Guide to the Secure Configuration of Oracle Linux 7

with profile Security Profile of Oracle Linux 7 for SAP
This profile contains rules for Oracle Linux 7 Operating System in compliance with SAP note 2069760 and SAP Security Baseline Template version 1.9 Item I-8 and section 4.1.2.2. Regardless of your system's workload all of these checks should pass.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Oracle Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title	Security Profile of Oracle Linux 7 for SAP
Profile ID	xccdf_org.ssgproject.content_profile_sap

CPE Platforms

cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.73

draft (as of 2024-05-09)

System Settings
1. Installing and Maintaining Software
2. File Permissions and Masks
Services
1. Obsolete Services

Checklist

Group Guide to the Secure Configuration of Oracle Linux 7 Group contains 10 groups and 9 rules

Group System Settings Group contains 5 groups and 4 rules

[ref] Contains rules that check correct system settings.

Group Installing and Maintaining Software Group contains 1 group and 3 rules

[ref] The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.

Group SAP Specific Requirement Group contains 3 rules

[ref] SAP (Systems, Applications and Products in Data Processing) is enterprise software to manage business operations and customer relations. The following section contains SAP specific requirement that is not part of standard or common OS setting.

Rule Package glibc Installed [ref]

The package glibc is installed on Linux by default, but the glibc version might not be sufficient for SAP. Please refer to SAP note of your Linux version for the minimum requirement on glibc. The glibc package can be installed with the following command:

$ sudo yum install glibc

Rationale:

The glibc package contains standard C and math libraries used by multiple programs on Linux. The glibc shipped with first release of each major Linux version is often not sufficient for SAP. An update is required after the first OS installation.

Severity:

medium

Rule ID: xccdf_org.ssgproject.content_rule_package_glibc_installed

Remediation OSBuild Blueprint snippet ⇲


[[packages]]
name = "glibc"
version = "*"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

- name: Ensure glibc is installed
  package:
    name: glibc
    state: present
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_glibc_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include install_glibc

class install_glibc {
  package { 'glibc':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable


package --add=glibc

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable


if ! rpm -q --quiet "glibc" ; then
    yum install -y "glibc"
fi

Rule Package uuidd Installed [ref]

The package uuidd is not installed on normal Linux distribution by default. Applications require this package to avoid database inconsistences caused by duplicated UUIDs. Especially in banking services with SAP where massive UUIDs are created in a short time period, it is important to install the package uuidd. More information can be found in SAP note 1391070. The uuidd package can be installed with the following command:

$ sudo yum install uuidd

Rationale:

The uuidd package contains a userspace daemon (uuidd) which is used to generate unique identifiers even at very high rates on SMP systems.

Severity:

medium

Rule ID: xccdf_org.ssgproject.content_rule_package_uuidd_installed

Remediation OSBuild Blueprint snippet ⇲


[[packages]]
name = "uuidd"
version = "*"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

- name: Ensure uuidd is installed
  package:
    name: uuidd
    state: present
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_uuidd_installed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include install_uuidd

class install_uuidd {
  package { 'uuidd':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable


