{
  "format_version": 3,
  "policy": {
    "external_id": "a1cc7bf9932e937d90259e00d9cb8c92",
    "name": "CIS Red Hat Enterprise Linux 9 Benchmark v2.0.0 - Level 1 Server",
    "version": "1.0.1",
    "description": "Center for Internet Security benchmark — Level 1 server hardening for Red Hat Enterprise Linux 9 (and rpm-based downstream rebuilds: CentOS Stream 9, Rocky Linux 9, AlmaLinux 9). Generated from CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v2.0.0.pdf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "37e8362157d0a056d0bbe09f491bd0bf",
      "name": "1.1.1.1 — Ensure cramfs kernel module is not available",
      "description": "Ensure cramfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Run the following script to unload and disable the cramfs module: \n- IF - the cramfs kernel module is available in ANY installed kernel: \n\n•  Create a file ending in .conf with install cramfs /bin/false in the \n\n/etc/modprobe.d/ directory \n\n•  Create a file ending in .conf with blacklist cramfs in the /etc/modprobe.d/ \n\ndirectory \n\n•  Run modprobe -r cramfs 2>/dev/null; rmmod cramfs 2>/dev/null to \n\nremove cramfs from the kernel \n\n- IF - the cramfs kernel module is not available on the system...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^cramfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "4056b9e0a9ca5350b5f059df00c6f607",
      "name": "1.1.1.3 — Ensure hfs kernel module is not available",
      "description": "Ensure hfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Run the following script to unload and disable the hfs module: \n- IF - the hfs kernel module is available in ANY installed kernel: \n\n•  Create a file ending in .conf with install hfs /bin/false in the \n\n/etc/modprobe.d/ directory \n\n•  Create a file ending in .conf with blacklist hfs in the /etc/modprobe.d/ \n\ndirectory \n\n•  Run modprobe -r hfs 2>/dev/null; rmmod hfs 2>/dev/null to remove \n\nhfs from the kernel \n\n- IF - the hfs kernel module is not available on the system, or pre-compiled into t...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "01bcc8b7903052e091aad36bd4875c31",
      "name": "1.1.1.4 — Ensure hfsplus kernel module is not available",
      "description": "Ensure hfsplus kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Run the following script to unload and disable the hfsplus module: \n- IF - the hfsplus kernel module is available in ANY installed kernel: \n\n•  Create a file ending in .conf with install hfsplus /bin/false in the \n\n/etc/modprobe.d/ directory \n\n•  Create a file ending in .conf with blacklist hfsplus in the \n\n/etc/modprobe.d/ directory \n\n•  Run modprobe -r hfsplus 2>/dev/null; rmmod hfsplus 2>/dev/null to \n\nremove hfsplus from the kernel \n\n- IF - the hfsplus kernel module is not available on th...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfsplus ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "0d113758ef218e75e1169d15de4aa4a7",
      "name": "1.1.1.5 — Ensure jffs2 kernel module is not available",
      "description": "Ensure jffs2 kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Run the following script to unload and disable the jffs2 module: \n- IF - the jffs2 kernel module is available in ANY installed kernel: \n\n•  Create a file ending in .conf with install jffs2 /bin/false in the \n\n/etc/modprobe.d/ directory \n\n•  Create a file ending in .conf with blacklist jffs2 in the /etc/modprobe.d/ \n\ndirectory \n\n•  Run modprobe -r jffs2 2>/dev/null; rmmod jffs2 2>/dev/null to \n\nremove jffs2 from the kernel \n\n- IF - the jffs2 kernel module is not available on the system, or pre...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^jffs2 ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "7a92a79de71c95166f0e0caf2b14ee87",
      "name": "1.1.1.7 — Ensure udf kernel module is not available",
      "description": "Ensure udf kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Run the following script to unload and disable the udf module: \n- IF - the udf kernel module is available in ANY installed kernel: \n\n•  Create a file ending in .conf with install udf /bin/false in the \n\n/etc/modprobe.d/ directory \n\n•  Create a file ending in .conf with blacklist udf in the /etc/modprobe.d/ \n\ndirectory \n\n•  Run modprobe -r udf 2>/dev/null; rmmod udf 2>/dev/null to remove \n\nudf from the kernel \n\n- IF - the udf kernel module is not available on the system, or pre-compiled into t...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^udf ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "fe11cd59c63c524f5cc676364b1b7fba",
      "name": "1.1.2.1.1 — Ensure /tmp is a separate partition",
      "description": "Ensure /tmp is a separate partition",
      "rational": "Making /tmp its own file system allows an administrator to set additional mount options \nsuch as the noexec option on the mount, making /tmp useless for an attacker to install \nexecutable code. It would also prevent an attacker from establishing a hard link to a \nsystem setuid program and wait for it to be updated. Once the program was updated, \nthe hard link would be broken, and the attacker w...",
      "remediation": "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at \nboot time. \n\n# systemctl unmask tmp.mount \n\nFor specific configuration requirements of the /tmp mount for your environment, modify \n/etc/fstab. \nExample of using tmpfs with specific mount options: \n\ntmpfs  /tmp \n0 \n\ntmpfs     defaults,rw,nosuid,nodev,noexec,relatime,size=2G  0 \n\nNote: the size=2G is an example of setting a specific size for tmpfs. \nExample of using a volume or disk with specific mount op...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "tmp.mount",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "fe1e24f8e263a4bec56fcbd0cb196655",
      "name": "1.1.2.1.2 — Ensure nodev option set on /tmp partition",
      "description": "Ensure nodev option set on /tmp partition",
      "rational": "Since the /tmp filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "e54ab044030591017c06d5bfe9fc6314",
      "name": "1.1.2.1.3 — Ensure nosuid option set on /tmp partition",
      "description": "Ensure nosuid option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot create setuid files in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "8038847b8e15dcc3ea1ee543ac2e289a",
      "name": "1.1.2.1.4 — Ensure noexec option set on /tmp partition",
      "description": "Ensure noexec option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot run executable binaries from /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "998dee377a66daa425fd67d90212e170",
      "name": "1.1.2.2.1 — Ensure /dev/shm is a separate partition",
      "description": "Ensure /dev/shm is a separate partition",
      "rational": "Making /dev/shm its own file system allows an administrator to set additional mount \noptions such as the noexec option on the mount, making /dev/shm useless for an \nattacker to install executable code. It would also prevent an attacker from establishing a \nhard link to a system setuid program and wait for it to be updated. Once the program \nwas updated, the hard link would be broken and the att...",
      "remediation": "For specific configuration requirements of the /dev/shm mount for your environment, \nmodify /etc/fstab. \nExample: \n\ntmpfs  /dev/shm \ndefaults,rw,nosuid,nodev,noexec,relatime,size=2G  0 0 \n\ntmpfs",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /dev/shm",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "535866fa12577c963ee275cc272ef0a2",
      "name": "1.1.2.3.2 — Ensure nodev option set on /home partition",
      "description": "Ensure nodev option set on /home partition",
      "rational": "Since the /home filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /home.",
      "remediation": "- IF - a separate partition exists for /home. \nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/home partition. \nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "c611ec2c22e2e9f8c8b7b9b9560ea9f1",
      "name": "1.1.2.3.3 — Ensure nosuid option set on /home partition",
      "description": "Ensure nosuid option set on /home partition",
      "rational": "Since the /home filesystem is only intended for user file storage, set this option to \nensure that users cannot create setuid files in /home.",
      "remediation": "- IF - a separate partition exists for /home. \nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/home partition. \nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "f86621f13ae96b70984441577afe4fca",
      "name": "1.1.2.4.2 — Ensure nodev option set on /var partition",
      "description": "Ensure nodev option set on /var partition",
      "rational": "Since the /var filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /var.",
      "remediation": "- IF - a separate partition exists for /var. \nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var partition. \nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "821ef1f72a0c788724a1adc34bb1381d",
      "name": "1.1.2.4.3 — Ensure nosuid option set on /var partition",
      "description": "Ensure nosuid option set on /var partition",
      "rational": "Since the /var filesystem is only intended for variable files such as logs, set this option \nto ensure that users cannot create setuid files in /var.",
      "remediation": "- IF - a separate partition exists for /var. \nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var partition. \nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "3a08d69b72a863395fafb4c1e5eaebbf",
      "name": "1.1.2.6.1 — Ensure separate partition exists for /var/log",
      "description": "Ensure separate partition exists for /var/log",
      "rational": "The default installation only creates a single / partition. Since the /var/log directory \ncontains log files which can grow quite large, there is a risk of resource exhaustion. It \nwill essentially have the whole disk available to fill up and impact the system as a whole. \n\nConfiguring /var/log as its own file system allows an administrator to set additional \nmount options such as noexec/nosuid...",
      "remediation": "For new installations, during installation create a custom partition setup and specify a \nseparate partition for /var/log . \nFor systems that were previously installed, create a new partition and configure \n/etc/fstab as appropriate. \n\nPage 112",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "78cbacad42444027ae825d4482e5e4f5",
      "name": "1.2.1.2 — Ensure gpgcheck is globally activated",
      "description": "Ensure gpgcheck is globally activated",
      "rational": "It is important to ensure that an RPM's package signature is always checked prior to \ninstallation to ensure that the software is obtained from a trusted source.",
      "remediation": "Edit /etc/dnf/dnf.conf and set gpgcheck=1: \nExample \n\n# sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf \n\nEdit any failing files in /etc/yum.repos.d/* and set all instances starting with \ngpgcheck to 1. \nExample: \n\n# find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec \nsed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*gpgcheck\\h*=\\h*(1|true|yes)\\b' /etc/dnf/dnf.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "89c4dc99b2fbe2f3c255532ee14baf8e",
      "name": "1.3.1.1 — Ensure SELinux is installed",
      "description": "Ensure SELinux is installed",
      "rational": "Without a Mandatory Access Control system installed only the default Discretionary \nAccess Control system will be available.",
      "remediation": "Run the following command to install SELinux: \n\n# dnf install libselinux",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "libselinux",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "4506979dcf1e73790b08efc613cf989e",
      "name": "1.3.1.3 — Ensure SELinux policy is configured",
      "description": "Ensure SELinux policy is configured",
      "rational": "Security configuration requirements vary from site to site. Some sites may mandate a \npolicy that is stricter than the default policy, which is perfectly acceptable. This item is \nintended to ensure that at least the default recommendations are met.",
      "remediation": "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: \n\nSELINUXTYPE=targeted",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/selinux/config",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\s*SELINUXTYPE=(targeted|mls)\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "2d5e4585f90af6999020816cecf37d3a",
      "name": "1.3.1.4 — Ensure the SELinux mode is not disabled",
      "description": "Ensure the SELinux mode is not disabled",
