Reference (cui) | Rule Title | Description | Rationale | Variable Setting |
3.13.16 | Encrypt Partitions |
Red Hat Enterprise Linux 7 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASEAny PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Documentation web site: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html |
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. | |
3.4.8 | Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them), the Red Hat GPG key must properly be installed.
To install the Red Hat GPG key, run:
$ sudo subscription-manager registerIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom , use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY |
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. | |
3.4.8 | Ensure gpgcheck Enabled For All Yum Package Repositories | To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). | |
3.13.11 | Disable Prelinking |
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink :
PRELINKING=noNext, run the following command to return binaries to a normal, non-prelinked state: $ sudo /usr/sbin/prelink -ua |
Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc. | |
3.13.11 | Install the dracut-fips Package |
To enable FIPS, the system requires that the dracut-fips
package be installed.
The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. | |
3.13.8 | Install the dracut-fips Package |
To enable FIPS, the system requires that the dracut-fips
package be installed.
The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. | |
3.1.8 | Set the GNOME3 Login Number of Failures | In the default graphical environment, the GNOME3 login
screen and be configured to restart the authentication process after
a configured number of attempts. This can be configured by setting
allowed-failures to 3 or less.
To enable, add or edit allowed-failures to
/etc/dconf/db/gdm.d/00-security-settings . For example:
[org/gnome/login-screen] allowed-failures=3Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/allowed-failuresAfter the settings have been set, run dconf update .
|
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. | |
3.1.10 | Implement Blank Screensaver |
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/desktop/screensaver] picture-uri=string ''Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uriAfter the settings have been set, run dconf update .
|
Setting the screensaver mode to blank-only conceals the contents of the display from passersby. | |
3.1.5 | Disable User Administration in GNOME3 |
By default, GNOME will allow all users to have some administratrion
capability. This should be disabled so that non-administrative users are not making
configuration changes. To configure the system to disable user administration
capability in the Graphical User Interface (GUI), add or set
user-administration-disabled to true in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/desktop/lockdown] user-administration-disabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/lockdown/user-administration-disabledAfter the settings have been set, run dconf update .
|
Allowing all users to have some administratrive capabilities to the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes as well as a nefarious user the capability to make system changes such as adding new accounts, etc. | |
3.1.16 | Disable WIFI Network Connection Creation in GNOME3 |
GNOME allows users to create ad-hoc wireless connections through the
NetworkManager applet. Wireless connections should be disabled by
adding or setting disable-wifi-create to true in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/nm-applet] disable-wifi-create=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/nm-applet/disable-wifi-createAfter the settings have been set, run dconf update .
|
Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. | |
3.1.16 | Disable WIFI Network Notification in GNOME3 |
By default, GNOME disables WIFI notification. This should be permanently set
so that users do not connect to a wireless network when the system finds one.
While useful for mobile devices, this setting should be disabled for all other systems.
To configure the system to disable the WIFI notication, add or set
suppress-wireless-networks-available to true in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/nm-applet] suppress-wireless-networks-available=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/nm-applet/suppress-wireless-networks-availableAfter the settings have been set, run dconf update .
|
Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. | |
3.1.12 | Require Credential Prompting for Remote Access in GNOME3 |
By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/Vino] authentication-methods=['vnc']Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/authentication-methodsAfter the settings have been set, run dconf update .
|
Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely. | |
3.1.7 | Disable GNOME3 Automounting | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3, add or set
automount to false , automount-open to false , and
autorun-never to true in /etc/dconf/db/local.d/00-security-settings .
