CCE Identifiers in Guide to the Secure Configuration of Kylin Linux Advanced Server V10


CCE ID Rule Title Description
CCE-27274-0 Uninstall rsh Package The rsh package contains the client commands for the rsh services.
CCE-27342-5 Uninstall rsh-server Package The rsh-server package can be uninstalled with the following command:
$ sudo yum erase rsh-server
Remove telnet Clients The telnet client allows users to start connections to other systems via the telnet protocol.
CCE-27165-0 Uninstall telnet-server Package The telnet-server package can be uninstalled with the following command:
$ sudo yum erase telnet-server
CCE-27396-1 Remove NIS Client The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files.
CCE-27399-5 Uninstall ypserv Package The ypserv package can be uninstalled with the following command:
$ sudo yum erase ypserv
Remove tftp Daemon Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and is therefore easily abused. The package tftp is a client program that allows for connections to a tftp server.
Uninstall tftp-server Package The tftp-server package can be removed with the following command:
$ sudo yum erase tftp-server
CCE-27361-5 Install tcp_wrappers Package When network services are using the xinetd service, the tcp_wrappers package should be installed. The tcp_wrappers package can be installed with the following command:
$ sudo yum install tcp_wrappers
CCE-27354-0 Uninstall xinetd Package The xinetd package can be uninstalled with the following command:
$ sudo yum erase xinetd
CCE-27432-4 Uninstall talk Package The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The talk package can be removed with the following command:
$ sudo yum erase talk
CCE-27210-4 Uninstall talk-server Package The talk-server package can be removed with the following command:
$ sudo yum erase talk-server
CCE-80295-9 Uninstall dovecot Package The dovecot package can be uninstalled with the following command:
$ sudo yum erase dovecot
CCE-80246-2 Install vsftpd Package If this system must operate as an FTP server, install the vsftpd package via the standard channels.
$ sudo yum install vsftpd
CCE-80245-4 Uninstall vsftpd Package The vsftpd package can be removed with the following command:
$ sudo yum erase vsftpd
Uninstall net-snmp Package The net-snmp package provides the snmpd service. The net-snmp package can be removed with the following command:
$ sudo yum erase net-snmp
Ensure All Commands/Scripts In Crontab File Are Not Writable By Low-privilege Users

It cannot be scanned automatically; please check it manually.

Use the CLI commands below to check whether any command or script referenced in /etc/crontab is writable by low-privilege users.

  • Step 1: list the commands/scripts referenced in /etc/crontab
    # cat /etc/crontab
    /bin/example.sh
    
  • Step 2: check the permissions of each command/script file
    # ll /bin/example.sh
    -rwxrwxrwx. 1 root root 200 Mar 17 18:00 /bin/example.sh
    
Here the write bit for other users is set (-rwxrwxrwx.), so any local user could modify a script that cron runs as root; this is a risk.
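The two-step check above, automated as an added example that is not part of the guide: it parses a system-format crontab, resolves each job's command and reports commands that are writable by non-root users or that no longer exist. The crontab and scripts it builds are constructed samples; it assumes only sh, awk, ls and mktemp.

```shell
#!/bin/sh
# Added example (not from the Kylin guide). Automates the manual crontab check:
# extract each job's command from a system crontab, then flag commands that
# users other than root could modify. Constructed sample data in the demo.

# crontab_commands FILE: print the command field of each job line in a
# system-format crontab (min hour dom mon dow USER command ...), skipping
# comments, blank lines and VAR=value lines such as SHELL=, PATH=, MAILTO=.
crontab_commands() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        /^[ \t]*@/ { print $3; next }          # @reboot USER command
        NF >= 7 { print $7 }                   # m h dom mon dow USER command
    ' "$1"
}

# writable_by_others PATH: exit 0 if PATH is writable by "other", or by a
# group other than root (members of that group could edit the script).
# Reads the same mode string the manual check inspects with ll.
writable_by_others() {
    ls -ld "$1" 2>/dev/null | awk '
        { o = substr($1, 9, 1); g = substr($1, 6, 1); grp = $4 }
        END { bad = (o == "w" || (g == "w" && grp != "root")); exit (bad ? 0 : 1) }
    '
}

# check_crontab FILE: one line per risky job command:
#   "WRITABLE <path>"  command file is writable by non-root users
#   "MISSING <path>"   command cannot be found (stale entry)
# Relative commands are resolved through the PATH= line of the crontab.
check_crontab() {
    file=$1
    cron_path=$(awk -F= '/^[ \t]*PATH=/ { print $2; exit }' "$file")
    crontab_commands "$file" | while IFS= read -r cmd; do
        case $cmd in
            /*) target=$cmd ;;
            *)  target=$(PATH=${cron_path:-$PATH} command -v "$cmd" 2>/dev/null) ;;
        esac
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            printf 'MISSING %s\n' "${target:-$cmd}"
        elif writable_by_others "$target"; then
            printf 'WRITABLE %s\n' "$target"
        fi
    done
}

# demo: constructed crontab with a world-writable script, a correctly
# protected script and a job whose script no longer exists.
demo_crontab_check() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$d/backup.sh"; chmod 0777 "$d/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$d/rotate.sh"; chmod 0755 "$d/rotate.sh"
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# constructed sample crontab
0 2 * * * root $d/backup.sh --full
30 3 * * 0 root $d/rotate.sh
@reboot root $d/gone.sh
EOF
    check_crontab "$d/crontab"
    rm -rf "$d"
}
```

The same functions apply unchanged to the files in /etc/cron.d, which use the system format with a user field.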
CCE-27594-1 Uninstall quagga Package The quagga package can be removed with the following command:
$ sudo yum erase quagga
CCE-80326-2 Uninstall bind Package To remove the bind package, which contains the named service, run the following command:
$ sudo yum erase bind
Install postfix Install the postfix package with the command:
$ sudo yum install postfix
CCE-80278-5 Uninstall Samba Package The samba package can be uninstalled with the following command:
$ sudo yum erase samba
CCE-80360-1 Install the Samba Common Package The samba-common package should be installed. The samba-common package can be installed with the following command:
$ sudo yum install samba-common
CCE-80301-5 Uninstall httpd Package The httpd package can be removed with the following command:
$ sudo yum erase httpd
Install cronie Check whether the cronie software package is installed.
CCE- Uninstall the ntpdate package ntpdate is a legacy NTP synchronization client for Unix systems. It should be uninstalled.
CCE-84299-7 Install chrony Install or update the Chrony time synchronization software package.
CCE- Install the ntp service The ntpd service should be installed.
CCE-80258-7 Disable KDump Kernel Crash Analyzer (kdump) The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl disable kdump.service
CCE-80286-8 Uninstall squid Package The squid package can be removed with the following command:
$ sudo yum erase squid
CCE-80331-2 Uninstall DHCP Server Package If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The dhcp package can be removed with the following command:
$ sudo yum erase dhcp
CCE-80242-1 Restrict NFS Clients to Privileged Ports By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over systems connected to its network, and if NFS requests are prohibited at the border firewall, this offers some protection against malicious requests from unprivileged users. Therefore, the default should not be changed.

To ensure that the default has not been changed, ensure no line in /etc/exports contains the option insecure.
CCE-80243-9 Ensure Insecure File Locking is Not Allowed By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports.
Uninstall cups Package The cups software package has been removed
Install docker Install the docker package with the command:
$ sudo yum install docker
Use Only Strong MACs Limit the MACs to strong hash algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those MACs:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Disable SSH Support for User Known Hosts SSH can allow system users to use host-based authentication to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
Disable SSH Access via Empty Passwords To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Enable PAM UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.
Set SSH Client Alive Count To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
Set SSH Idle Timeout Interval SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Use Only Strong Key Exchange algorithms Limit the Key Exchange to strong algorithms.
Limit Users' SSH Access By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the /etc/ssh/sshd_config file:
DenyUsers USER1 USER2
Where USER1 and USER2 are valid user names.
Enable SSH Warning Banner To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
Use Only Strong Algorithms For Public Key Limit the algorithm of public key to strong algorithms.
Use Only FIPS 140-2 Validated MACs Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:

MACs hmac-sha2-512,hmac-sha2-256


Only the following message authentication codes are FIPS 140-2 certified on RHEL 7:
- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com

Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.
Set LogLevel to INFO The INFO parameter specifies that login and logout activity will be logged. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
LogLevel INFO
Disable Kerberos Authentication Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no
Allow Only SSH Protocol 2 Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
Disable SSH Support for .rhosts Files SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
Disable SSH Support for Rhosts RSA Authentication SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
RhostsRSAAuthentication no
Do Not Allow SSH Environment Options To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
Enable Encrypted X11 Forwarding By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding yes
Use Only FIPS 140-2 Validated Ciphers Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr


The following ciphers are FIPS 140-2 certified on RHEL 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.
Disable Host-Based Authentication SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
Set SSH authentication attempt limit The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. To set MaxAuthTries, edit /etc/ssh/sshd_config as follows:
MaxAuthTries tries
Enable Use of Strict Mode Checking SSH's StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world-writable permissions are found, login is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes
Enable Use of Privilege Separation When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation sandbox
Print Last Log When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes
Use Only Strong Ciphers Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of those ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
The man page sshd_config(5) contains a list of supported ciphers.
Disable GSSAPI Authentication Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no
Disable Compression Or Set Compression to delayed Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
Compression no
or
Compression delayed
Disable SSH Root Login The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
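An added example, not part of the guide, that audits an sshd_config against the rules above (PermitRootLogin, PermitEmptyPasswords, IgnoreRhosts, HostbasedAuthentication, PermitUserEnvironment, StrictModes, LogLevel, and the FIPS 140-2 cipher and MAC lists). It reads the file the way sshd does, where the first occurrence of a keyword wins, so a hardened line appended below an older one is reported as ineffective; the config in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the Kylin guide): audit sshd_config settings.
# Assumes only sh, awk, tr and mktemp; the demo config is constructed.

# Allowed algorithm lists, taken from the FIPS 140-2 rules above.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc rijndael-cbc@lysator.liu.se"
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"

# sshd_effective FILE KEYWORD: print the value sshd would actually use.
# sshd keeps the FIRST occurrence of a keyword (a corrected line appended at
# the end of the file changes nothing), matches keywords case-insensitively,
# accepts "Key value" or "Key=value", and settings after the first Match
# block apply only conditionally, so the scan stops there. Include
# directives (OpenSSH 8.2+) are not followed.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF == 0 { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# check_setting FILE KEYWORD WANTED: PASS/FAIL line, case-insensitive compare.
# An absent keyword is a FAIL: the guide asks for the line to be present, and
# compiled-in defaults (e.g. PermitRootLogin prohibit-password) differ anyway.
check_setting() {
    got=$(sshd_effective "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'PASS %s %s\n' "$2" "$got"
    else
        printf 'FAIL %s expected=%s actual=%s\n' "$2" "$3" "${got:-<unset>}"
        return 1
    fi
}

# check_alg_list FILE KEYWORD ALLOWED: every comma-separated algorithm in the
# effective value must be in ALLOWED. The "+alg"/"-alg"/"^alg" modifier forms
# (which edit the defaults instead of listing them) are reported as not
# approved because the resulting list is not explicit.
check_alg_list() {
    val=$(sshd_effective "$1" "$2")
    [ -n "$val" ] || { printf 'FAIL %s not set\n' "$2"; return 1; }
    bad=""
    for alg in $(printf '%s' "$val" | tr ',' ' '); do
        case " $3 " in *" $alg "*) ;; *) bad="$bad $alg" ;; esac
    done
    [ -z "$bad" ] || { printf 'FAIL %s not approved:%s\n' "$2" "$bad"; return 1; }
    printf 'PASS %s %s\n' "$2" "$val"
}

# audit_sshd FILE: run every check; exit status 1 if anything failed.
audit_sshd() {
    rc=0
    for pair in PermitRootLogin:no PermitEmptyPasswords:no IgnoreRhosts:yes \
                HostbasedAuthentication:no PermitUserEnvironment:no \
                StrictModes:yes LogLevel:INFO; do
        check_setting "$1" "${pair%%:*}" "${pair#*:}" || rc=1
    done
    check_alg_list "$1" Ciphers "$FIPS_CIPHERS" || rc=1
    check_alg_list "$1" MACs "$FIPS_MACS" || rc=1
    return $rc
}

# demo: constructed config with two classic mistakes: the hardened
# PermitRootLogin line was appended below an earlier "yes" (first value wins),
# and the MAC list carries hmac-ripemd160, which is not in the FIPS list.
demo_sshd_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host
PermitRootLogin yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
IgnoreRhosts = yes
PermitEmptyPasswords no
HostbasedAuthentication no
PermitUserEnvironment no
StrictModes yes
LogLevel INFO
# appended later; ignored by sshd because a value was already set above
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
    audit_sshd "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```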
CCE-80215-7 Install the OpenSSH Server Package The openssh-server package should be installed. The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server
Verify Permissions on SSH Server Public *.pub Key Files To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
Verify Permissions on SSH Server Private *_key Key Files To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0640 /etc/ssh/*_key
Uninstall certmonger Package The certmonger software package has been removed
CCE-80187-8 Ensure rsyslog is Installed Rsyslog is installed by default. The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog
Remove abrt Client The Automatic Bug Reporting Tool is a set of tools that is designed to help users detect and report application crashes. Its main purpose is to ease the process of reporting issues and finding resolutions. In this context, the solution can be a Bugzilla ticket, a knowledge-base article, or a suggestion to update a package to a version containing a fix.
Uninstall portreserve Package The portreserve software package has been removed
CCE-80170-4 Install libreswan Package The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command:
$ sudo yum install libreswan
Uninstall iputils Package The iputils software package has been removed
Install firewalld Install the firewalld package with the command:
$ sudo yum install firewalld
Uninstall avahi Package The avahi software package has been removed
Uninstall nptdate Package The nptdate software package has been removed
Install pam_pkcs11 Install the pam_pkcs11 package with the command:
$ sudo yum install pam_pkcs11
Install authconfig-gtk Install the authconfig-gtk package with the command:
$ sudo yum install authconfig-gtk
Uninstall cyrus-sasl Package The cyrus-sasl software package has been removed
CCE-27175-9 Verify Only Root Has UID 0 If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
CCE-27051-2 Set Password Maximum Age To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MAX_DAYS 
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
CCE-27503-2 All GIDs referenced in /etc/passwd must be defined in /etc/group Add a group to the system for each GID referenced without a corresponding group.
Ensure All Groups on the System Have Unique Group ID Change the group name or delete groups, so each has a unique id.
Ensure All Accounts on the System Have Unique Master Group IDs Change user master group IDs, or delete accounts.
All Accounts Are Necessary

It cannot be scanned automatically; please check it manually.

If any account is not necessary, it should be removed from /etc/passwd.

  • Use the CLI command below to list all accounts on the system:
    # cat /etc/passwd | awk -F ":" '{print $1}'
Ensure All Accounts on the System Have Unique User IDs Change user IDs (UIDs), or delete accounts, so each has a unique id.
Ensure All Groups on the System Have Unique Group Names Change the group name or delete groups, so each has a unique name.
All Login Accounts Are Necessary

It cannot be scanned automatically; please check it manually.

If an account does not need to log in, it should be removed from /etc/passwd or its login shell should be set to nologin.

It can be checked with the CLI commands below:

  • List all nologin accounts, then check them manually:
    # cat /etc/passwd | grep "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
  • List all login accounts, then check them manually:
    # cat /etc/passwd | grep -v "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
  • List all accounts whose password is locked:
    # cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2=="L" || $2=="LK") {print $1}'
  • List all accounts whose password is not locked:
    # cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
CCE-27351-6 Install the screen Package To enable console screen locking, install the screen package:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
CCE-27287-2 Require Authentication for Single User Mode Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
CCE-27104-9 Set PAM's Password Hashing Algorithm The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
CCE-80353-6 Configure the root Account for Failed Password Attempts To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Modify the following line in the AUTH section to add even_deny_root:
    auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=
  • Modify the following line in the AUTH section to add even_deny_root:
    auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=
CCE-26884-7 Set Lockout Time For Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
CCE-26923-3 Limit Password Reuse Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=
The DoD STIG requirement is 5 passwords.
CCE-27350-8 Set Deny For Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
CCE-27293-0 Set Password Minimum Length The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.
CCE-27214-6 Set Password Strength Minimum Digit Characters The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.
CCE-27115-5 Set Password Strength Minimum Different Categories The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require differing categories of characters when changing passwords.
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words The pam_pwquality module's dictcheck option checks whether passwords contain dictionary words. When dictcheck is set to 1, passwords are checked for dictionary words.
Considering the usability of the community release of openEuler in different scenarios, the weak password dictionary check is not configured for the openEuler release by default. Please configure the weak password dictionary check based on the site requirements.
CCE-27360-7 Set Password Strength Minimum Special Characters The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to require the use of a special character in passwords.
CCE-27345-8 Set Password Strength Minimum Lowercase Characters The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.
CCE-27200-5 Set Password Strength Minimum Uppercase Characters The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.
CCE-27160-1 Set Password Retry Prompts Permitted Per-Session To configure the number of retry prompts that are permitted per-session:

Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive.

The DoD requirement is a maximum of 3 prompts per session.
Account Name Should Not Be Contained In Password The account name should not be contained in the password. There must be no usercheck=0 setting.
Account Password Should Be Verified When Changing The account's current password should be verified when it is changed. This is done by pam_unix.so.
CCE-80536-6 Ensure the Default Umask is Set Correctly For Interactive Users Remove the UMASK environment variable from all interactive users initialization files.
CCE-80202-5 Ensure the Default Bash Umask is Set Correctly To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:
umask 
CCE-27557-8 Set Interactive Session Timeout Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:
TMOUT=
CCE-80529-1 All Interactive Users Home Directories Must Exist Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
CCE-27161-9 Verify User Who Owns gshadow File To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow 
CCE-26639-5 Verify Group Who Owns passwd File To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd 
CCE-26840-9 Verify Group Who Owns gshadow File To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow 
CCE-27138-7 Verify User Who Owns passwd File To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
CCE-27162-7 Verify Permissions on gshadow File To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
CCE-26887-0 Verify Permissions on passwd File To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
CCE-80135-7 Ensure All Files Are Owned by a Group If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
CCE-80134-0 Ensure All Files Are Owned by a User If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.
Ensure All Executable Files are not hidden Find all hidden executable files on the system.
Ensure All Symlink Files Have Canonical Path

It cannot be scanned automatically; please check it manually.

If any symlink has no canonical path (a dangling link), it should be removed.

  • Use the CLI command below to find all symlinks without a canonical path under the current directory:
    # find ./ -type l -follow
  • Or search from the root path but exclude some directories:
    # find / -path /var -prune -o -path /run -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -follow
  • Or search the whole disk partition:
    # find / -xdev -type l -follow
CCE-27050-4 Restrict Access to Kernel Message Buffer To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.dmesg_restrict = 1
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
Record Attempts to Alter Logon and Logout Events The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Ensure auditd Collects Information on the Use of Privileged Commands At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
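The procedure above (enumerate setuid/setgid programs, then write one audit rule per program) is easy to get wrong by hand when the list is long. The following shell functions are an added example, not part of the Kylin guide or its scanner: find_privileged_progs, gen_privileged_rules and missing_privileged_rules are hypothetical names, and the sample paths in the usage comment are constructed. The find invocation uses explicit grouping so that both -perm tests apply to regular files only; the rule text emitted matches the line given in the guide.

```shell
#!/bin/sh
# Added example: build and verify the per-program "privileged" audit rules
# described above. Not code from the Kylin guide; function names are hypothetical.

# List setuid/setgid regular files on one local partition, one path per line.
find_privileged_progs() {
    part="$1"
    find "$part" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Read program paths from stdin and emit one audit rule per path,
# in the exact form the guide specifies for augenrules or auditctl.
gen_privileged_rules() {
    while IFS= read -r prog; do
        [ -n "$prog" ] || continue
        printf '%s\n' "-a always,exit -F path=$prog -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
    done
}

# Read program paths from stdin and print those that have no matching
# "-F path=<prog>" rule in the given rules file (the compliance gap).
missing_privileged_rules() {
    rules_file="$1"
    while IFS= read -r prog; do
        [ -n "$prog" ] || continue
        # Trailing space keeps /usr/bin/su from matching /usr/bin/sudo.
        if ! grep -qF -- "-F path=$prog " "$rules_file" 2>/dev/null; then
            printf '%s\n' "$prog"
        fi
    done
}

# Usage (constructed example, run as root on a real system):
#   find_privileged_progs / | gen_privileged_rules > /etc/audit/rules.d/privileged.rules
#   find_privileged_progs / | missing_privileged_rules /etc/audit/rules.d/privileged.rules
```

Run the generator once per local partition and regenerate after package updates, since a new setuid binary without a rule is invisible to the audit trail; the third function is the check that catches exactly that drift.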
Record Events that Modify User/Group Information If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Install audit Install the audit package with the command:
$ sudo yum install audit
Install dconf Install the dconf package with the command:
$ sudo yum install dconf
Package uuidd Installed The package uuidd is not installed on most Linux distributions by default. Applications require this package to avoid database inconsistencies caused by duplicate UUIDs. Especially in banking services with SAP, where large numbers of UUIDs are created in a short time period, it is important to install the package uuidd. More information can be found in SAP note 1391070. Use the following command to install and/or update the package:
$ sudo yum install uuidd
CCE-80358-5 Install the dracut-fips Package To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips
CCE-27096-7 Install AIDE Install the AIDE package with the command:
$ sudo yum install aide
Ensure gpgcheck Enabled For All Yum Package Repositories To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
CCE-26989-4 Ensure gpgcheck Enabled In Main Yum Configuration The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
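The two gpgcheck rules above are simple to state but easy to miss in practice: a repo file may spell the setting as "gpgcheck = 0" with spaces, and a gpgcheck=1 line outside the [main] section of /etc/yum.conf does not satisfy the second rule. The following shell functions are an added example, not part of the Kylin guide or its scanner; repos_with_gpgcheck_disabled and main_gpgcheck_enabled are hypothetical names, and the file contents in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: check both gpgcheck rules from the guide.
# Not code from the Kylin guide; function names are hypothetical.

# Print every *.repo file under the given directory that contains a line
# disabling signature checking (gpgcheck=0, with or without spaces).
repos_with_gpgcheck_disabled() {
    dir="$1"
    grep -lE '^[ 	]*gpgcheck[ 	]*=[ 	]*0[ 	]*$' "$dir"/*.repo 2>/dev/null || true
}

# Return 0 only when gpgcheck=1 appears inside the [main] section of the
# given yum.conf; a gpgcheck=1 line in another section does not count.
main_gpgcheck_enabled() {
    conf="$1"
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/) }
        in_main && /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Usage (constructed example):
#   repos_with_gpgcheck_disabled /etc/yum.repos.d   # lists offending repo files, if any
#   main_gpgcheck_enabled /etc/yum.conf || echo "gpgcheck=1 missing from [main]"
```

The first function lists files to fix rather than editing them, so the output can be fed into a change ticket; the second is written as a plain exit status so it slots into any compliance script without parsing output.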