      "rational": "Running SELinux in disabled mode is strongly discouraged; not only does the system \navoid enforcing the SELinux policy, it also avoids labeling any persistent objects such \nas files, making it difficult to enable SELinux in the future. \n\nPage 153",
      "remediation": "Run one of the following commands to set SELinux's running mode: \nTo set SELinux mode to Enforcing: \n\n# setenforce 1 \n\n- OR - \nTo set SELinux mode to Permissive: \n\n# setenforce 0 \n\nEdit the /etc/selinux/config file to set the SELINUX parameter: \nFor Enforcing mode: \n\nSELINUX=enforcing \n\n- OR - \nFor Permissive mode: \n\nSELINUX=permissive",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/selinux/config",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\s*SELINUX=(enforcing|permissive)"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "55a2de525d1d6eedc489cac4cd9aee91",
      "name": "1.3.1.8 — Ensure SETroubleshoot is not installed",
      "description": "Ensure SETroubleshoot is not installed",
      "rational": "The SETroubleshoot service is an unnecessary daemon to have running on a server, \nespecially if X Windows is disabled.",
      "remediation": "Run the following command to uninstall setroubleshoot: \n\n# dnf remove setroubleshoot",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "setroubleshoot",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d5758592659ae9bad264538c1f3efa9d",
      "name": "1.4.1 — Ensure bootloader password is set",
      "description": "Ensure bootloader password is set",
      "rational": "Requiring a boot password upon execution of the boot loader will prevent an \nunauthorized user from entering boot parameters or changing the boot partition. This \nprevents users from weakening security (e.g. turning off SELinux at boot time).",
      "remediation": "Create an encrypted password with grub2-setpassword: \n\n# grub2-setpassword \n\nEnter password: <password> \nConfirm password: <password>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "1f7f61f716c1dfb77d09abb006884ebc",
      "name": "1.5.2 — Ensure ptrace_scope is restricted",
      "description": "Ensure ptrace_scope is restricted",
      "rational": "If one application is compromised, it would be possible for an attacker to attach to other \nrunning processes (e.g. Bash, Firefox, SSH sessions, GPG agent, etc) to extract \nadditional credentials and continue to expand the scope of their attack. \n\nEnabling restricted mode will limit the ability of a compromised process to \nPTRACE_ATTACH on other processes running under the same user. With restr...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  kernel.yama.ptrace_scope = 1 \n\nExample: \n# printf \" \nkernel.yama.ptrace_scope = 1 \n\" >> /etc/sysctl.d/60-kernel_sysctl.conf \n\nRun the following command to set the active kernel parameter: \n\n# sysctl -w kernel.yama.ptrace_scope=1 \n\nNote: If these settings appear in a canonically later file, or later in the same file, these \nsettings will be overwritten",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "c8874d02c024886eb11cca299ec596b7",
      "name": "1.5.3 — Ensure core dump backtraces are disabled",
      "description": "Ensure core dump backtraces are disabled",
      "rational": "A core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems, increasing the risk to the \nsystem.",
      "remediation": "Create or edit the file /etc/systemd/coredump.conf, or a file in the \n/etc/systemd/coredump.conf.d directory ending in .conf. \nEdit or add the following line in the [Coredump] section: \n\nProcessSizeMax=0 \n\nExample: \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -d /etc/systemd/coredump.conf.d/ ] && mkdir \n/etc/systemd/coredump.conf.d/ \n   if grep -Psq -- '^\\h*\\[Coredump\\]' /etc/systemd/coredump.conf.d/60-\ncoredump.conf; then \n      printf '%s\\n' \"ProcessSizeMax=0\" >> /etc/systemd/coredump.conf.d/60-\ncored...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "cb479f6f35e2bb35e23c99e57506c68c",
      "name": "1.5.4 — Ensure core dump storage is disabled",
      "description": "Ensure core dump storage is disabled",
      "rational": "A core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems.",
      "remediation": "Create or edit the file /etc/systemd/coredump.conf, or a file in the \n/etc/systemd/coredump.conf.d directory ending in .conf. \nEdit or add the following line in the [Coredump] section: \n\nStorage=none \n\nExample: \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -d /etc/systemd/coredump.conf.d/ ] && mkdir /etc/systemd/coredump.conf.d/ \n   if grep -Psq -- '^\\h*\\[Coredump\\]' /etc/systemd/coredump.conf.d/60-coredump.conf; then \n      printf '%s\\n' \"Storage=none\" >> /etc/systemd/coredump.conf.d/60-coredump.conf...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "70139a3878202ec20216c93afaf26407",
      "name": "1.7.4 — Ensure access to /etc/motd is configured",
      "description": "Ensure access to /etc/motd is configured",
      "rational": "- IF - the /etc/motd file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/motd: \n\n# chown root:root $(readlink -e /etc/motd) \n# chmod u-x,go-wx $(readlink -e /etc/motd) \n\n- OR - \nRun the following command to remove the /etc/motd file: \n\n# rm /etc/motd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -e /etc/motd ] && stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "061b241c9021fe6e23344a0d016e75b5",
      "name": "1.7.5 — Ensure access to /etc/issue is configured",
      "description": "Ensure access to /etc/issue is configured",
      "rational": "- IF - the /etc/issue file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/issue: \n\n# chown root:root $(readlink -e /etc/issue) \n# chmod u-x,go-wx $(readlink -e /etc/issue)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "2e83419e53cbb6fd38bd647d46f95daa",
      "name": "1.7.6 — Ensure access to /etc/issue.net is configured",
      "description": "Ensure access to /etc/issue.net is configured",
      "rational": "- IF - the /etc/issue.net file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/issue.net: \n\n# chown root:root $(readlink -e /etc/issue.net) \n# chmod u-x,go-wx $(readlink -e /etc/issue.net)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue.net",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "10b5e1ec65d40ce4edb97671abcd5b77",
      "name": "1.8.2 — Ensure GDM login banner is configured",
      "description": "Ensure GDM login banner is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place.",
      "remediation": "Run the following script to verify that the banner message is enabled and set: \n\n#!/usr/bin/env bash \n\n{ \n   l_pkgoutput=\"\" \n   if command -v dpkg-query > /dev/null 2>&1; then \n      l_pq=\"dpkg-query -W\" \n   elif command -v rpm > /dev/null 2>&1; then \n      l_pq=\"rpm -q\" \n   fi \n   l_pcl=\"gdm gdm3\" # Space separated list of packages to check \n   for l_pn in $l_pcl; do \n      $l_pq \"$l_pn\" > /dev/null 2>&1 && l_pkgoutput=\"$l_pkgoutput\\n - Package: \\\"$l_pn\\\" exists on the system\\...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "b0183f84f3f193c979e678a9a2b57246",
      "name": "1.8.3 — Ensure GDM disable-user-list option is enabled",
      "description": "Ensure GDM disable-user-list option is enabled",
      "rational": "Displaying the user list eliminates half of the Userid/Password equation that an \nunauthorized person would need to log on.",
      "remediation": "Run the following script to enable the disable-user-list option: \nNote: the l_gdm_profile variable in the script can be changed if a different profile \nname is desired in accordance with local site policy. \n\n#!/usr/bin/env bash \n\n{ \n   l_gdmprofile=\"gdm\" \n   if [ ! -f \"/etc/dconf/profile/$l_gdmprofile\" ]; then \n      echo \"Creating profile \\\"$l_gdmprofile\\\"\" \n      echo -e \"user-db:user\\nsystem-db:$l_gdmprofile\\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults\" > /etc/dconf/profile/$...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "9f1a2f7e126451eea24c197de1b6d823",
      "name": "1.8.8 — Ensure GDM autorun-never is enabled",
      "description": "Ensure GDM autorun-never is enabled",
      "rational": "Malware on removable media may take advantage of Autorun features when the media \nis inserted into a system and execute.",
      "remediation": "Run the following script to set autorun-never to true for GDM users: \n\n#!/usr/bin/env bash \n\n{ \n   l_pkgoutput=\"\" l_output=\"\" l_output2=\"\" \n   l_gpname=\"local\" # Set to desired dconf profile name (default is local) \n   # Check if GNOME Desktop Manager is installed.  If package isn't installed, recommendation is Not Applicable\\n \n   # determine system's package manager \n   if command -v dpkg-query > /dev/null 2>&1; then \n      l_pq=\"dpkg-query -W\" \n   elif command -v rpm > /dev/nu...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "9bf2635f16f264b17170c7931e0326e8",
      "name": "1.8.9 — Ensure GDM autorun-never is not overridden",
      "description": "Ensure GDM autorun-never is not overridden",
      "rational": "Malware on removable media may take advantage of Autorun features when the media \nis inserted into a system and execute.",
      "remediation": "Run the following script to ensure that autorun-never=true cannot be overridden: \n\n#!/usr/bin/env bash \n\n{ \n   # Check if GNOME Desktop Manager is installed.  If package isn't installed, recommendation is Not Applicable\\n \n   # determine system's package manager \n   l_pkgoutput=\"\" \n   if command -v dpkg-query > /dev/null 2>&1; then \n      l_pq=\"dpkg-query -W\" \n   elif command -v rpm > /dev/null 2>&1; then \n      l_pq=\"rpm -q\" \n   fi \n   # Check if GDM is installed \n   l_pcl=\"gdm gdm3\" # Spac...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "024e40925d95a1193e68e49d35466232",
      "name": "1.8.10 — Ensure XDMCP is not enabled",
      "description": "Ensure XDMCP is not enabled",
      "rational": "XDMCP is inherently insecure. \n\n•  XDMCP is not a ciphered protocol. This may allow an attacker to capture \n\nkeystrokes entered by a user \n\n•  XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to \nsteal the credentials of legitimate users by impersonating the XDMCP server.",
      "remediation": "Edit the file /etc/gdm/custom.conf and remove the line: \n\nEnable=true",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/gdm/custom.conf",
          "selement": "CONTENT",
          "condition": "NOT CONTAINS",
          "sinput": "^\\s*Enable\\s*=\\s*true"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "4c16d0c4d182cae4143080952155f3ae",
      "name": "2.1.1 — Ensure autofs services are not in use",
      "description": "Ensure autofs services are not in use",
      "rational": "With automounting enabled, anyone with physical access could attach a USB drive or \ndisc and have its contents available on the system even if they lacked permissions to mount \nit themselves.",
      "remediation": "Run the following commands to stop autofs.service and remove autofs package: \n\n# systemctl stop autofs.service \n# dnf remove autofs \n\n- OR - \n- IF - the autofs package is required as a dependency: \nRun the following commands to stop and mask autofs.service: \n\n# systemctl stop autofs.service \n# systemctl mask autofs.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "autofs",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "1e668db17627a26894844aae90505a29",
      "name": "2.1.2 — Ensure avahi daemon services are not in use",
      "description": "Ensure avahi daemon services are not in use",
      "rational": "Automatic discovery of network services is not normally required for system \nfunctionality. It is recommended to remove this package to reduce the potential attack \nsurface.",
      "remediation": "Run the following commands to stop avahi-daemon.socket and avahi-daemon.service, and remove the avahi package: \n\n# systemctl stop avahi-daemon.socket avahi-daemon.service \n# dnf remove avahi \n\n- OR - \n- IF - the avahi package is required as a dependency: \nRun the following commands to stop and mask the avahi-daemon.socket and avahi-daemon.service: \n\n# systemctl stop avahi-daemon.socket avahi-daemon.service \n# systemctl mask avahi-daemon.socket avahi-daemon.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "avahi",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "92019d06e68795f3e1e6caa6a9bed36e",
      "name": "2.1.3 — Ensure dhcp server services are not in use",
      "description": "Ensure dhcp server services are not in use",
      "rational": "Unless a system is specifically set up to act as a DHCP server, it is recommended that \nthe dhcp-server package be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop dhcpd.service and dhcpd6.service and \nremove dhcp-server package: \n\n# systemctl stop dhcpd.service dhcpd6.service \n# dnf remove dhcp-server \n\n- OR - \n- IF - the dhcp-server package is required as a dependency: \nRun the following commands to stop and mask dhcpd.service and dhcpd6.service: \n\n# systemctl stop dhcpd.service dhcpd6.service \n# systemctl mask dhcpd.service dhcpd6.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dhcp-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "1f57759456ec9065bbf4aee7f4f33884",