For example:
[org/gnome/desktop/media-handling] automount=false automount-open=false autorun-never=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount /org/gnome/desktop/media-handling/automount-open /org/gnome/desktop/media-handling/autorun-neverAfter the settings have been set, run dconf update .
|
Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. | |
3.4.6 | Disable Mounting of cramfs |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install cramfs /bin/trueThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | |
3.4.6 | Disable Mounting of freevxfs |
To configure the system to prevent the freevxfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install freevxfs /bin/trueThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | |
3.4.6 | Disable Mounting of jffs2 |
To configure the system to prevent the jffs2
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install jffs2 /bin/trueThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | |
3.4.6 | Disable Mounting of hfs |
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install hfs /bin/trueThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | |
3.4.6 | Disable Mounting of hfsplus |
To configure the system to prevent the hfsplus
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install hfsplus /bin/trueThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | |
3.4.6 | Disable Mounting of squashfs |
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install squashfs /bin/trueThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | |
3.4.6 | Disable Mounting of udf |
To configure the system to prevent the udf
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install udf /bin/trueThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | |
3.1.7 | Enable ExecShield | By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield
is enabled and can only be disabled if the hardware does not support ExecShield
or is disabled in /etc/default/grub . For Red Hat Enterprise Linux 7
32-bit systems, sysctl can be used to enable ExecShield. |
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. | |
3.1.7 | Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the kernel.randomize_va_space kernel parameter,
run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2If this is not the system's default value, add the following line to /etc/sysctl.conf :
kernel.randomize_va_space = 2 |
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. | |
3.1.7 | Install PAE Kernel on Supported 32-bit x86 Systems | Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support:
$ sudo yum install kernel-PAEThe installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/default/grub if necessary. |
On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support. | |
3.1.7 | Enable NX or XD Support in the BIOS | Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. | |
3.1.5 | Restrict Access to Kernel Message Buffer |
To set the runtime status of the kernel.dmesg_restrict kernel parameter,
run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
kernel.dmesg_restrict = 1 |
Unprivileged access to the kernel syslog can expose sensitive kernel address information. | |
3.1.2 | Ensure SELinux Not Disabled in /etc/default/grub | SELinux can be disabled at boot time by an argument in
/etc/default/grub .
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
|
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. | |
3.7.2 | Ensure SELinux Not Disabled in /etc/default/grub | SELinux can be disabled at boot time by an argument in
/etc/default/grub .
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
|
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. | |
3.1.2 | Ensure No Daemons are Unconfined by SELinux |
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the initrc_t context.
To check for unconfined daemons, run the following command: $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'It should produce no output in a well-configured system. |
Daemons which run with the initrc_t context may cause AVC denials,
or allow privileges that the daemon does not require.
|
|
3.1.5 | Ensure No Daemons are Unconfined by SELinux |
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the initrc_t context.
To check for unconfined daemons, run the following command: $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'It should produce no output in a well-configured system. |
Daemons which run with the initrc_t context may cause AVC denials,
or allow privileges that the daemon does not require.
|
|
3.7.2 | Ensure No Daemons are Unconfined by SELinux |
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the initrc_t context.
To check for unconfined daemons, run the following command: $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'It should produce no output in a well-configured system. |
Daemons which run with the initrc_t context may cause AVC denials,
or allow privileges that the daemon does not require.
|
|
3.1.1 | Direct root Logins Not Allowed | To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to the system as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enteprise Linux's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent root from logging in, remove the
contents of this file. To prevent direct root logins, remove the contents of this
file by typing the following command:
$ sudo echo > /etc/securetty |
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. | |
3.1.6 | Direct root Logins Not Allowed | To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to the system as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enteprise Linux's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent root from logging in, remove the
contents of this file. To prevent direct root logins, remove the contents of this
file by typing the following command:
$ sudo echo > /etc/securetty |
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. | |
3.1.1 | Restrict Virtual Console Root Logins |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty :
vc/1 vc/2 vc/3 vc/4 |
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. | |
3.1.5 | Restrict Virtual Console Root Logins |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty :
vc/1 vc/2 vc/3 vc/4 |
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. | |
3.1.1 | Restrict Serial Port Root Logins | To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty :
ttyS0 ttyS1 |
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. | |
3.1.5 | Restrict Serial Port Root Logins | To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty :
ttyS0 ttyS1 |
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. | |
3.5.10 | Verify All Account Password Hashes are Shadowed |
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x or * ), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
|
The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd ,
which is readable by all users.
|
|
3.5.7 | Set Password Minimum Length in login.defs | To specify password length requirements for new accounts,
edit the file /etc/login.defs and add or correct the following
line:
PASS_MIN_LEN The DoD requirement is 15 .
