | Verify Permissions on passwd File |
To properly set the permissions of /etc/passwd , run the command:
$ sudo chmod 0644 /etc/passwd |
If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. |
AC-6 |
|
CCE-27162-7 | Verify Permissions on gshadow File |
To properly set the permissions of /etc/gshadow , run the command:
$ sudo chmod 0000 /etc/gshadow |
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
AC-6 |
|
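The six ownership and permission rules above (owner, group and mode of /etc/passwd and /etc/gshadow) are easiest to audit with a single reusable check. The script below is an added example and is not part of the guide: the function names are its own, it assumes GNU coreutils (stat -c), and the expected values it encodes are the ones the rules mandate (root:root, 0644 for /etc/passwd, 0000 for /etc/gshadow).

```shell
#!/bin/sh
# Added example, not part of the guide: verify (and optionally repair) the
# owner, group and mode of a security-critical file. Assumes GNU coreutils
# (stat -c). stat only needs search permission on /etc, so the check works
# without root even for the mode-0000 /etc/gshadow; the fix needs root.

# pad4 MODE -> MODE left-padded with zeros to four digits ("644" -> "0644",
# "0" -> "0000"), so "0644" and stat's "644" compare equal
pad4() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done
    printf '%s' "$m"
}

# check_file_perms PATH OWNER GROUP MODE -> 0 when all three match, 1 otherwise;
# every deviation is printed so the output doubles as a remediation list
check_file_perms() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$(pad4 "$4")
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    have_owner=$(stat -c '%U' "$path")
    have_group=$(stat -c '%G' "$path")
    have_mode=$(pad4 "$(stat -c '%a' "$path")")
    bad=0
    [ "$have_owner" = "$want_owner" ] || { echo "OWNER $path is $have_owner, want $want_owner"; bad=1; }
    [ "$have_group" = "$want_group" ] || { echo "GROUP $path is $have_group, want $want_group"; bad=1; }
    [ "$have_mode" = "$want_mode" ]   || { echo "MODE  $path is $have_mode, want $want_mode"; bad=1; }
    return $bad
}

# fix_file_perms PATH OWNER GROUP MODE -> the remediation the rules prescribe
# (chown + chgrp + chmod), for use after check_file_perms reports a deviation
fix_file_perms() {
    chown "$2" "$1" && chgrp "$3" "$1" && chmod "$4" "$1"
}

# check_account_files -> run the checks for the rules above; 0 when compliant
check_account_files() {
    total=0
    check_file_perms /etc/passwd  root root 0644 || total=1
    check_file_perms /etc/gshadow root root 0000 || total=1
    return $total
}
```

Run `check_account_files` from a cron job or a configuration-management handler and act on a non-zero exit; `fix_file_perms /etc/gshadow root root 0000` is the repair for the gshadow rows. The same pair of functions covers /etc/shadow and /etc/group, which the guide treats in the same way.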
Ensure All Accounts on the System Have Unique Master Group IDs | Change user master group IDs, or delete accounts. | To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. | |||
Ensure All Accounts on the System Have Unique User IDs | Change user IDs (UIDs), or delete accounts, so each has a unique id. | To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. | |||
CCE-80202-5 | Ensure the Default Bash Umask is Set Correctly | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask |
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. | SA-8 |
|
Disable Host-Based Authentication | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config :
HostbasedAuthentication no |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | AC-3 CM-6(b) |
||
CCE-27293-0 | Set Password Minimum Length | The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=
after pam_pwquality to set minimum password length requirements. |
The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
IA-5(1)(a) |
|
CCE-27115-5 | Set Password Strength Minimum Different Categories | The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. |
IA-5 |
|
CCE-27200-5 | Set Password Strength Minimum Uppercase Characters | The pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
IA-5(b) IA-5(c) IA-5(1)(a) |
|
CCE-27345-8 | Set Password Strength Minimum Lowercase Characters | The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
IA-5(b) IA-5(c) IA-5(1)(a) |
|
CCE-27214-6 | Set Password Strength Minimum Digit Characters | The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. |
IA-5(1)(a) IA-5(b) IA-5(c) 194 |
|
CCE-27360-7 | Set Password Strength Minimum Special Characters | The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number, any password will be
required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting in
/etc/security/pwquality.conf to equal |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. |
IA-5(b) IA-5(c) IA-5(1)(a) |
|
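The six pam_pwquality rules above (minlen, minclass, ucredit, lcredit, dcredit, ocredit) all end up as `key = value` lines in /etc/security/pwquality.conf, and the credit rules share one subtlety: a positive credit only rewards a class, while a negative value requires it. The script below is an added example and not part of the guide: it reads a pwquality.conf-style file, applies a policy given by the caller (the guide's own variable settings are not reproduced here), and flags any credit that is not negative. The sample values in the demo are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not part of the guide: check pwquality.conf against a policy.
# Comment text after "#" is ignored, both "key=value" and "key = value" are
# accepted, and when a key appears more than once the last occurrence wins.

# pwq_get KEY FILE -> prints the effective value of KEY, blank if unset
pwq_get() {
    sed -e 's/#.*//' "$2" | awk -F= -v k="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }'
}

# credit_required VALUE -> 0 only if VALUE is a negative integer, which is the
# form that makes pam_pwquality require that character class
credit_required() {
    case "$1" in
        -[0-9]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_pwquality FILE MINLEN MINCLASS -> 0 when minlen >= MINLEN,
# minclass >= MINCLASS and every class credit requires at least one character
check_pwquality() {
    f=$1; min_len=$2; min_class=$3; bad=0
    v=$(pwq_get minlen "$f")
    [ -n "$v" ] && [ "$v" -ge "$min_len" ] 2>/dev/null || { echo "minlen is '${v:-unset}', want >= $min_len"; bad=1; }
    v=$(pwq_get minclass "$f")
    [ -n "$v" ] && [ "$v" -ge "$min_class" ] 2>/dev/null || { echo "minclass is '${v:-unset}', want >= $min_class"; bad=1; }
    for k in ucredit lcredit dcredit ocredit; do
        v=$(pwq_get "$k" "$f")
        credit_required "$v" || { echo "$k is '${v:-unset}', must be negative to require the class"; bad=1; }
    done
    return $bad
}

# demo_pwquality -> runs the check on a constructed file whose values are
# illustrative only (they are not the guide's variable settings)
demo_pwquality() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' 'minlen = 15' 'minclass = 4' \
        'dcredit = -1' 'ucredit = -1' 'lcredit = -1' 'ocredit = -1' > "$tmp"
    check_pwquality "$tmp" 15 4
    st=$?
    rm -f "$tmp"
    return $st
}
```

On a live system run `check_pwquality /etc/security/pwquality.conf MINLEN MINCLASS` with the organization's values. Note that arguments on the pam_pwquality.so line in /etc/pam.d/system-auth override the file, so a compliant pwquality.conf can still be undercut there; that line should be reviewed as well.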
CCE-26989-4 | Ensure gpgcheck Enabled In Main Yum Configuration | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
Changes to any software components can have significant effects on the overall security
of the operating system. This requirement ensures the software has not been tampered with
and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
CM-5(3) SI-7 MA-1(b) |
|
Ensure gpgcheck Enabled For All Yum Package Repositories | To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). | CM-5(3) SI-7 MA-1(b) |
||
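The two gpgcheck rules above need two different checks: the value in the `[main]` section of /etc/yum.conf, and every repository section under /etc/yum.repos.d, any of which can set `gpgcheck=0` and silently turn verification off for that repository alone. The script below is an added example and not part of the guide; it takes the config file and repo directory as arguments so it can be run against a staged copy, and the config files in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: report anywhere yum signature
# checking is disabled. Whitespace around "=" is tolerated; commented-out
# lines are not treated as settings.

# yum_main_gpgcheck YUM_CONF -> the gpgcheck value in [main], blank if unset
yum_main_gpgcheck() {
    awk -F= '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[main\]/); next }
        insec && $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
        END { print v }' "$1"
}

# repos_with_gpgcheck_disabled REPOS_DIR -> one "file:section" line for each
# repository section that sets gpgcheck=0
repos_with_gpgcheck_disabled() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -F= -v file="$f" '
            /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
            $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v); if (v == "0") print file ":" sec }
        ' "$f"
    done
}

# check_yum_gpg YUM_CONF REPOS_DIR -> 0 when [main] has gpgcheck=1 and no
# repository section disables it; deviations are printed
check_yum_gpg() {
    bad=0
    main=$(yum_main_gpgcheck "$1")
    [ "$main" = "1" ] || { echo "[main] gpgcheck is '${main:-unset}', want 1"; bad=1; }
    disabled=$(repos_with_gpgcheck_disabled "$2")
    [ -z "$disabled" ] || { printf 'gpgcheck=0 in:\n%s\n' "$disabled"; bad=1; }
    return $bad
}
```

The real invocation is `check_yum_gpg /etc/yum.conf /etc/yum.repos.d`. A repository that passes this check still only verifies against the keys named by its `gpgkey=` line, so those key files and URLs deserve the same review as the flag itself.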
CCE-27503-2 | All GIDs referenced in /etc/passwd must be defined in /etc/group | Add a group to the system for each GID referenced without a corresponding group. | If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with that Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. | IA-2 |
|
Ensure All Groups on the System Have Unique Group ID | Change the group name or delete groups, so each has a unique id. | To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. | |||
CCE-27104-9 | Set PAM's Password Hashing Algorithm | The PAM system service can be configured to store only hashed representations of passwords.
In /etc/pam.d/system-auth , the password section of the file controls
which PAM modules execute during a password change. Set the pam_unix.so
module in the password section to include the argument sha512 , as shown below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
Passwords need to be protected at all times, and one-way hashing with a strong algorithm is the standard method for protecting
stored passwords. If passwords are not hashed, they can be plainly read (i.e., clear text) and easily
compromised. Passwords that are hashed with a weak algorithm are no more protected than if they
are kept in plain text.
This setting ensures the PAM password stack stores only hashed representations of passwords. Additionally, the crypt_style configuration option in /etc/libuser.conf
ensures the libuser account administration utilities use a strong hashing algorithm, which makes password cracking attacks more difficult. |
IA-5(b) IA-5(c) IA-5(1)(c) IA-7 |
|
Allow Only SSH Protocol 2 | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
SSH protocol version 1 is an insecure implementation of the SSH protocol with many well-known vulnerabilities. Exploits of the SSH daemon could provide immediate root access to the system. | AC-17(8).1(ii) IA-5(1)(c) |
||
Disable SSH Support for .rhosts Files | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config :
IgnoreRhosts yes |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | AC-3 CM-6(a) |
||
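The three sshd_config rules on this page (HostbasedAuthentication no, Protocol 2, IgnoreRhosts yes) are simple lines to add, but verifying them by eye is error-prone: sshd treats keywords case-insensitively, accepts both `Keyword value` and `Keyword=value`, uses the first occurrence of a keyword, and applies anything after a `Match` block only conditionally. The script below is an added example and not part of the guide; its function names are its own and the config files it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: check an sshd_config for the three
# SSH rules above using sshd's own parsing conventions (case-insensitive
# keywords, "#" comments, first occurrence wins, Match blocks are not global).

# sshd_get KEYWORD FILE -> effective global value of KEYWORD, blank if unset
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n < 2 { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { print f[2]; exit }
    ' "$2"
}

# check_sshd_config FILE -> 0 when every required setting is present with the
# required value; each deviation is printed with the value actually in effect
check_sshd_config() {
    f=$1; bad=0
    for pair in Protocol=2 HostbasedAuthentication=no IgnoreRhosts=yes; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_get "$key" "$f")
        [ "$have" = "$want" ] || { echo "$key is '${have:-unset}', want $want"; bad=1; }
    done
    return $bad
}

# demo_sshd_check -> runs the check on a constructed, deliberately weak config
# (two deviations: host-based auth enabled, rhosts honoured); returns 1
demo_sshd_check() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' 'Port 22' 'HostbasedAuthentication yes' \
        'Protocol 2' 'IgnoreRhosts no' > "$tmp"
    check_sshd_config "$tmp"
    st=$?
    rm -f "$tmp"
    return $st
}
```

Run `check_sshd_config /etc/ssh/sshd_config` as root (the file is normally readable only by root). The check deliberately requires the lines to be explicit even where OpenSSH's compiled-in default already matches, because the rules ask for the line to be present. On OpenSSH releases that have removed protocol 1 entirely the `Protocol` keyword is no longer meaningful, so that one finding can be accepted on such hosts; `sshd -T` prints the effective configuration and is the authoritative cross-check.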
Accounts Password Should Be Verified When Changing | The current password must be verified before an account's password is changed; the pam_unix.so module in the password stack performs this check. | Without this verification, anyone with access to a session could change the account's password without knowing it. | |||
CCE-80134-0 | Ensure All Files Are Owned by a User | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. | AC-3(4) AC-6 CM-6(b) |
|
Accounts Name Should Not Be Contained In Password | An account's name must not be contained in its password. The usercheck=0 option, which disables this check in pam_pwquality, must not be present. | A password that contains the account name, or a substring of it, is easily guessed and is therefore a risk. | |||
CCE-80135-7 | Ensure All Files Are Owned by a Group | If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. | AC-3(4) AC-6 IA-2 |
|
CCE-80187-8 | Ensure rsyslog is Installed | Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog |
The rsyslog package provides the rsyslog daemon, which provides system logging services. | AU-9(2) |
|
Record Events that Modify User/Group Information | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 |
||
Ensure auditd Collects Information on the Use of Privileged Commands | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. To find the relevant setuid /
setgid programs, run the following command for each local partition
PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add a line of
the following form to a file with suffix .rules in the directory
/etc/audit/rules.d for each setuid / setgid program on the system,
replacing the SETUID_PROG_PATH part with the full path of that setuid /
setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules for each setuid / setgid program on the
system, replacing the SETUID_PROG_PATH part with the full path of that
setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-2(4) AU-6(9) AU-12(a) AU-12(c) IR-5 |
||
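The two audit rules above are best produced by a script rather than typed by hand: the account-file watches are fixed, but the privileged-command rules have to be regenerated whenever a package adds or removes a setuid or setgid binary, and a stale list silently leaves new binaries unmonitored. The script below is an added example and not part of the guide; it emits the exact rule lines the text specifies, takes its path list from the find command in the text or from stdin, and its function names and the constructed paths in its test are its own.

```shell
#!/bin/sh
# Added example, not part of the guide: generate the audit rules from the two
# rules above so they can be reviewed, diffed against the installed file, and
# then written under /etc/audit/rules.d (augenrules) or to audit.rules.

# usergroup_watch_rules -> the five -w watches on the account databases
usergroup_watch_rules() {
    for f in /etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd; do
        printf '%s %s -p wa -k audit_rules_usergroup_modification\n' -w "$f"
    done
}

# privileged_rule PATH -> one -a rule for a setuid/setgid program, restricted
# to real logins (auid >= 1000 and not the "unset" value 4294967295)
privileged_rule() {
    printf '%s always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n' -a "$1"
}

# privileged_rules_from_stdin -> one rule per path read on stdin, sorted and
# deduplicated so regenerating the file is idempotent
privileged_rules_from_stdin() {
    sort -u | while IFS= read -r p; do
        [ -n "$p" ] && privileged_rule "$p"
    done
}

# find_setuid_setgid PART -> setuid/setgid regular files on one filesystem;
# the parentheses make the -o grouping explicit (same result as the text)
find_setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# build_rules PART... -> complete rules text for the given local partitions
build_rules() {
    echo "## watches on account databases"
    usergroup_watch_rules
    echo "## execution of setuid/setgid programs by real users"
    for part in "$@"; do find_setuid_setgid "$part"; done | privileged_rules_from_stdin
}
```

Typical use is `build_rules / /usr /home > /tmp/privileged.rules` followed by a review and a copy into /etc/audit/rules.d, then `augenrules --load`. Newer auditctl versions also accept `auid!=unset` as an alias for 4294967295; the numeric form is kept here because it is what the rules above specify and is accepted everywhere.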
CCE-80258-7 | Disable KDump Kernel Crash Analyzer (kdump) | The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl disable kdump.service |
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. | AC-17(8) CM-7 CM-6(b) |
|
CCE-27342-5 | Uninstall rsh-server Package | The rsh-server package can be uninstalled with
the following command:
$ sudo yum erase rsh-server |
The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation. |
AC-17(8) CM-7(a) |
|
Install audit | Install the audit package with the command:
$ sudo yum install audit |
The audit package provides the auditd daemon and the auditctl, ausearch and aureport utilities that load the kernel audit rules and record and query the resulting events. Without it, none of the audit rules in this guide can be applied, so it is a prerequisite for monitoring and recording activity on the system. | |||
Uninstall avahi Package | The avahi software package should be removed. | Avahi is an open source network service discovery framework (mDNS/DNS-SD) that lets devices discover and communicate with each other on a local network without a central server. Avahi provides support for several network service discovery protocols; if the service is not needed, removing the package keeps the system from advertising itself and listening on the network. | |||
Uninstall certmonger Package | The certmonger software package should be removed. | Certmonger is an open source tool for managing X.509 (TLS) certificates that helps administrators automate certificate enrollment, renewal, and revocation. Certmonger supports multiple certificate authorities (CAs) and can be integrated with a variety of Linux systems. | |||
CCE-84299-7 | Install chrony | Install or update the Chrony time synchronization software package. | Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems. More information on chrony can be found at http://chrony.tuxfamily.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines in /etc/chrony.conf as appropriate. | CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 |
|
Install cronie | Ensure the cronie software package is installed. | cronie provides the cron daemon used to run scheduled tasks on Linux, such as periodic backups and periodic clean-up jobs. | |||
Install dconf | Install the dconf package with the command:
$ sudo yum install dconf |
The dconf package provides the configuration system used by the GNOME desktop; it must be installed to set and lock desktop environment settings. | |||
CCE-80295-9 | Uninstall dovecot Package | The dovecot package can be uninstalled
with the following command:
$ sudo yum erase dovecot |
If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. | ||
CCE-80358-5 | Install the dracut-fips Package | To enable FIPS, the system requires that the dracut-fips
package be installed.
The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. | AC-17(2) |
|
Install firewalld | Install the firewalld package with the command:
$ sudo yum install firewalld |
The firewalld package should be installed to provide access control methods. | |||
CCE-80170-4 | Install libreswan Package | The Libreswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks.
The libreswan package can be installed with the following command:
$ sudo yum install libreswan |
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. | AC-17 MA-4 SC-9 |
|
CCE- | Install the ntp service | The ntpd service should be installed. | Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic services such as authentication, etc.). Ntpd is regularly maintained and updated, supporting security features such as RFC 5906. | AU-8(1) |
|
Install postfix | Install the postfix package with the command:
$ sudo yum install postfix |
postfix is an open source mail transfer agent (MTA) for sending and receiving mail on Linux systems over SMTP. Mailbox access protocols such as POP3 and IMAP are not part of postfix and are served by separate software such as Dovecot. | |||
CCE-27594-1 | Uninstall quagga Package |
The quagga package can be removed with the following command:
$ sudo yum erase quagga |
Routing software is typically used on routers to exchange network topology information
with other routers. If routing software is used when not required, system network
information may be unnecessarily transmitted across the network.
If there is no need to make the router software available, removing it provides a safeguard against its activation. |
SC-32 |
|
CCE-27274-0 | Uninstall rsh Package | The rsh package contains the client commands
for the rsh services. |
These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the rsh package removes
the clients for rsh ,rcp , and rlogin . |
||
CCE-80360-1 | Install the Samba Common Package | The samba-common package should be installed.
The samba-common package can be installed with the following command:
$ sudo yum install samba-common |
If the samba-common package is not installed, samba cannot be configured. | ||
CCE-27210-4 | Uninstall talk-server Package |
The talk-server package can be removed with the following command:
$ sudo yum erase talk-server |
The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk-server package decreases the
risk of the accidental (or intentional) activation of talk services. |
||
CCE-27432-4 | Uninstall talk Package | The talk package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo yum erase talk |
The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk package decreases the
risk of the accidental (or intentional) activation of talk client program. |