      "name": "2.1.4 — Ensure dns server services are not in use",
      "description": "Ensure dns server services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS server, it is recommended \nthat the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop named.service and remove bind package: \n\n# systemctl stop named.service \n# dnf remove bind \n\n- OR - \n- IF - the bind package is required as a dependency: \nRun the following commands to stop and mask named.service: \n\n# systemctl stop named.service \n# systemctl mask named.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "927133e8892f1d2455039ab8c0b30706",
      "name": "2.1.5 — Ensure dnsmasq services are not in use",
      "description": "Ensure dnsmasq services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS caching, DNS forwarding \nand/or DHCP server, it is recommended that the package be removed to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop dnsmasq.service and remove dnsmasq package: \n\n# systemctl stop dnsmasq.service \n# dnf remove dnsmasq \n\n- OR - \n- IF - the dnsmasq package is required as a dependency: \nRun the following commands to stop and mask the dnsmasq.service: \n\n# systemctl stop dnsmasq.service \n# systemctl mask dnsmasq.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dnsmasq",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "09ba4a606a562c6ddd954e0d76c9e41f",
      "name": "2.1.7 — Ensure ftp server services are not in use",
      "description": "Ensure ftp server services are not in use",
      "rational": "Unless there is a need to run the system as an FTP server, it is recommended that the \npackage be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop vsftpd.service and remove vsftpd package: \n\n# systemctl stop vsftpd.service \n# dnf remove vsftpd \n\n- OR - \n- IF - the vsftpd package is required as a dependency: \nRun the following commands to stop and mask the vsftpd.service: \n\n# systemctl stop vsftpd.service \n# systemctl mask vsftpd.service \n\nNote: Other ftp server packages may exist. If not required and authorized by local site \npolicy, they should also be removed. If the package is required for a depende...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "vsftpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "e2547219572b59d281da84a0640237f4",
      "name": "2.1.10 — Ensure nis server services are not in use",
      "description": "Ensure nis server services are not in use",
      "rational": "The NIS service is inherently an insecure system that has been vulnerable to DoS \nattacks and buffer overflows, and has poor authentication for querying NIS maps. NIS \ngenerally has been replaced by such protocols as Lightweight Directory Access \nProtocol (LDAP). It is recommended that the service be removed.",
      "remediation": "Run the following commands to stop ypserv.service and remove ypserv package: \n\n# systemctl stop ypserv.service \n# dnf remove ypserv \n\n- OR - \n- IF - the ypserv package is required as a dependency: \nRun the following commands to stop and mask ypserv.service: \n\n# systemctl stop ypserv.service \n# systemctl mask ypserv.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ypserv",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "28558b44c95380fd3dc436207cc5bf94",
      "name": "2.1.11 — Ensure print server services are not in use",
      "description": "Ensure print server services are not in use",
      "rational": "If the system does not need to print jobs or accept print jobs from other systems, it is \nrecommended that CUPS be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop cups.socket and cups.service, and remove the \ncups package: \n\n# systemctl stop cups.socket cups.service \n# dnf remove cups \n\n- OR - \n- IF - the cups package is required as a dependency: \nRun the following commands to stop and mask the cups.socket and cups.service: \n\n# systemctl stop cups.socket cups.service \n# systemctl mask cups.socket cups.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "cups",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "9884426a76e26d3d099145c0366d007d",
      "name": "2.1.12 — Ensure rpcbind services are not in use",
      "description": "Ensure rpcbind services are not in use",
      "rational": "A small request (~82 bytes via UDP) sent to the Portmapper generates a large \nresponse (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If \nrpcbind is not required, it is recommended to remove rpcbind package to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop rpcbind.socket and rpcbind.service, and \nremove the rpcbind package: \n\n# systemctl stop rpcbind.socket rpcbind.service \n# dnf remove rpcbind \n\n- OR - \n- IF - the rpcbind package is required as a dependency: \nRun the following commands to stop and mask the rpcbind.socket and \nrpcbind.service: \n\n# systemctl stop rpcbind.socket rpcbind.service \n# systemctl mask rpcbind.socket rpcbind.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rpcbind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "ddbbdc99be44691d2f9835ee9e3d4424",
      "name": "2.1.13 — Ensure rsync services are not in use",
      "description": "Ensure rsync services are not in use",
      "rational": "Unless required, the rsync-daemon package should be removed to reduce the potential \nattack surface. \n\nThe rsyncd.service presents a security risk as it uses unencrypted protocols for \ncommunication.",
      "remediation": "Run the following commands to stop rsyncd.socket and rsyncd.service, and \nremove the rsync-daemon package: \n\n# systemctl stop rsyncd.socket rsyncd.service \n# dnf remove rsync-daemon \n\n- OR - \n- IF - the rsync-daemon package is required as a dependency: \nRun the following commands to stop and mask the rsyncd.socket and \nrsyncd.service: \n\n# systemctl stop rsyncd.socket rsyncd.service \n# systemctl mask rsyncd.socket rsyncd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsync-daemon",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "fbc4b48991ff1bb0abf39c8895ff0650",
      "name": "2.1.14 — Ensure snmp services are not in use",
      "description": "Ensure snmp services are not in use",
      "rational": "The SNMP server can communicate using SNMPv1, which transmits data in the clear \nand does not require authentication to execute commands. SNMPv3 replaces the \nsimple/clear text password sharing used in SNMPv2 with more securely encoded \nparameters. If the SNMP service is not required, the net-snmp package should be \nremoved to reduce the attack surface of the system. \n\nNote: If SNMP is requ...",
      "remediation": "Run the following commands to stop snmpd.service and remove net-snmp package: \n\n# systemctl stop snmpd.service \n# dnf remove net-snmp \n\n- OR - If the package is required for dependencies: \nRun the following commands to stop and mask the snmpd.service: \n\n# systemctl stop snmpd.service \n# systemctl mask snmpd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "net-snmp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "1bbcdfb510d14fcf3dfa74c183d93ed6",
      "name": "2.1.15 — Ensure telnet server services are not in use",
      "description": "Ensure telnet server services are not in use",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow a user with access to sniff network traffic the ability to \nsteal credentials. The ssh package provides an encrypted session and stronger \nsecurity.",
      "remediation": "Run the following commands to stop telnet.socket and remove the telnet-server \npackage: \n\n# systemctl stop telnet.socket \n# dnf remove telnet-server \n\n- OR - \n- IF - a package is installed and is required for dependencies: \nRun the following commands to stop and mask telnet.socket: \n\n# systemctl stop telnet.socket \n# systemctl mask telnet.socket",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "f610ebd17d27434751947b8b537cb9ba",
      "name": "2.1.16 — Ensure tftp server services are not in use",
      "description": "Ensure tftp server services are not in use",
      "rational": "Unless there is a need to run the system as a TFTP server, it is recommended that the \npackage be removed to reduce the potential attack surface. \n\nTFTP does not have built-in encryption, access control or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files",
      "remediation": "Run the following commands to stop tftp.socket and tftp.service, and remove the \ntftp-server package: \n\n# systemctl stop tftp.socket tftp.service \n# dnf remove tftp-server \n\n- OR - \n- IF - the tftp-server package is required as a dependency: \nRun the following commands to stop and mask tftp.socket and tftp.service: \n\n# systemctl stop tftp.socket tftp.service \n# systemctl mask tftp.socket tftp.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftp-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "94b2d715e95725613eacb5fa52dcff09",
      "name": "2.1.18 — Ensure web server services are not in use",
      "description": "Ensure web server services are not in use",
      "rational": "Unless there is a local site approved requirement to run a web server service on the \nsystem, web server packages should be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop httpd.socket, httpd.service, and \nnginx.service, and remove httpd and nginx packages: \n\n# systemctl stop httpd.socket httpd.service nginx.service \n# dnf remove httpd nginx \n\n- OR - \n- IF - a package is installed and is required for dependencies: \nRun the following commands to stop and mask httpd.socket, httpd.service, and \nnginx.service: \n\n# systemctl stop httpd.socket httpd.service nginx.service \n# systemctl mask httpd.socket httpd.service nginx.service \n\nN...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "httpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "09228a67cf4f0b0c0225230288716147",
      "name": "2.1.19 — Ensure xinetd services are not in use",
      "description": "Ensure xinetd services are not in use",
      "rational": "If no xinetd services are required, it is recommended that the package be \nremoved to reduce the attack surface of the system. \n\nNote: If one or more xinetd services are required, ensure that any xinetd service not \nrequired is stopped and masked.",
      "remediation": "Run the following commands to stop xinetd.service, and remove the xinetd \npackage: \n\n# systemctl stop xinetd.service \n# dnf remove xinetd \n\n- OR - \n- IF - the xinetd package is required as a dependency: \nRun the following commands to stop and mask the xinetd.service: \n\n# systemctl stop xinetd.service \n# systemctl mask xinetd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "xinetd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "b1e3e11516ae3b2cc79c27e89cc9b795",
      "name": "2.2.1 — Ensure ftp client is not installed",
      "description": "Ensure ftp client is not installed",
      "rational": "FTP does not protect the confidentiality of data or authentication credentials. It is \nrecommended that SFTP be used if file transfer is required. Unless there is a need to run \nthe system as an FTP server (for example, to allow anonymous downloads), it is \nrecommended that the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove ftp: \n\n# dnf remove ftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ftp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "825a55e116d2197ba3c074ec3feac20b",
      "name": "2.2.3 — Ensure nis client is not installed",
      "description": "Ensure nis client is not installed",
      "rational": "The NIS service is inherently insecure: it has been vulnerable to DoS \nattacks and buffer overflows, and has poor authentication for querying NIS maps. NIS \nhas generally been replaced by protocols such as the Lightweight Directory Access \nProtocol (LDAP). It is recommended that the service be removed.",
      "remediation": "Run the following command to remove the ypbind package: \n\n# dnf remove ypbind",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ypbind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "7661f5e8379cb520ff29079fc268a79e",
      "name": "2.2.4 — Ensure telnet client is not installed",
      "description": "Ensure telnet client is not installed",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow an unauthorized user to steal credentials. The ssh \npackage provides an encrypted session and stronger security and is included in most \nLinux distributions.",