The FISMA requirement is 12 .
The profile requirement is .
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality ) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
|
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. | |
3.5.8 | Set Password Warning Age | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGEThe DoD requirement is 7. The profile requirement is .
|
Setting the password warning age enables users to make the change at a practical time. | |
3.4.5 | Verify /boot/grub2/grub.cfg User Ownership | The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg , run the command:
$ sudo chown root /boot/grub2/grub.cfg |
Only root should be able to modify important boot parameters. | |
3.4.5 | Verify /boot/grub2/grub.cfg Group Ownership | The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg , run the command:
$ sudo chgrp root /boot/grub2/grub.cfg |
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
|
|
3.4.5 | Verify /boot/grub2/grub.cfg Permissions | File permissions for /boot/grub2/grub.cfg should be set to 600.
To properly set the permissions of /boot/grub2/grub.cfg , run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg |
Proper permissions ensure that only the root user can modify important boot parameters. | |
3.4.5 | Verify /boot/efi/EFI/redhat/grub.cfg User Ownership | The file /boot/efi/EFI/redhat/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/efi/EFI/redhat/grub.cfg , run the command:
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg |
Only root should be able to modify important boot parameters. | |
3.4.5 | Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership | The file /boot/efi/EFI/redhat/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg , run the command:
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg |
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
|
|
3.4.5 | Verify /boot/efi/EFI/redhat/grub.cfg Permissions | File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 600.
To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg , run the command:
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg |
Proper permissions ensure that only the root user can modify important boot parameters. | |
3.1.1 | Require Authentication for Single User Mode | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service .
|
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | |
3.4.5 | Require Authentication for Single User Mode | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service .
|
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | |
3.4.5 | Disable debug-shell SystemD Service | SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9 . The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is disabled.
The debug-shell service can be disabled with the following command:
$ sudo systemctl disable debug-shell.service |
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. | |
3.1.2 | Verify that Interactive Boot is Disabled |
Red Hat Enterprise Linux systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 7
system, interactive boot can be enabled by providing a 1 ,
yes , true , or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub .
Remove any instance of systemd.confirm_spawn=(1|yes|true|on)from the kernel arguments in that file to disable interactive boot. |
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. | |
3.4.5 | Verify that Interactive Boot is Disabled |
Red Hat Enterprise Linux systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 7
system, interactive boot can be enabled by providing a 1 ,
yes , true , or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub .
Remove any instance of systemd.confirm_spawn=(1|yes|true|on)from the kernel arguments in that file to disable interactive boot. |
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. | |
3.1.20 | Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces |
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.secure_redirects = 0 |
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. | |
3.1.20 | Configure Kernel Parameter to Log Martian Packets |
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.log_martians = 1 |
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. | |
3.1.20 | Configure Kernel Parameter to Log Martian Packets By Default |
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.log_martians = 1 |
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. | |
3.1.20 | Configure Kernel Parameter for Accepting Secure Redirects By Default |
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.secure_redirects = 0 |
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. | |
3.1.20 | Configure Kernel Parameter to Ignore Bogus ICMP Error Responses |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. | |
3.1.20 | Configure Kernel Parameter to Use TCP Syncookies |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.tcp_syncookies = 1 |
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. | |
3.1.20 | Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.rp_filter = 1 |
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | |
3.1.20 | Configure Kernel Parameter to Use Reverse Path Filtering by Default |
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.rp_filter = 1 |
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | |
3.1.16 | Deactivate Wireless Network Interfaces |
Deactivating wireless network interfaces should prevent
normal usage of the wireless capability.
Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio wifi off |
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. | |
3.1.16 | Disable Bluetooth Service |
The bluetooth service can be disabled with the following command:
$ sudo systemctl disable bluetooth.service $ sudo service bluetooth stop |
Disabling the bluetooth service prevents the system from attempting
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. |
|
3.1.16 | Disable Bluetooth Kernel Modules | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install bluetooth /bin/true |
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. | |
3.1.20 | Disable IPv6 Networking Support Automatic Loading | To disable support for (ipv6 ) add the following line to
/etc/sysctl.d/ipv6.conf (or another file in
/etc/sysctl.d ):
net.ipv6.conf.all.disable_ipv6 = 1This disables IPv6 on all network interfaces as other services and system functionality require the IPv6 stack loaded to work. |
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. | |
3.1.20 | Disable Support for RPC IPv6 | RPC services for NFSv4 try to load transport modules for
udp6 and tcp6 by default, even if IPv6 has been disabled in
/etc/modprobe.d . To prevent RPC services such as rpc.mountd
from attempting to start IPv6 network listeners, remove or comment out the
following two lines in /etc/netconfig :
udp6 tpi_clts v inet6 udp - - tcp6 tpi_cots_ord v inet6 tcp - - |
||
3.1.20 | Configure Accepting IPv6 Router Advertisements |
To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.all.accept_ra = 0 |
An illicit router advertisement message could result in a man-in-the-middle attack. | |
3.1.20 | Configure Accepting IPv6 Router Advertisements |
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_ra = 0 |
An illicit router advertisement message could result in a man-in-the-middle attack. | |
3.1.20 | Configure Accepting IPv6 Redirects By Default |
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.all.accept_redirects = 0 |
An illicit ICMP redirect message could result in a man-in-the-middle attack. | |
3.1.20 | Configure Accepting IPv6 Redirects By Default |
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_redirects = 0 |
An illicit ICMP redirect message could result in a man-in-the-middle attack. | |
3.1.20 | Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. | |
3.1.20 | Use Privacy Extensions for Address | To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
/etc/sysconfig/network-scripts/ifcfg-interface :
IPV6_PRIVACY=rfc3041Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied. |
||
3.4.6 | Disable DCCP Support |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install dccp /bin/true |
Disabling DCCP protects the system against exploitation of any flaws in its implementation. | |
3.4.6 | Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d :
install sctp /bin/true |
Disabling SCTP protects the system against exploitation of any flaws in its implementation. | |
3.3.1 | Enable Auditing for Processes Which Start Prior to the Audit Daemon | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub , in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1" |
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
|
|
3.3.1 | Configure auditd Number of Logs Retained | Determine how many log files
auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf . Add or modify the following
line, substituting NUMLOGS with the correct value of num_logs = NUMLOGSSet the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. | |
3.3.1 | Configure auditd space_left Action on Low Disk Space | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf . Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default,
which is suspend ) as it is more likely to get prompt attention. Acceptable values
also include suspend , single , and halt .
|
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | |
3.3.1 | Configure auditd flush priority | The auditd service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in /etc/audit/auditd.conf to ensure that audit event data is
fully synchronized with the log files on the disk:
flush = |
Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. | |
3.3.1 | Configure auditd to use audispd's syslog plugin | To configure the auditd service to use the
syslog plug-in of the audispd audit event multiplexor, set
the active line in /etc/audisp/plugins.d/syslog.conf to
yes . Restart the auditd service:
$ sudo service auditd restart |
The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server | |
3.1.7 | Record attempts to alter time through adjtimex | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rulesIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | |
3.1.7 | Record attempts to alter time through settimeofday | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rulesIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | |
3.1.7 | Record Attempts to Alter Time Through stime | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rulesSince the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to
read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rulesSince the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | |
3.1.7 | Record Attempts to Alter Time Through clock_settime | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-changeIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-changeIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-changeThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | |
3.1.7 | Record Attempts to Alter the localtime File | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d :
-w /etc/localtime -p wa -k audit_time_rulesIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | |
3.1.7 | Record Events that Modify the System's Network Environment | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modificationIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. | |
3.3.1 | System Audit Logs Must Have Mode 0640 or Less Permissive |
If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0600 audit_file |
If users can write to audit logs, audit trails can be modified or destroyed. | |
3.3.1 | System Audit Logs Must Be Owned By Root | All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit , run the command:
$ sudo chown root /var/log/auditTo properly set the owner of /var/log/audit/* , run the command:
$ sudo chown root /var/log/audit/* |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. | |
3.1.8 | Record Events that Modify the System's Mandatory Access Controls | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d :
-w /etc/selinux/ -p wa -k MAC-policyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy |
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. | |
3.1.7 | Record Attempts to Alter Logon and Logout Events | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | |
3.1.7 | Record Attempts to Alter Process and Session Initiation Information | The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k sessionIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | |
3.1.7 | Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) | At a minimum the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | |
3.1.7 | Ensure auditd Collects File Deletion Events by User | At a minimum the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | |
3.1.7 | Ensure auditd Collects Information on Kernel Module Loading and Unloading | To capture kernel module loading and unloading events, use following lines, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module,delete_module -F key=modulesPlace to add the lines depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the lines to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the lines to file /etc/audit/audit.rules .
