contains 8 rules |
System Settings
Contains rules that check correct system settings.
contains 8 rules |
Installing and Maintaining Software
The following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.
contains 2 rules |
Sudo, which stands for "su 'do'", provides the ability to delegate authority
to certain users, groups of users, or system administrators. When configured for system
users and/or groups, Sudo can allow a user or group to execute privileged commands
that normally only root is allowed to execute.
For more information on Sudo and additional Sudo configuration options, see
https://www.sudo.ws
|
contains 2 rules |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
The sudo NOPASSWD tag, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
NOPASSWD tag does not exist in the /etc/sudoers configuration file or
in any sudo configuration snippets in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
|
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in the /etc/sudoers configuration file or
in any sudo configuration snippets in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
|
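The two sudo rules above are shown without a check script. As an added example (not part of this guide or of the content it renders), the bash function below lists active sudoers lines that carry NOPASSWD or !authenticate. The names find_sudo_noauth and make_sample_tree and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): list active sudoers lines that carry
# NOPASSWD or !authenticate. The sample files below are constructed.

# find_sudo_noauth PATH... -> prints file:line:text per hit; returns 1 if any hit.
find_sudo_noauth() {
    local target out found=0
    for target in "$@"; do
        [ -e "$target" ] || continue
        # Scans every regular file, including names sudo itself would skip.
        out=$(find "$target" -type f -exec awk '
            {
                line = $0
                # Drop comments; "#<digits>" is a uid/gid in sudoers, so keep it.
                sub(/#([^0-9].*)?$/, "", line)
                if (line ~ /NOPASSWD[ \t]*:/ || line ~ /!authenticate/)
                    printf "%s:%d:%s\n", FILENAME, FNR, $0
            }' {} +)
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            found=1
        fi
    done
    return "$found"
}

# Build a constructed sudoers tree so the check can be exercised offline.
make_sample_tree() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/sudoers.d"
    cat > "$dir/sudoers" <<'EOF'
# %wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
Defaults !authenticate   # constructed finding
EOF
    cat > "$dir/sudoers.d/deploy" <<'EOF'
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
#1001 ALL=(ALL) NOPASSWD : ALL
EOF
    printf 'backup ALL=(root) /usr/bin/rsync\n' > "$dir/sudoers.d/clean"
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
find_sudo_noauth "$sample/sudoers" "$sample/sudoers.d" || echo "re-authentication bypass found"
rm -rf "$sample"
```

On a real system the call would be find_sudo_noauth /etc/sudoers /etc/sudoers.d, run as root so that both locations are readable.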
File Permissions and Masks
Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable PART appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for PART in turn.
The following command prints a list of all xfs partitions on the local
system, which is the default filesystem for Red Hat Enterprise Linux
7 installations:
$ mount -t xfs | awk '{print $3}'
For any systems that use a different
local filesystem type, modify this command as appropriate.
|
contains 4 rules |
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen.
contains 4 rules |
Verify Permissions on Files with Local Account Information and Credentials
The default restrictive permissions for files which act as
important security databases such as passwd, shadow,
group, and gshadow files must be maintained. Many utilities
need read access to the passwd file in order to function properly, but
read access to the shadow file allows malicious attacks against system
passwords, and should never be enabled.
contains 4 rules |
Verify Permissions on shadow File
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
Rationale: The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.
Remediation Shell script:
Complexity: low
Disruption: low
Strategy: configure
chmod 0000 /etc/shadow
Remediation Ansible snippet:
Complexity: low
Disruption: low
Strategy: configure
- name: Ensure permission 0000 on /etc/shadow
  file:
    path="{{item}}"
    mode=0000
  with_items:
    - /etc/shadow
  tags:
    - file_permissions_etc_shadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27100-7
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2
|
Verify Permissions on group File
To properly set the permissions of /etc/group, run the command:
$ sudo chmod 644 /etc/group
Rationale: The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.
Remediation Shell script:
Complexity: low
Disruption: low
Strategy: configure
chmod 0644 /etc/group
Remediation Ansible snippet:
Complexity: low
Disruption: low
Strategy: configure
- name: Find /etc/group file(s)
  find:
    paths: "{{ '/etc/group' | dirname }}"
    patterns: "{{ '/etc/group' | basename }}"
  register: files_found
  tags:
    - file_permissions_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26949-8
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2
- name: Set permissions
  file:
    path: "{{ item.path }}"
    mode: 0644
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_etc_group
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26949-8
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2
|
Verify Permissions on gshadow File
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
Rationale: The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.
Identifiers: CCE-27162-7
References: AC-6, 6.1.5
Remediation Shell script:
Complexity: low
Disruption: low
Strategy: configure
chmod 0000 /etc/gshadow
Remediation Ansible snippet:
Complexity: low
Disruption: low
Strategy: configure
- name: Find /etc/gshadow file(s)
  find:
    paths: "{{ '/etc/gshadow' | dirname }}"
    patterns: "{{ '/etc/gshadow' | basename }}"
  register: files_found
  tags:
    - file_permissions_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27162-7
    - NIST-800-53-AC-6
- name: Set permissions
  file:
    path: "{{ item.path }}"
    mode: 0000
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_etc_gshadow
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-27162-7
    - NIST-800-53-AC-6
|
Verify Permissions on passwd File
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
Rationale: If the /etc/passwd file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security.
Remediation Shell script:
Complexity: low
Disruption: low
Strategy: configure
chmod 0644 /etc/passwd
Remediation Ansible snippet:
Complexity: low
Disruption: low
Strategy: configure
- name: Find /etc/passwd file(s)
  find:
    paths: "{{ '/etc/passwd' | dirname }}"
    patterns: "{{ '/etc/passwd' | basename }}"
  register: files_found
  tags:
    - file_permissions_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26887-0
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2
- name: Set permissions
  file:
    path: "{{ item.path }}"
    mode: 0644
  with_items:
    - "{{ files_found.files }}"
  tags:
    - file_permissions_etc_passwd
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - CCE-26887-0
    - NIST-800-53-AC-6
    - PCI-DSS-Req-8.7.c
    - CJIS-5.5.2.2
|
Configure Syslog
The syslog service has been the default Unix logging mechanism for
many years. It has a number of downsides, including inconsistent log format,
lack of authentication for received messages, and lack of authentication,
encryption, or reliable transport for messages sent over a network. However,
due to its long history, syslog is a de facto standard which is supported by
almost all Unix applications.
In Red Hat Enterprise Linux 7, rsyslog has replaced ksyslogd as the
syslog daemon of choice, and it includes some additional security features
such as reliable, connection-oriented (i.e. TCP) transmission of logs, the
option to log to database formats, and the encryption of log data en route to
a central logging server.
This section discusses how to configure rsyslog for
best effect, and how to use tools provided with the system to maintain and
monitor logs.
contains 2 rules |
Ensure rsyslog is Installed
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog
Rationale:
The rsyslog package provides the rsyslog daemon, which provides
system logging services.
Remediation Shell script:
Complexity: low
Disruption: low
Strategy: enable
# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {
    # Load function arguments into local variables
    local package_operation=$1
    local package=$2
    # Check sanity of the input
    if [ $# -ne "2" ]
    then
        echo "Usage: package_command 'install/remove' 'rpm_package_name'"
        echo "Aborting."
        exit 1
    fi
    # If dnf is installed, use dnf; otherwise, use yum
    if [ -f "/usr/bin/dnf" ] ; then
        install_util="/usr/bin/dnf"
    else
        install_util="/usr/bin/yum"
    fi
    if [ "$package_operation" != 'remove' ] ; then
        # If the rpm is not installed, install the rpm
        if ! /bin/rpm -q --quiet "$package"; then
            $install_util -y "$package_operation" "$package"
        fi
    else
        # If the rpm is installed, uninstall the rpm
        if /bin/rpm -q --quiet "$package"; then
            $install_util -y "$package_operation" "$package"
        fi
    fi
}
package_command install rsyslog
Remediation Ansible snippet:
Complexity: low
Disruption: low
Strategy: enable
- name: Ensure rsyslog is installed
  package:
    name="{{item}}"
    state=present
  with_items:
    - rsyslog
  tags:
    - package_rsyslog_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80187-8
    - NIST-800-53-AU-9(2)
Remediation Puppet snippet:
Complexity: low
Disruption: low
Strategy: enable
include install_rsyslog
class install_rsyslog {
  package { 'rsyslog':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
Complexity: low
Disruption: low
Strategy: enable
package --add=rsyslog
|
Enable rsyslog Service
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
Rationale: The rsyslog service must be running in order to provide
logging services, which are essential to system administration.
Identifiers: CCE-80188-6
References: AU-4(1), AU-12, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.2.1.1, NT28(R5), NT28(R46), 164.312(a)(2)(ii), A.12.3.1
Remediation Shell script:
Complexity: low
Disruption: low
Strategy: enable
# Function to enable/disable and start/stop services on RHEL and Fedora systems.
#
# Example Call(s):
#
#     service_command enable bluetooth
#     service_command disable bluetooth.service
#
# Using xinetd:
#     service_command disable rsh.socket xinetd=rsh
#
function service_command {
    # Load function arguments into local variables
    local service_state=$1
    local service=$2
    local xinetd=$(echo $3 | cut -d'=' -f2)
    # Check sanity of the input
    if [ $# -lt "2" ]
    then
        echo "Usage: service_command 'enable/disable' 'service_name.service'"
        echo
        echo "To enable or disable xinetd services add 'xinetd=service_name'"
        echo "as the last argument"
        echo "Aborting."
        exit 1
    fi
    # If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands
    if [ -f "/usr/bin/systemctl" ] ; then
        service_util="/usr/bin/systemctl"
    else
        service_util="/sbin/service"
        chkconfig_util="/sbin/chkconfig"
    fi
    # If disable is not specified in arg1, set variables to enable services.
    # Otherwise, variables are to be set to disable services.
    if [ "$service_state" != 'disable' ] ; then
        service_state="enable"
        service_operation="start"
        chkconfig_state="on"
    else
        service_state="disable"
        service_operation="stop"
        chkconfig_state="off"
    fi
    # If chkconfig_util is not empty, use chkconfig/service commands.
    if ! [ "x$chkconfig_util" = x ] ; then
        $service_util "$service" $service_operation
        $chkconfig_util --level 0123456 "$service" $chkconfig_state
    else
        $service_util $service_operation "$service"
        $service_util $service_state "$service"
    fi
    # Test if local variable xinetd is empty using non-bashism.
    # If empty, then xinetd is not being used.
    if ! [ "x$xinetd" = x ] ; then
        # Key off the requested state (enable/disable); service_operation only
        # ever holds start/stop, so testing it here always wrote "disable = yes".
        grep -qi disable "/etc/xinetd.d/$xinetd" && \
        if [ "$service_state" != 'disable' ] ; then
            sed -i "s/disable.*/disable = no/gI" "/etc/xinetd.d/$xinetd"
        else
            sed -i "s/disable.*/disable = yes/gI" "/etc/xinetd.d/$xinetd"
        fi
    fi
}
service_command enable rsyslog
Remediation Ansible snippet:
Complexity: low
Disruption: low
Strategy: enable
- name: Enable service rsyslog
  service:
    name="{{item}}"
    enabled="yes"
    state="started"
  with_items:
    - rsyslog
  tags:
    - service_rsyslog_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80188-6
    - NIST-800-53-AU-4(1)
    - NIST-800-53-AU-12
|