      "remediation": "Run the following command to remove the telnet package: \n\n# dnf remove telnet",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "e905b1f0adb41d2e50c16e9b022ba7cc",
      "name": "2.2.5 — Ensure tftp client is not installed",
      "description": "Ensure tftp client is not installed",
      "rational": "TFTP has no built-in encryption, access control, or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files.",
      "remediation": "Run the following command to remove tftp: \n\n# dnf remove tftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "7704d835a99c641bfe28dc5eff608af1",
      "name": "2.3.1 — Ensure time synchronization is in use",
      "description": "Ensure time synchronization is in use",
      "rational": "Time synchronization is important to support time sensitive security mechanisms like \nKerberos and also ensures log files have consistent time records across the enterprise, \nwhich aids in forensic investigations.",
      "remediation": "Run the following command to install chrony: \n\n# dnf install chrony",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "chrony",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "55422048a54cfc77eacb640ae4688167",
      "name": "2.3.2 — Ensure chrony is configured",
      "description": "Ensure chrony is configured",
      "rational": "If chrony is in use on the system, proper configuration is vital to ensuring that time \nsynchronization works properly.",
      "remediation": "Add or edit server or pool lines to /etc/chrony.conf or a file in the /etc/chrony.d \ndirectory as appropriate: \nExample: \n\nserver <remote-server>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Prs -- '^\\h*(server|pool)\\h+[^#\\n\\r]+' /etc/chrony.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "2f5df09981701649641d30682a98cd53",
      "name": "2.3.3 — Ensure chrony is not run as the root user",
      "description": "Ensure chrony is not run as the root user",
      "rational": "Services should not be configured to run as the root user.",
      "remediation": "Edit the file /etc/sysconfig/chronyd and add or modify the following line to remove \n\"-u root\" from any OPTIONS= argument: \nExample: \n\nOPTIONS=\"-F 2\" \n\nRun the following command to reload the chronyd.service configuration: \n\n# systemctl reload-or-restart chronyd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*OPTIONS=\\\"?\\h*([^#\\n\\r]+\\h+)?-u\\h+root\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "c4ce488e5eb5bfe397d46e9b97c53d63",
      "name": "2.4.1.1 — Ensure cron daemon is enabled and active",
      "description": "Ensure cron daemon is enabled and active",
      "rational": "While there may not be user jobs that need to be run on the system, the system does \nhave maintenance jobs that may include security monitoring that have to run, and cron \nis used to execute them.",
      "remediation": "- IF - cron is installed on the system: \nRun the following commands to unmask, enable, and start cron: \n\n# systemctl unmask \"$(systemctl list-unit-files | awk \n'$1~/^crond?\\.service/{print $1}')\" \n# systemctl --now enable \"$(systemctl list-unit-files | awk \n'$1~/^crond?\\.service/{print $1}')\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemctl list-unit-files | awk '$1~/^crond?\\.service/{print $2}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "55ecc2a5512a1300cdc7b5fccfe2aa61",
      "name": "2.4.2.1 — Ensure at is restricted to authorized users",
      "description": "Ensure at is restricted to authorized users",
      "rational": "On many systems, only the system administrator is authorized to schedule at jobs. \nUsing the at.allow file to control who can run at jobs enforces this policy. It is easier \nto manage an allow list than a deny list. With a deny list, you could potentially add a user \nID to the system and forget to add it to the deny file.",
      "remediation": "- IF - at is installed on the system: \nRun the following script to: \n\n•  /etc/at.allow: \n\no  Create the file if it doesn't exist \no  Change owner or user root \no \n\nIf group daemon exists, change to group daemon, else change group to \nroot \n\no  Change mode to 640 or more restrictive \n\n• \n\n- IF - /etc/at.deny exists: \n\no  Change owner or user root \no \n\nIf group daemon exists, change to group daemon, else change group to \nroot \n\no  Change mode to 640 or more restrictive \n\n#!/usr/bin/env bash \n\n{...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/at.allow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "fae514506975d8c7ed175e656f8588eb",
      "name": "3.1.2 — Ensure wireless interfaces are disabled",
      "description": "Ensure wireless interfaces are disabled",
      "rational": "- IF - wireless is not to be used, wireless devices can be disabled to reduce the potential \nattack surface.",
      "remediation": "Run the following script to disable any wireless interfaces: \n\n#!/usr/bin/env bash \n\n{ \n   module_fix() \n   { \n      if ! modprobe -n -v \"$l_mname\" | grep -P -- '^\\h*install \n\\/bin\\/(true|false)'; then \n         echo -e \" - setting module: \\\"$l_mname\\\" to be un-loadable\" \n         echo -e \"install $l_mname /bin/false\" >> \n/etc/modprobe.d/\"$l_mname\".conf \n      fi \n      if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then \n         echo -e \" - unloading module \\\"$l_mname\\\"\" \n         modprobe -r...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "6816696aaff1904dc83f3d07d5094ed9",
      "name": "3.1.3 — Ensure bluetooth services are not in use",
      "description": "Ensure bluetooth services are not in use",
      "rational": "An attacker may be able to find a way to access or corrupt your data. One example of \nthis type of activity is bluesnarfing, which refers to attackers using a Bluetooth \nconnection to steal information off of your Bluetooth device. Also, viruses or other \nmalicious code can take advantage of Bluetooth technology to infect other devices. If \nyou are infected, your data may be corrupted, compromi...",
      "remediation": "Run the following commands to stop bluetooth.service, and remove the bluez \npackage: \n\n# systemctl stop bluetooth.service \n# dnf remove bluez \n\n- OR - \n- IF - the bluez package is required as a dependency: \nRun the following commands to stop and mask bluetooth.service: \n\n# systemctl stop bluetooth.service \n# systemctl mask bluetooth.service \n\nNote: A reboot may be required",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bluez",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "40dafddf6d744f9838dd9214b1b131c1",
      "name": "3.3.1 — Ensure ip forwarding is disabled",
      "description": "Ensure ip forwarding is disabled",
      "rational": "Setting net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 0 ensures \nthat a system with multiple interfaces (for example, a hard proxy), will never be able to \nforward packets, and therefore, never serve as a router.",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.ip_forward = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.ip_forward = 0\" >> /etc/sysctl.d/60-\nnetipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.ip_forward=0 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\n- IF - IPv6 is enabled on the system: \nSet the following parameter in /etc/sysctl.conf or a file in /etc/sysctl...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "3a2e5fa182dd6ee94b3feba342a3ed6b",
      "name": "3.3.2 — Ensure packet redirect sending is disabled",
      "description": "Ensure packet redirect sending is disabled",
      "rational": "An attacker could use a compromised host to send invalid ICMP redirects to other \nrouter devices in an attempt to corrupt routing and have users access a system set up \nby the attacker as opposed to a valid system.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.send_redirects = 0 \n•  net.ipv4.conf.default.send_redirects = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.send_redirects = 0\" \n\"net.ipv4.conf.default.send_redirects = 0\" >> /etc/sysctl.d/60-\nnetipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.send_redirects=0 \n   sysctl -w net.ipv4.c...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "da3f45b55b2c783ca5ac5397679084dc",
      "name": "3.3.3 — Ensure bogus icmp responses are ignored",
      "description": "Ensure bogus icmp responses are ignored",
      "rational": "Some routers (and some attackers) will send responses that violate RFC-1122 and \nattempt to fill up a log file system with many useless error messages.",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.icmp_ignore_bogus_error_responses = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.icmp_ignore_bogus_error_responses = 1\" >> \n/etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canoni...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "ccf1eecef34b796aec033696009be10f",
      "name": "3.3.4 — Ensure broadcast icmp requests are ignored",
      "description": "Ensure broadcast icmp requests are ignored",
      "rational": "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations \nfor your network could be used to trick your host into starting (or participating) in a \nSmurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP \nbroadcast messages with a spoofed source address. All hosts receiving this message \nand responding would send echo-reply messages back to the...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.icmp_echo_ignore_broadcasts = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.icmp_echo_ignore_broadcasts = 1\" >> \n/etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canonically later file,...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d7e004f854289ab31153c4f7026897bd",
      "name": "3.3.5 — Ensure icmp redirects are not accepted",
      "description": "Ensure icmp redirects are not accepted",
      "rational": "ICMP redirect messages are packets that convey routing information and tell your host \n(acting as a router) to send packets via an alternate path. It is a way of allowing an \noutside routing device to update your system routing tables. By setting \nnet.ipv4.conf.all.accept_redirects, \nnet.ipv4.conf.default.accept_redirects, \nnet.ipv6.conf.all.accept_redirects, and \nnet.ipv6.conf.default.accept_r...",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.accept_redirects = 0 \n•  net.ipv4.conf.default.accept_redirects = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.accept_redirects = 0\" \n\"net.ipv4.conf.default.accept_redirects = 0\" >> /etc/sysctl.d/60-\nnetipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.accept_redirects=0 \n   sysctl -w...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "4b92797a1c06f8de0f29ada903a6b8ba",
      "name": "3.3.6 — Ensure secure icmp redirects are not accepted",
      "description": "Ensure secure icmp redirects are not accepted",
      "rational": "It is still possible for even known gateways to be compromised. Setting \nnet.ipv4.conf.all.secure_redirects and \nnet.ipv4.conf.default.secure_redirects to 0 protects the system from routing \ntable updates by possibly compromised known gateways.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.secure_redirects = 0 \n•  net.ipv4.conf.default.secure_redirects = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.secure_redirects = 0\" \n\"net.ipv4.conf.default.secure_redirects = 0\" >> /etc/sysctl.d/60-\nnetipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.secure_redirects=0 \n   sysctl -w...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "7fe9937bdd1a9c563304a4497c313f57",
      "name": "3.3.7 — Ensure reverse path filtering is enabled",
      "description": "Ensure reverse path filtering is enabled",
      "rational": "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to \n1 is a good way to deter attackers from sending your system bogus packets that cannot \nbe responded to. One instance where this feature breaks down is if asymmetrical \nrouting is employed. This would occur when using dynamic routing protocols (bgp, ospf, \netc) on your system. If you are using asymmetrical routing on you...",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.rp_filter = 1 \n•  net.ipv4.conf.default.rp_filter = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.rp_filter = 1\" \n\"net.ipv4.conf.default.rp_filter = 1\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.rp_filter=1 \n   sysctl -w net.ipv4.conf.default.rp_filter=1...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "da51ef0804331babe84e5be0e7efc4e6",
      "name": "3.3.9 — Ensure suspicious packets are logged",
      "description": "Ensure suspicious packets are logged",