|
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | |
3.3.1 | Make the auditd Configuration Immutable | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2With this setting, a reboot will be required to change any audit rules. |
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation | |
3.4.3 | Make the auditd Configuration Immutable | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2With this setting, a reboot will be required to change any audit rules. |
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation | |
3.4.7 | Disable xinetd Service |
The xinetd service can be disabled with the following command:
$ sudo systemctl disable xinetd.service |
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. | |
3.1.13 | Disable telnet Service |
The telnet service configuration file /etc/xinetd.d/telnet
is not created automatically. If it was created manually, check the
/etc/xinetd.d/telnet file and ensure that disable = no
is changed to read disable = yes as follows below:
# description: The telnet server serves telnet sessions; it uses \\ # unencrypted username/password pairs for authentication. service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = yes }If the /etc/xinetd.d/telnet file does not exist, make sure that
the activation of the telnet service on system boot is disabled
via the following command:
The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket |
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. | |
3.4.7 | Disable telnet Service |
The telnet service configuration file /etc/xinetd.d/telnet
is not created automatically. If it was created manually, check the
/etc/xinetd.d/telnet file and ensure that disable = no
is changed to read disable = yes as follows below:
# description: The telnet server serves telnet sessions; it uses \\ # unencrypted username/password pairs for authentication. service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = yes }If the /etc/xinetd.d/telnet file does not exist, make sure that
the activation of the telnet service on system boot is disabled
via the following command:
The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket |
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. | |
3.1.13 | Remove telnet Clients | The telnet client allows users to start connections to other systems via the telnet protocol. | The telnet protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The ssh package provides an
encrypted session and stronger security and is included in Red Hat
Enterprise Linux. |
|
3.1.13 | Disable rexec Service | The rexec service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rexec .
If using systemd,
The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket |
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | |
3.4.7 | Disable rexec Service | The rexec service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rexec .
If using systemd,
The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket |
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | |
3.1.13 | Disable rsh Service | The rsh service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rsh .
If using systemd,
The rsh socket can be disabled with the following command:
$ sudo systemctl disable rsh.socket |
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | |
3.4.7 | Disable rsh Service | The rsh service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rsh .
If using systemd,
The rsh socket can be disabled with the following command:
$ sudo systemctl disable rsh.socket |
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | |
3.1.13 | Uninstall rsh Package | The rsh package contains the client commands
for the rsh services |
These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the rsh package removes
the clients for rsh ,rcp , and rlogin .
|
|
3.1.13 | Disable rlogin Service | The rlogin service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rlogin .
If using systemd,
The rlogin socket can be disabled with the following command:
$ sudo systemctl disable rlogin.socket |
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | |
3.4.7 | Disable rlogin Service | The rlogin service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rlogin .