      "rational": "Setting net.ipv4.conf.all.log_martians and \nnet.ipv4.conf.default.log_martians to 1 enables this feature. Logging these \npackets allows an administrator to investigate the possibility that an attacker is sending \nspoofed packets to their system.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.log_martians = 1 \n•  net.ipv4.conf.default.log_martians = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.log_martians = 1\" \n\"net.ipv4.conf.default.log_martians = 1\" >> /etc/sysctl.d/60-\nnetipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.log_martians=1 \n   sysctl -w net.ipv4.conf.defaul...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "e372b4df6add0ff8fb75fde473861356",
      "name": "3.3.10 — Ensure tcp syn cookies is enabled",
      "description": "Ensure tcp syn cookies is enabled",
      "rational": "Attackers use SYN flood attacks to perform a denial-of-service attack on a system by \nsending many SYN packets without completing the three-way handshake. This will \nquickly use up slots in the kernel's half-open connection queue and prevent legitimate \nconnections from succeeding. Setting net.ipv4.tcp_syncookies to 1 enables SYN \ncookies, allowing the system to keep accepting valid connectio...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.tcp_syncookies = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.tcp_syncookies = 1\" >> /etc/sysctl.d/60-\nnetipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.tcp_syncookies=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canonically later file, or later in the same file, these \nsetti...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "781d907ef04e644ee8596d22cb13ee76",
      "name": "4.1.1 — Ensure nftables is installed",
      "description": "Ensure nftables is installed",
      "rational": "nftables is a subsystem of the Linux kernel that can protect against threats originating \nfrom within a corporate network, including malicious mobile code and poorly configured \nsoftware on a host.",
      "remediation": "Run the following command to install nftables \n\n# dnf install nftables",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "nftables",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "48cb1f507ec257d9c2a6a35c17263fc1",
      "name": "4.2.2 — Ensure firewalld loopback traffic is configured",
      "description": "Ensure firewalld loopback traffic is configured",
      "rational": "Loopback traffic is generated between processes on the machine and is typically critical to \nthe operation of the system. The loopback interface is the only place where loopback network \ntraffic should be seen; all other interfaces should ignore traffic on this network as an \nanti-spoofing measure.",
      "remediation": "Run the following script to implement the loopback rules: \n\n#!/usr/bin/env bash \n\n{  l_hbfw=\"\" \n   if systemctl is-enabled firewalld.service | grep -q 'enabled'; then \n      echo -e \"\\n - FirewallD is in use on the system\" && l_hbfw=\"fwd\" \n   elif systemctl is-enabled nftables.service 2>/dev/null | grep -q 'enabled'; then \n      echo -e \"\\n - nftables is in use on the system \\n - Recommendation is NA \\n - \nRemediation Complete\" && l_hbfw=\"nft\" \n   fi \n   if [ \"$l_hbfw\" = \"fwd\" ]; then...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "firewalld",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "83c8bf4e53462d23e0259276bbb398bb",
      "name": "4.3.1 — Ensure nftables base chains exist",
      "description": "Ensure nftables base chains exist",
      "rational": "If a base chain doesn't exist with a hook for input, forward, and output, packets that \nwould flow through those chains will not be touched by nftables.",
      "remediation": "- IF - NFTables utility is in use on your system: \nRun the following command to create the base chains: \n\n# nft create chain inet <table name> <base chain name> { type filter hook \n<(input|forward|output)> priority 0 \\; } \n\nExample: \n\n# nft create chain inet filter input { type filter hook input priority 0 \\; } \n# nft create chain inet filter forward { type filter hook forward priority 0 \n\\; } \n# nft create chain inet filter output { type filter hook output priority 0 \\; \n} \n\nNote: use the ad...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "nft list ruleset | grep 'hook input'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "7ce06c343ca9369ff4421d25a4966705",
      "name": "4.3.3 — Ensure nftables default deny firewall policy",
      "description": "Ensure nftables default deny firewall policy",
      "rational": "There are two policies: accept (Default) and drop. If the policy is set to accept, the \nfirewall will accept any packet that is not configured to be denied and the packet will \ncontinue traversing the network stack. \n\nIt is easier to explicitly permit acceptable usage than to deny unacceptable usage. \n\nNote: \n\n- IF - Firewalld is in use, this recommendation can be skipped. \n\n• \n•  Changing fire...",
      "remediation": "- IF - NFTables utility is in use on your system: \nRun the following command for the base chains with the input, forward, and output \nhooks to implement a default DROP policy: \n\n# nft chain <table family> <table name> <chain name> { policy drop \\; } \n\nExample: \n\n# nft chain inet filter input { policy drop \\; } \n# nft chain inet filter forward { policy drop \\; }",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemctl --quiet is-enabled nftables.service && nft list ruleset | grep",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "0e2ef53f75e8b7452898da9fe5d47ebf",
      "name": "4.3.4 — Ensure nftables loopback traffic is configured",
      "description": "Ensure nftables loopback traffic is configured",
      "rational": "Loopback traffic is generated between processes on the machine and is typically critical to \noperation of the system. The loopback interface is the only place that loopback network \ntraffic should be seen; all other interfaces should ignore traffic on this network as an \nanti-spoofing measure.",
      "remediation": "Run the following script to implement the loopback rules: \n\n#!/usr/bin/env bash \n\n{    l_hbfw=\"\" \n     if systemctl is-enabled firewalld.service 2>/dev/null | grep -q \n'enabled'; then \n         echo -e \"\\n - FirewallD is in use on the system\\n - Recommendation \nis NA \\n - Remediation Complete\" && l_hbfw=\"fwd\" \n    elif systemctl is-enabled nftables.service | grep -q 'enabled'; then \n         l_hbfw=\"nft\" \n      fi \n      if [ \"$l_hbfw\" = \"nft\" ]; then  \n         l_ipsaddr=\"$(nft list ruleset...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "firewalld",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "77410a119f13f8fbbac054e9b201554e",
      "name": "5.1.4 — Ensure sshd Ciphers are configured",
      "description": "Ensure sshd Ciphers are configured",
      "rational": "Weak ciphers that are used for authentication to the cryptographic module cannot be \nrelied upon to provide confidentiality or integrity, and system data may be compromised. \n\n•  The Triple DES ciphers, as used in SSH, have a birthday bound of approximately \nfour billion blocks, which makes it easier for remote attackers to obtain clear text \ndata via a birthday attack against a long-duration e...",
      "remediation": "Note: \n\n•  First occurrence of an option takes precedence. \n•  Though ciphers may be configured through the Ciphers option in the \n/etc/ssh/sshd_config file, it is recommended that the ciphers available to \nopenSSH server are configured through system-wide-crypto-policy. \nIf the recommendations in the subsection \"Configure system wide crypto policy\" \nhave been followed, this Audit should be in a passing state. Please review that \nsection before following this Remediation Procedure. \n\n•  By...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d28bd92716cdb88d3b579bf3e7f9a1f0",
      "name": "5.1.5 — Ensure sshd KexAlgorithms is configured",
      "description": "Ensure sshd KexAlgorithms is configured",
      "rational": "Key exchange methods that are considered weak should be removed. A key exchange \nmethod may be weak because too few bits are used, or the hashing algorithm is \nconsidered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks.",
      "remediation": "Note: \n\n•  First occurrence of an option takes precedence. \n•  Though key_exchange may be configured through the KexAlgorithms option in \nthe /etc/ssh/sshd_config file, it is recommended that the key_exchange \navailable to openSSH server are configured through system-wide-crypto-policy \nIf the recommendations in the subsection \"Configure system wide crypto policy\" \nhave been followed, this Audit should be in a passing state. Please review that \nsection before following this Remediation Proced...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- 'kexalgorithms\\h+([^#\\n\\r]+,)?(diffie-hellman-group1-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "331bcdb3be29bdd50e664b2094107e20",
      "name": "5.1.6 — Ensure sshd MACs are configured",
      "description": "Ensure sshd MACs are configured",
      "rational": "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase \nexploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal \nof attention as a weak spot that can be exploited with expanded computing power. An \nattacker that breaks the algorithm could take advantage of a MiTM position to decrypt \nthe SSH tunnel and capture credentials and information...",
      "remediation": "Note: \n\n•  First occurrence of an option takes precedence. \n•  Though MACs may be configured through the MACs option in the \n/etc/ssh/sshd_config file, it is recommended that the MACs available to \nopenSSH server are configured through system-wide-crypto-policy. \nIf the recommendations in the subsection \"Configure system wide crypto policy\" \nhave been followed, this Audit should be in a passing state. Please review that \nsection before following this Remediation Procedure. \n\n•  By default,...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- 'macs\\h+([^#\\n\\r]+,)?(hmac-md5|hmac-md5-96|hmac-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "be94e6d0ec0a0d02bb5f534e55c64fc1",
      "name": "5.1.7 — Ensure sshd access is configured",
      "description": "Ensure sshd access is configured",
      "rational": "Restricting which users can remotely access the system via SSH will help ensure that \nonly authorized users access the system.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set one or more of the parameters above any \nInclude and Match set statements as follows: \n\nAllowUsers <userlist> \n - AND/OR - \nAllowGroups <grouplist> \nNote: \n\n•  First occurrence of a option takes precedence, Match set statements \n\nwithstanding. If Include locations are enabled, used, and order of precedence is \nunderstood in your environment, the entry may be created in a .conf file in a \nInclude directory. \n\n• \n\n• \n\nBe advised that these options are \"...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- '^\\h*(allow|deny)(users|groups)\\h+\\H+'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "10f867863764114a1fb06172836b6608",
      "name": "5.1.8 — Ensure sshd Banner is configured",
      "description": "Ensure sshd Banner is configured",
      "rational": "Banners are used to warn connecting users of the particular site's policy regarding \nconnection. Presenting a warning message prior to the normal user login may assist the \nprosecution of trespassers on the computer system.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the Banner parameter above any Include \nand Match entries as follows: \n\nBanner /etc/issue.net \n\nNote: First occurrence of a option takes precedence, Match set statements \nwithstanding. If Include locations are enabled, used, and order of precedence is \nunderstood in your environment, the entry may be created in a file in Include location. \nEdit the file being called by the Banner argument with the appropriate contents \naccording to your site policy, r...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- '^banner\\h+\\/\\H+'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "8360ad9c825f6ff7da42a50c26f116da",
      "name": "5.1.10 — Ensure sshd DisableForwarding is enabled",
      "description": "Ensure sshd DisableForwarding is enabled",
      "rational": "Disable X11 forwarding unless there is an operational requirement to use X11 \napplications directly. There is a small risk that the remote X11 servers of users who are \nlogged in via SSH with X11 forwarding could be compromised by other users on the \nX11 server. Note that even if X11 forwarding is disabled, users can always install their \nown forwarders. \n\nanyone with root privilege on the...",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the DisableForwarding parameter to yes \nabove any Include entry as follows: \n\nDisableForwarding yes \n\nNote: First occurrence of a option takes precedence. If Include locations are enabled, \nused, and order of precedence is understood in your environment, the entry may be \ncreated in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -i disableforwarding",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d139e15ba3bedc77c21d89a5949e06f1",
      "name": "5.1.13 — Ensure sshd IgnoreRhosts is enabled",
      "description": "Ensure sshd IgnoreRhosts is enabled",
      "rational": "Setting this parameter forces users to enter a password when authenticating with SSH.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the IgnoreRhosts parameter to yes above \nany Include and Match entries as follows: \n\nIgnoreRhosts yes \n\nNote: First occurrence of a option takes precedence, Match set statements \nwithstanding. If Include locations are enabled, used, and order of precedence is \nunderstood in your environment, the entry may be created in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep ignorerhosts",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "3d8a5ee5967f29f85a1b27130bc84608",
      "name": "5.1.14 — Ensure sshd LoginGraceTime is configured",
      "description": "Ensure sshd LoginGraceTime is configured",
      "rational": "Setting the LoginGraceTime parameter to a low number will minimize the risk of \nsuccessful brute force attacks to the SSH server. It will also limit the number of \nconcurrent unauthenticated connections. While the recommended setting is 60 seconds \n(1 Minute), set the number based on site policy.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the LoginGraceTime parameter to 60 \nseconds or less above any Include entry as follows: \n\nLoginGraceTime 60 \n\nNote: First occurrence of a option takes precedence. If Include locations are enabled, \nused, and order of precedence is understood in your environment, the entry may be \ncreated in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep logingracetime",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "73525b7f88b1a771868f42cb6f84ccaa",
      "name": "5.1.15 — Ensure sshd LogLevel is configured",
      "description": "Ensure sshd LogLevel is configured",
      "rational": "The INFO level is the basic level that only records login activity of SSH users. In many \nsituations, such as Incident Response, it is important to determine when a particular \nuser was active on a system. The logout record can eliminate those users who \ndisconnected, which helps narrow the field. \n\nThe VERBOSE level specifies that login and logout activity as well as the key fingerprint \nfor a...",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the LogLevel parameter to VERBOSE or \nINFO above any Include and Match entries as follows: \n\nLogLevel VERBOSE \n   - OR - \nLogLevel INFO \n\nNote: First occurrence of an option takes precedence, Match set statements \nwithstanding. If Include locations are enabled, used, and order of precedence is \nunderstood in your environment, the entry may be created in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep loglevel",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "bb0c1f884190df79139b353c68e18340",
      "name": "5.1.16 — Ensure sshd MaxAuthTries is configured",
      "description": "Ensure sshd MaxAuthTries is configured",
      "rational": "Setting the MaxAuthTries parameter to a low number will minimize the risk of \nsuccessful brute force attacks to the SSH server. While the recommended setting is 4, \nset the number based on site policy.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the MaxAuthTries parameter to 4 or less \nabove any Include and Match entries as follows: \n\nMaxAuthTries 4 \n\nNote: First occurrence of an option takes precedence, Match set statements \nwithstanding. If Include locations are enabled, used, and order of precedence is \nunderstood in your environment, the entry may be created in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep maxauthtries",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d568f8e88cb55b2c4ceb1682afa776c8",
      "name": "5.1.17 — Ensure sshd MaxStartups is configured",
      "description": "Ensure sshd MaxStartups is configured",
      "rational": "To protect a system from denial of service due to a large number of pending \nauthentication connection attempts, use the rate limiting function of MaxStartups to \nprotect availability of sshd logins and prevent overwhelming the daemon.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the MaxStartups parameter to 10:30:60 or \nmore restrictive above any Include entries as follows: \n\nMaxStartups 10:30:60 \n\nNote: First occurrence of a option takes precedence. If Include locations are enabled, \nused, and order of precedence is understood in your environment, the entry may be \ncreated in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | awk '$1 ~ /^\\s*maxstartups/{split($2, a, \":\");{if(a[1] > 10 ||",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "77fae91b61720ae7ff75329ef3d31273",
      "name": "5.1.18 — Ensure sshd MaxSessions is configured",
      "description": "Ensure sshd MaxSessions is configured",
      "rational": "To protect a system from denial of service due to a large number of concurrent \nsessions, use the rate limiting function of MaxSessions to protect availability of sshd \nlogins and prevent overwhelming the daemon.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the MaxSessions parameter to 10 or less \nabove any Include and Match entries as follows: \n\nMaxSessions 10 \n\nNote: First occurrence of an option takes precedence, Match set statements \nwithstanding. If Include locations are enabled, used, and order of precedence is \nunderstood in your environment, the entry may be created in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -i maxsessions",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "77aa3d18d8dd2f6866588a60a845fea9",
      "name": "5.1.20 — Ensure sshd PermitRootLogin is disabled",
      "description": "Ensure sshd PermitRootLogin is disabled",
      "rational": "Disallowing root logins over SSH requires system admins to authenticate using their \nown individual account, then escalating to root. This limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the PermitRootLogin parameter to no \nabove any Include and Match entries as follows: \n\nPermitRootLogin no \n\nNote: First occurrence of an option takes precedence, Match set statements \nwithstanding. If Include locations are enabled, used, and order of precedence is \nunderstood in your environment, the entry may be created in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep permitrootlogin",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "3535bd390557e389c8ff5316c20cbf67",
      "name": "5.1.22 — Ensure sshd UsePAM is enabled",
      "description": "Ensure sshd UsePAM is enabled",
      "rational": "When usePAM is set to yes, PAM runs through account and session types properly. This \nis important if you want to restrict access to services based on IP, time, or other \nfactors of the account. Additionally, you can make sure users inherit certain \nenvironment variables on login or disallow access to the server.",
      "remediation": "Edit the /etc/ssh/sshd_config file to set the UsePAM parameter to yes above any \nInclude entries as follows: \n\nUsePAM yes \n\nNote: First occurrence of an option takes precedence. If Include locations are enabled, \nused, and order of precedence is understood in your environment, the entry may be \ncreated in a file in Include location.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -i usepam",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "3240c740ae7ae2af4df344956184a898",
      "name": "5.2.1 — Ensure sudo is installed",
      "description": "Ensure sudo is installed",
      "rational": "sudo supports a plug-in architecture for security policies and input/output logging. Third \nparties can develop and distribute their own policy and I/O logging plug-ins to work \nseamlessly with the sudo front end. The default security policy is sudoers, which is \nconfigured via the file /etc/sudoers and any entries in /etc/sudoers.d. \n\nThe security policy determines what privileges, if any, a u...",
      "remediation": "Run the following command to install sudo \n\n# dnf install sudo",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "sudo",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "e24ef9d1b489ddda14c08e18e59e3e65",
      "name": "5.2.2 — Ensure sudo commands use pty",
      "description": "Ensure sudo commands use pty",
      "rational": "Attackers can run a malicious program using sudo which would fork a background \nprocess that remains even when the main program has finished executing.",
      "remediation": "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f \n<PATH TO FILE> and add the following line: \n\nDefaults use_pty \n\nEdit the file /etc/sudoers with visudo and any files in /etc/sudoers.d/ with visudo \n-f <PATH TO FILE> and remove any occurrence of !use_pty \nNote: \n\n•  sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or \ncontain a . character to avoid causing problems with package manager or editor \ntemporary/backup files. \n\n•  Files...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPi -- '^\\h*Defaults\\h+([^#\\n\\r]+,\\h*)?use_pty\\b' /etc/sudoers*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "9aa4bb489dc71faeaf8ded8417360c67",
      "name": "5.2.3 — Ensure sudo log file exists",
      "description": "Ensure sudo log file exists",
      "rational": "Defining a dedicated log file for sudo simplifies auditing of sudo commands and creation \nof auditd rules for sudo.",
      "remediation": "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f <PATH TO \nFILE> and add the following line: \n\nDefaults  logfile=\"<PATH TO CUSTOM LOG FILE>\" \n\nExample \n\nDefaults logfile=\"/var/log/sudo.log\" \n\nNotes: \n\n•  sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or \ncontain a . character to avoid causing problems with package manager or editor \ntemporary/backup files. \n\n•  Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPsi",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "a7b724d97152c10c86726abbf21f9df8",
      "name": "5.2.7 — Ensure access to the su command is restricted",
      "description": "Ensure access to the su command is restricted",
      "rational": "Restricting the use of su, and using sudo in its place, provides system administrators \nbetter control of the escalation of user privileges to execute privileged commands. The \nsudo utility also provides a better logging and audit mechanism, as it can log each \ncommand executed via sudo, whereas su can only record that a user executed the su \nprogram.",
      "remediation": "Create an empty group that will be specified for use of the su command. The group \nshould be named according to site policy. \nExample: \n\n# groupadd sugroup \n\nAdd the following line to the /etc/pam.d/su file, specifying the empty group: \n\nauth required pam_wheel.so use_uid group=sugroup",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/group",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "<group_name>"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "63787b9bd3174403089968101e5ce643",
      "name": "5.3.1.1 — Ensure latest version of pam is installed",
      "description": "Ensure latest version of pam is installed",
      "rational": "To ensure the system has full functionality and access to the options covered by this \nBenchmark, pam-1.5.1-19 or later is required",
      "remediation": "- IF - the version of PAM on the system is less than version pam-1.5.1-19: \nRun the following command to update to the latest version of PAM: \n\n# dnf upgrade pam",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "pam",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "64a5ab5d1adb644aba8d1cd95029300b",
      "name": "5.3.2.2 — Ensure pam_faillock module is enabled",
      "description": "Ensure pam_faillock module is enabled",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Run the following script to verify the pam_faillock.so lines exist in the profile \ntemplates: \n\n#!/usr/bin/env bash \n\n{ \n   l_module_name=\"faillock\" \n   l_pam_profile=\"$(head -1 /etc/authselect/authselect.conf)\" \n   if grep -Pq -- '^custom\\/' <<< \"$l_pam_profile\"; then \n      l_pam_profile_path=\"/etc/authselect/$l_pam_profile\" \n   else \n      l_pam_profile_path=\"/usr/share/authselect/default/$l_pam_profile\" \n   fi \n   grep -P -- \"\\bpam_$l_module_name\\.so\\b\" \n\"$l_pam_profile_path\"/{password,sy...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_faillock.so\\b' /etc/pam.d/{password,system}-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "585dcd19c0ccfe36909b179c09cafaee",