If using systemd,
The rlogin socket can be disabled with the following command:
$ sudo systemctl disable rlogin.socket |
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | |
3.1.13 | Verify Permissions on SSH Server Public *.pub Key Files |
To properly set the permissions of /etc/ssh/*.pub , run the command:
$ sudo chmod 0644 /etc/ssh/*.pub |
If a public host key file is modified by an unauthorized user, the SSH service may be compromised. | |
3.13.10 | Verify Permissions on SSH Server Public *.pub Key Files |
To properly set the permissions of /etc/ssh/*.pub , run the command:
$ sudo chmod 0644 /etc/ssh/*.pub |
If a public host key file is modified by an unauthorized user, the SSH service may be compromised. | |
3.1.13 | Verify Permissions on SSH Server Private *_key Key Files |
To properly set the permissions of /etc/ssh/*_key , run the command:
$ sudo chmod 0640 /etc/ssh/*_key |
If an unauthorized user obtains the private SSH host key file, the host could be impersonated. | |
3.13.10 | Verify Permissions on SSH Server Private *_key Key Files |
To properly set the permissions of /etc/ssh/*_key , run the command:
$ sudo chmod 0640 /etc/ssh/*_key |
If an unauthorized user obtains the private SSH host key file, the host could be impersonated. | |
3.1.12 | Remove SSH Server firewalld Firewall exception (Unusual) | By default, inbound connections to SSH's port are allowed. If
the SSH server is not being used, this exception should be removed from the
firewall configuration.
To configure firewalld to not allow access, run the following command(s):
|
If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. | |
3.1.12 | Enable SSH Server firewalld Firewall exception | By default, inbound connections to SSH's port are allowed. If
the SSH server is being used but denied by the firewall, this exception should
be added to the firewall configuration.
To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=ssh
|
If inbound SSH connections are expected, adding a firewall rule exception will allow remote access through the SSH port. | |
3.1.13 | Allow Only SSH Protocol 2 | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. | |
3.5.4 | Allow Only SSH Protocol 2 | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. | |
3.1.12 | Limit Users' SSH Access | By default, the SSH configuration allows any user with an account
to access the system. In order to specify the users that are allowed to login
via SSH and deny all other users, add or correct the following line in the
/etc/ssh/sshd_config file:
DenyUsers USER1 USER2Where USER1 and USER2 are valid user names.
|
Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system. | |
3.1.12 | Disable GSSAPI Authentication | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no |
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. | |
3.1.12 | Disable Kerberos Authentication | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no |
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. | |
3.1.12 | Enable Use of Strict Mode Checking | SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected. To enable StrictModes in SSH,
add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes |
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. | |
3.1.12 | Enable Use of Privilege Separation | When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation sandbox |
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section. | |
3.1.12 | Disable Compression Or Set Compression to delayed | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise
, it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression noor Compression delayed |
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially wih root privileges. | |
3.1.11 | Set SSH Idle Timeout Interval | SSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval intervalThe timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. |
Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. | |
3.1.11 | Set SSH Client Alive Count | To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set,
edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0 |
This ensures a user login will be terminated as soon as the ClientAliveCountMax
is reached.
|
|
3.1.12 | Disable SSH Support for .rhosts Files | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config :
IgnoreRhosts yes |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | |
3.1.12 | Disable SSH Support for User Known Hosts | SSH can allow system users user host-based authentication to connect
to systems if a cache of the remote systems public keys are available.