      "name": "5.3.2.3 — Ensure pam_pwquality module is enabled",
      "description": "Ensure pam_pwquality module is enabled",
      "rational": "Use of unique, complex passwords helps to increase the time and resources required \nto compromise the password.",
      "remediation": "Review the authselect profile templates: \nRun the following script to verify the pam_pwquality.so lines exist in the active profile \ntemplates: \n\n#!/usr/bin/env bash \n\n{ \n   l_module_name=\"pwquality\" \n   l_pam_profile=\"$(head -1 /etc/authselect/authselect.conf)\" \n   if grep -Pq -- '^custom\\/' <<< \"$l_pam_profile\"; then \n      l_pam_profile_path=\"/etc/authselect/$l_pam_profile\" \n   else \n      l_pam_profile_path=\"/usr/share/authselect/default/$l_pam_profile\" \n   fi \n   grep -P -- \"\\bpam_$l_mod...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_pwquality\\.so\\b' /etc/pam.d/{password,system}-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "2247ec25295d1cb4667695ded6656e5d",
      "name": "5.3.2.4 — Ensure pam_pwhistory module is enabled",
      "description": "Ensure pam_pwhistory module is enabled",
      "rational": "Requiring users not to reuse their passwords makes it less likely that an attacker will be \nable to guess the password or use a compromised password.",
      "remediation": "Run the following script to verify the pam_pwhistory.so lines exist in the profile \ntemplates: \n\n#!/usr/bin/env bash \n\n{ \n   l_module_name=\"pwhistory\" \n   l_pam_profile=\"$(head -1 /etc/authselect/authselect.conf)\" \n   if grep -Pq -- '^custom\\/' <<< \"$l_pam_profile\"; then \n      l_pam_profile_path=\"/etc/authselect/$l_pam_profile\" \n   else \n      l_pam_profile_path=\"/usr/share/authselect/default/$l_pam_profile\" \n   fi \n   grep -P -- \"\\bpam_$l_module_name\\.so\\b\" \n\"$l_pam_profile_path\"/{password,...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_pwhistory\\.so\\b' /etc/pam.d/{password,system}-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "6f0cf973bbaf5d5e1f5031fcf3cec583",
      "name": "5.3.2.5 — Ensure pam_unix module is enabled",
      "description": "Ensure pam_unix module is enabled",
      "rational": "Requiring users to use authentication makes it less likely that an attacker will be able to \naccess the system.",
      "remediation": "Run the following script to verify the pam_unix.so lines exist in the profile templates: \n\n#!/usr/bin/env bash \n\n{ \n   l_module_name=\"unix\" \n   l_pam_profile=\"$(head -1 /etc/authselect/authselect.conf)\" \n   if grep -Pq -- '^custom\\/' <<< \"$l_pam_profile\"; then \n      l_pam_profile_path=\"/etc/authselect/$l_pam_profile\" \n   else \n      l_pam_profile_path=\"/usr/share/authselect/default/$l_pam_profile\" \n   fi \n   grep -P -- \"\\bpam_$l_module_name\\.so\\b\" \n\"$l_pam_profile_path\"/{password,system}-aut...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_unix\\.so\\b' /etc/pam.d/{password,system}-auth",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "36320156d5b8625544cea1e45f471d1a",
      "name": "5.3.3.1.2 — Ensure password unlock time is configured",
      "description": "Ensure password unlock time is configured",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Set password unlock time to conform to site policy. unlock_time should be 0 (never), \nor 900 seconds or greater. \nEdit /etc/security/faillock.conf and update or add the following line: \n\nunlock_time = 900 \n\nRun the following script to remove the unlock_time argument from the \npam_faillock.so module in the PAM files: \n\n#!/usr/bin/env bash \n{ \n   for l_pam_file in system-auth password-auth; do \n     l_authselect_file=\"/etc/authselect/$(head -1 \n/etc/authselect/authselect.conf | grep 'custom/')/...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*unlock_time\\h*=\\h*(0|9[0-9][0-9]|[1-9][0-9]{3,})\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "f4623f453df57af620b2bcabb3339ab6",
      "name": "5.3.3.2.2 — Ensure password length is configured",
      "description": "Ensure password length is configured",
      "rational": "Strong passwords protect systems from being hacked through brute force methods.",
      "remediation": "Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ \ndirectory or the file /etc/security/pwquality.conf and add or modify the following \nline to set password length of 14 or more characters. Ensure that password length \nconforms to local site policy: \nExample: \n\n# sed -ri 's/^\\s*minlen\\s*=/# &/' /etc/security/pwquality.conf \n# printf '\\n%s' \"minlen = 14\" >> /etc/security/pwquality.conf.d/50-\npwlength.conf \n\nRun the following script to remove setting minlen on the pa...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*minlen\\h*=\\h*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "daa2666f8a3a392f2ba9102eb27955df",
      "name": "5.3.3.4.1 — Ensure pam_unix does not include nullok",
      "description": "Ensure pam_unix does not include nullok",
      "rational": "Using a strong password is essential to helping protect personal and sensitive \ninformation from unauthorized access",
      "remediation": "Run the following script to verify that the active authselect profile's system-auth and \npassword-auth files include {if not \"without-nullok\":nullok} - OR - don't \ninclude the nullok option on the pam_unix.so module: \n\n{ \n   l_module_name=\"unix\" \n   l_profile_name=\"$(head -1 /etc/authselect/authselect.conf)\" \n   if [[ ! \"$l_profile_name\" =~ ^custom\\/ ]]; then \n      echo \" - Follow Recommendation \\\"Ensure custom authselect profile is \nused\\\" and then return to this Recommendation\" \n   else...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "41b32d5ba9ca7fd71f6c2c91d4352774",
      "name": "5.3.3.4.4 — Ensure pam_unix includes use_authtok",
      "description": "Ensure pam_unix includes use_authtok",
      "rational": "use_authtok allows multiple pam modules to confirm a new password before it is \naccepted.",
      "remediation": "Run the following script to verify the active authselect profile includes use_authtok on \nthe password stack's pam_unix.so module lines: \n\n#!/usr/bin/env bash \n\n{ \n   l_pam_profile=\"$(head -1 /etc/authselect/authselect.conf)\" \n   if grep -Pq -- '^custom\\/' <<< \"$l_pam_profile\"; then \n      l_pam_profile_path=\"/etc/authselect/$l_pam_profile\" \n   else \n      l_pam_profile_path=\"/usr/share/authselect/default/$l_pam_profile\" \n   fi \n   grep -P -- \n'^\\h*password\\h+(requisite|required|sufficient)\\h...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "c72ea23c36fe240e572f3f888d57db4e",
      "name": "5.4.1.1 — Ensure password expiration is configured",
      "description": "Ensure password expiration is configured",
      "rational": "The window of opportunity for an attacker to leverage compromised credentials or \nsuccessfully compromise credentials via an online brute force attack is limited by the \nage of the password. Therefore, reducing the maximum age of a password also reduces \nan attacker's window of opportunity. \n\nWe recommend a yearly password change. This is primarily because for all their good \nintentions users w...",
      "remediation": "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : \n\nPASS_MAX_DAYS 365 \n\nModify user parameters for all users with a password set to match: \n\n# chage --maxdays 365 <user> \n\nEdit /etc/login.defs and set PASS_MAX_DAYS to a value greater than 0 that follows \nlocal site policy: \nExample: \n\nPASS_MAX_DAYS 365 \n\nRun the following command to modify user parameters for all users with a password set \nto a maximum age no greater than 365 or less than 1 that follows local site...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*PASS_MAX_DAYS\\h+\\d+\\b' /etc/login.defs",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "eaf735136387fc86d48d07faee82e795",
      "name": "5.4.1.5 — Ensure inactive password lock is configured",
      "description": "Ensure inactive password lock is configured",
      "rational": "Inactive accounts pose a threat to system security since the users are not logging in to \nnotice failed login attempts or other anomalies.",
      "remediation": "Run the following command to set the default password inactivity period to 45 days or \nless that meets local site policy: \n\n# useradd -D -f <N> \n\nExample: \n\n# useradd -D -f 45 \n\nRun the following command to modify user parameters for all users with a password set \nto an inactive age of 45 days or less that follows local site policy: \n\n# chage --inactive <N> <user> \n\nExample: \n\n# awk -F: '($2~/^\\$.+\\$/) {if($7 > 45 || $7 < 0)system (\"chage --inactive 45 \n\" $1)}' /etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "useradd -D | grep INACTIVE",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "447bc2e967be5c100d26faed815f7d5b",
      "name": "5.4.2.1 — Ensure root is the only UID 0 account",
      "description": "Ensure root is the only UID 0 account",
      "rational": "This access must be limited to only the default root account and only from the system \nconsole. Administrative access must be through an unprivileged account using an \napproved mechanism as noted in the Recommendation \"Ensure access to the su \ncommand is restricted\".",
      "remediation": "Run the following command to change the root account UID to 0: \n\n# usermod -u 0 root \n\nModify any users other than root with UID 0 and assign them a new UID.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($3 == 0) { print $1 }' /etc/passwd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "2a5f6f6fba487e44027d28a60373ea84",
      "name": "5.4.2.2 — Ensure root is the only GID 0 account",
      "description": "Ensure root is the only GID 0 account",
      "rational": "Using GID 0 for the root account helps prevent root-owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root user's GID to 0: \n\n# usermod -g 0 root \n\nRun the following command to set the root group's GID to 0: \n\n# groupmod -g 0 root \n\nRemove any users other than the root user with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "c717ce5726ab146c19f0f42b6b8a4eaa",
      "name": "5.4.2.3 — Ensure group root is the only GID 0 group",
      "description": "Ensure group root is the only GID 0 group",
      "rational": "Using GID 0 for the root group helps prevent root group owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root group's GID to 0: \n\n# groupmod -g 0 root \n\nRemove any groups other than the root group with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '$3==\"0\"{print $1\":\"$3}' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "c1dd93b29a4710005b28472a465f825e",
      "name": "5.4.2.4 — Ensure root account access is controlled",
      "description": "Ensure root account access is controlled",
      "rational": "Access to root should be secured at all times.",
      "remediation": "Run the following command to set a password for the root user: \n\n# passwd root \n\n- OR - \nRun the following command to lock the root user account: \n\n# usermod -L root",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "passwd -S root | awk '$2 ~ /^P/ {print \"User: \\\"\" $1 \"\\\" Password is set\"}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "8716cdb44ad36f9410fafd01f028ca88",
      "name": "5.4.2.5 — Ensure root path integrity",
      "description": "Ensure root path integrity",
      "rational": "Including the current working directory (.) or other writable directory in root's \nexecutable path makes it likely that an attacker can gain superuser access by forcing an \nadministrator operating as root to execute a Trojan horse program.",
      "remediation": "Correct or justify any: \n\n•  Locations that are not directories \n•  Empty directories (::) \n•  Trailing (:) \n•  Current working directory (.) \n•  Non root owned directories \n•  Directories that are less restrictive than mode 0755",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "a295dc198567434ccfdbefe4f4c56115",
      "name": "5.4.3.1 — Ensure nologin is not listed in /etc/shells",
      "description": "Ensure nologin is not listed in /etc/shells",
      "rational": "A user can use chsh to change their configured shell. \n\nIf a user has a shell configured that isn't in /etc/shells, then the system assumes \nthat they're somehow restricted. In the case of chsh it means that the user cannot \nchange that value. \n\nOther programs might query that list and apply similar restrictions. \n\nBy putting nologin in /etc/shells, any user that has nologin as its shell is...",
      "remediation": "Edit /etc/shells and remove any lines that include nologin",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/shells",
          "selement": "CONTENT",
          "condition": "NOT CONTAINS",
          "sinput": "^\\h*([^#\\n\\r]+)?\\/nologin\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "59957f311f5369d59a224087f4456e9c",
      "name": "5.4.3.3 — Ensure default user umask is configured",
      "description": "Ensure default user umask is configured",
      "rational": "Setting a secure default value for umask ensures that users make a conscious choice \nabout their file permissions. A permissive umask value could result in directories or files \nwith excessive permissions that can be read and/or written to by unauthorized users.",
      "remediation": "Run the following script and perform the instructions in the output to set the default \numask to 027 or more restrictive: \n\n#!/usr/bin/env bash \n\n{ \n   l_output=\"\" l_output2=\"\" l_out=\"\" \n   file_umask_chk() \n   { \n      if grep -Psiq -- '^\\h*umask\\h+(0?[0-7][2-\n7]7|u(=[rwx]{0,3}),g=([rx]{0,2}),o=)(\\h*#.*)?$' \"$l_file\"; then \n         l_out=\"$l_out\\n - umask is set correctly in \\\"$l_file\\\"\" \n      elif grep -Psiq -- '^\\h*umask\\h+(([0-7][0-7][01][0-7]\\b|[0-7][0-7][0-\n7][0-6]\\b)|([0-7][01][0-7]\\...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d514e9bb7a91dbd3ed97a5cd56848a3d",
      "name": "6.1.1 — Ensure AIDE is installed",
      "description": "Ensure AIDE is installed",
      "rational": "By monitoring the filesystem state compromised files can be detected to prevent or limit \nthe exposure of accidental or malicious misconfigurations or modified binaries.",
      "remediation": "Run the following command to install aide: \n\n# dnf install aide \n\nConfigure aide as appropriate for your environment. Consult the aide documentation \nfor options. \nInitialize aide: \nRun the following commands: \n\n# aide --init \n# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "aide",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "637cf518c8f4d4959e8d600bf9c656a1",
      "name": "6.1.2 — Ensure filesystem integrity is regularly checked",
      "description": "Ensure filesystem integrity is regularly checked",
      "rational": "Periodic file checking allows the system administrator to determine on a regular basis if \ncritical files have been changed in an unauthorized fashion.",
      "remediation": "- IF - cron will be used to schedule and run aide check \nRun the following command: \n\n# crontab -u root -e \n\nAdd the following line to the crontab: \n\n0 5 * * * /usr/sbin/aide --check \n\n- OR - \n- IF - aidecheck.service and aidecheck.timer will be used to schedule and run aide \ncheck: \nCreate or edit the file /etc/systemd/system/aidecheck.service and add the \nfollowing lines: \n\n[Unit] \nDescription=Aide Check \n\n[Service] \nType=simple \nExecStart=/usr/sbin/aide --check \n\n[Install] \nWantedBy=multi-...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "aidecheck",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "73fb59f6a576f87efb3523b960283cd5",
      "name": "6.2.1.1 — Ensure journald service is enabled and active",
      "description": "Ensure journald service is enabled and active",
      "rational": "If the systemd-journald service is not enabled to start on boot, the system will not \ncapture logging events.",
      "remediation": "Run the following commands to unmask and start systemd-journald.service \n\n# systemctl unmask systemd-journald.service \n# systemctl start systemd-journald.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "systemd-journald",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "3588a31db5d9ed97b84e296d3cc91011",
      "name": "6.2.1.4 — Ensure only one logging system is in use",
      "description": "Ensure only one logging system is in use",
      "rational": "Configuring only one logging service either rsyslog - OR - journald avoids \nredundancy, optimizes resources, simplifies configuration and management, and \nensures consistency.",
      "remediation": "1.  Determine whether to use journald - OR - rsyslog depending on site needs \n2.  Configure systemd-journald.service \n3.  Configure only ONE either journald - OR - rsyslog and complete the \n\nrecommendations in that subsection \n\n4.  Return to this recommendation to ensure only one logging system is in use",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "--quiet",
          "selement": "ACTIVE",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "37171a6eddf8683971397b4b5c6c7cd9",
      "name": "6.2.2.1.1 — Ensure systemd-journal-remote is installed",
      "description": "Ensure systemd-journal-remote is installed",
      "rational": "Storing log data on a remote host protects log integrity from local attacks. If an attacker \ngains root access on the local system, they could tamper with or remove log data that is \nstored on the local system. \n\nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "Run the following command to install systemd-journal-remote: \n\n# dnf install systemd-journal-remote",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "systemd-journal-remote",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d22eee490c0922084d32e3fc69ef1294",
      "name": "6.2.2.2 — Ensure journald ForwardToSyslog is disabled",
      "description": "Ensure journald ForwardToSyslog is disabled",
      "rational": "- IF - journald is the method for capturing logs, all logs of the system should be \nhandled by journald and not forwarded to other logging mechanisms. \n\nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "- IF - rsyslog is the preferred method for capturing logs, this section and \nRecommendation should be skipped and the \"Configure rsyslog\" section followed. \n- IF - journald is the preferred method for capturing logs: \nSet the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in \n.conf: \n\nForwardToSyslog=no \n\nExample: \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir \n/etc/systemd/journald.c...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemd-analyze cat-config systemd/journald.conf systemd/journald.conf.d/*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "e5460a19ecd5c9debbac6ba4085079ae",
      "name": "6.2.2.3 — Ensure journald Compress is configured",
      "description": "Ensure journald Compress is configured",
      "rational": "Uncompressed large files may unexpectedly fill a filesystem leading to resource \nunavailability. Compressing logs prior to write can prevent sudden, unexpected \nfilesystem impacts. \n\nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "Set the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending \nin .conf: \n\nCompress=yes \n\nExample: \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir \n/etc/systemd/journald.conf.d/ \n   if grep -Psq -- '^\\h*\\[Journal\\]' /etc/systemd/journald.conf.d/60-\njournald.conf; then \n      printf '%s\\n' \"Compress=yes\" >> /etc/systemd/journald.conf.d/60-\njournald.conf \n   else \n      printf '%s\\n' \"[Journal]...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemd-analyze cat-config systemd/journald.conf systemd/journald.conf.d/*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "3f1a1022aef9eb631330bafc3430fa2d",
      "name": "6.2.2.4 — Ensure journald Storage is configured",
      "description": "Ensure journald Storage is configured",
      "rational": "Writing log data to disk will provide the ability to forensically reconstruct events which \nmay have impacted the operations or security of a system even after a system crash or \nreboot. \n\nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "Set the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending \nin .conf: \n\nStorage=persistent \n\nExample: \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir \n/etc/systemd/journald.conf.d/ \n   if grep -Psq -- '^\\h*\\[Journal\\]' /etc/systemd/journald.conf.d/60-\njournald.conf; then \n      printf '%s\\n' \"Storage=persistent\" >> /etc/systemd/journald.conf.d/60-\njournald.conf \n   else \n      printf '%s\\n...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemd-analyze cat-config systemd/journald.conf systemd/journald.conf.d/*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "564b1680c26ecd82f56e0a4baf13aeaf",
      "name": "6.2.3.1 — Ensure rsyslog is installed",
      "description": "Ensure rsyslog is installed",
      "rational": "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) \ntransmission of logs, the option to log to database formats, and the encryption of log \ndata en route to a central logging server) justify installing and configuring the package. \n\nNote: This recommendation only applies if rsyslog is the chosen method for client side \nlogging. Do not apply this recommendation if journa...",
      "remediation": "Run the following command to install rsyslog: \n\n# dnf install rsyslog",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsyslog",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "43b6ff8830f95b05eb7cb92a132a1341",
      "name": "6.2.3.2 — Ensure rsyslog service is enabled and active",
      "description": "Ensure rsyslog service is enabled and active",
      "rational": "If the rsyslog service is not enabled to start on boot, the system will not capture \nlogging events. \n\nNote: This recommendation only applies if rsyslog is the chosen method for client side \nlogging. Do not apply this recommendation if journald is used.",
      "remediation": "- IF - rsyslog is being used for logging on the system: \nRun the following commands to unmask, enable, and start rsyslog.service: \n\n# systemctl unmask rsyslog.service \n# systemctl enable rsyslog.service \n# systemctl start rsyslog.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "rsyslog",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "cb8fb93efc3d20f4520477573d43fb78",
      "name": "6.3.4.9 — Ensure audit tools owner is configured",
      "description": "Ensure audit tools owner is configured",
      "rational": "Protecting audit information includes identifying and protecting the tools used to view \nand manipulate log data. Protecting audit tools is necessary to prevent unauthorized \noperation on audit information.",
      "remediation": "Run the following command to change the owner of the audit tools to the root user: \n\n# chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace \n/sbin/auditd /sbin/augenrules",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc \"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d343676b10cad21c68d8170dd1d961b6",
      "name": "7.2.4 — Ensure no duplicate UIDs exist",
      "description": "Ensure no duplicate UIDs exist",
      "rational": "Users must be assigned unique UIDs for accountability and to ensure appropriate \naccess protections.",
      "remediation": "Based on the results of the audit script, establish unique UIDs and review all files owned \nby the shared UIDs to determine which UID they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "c0a9d3ce2044b1913a097e811661b5fc",
      "name": "7.2.5 — Ensure no duplicate GIDs exist",
      "description": "Ensure no duplicate GIDs exist",
      "rational": "User groups must be assigned unique GIDs for accountability and to ensure appropriate \naccess protections.",
      "remediation": "Based on the results of the audit script, establish unique GIDs and review all files \nowned by the shared GID to determine which group they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "d0143c2db374f90fd5a0084afd5816e0",
      "name": "7.2.6 — Ensure no duplicate user names exist",
      "description": "Ensure no duplicate user names exist",
      "rational": "If a user is assigned a duplicate user name, it will create and have access to files with \nthe first UID for that username in /etc/passwd . For example, if \"test4\" has a UID of \n1000 and a subsequent \"test4\" entry has a UID of 2000, logging in as \"test4\" will use \nUID 1000. Effectively, the UID is shared, which is a security problem.",
      "remediation": "Based on the results of the audit script, establish unique user names for the users. File \nownerships will automatically reflect the change as long as the users have unique UIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    },
    {
      "external_id": "50571475e2f55813071255deb3540eec",
      "name": "7.2.7 — Ensure no duplicate group names exist",
      "description": "Ensure no duplicate group names exist",
      "rational": "If a group is assigned a duplicate group name, it will create and have access to files \nwith the first GID for that group in /etc/group . Effectively, the GID is shared, which is \na security problem.",
      "remediation": "Based on the results of the audit script, establish unique names for the user groups. File \ngroup ownerships will automatically reflect the change as long as the groups have \nunique GIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Red Hat"
        }
      ]
    }
  ]
}