This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config :
IgnoreUserKnownHosts yes |
Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. | |
3.1.12 | Disable SSH Support for Rhosts RSA Authentication | SSH can allow authentication through the obsolete rsh
command through the use of the authenticating user's SSH keys. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config :
RhostsRSAAuthentication no |
Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. | |
3.1.12 | Disable Host-Based Authentication | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config :
HostbasedAuthentication no |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | |
3.1.13 | Enable Encrypted X11 Forwarding | By default, remote X11 connections are not encrypted when initiated
by users. SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config :
X11Forwarding yes |
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. | |
3.1.1 | Disable SSH Root Login | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config :
PermitRootLogin no |
Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. | |
3.1.5 | Disable SSH Root Login | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config :
PermitRootLogin no |
Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. | |
3.1.1 | Disable SSH Access via Empty Passwords | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in /etc/ssh/sshd_config :
PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | |
3.1.5 | Disable SSH Access via Empty Passwords | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in /etc/ssh/sshd_config :
PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | |
3.1.9 | Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in /etc/ssh/sshd_config :
Banner /etc/issueAnother section contains information on how to create an appropriate system-wide warning banner. |
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. | |
3.1.12 | Do Not Allow SSH Environment Options | To ensure users are not able to override environment
options to the SSH daemon, add or correct the following line
in /etc/ssh/sshd_config :
PermitUserEnvironment no |
SSH environment options potentially allow users to bypass access restriction in some configurations. | |
3.1.13 | Use Only FIPS 140-2 Validated Ciphers | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config demonstrates use of
FIPS 140-2 validated ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr The following ciphers are FIPS 140-2 certified on RHEL 7: - aes128-ctr - aes192-ctr - aes256-ctr - aes128-cbc - aes192-cbc - aes256-cbc - 3des-cbc - rijndael-cbc@lysator.liu.se Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux. |
|
3.13.11 | Use Only FIPS 140-2 Validated Ciphers | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config demonstrates use of
FIPS 140-2 validated ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr The following ciphers are FIPS 140-2 certified on RHEL 7: - aes128-ctr - aes192-ctr - aes256-ctr - aes128-cbc - aes192-cbc - aes256-cbc - 3des-cbc - rijndael-cbc@lysator.liu.se Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux. |
|
3.13.8 | Use Only FIPS 140-2 Validated Ciphers | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config demonstrates use of
FIPS 140-2 validated ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr The following ciphers are FIPS 140-2 certified on RHEL 7: - aes128-ctr - aes192-ctr - aes256-ctr - aes128-cbc - aes192-cbc - aes256-cbc - 3des-cbc - rijndael-cbc@lysator.liu.se Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux. |
|
3.1.13 | Use Only FIPS 140-2 Validated MACs | Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config demonstrates use
of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256 Only the following message authentication codes are FIPS 140-2 certified on RHEL 7: - hmac-sha1 - hmac-sha2-256 - hmac-sha2-512 - hmac-sha1-etm@openssh.com - hmac-sha2-256-etm@openssh.com - hmac-sha2-512-etm@openssh.com Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. | |
3.13.11 | Use Only FIPS 140-2 Validated MACs | Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config demonstrates use
of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256 Only the following message authentication codes are FIPS 140-2 certified on RHEL 7: - hmac-sha1 - hmac-sha2-256 - hmac-sha2-512 - hmac-sha1-etm@openssh.com - hmac-sha2-256-etm@openssh.com - hmac-sha2-512-etm@openssh.com Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. | |
3.13.8 | Use Only FIPS 140-2 Validated MACs | Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config demonstrates use
of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256 Only the following message authentication codes are FIPS 140-2 certified on RHEL 7: - hmac-sha1 - hmac-sha2-256 - hmac-sha2-512 - hmac-sha1-etm@openssh.com - hmac-sha2-256-etm@openssh.com - hmac-sha2-512-etm@openssh.com Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. | |
3.3.7 | Enable the NTP Daemon |
The chronyd service can be enabled with the following command:
$ sudo systemctl enable chronyd.serviceNote: The chronyd daemon is enabled by default.
The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.serviceNote: The ntpd daemon is not enabled by default. Though as mentioned
in the previous sections in certain environments the ntpd daemon might
be preferred to be used rather than the chronyd one. Refer to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for guidance which NTP daemon to choose depending on the environment used.
|
Enabling some of chronyd or ntpd services ensures
that the NTP daemon will be running and that the system will synchronize its
time to any servers specified. This is important whether the system is
configured to be a client (and synchronize only its own clock) or it is also
acting as an NTP server to other systems. Synchronizing time is essential for
authentication services such as Kerberos, but it is also important for
maintaining accurate logs and auditing possible security breaches.
The chronyd and ntpd NTP daemons offer all of the
functionality of ntpdate , which is now deprecated. Additional
information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate
|
|
3.3.7 | Specify a Remote NTP Server | Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 7 Server system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for more detailed comparison of the features of both of the choices, and for
further guidance how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:
server ntpserverThis instructs the NTP software to contact that remote server to obtain time data. |
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. |