package --add=uuidd

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable


if ! rpm -q --quiet "uuidd" ; then
    yum install -y "uuidd"
fi

Rule Only sidadm and orasid/oracle User Accounts Exist on Operating System [ref]
SAP tends to use the server or virtual machine exclusively. There should be only SAP system users `sidadm` and `orasid` that exist on the operating system (or virtual machine). If SAP Host Agent is installed, the user `sapadm` must exist too. With Oracle Database using `oracle` user, the user `oracle` should exist as well. While `SID` is the SAP System ID, which is always three alphanumeric characters in upper case, beginning with an alphabetic character, the user names `sidadm` and `orasid` are in lower case. Besides the above SAP users that are automatically detected, other operating system users can be customized in the refine value variable `var_accounts_authorized_local_users_regex`. OVAL regular expression is used for the user list. Test result of both `fail` or `error` means mismatch of user names and SAP system. The bash remediation commands can be used to delete unexpected users on the operating system. Warning: Currently this rule only works with following limitations: 1. `SAP system mount directory` is `/sapmnt` (mounted or local file system or a symbolic link to the target directory); 2. there is maximum one SAP System on each operating system or virtual machine (maximum one SID in /sapmnt and /usr/sap). With the above limitations, the SAP system users `sidadm`, `orasid`, `sapadm` and `oracle` can be automatically detected. For other cases, please use the general purpose rule `accounts_authorized_local_users` and customize the refine value variable `var_accounts_authorized_local_users_regex` by adding all the authorized user names to the list. The bash remediation is not limited by the above two conditions, it works in all the cases regardless there is zero, one or multiple SAP systems on the OS/VM.
Rationale:	Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_accounts_authorized_local_users_sidadm_orasid
Remediation Shell script ⇲ var_accounts_authorized_local_users_regex='^(root\|bin\|daemon\|adm\|lp\|sync\|shutdown\|halt\|mail\|operator\|games\|ftp\|nobody\|pegasus\|systemd-bus-proxy\|systemd-network\|dbus\|polkitd\|abrt\|unbound\|tss\|libstoragemgmt\|rpc\|colord\|usbmuxd$\|pcp\|saslauth\|geoclue\|setroubleshoot\|rtkit\|chrony\|qemu\|radvd\|rpcuser\|nfsnobody\|pulse\|gdm\|gnome-initial-setup\|postfix\|avahi\|ntp\|sshd\|tcpdump\|oprofile\|uuidd)$' # never delete the root user default_os_user="root" # add users sidamd, orasid, sapadm and oracle if needed userlist="root" sapmnt_SID_stem="/sapmnt/[A-Z][A-Z0-9][A-Z0-9]" oracle_SID_stem="/oracle/[A-Z][A-Z0-9][A-Z0-9]" # if owner of any directory or file in the given list is the user oracle, # add the user oracle to the variable userlist. # Usage: verify_oracle_user_to_userlist "$path_list" # Note: this function might modify the value of the global variable userlist function verify_oracle_user_to_userlist { local path_list="$1" local is_oracle=no for path in $path_list ; do if [ "$(stat -c %U -- "$path")" = "oracle" ]; then is_oracle=yes fi done if test "$is_oracle" = yes ; then userlist="$userlist\|oracle" ; fi } # if /sapmnt is a directory or a symbolic link to a directory, # then try to add SAP system users to the userlist if [ -d "/sapmnt" ] ; then # if /sapmnt/SID exists, add sidadm to the userlist path_sapmnt_SID_list=$(find /sapmnt/ -regex "^$sapmnt_SID_stem$") for path_sapmnt_SID in $path_sapmnt_SID_list ; do SID=${path_sapmnt_SID:8:3} userlist="$userlist\|$(echo "$SID" \| sed -e 's/$.$/\L\1/')adm" done # try to get brspace from directories /sapmnt/SID/exe (SAP binaries of old structure) # and /sapmnt/SID/exe/<codepage>/<platform> (SAP binaries of new structure) path_to_brspace_list=$(find /sapmnt/ -regex "^$sapmnt_SID_stem/exe/$\\|\(\\|n$uc/[a-z0-9_]+/\)brspace$") # if brspace exist in any of the above directory of a SID, add orasid to the userlist for path_to_brspace in $path_to_brspace_list ; do SID=${path_to_brspace:8:3} userlist="$userlist\|ora$(echo "$SID" \| sed -e 's/$.$/\L\1/')" done # if owner of any brspace file is oracle, add oracle to the userlist verify_oracle_user_to_userlist "$path_to_brspace_list" fi # if owner of any /oracle/SID directory is oracle, add oracle to the userlist # the user oracle could be added twice in the userlist, but it is harmlos to the final result if [ -d "/oracle" ] ; then path_oracle_SID_list=$(find /oracle/ -regex "^$oracle_SID_stem$") verify_oracle_user_to_userlist "$path_oracle_SID_list" fi # if /usr/sap/hostctrl is a directory or a symbolic link to a directory, add sapadm to the list if [ -d /usr/sap/hostctrl ] ; then userlist="$userlist\|sapadm" fi # delete users that is in /etc/passwd but neither in the userlist # nor in default_os_user nor in the var_accounts_authorized_local_users_regex default_os_user=^$default_os_user$ userlist=^$userlist$ for username in $( sed 's/:.*//' /etc/passwd ) ; do if [[ ! "$username" =~ ($default_os_user\|$userlist\|$var_accounts_authorized_local_users_regex) ]]; then userdel $username ; fi done

Group File Permissions and Masks Group contains 2 groups and 1 rule

[ref] Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.

Several of the commands in this section search filesystems for files or directories with certain characteristics, and are intended to be run on every local partition on a given system. When the variable PART appears in one of the commands below, it means that the command is intended to be run repeatedly, with the name of each local partition substituted for PART in turn.

The following command prints a list of all xfs partitions on the local system, which is the default filesystem for Oracle Linux 7 installations:

$ mount -t xfs | awk '{print $3}'

For any systems that use a different local filesystem type, modify this command as appropriate.

Group Verify Permissions on Important Files and Directories Group contains 1 group and 1 rule

[ref] Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen.

Group Verify Permissions on Files with Local Account Information and Credentials Group contains 1 rule

[ref] The default restrictive permissions for files which act as important security databases such as passwd, shadow, group, and gshadow files must be maintained. Many utilities need read access to the passwd file in order to function properly, but read access to the shadow file allows malicious attacks against system passwords, and should never be enabled.

Rule Verify Permissions on shadow File [ref]

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0000 /etc/shadow

Rationale:

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Severity:

medium

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow

References:

cis-csc	12, 13, 14, 15, 16, 18, 3, 5
cjis	5.5.2.2
cobit5	APO01.06, DSS05.04, DSS05.07, DSS06.02
disa	CCI-002223
isa-62443-2009	4.3.3.7.3
isa-62443-2013	SR 2.1, SR 5.2
iso27001-2013	A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip	CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist	CM-6(a), AC-6(1)
nist-csf	PR.AC-4, PR.DS-5
pcidss	Req-8.7.c
os-srg	SRG-OS-000480-GPOS-00227
anssi	R50
pcidss4	2.2.6

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
  - CJIS-5.5.2.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.7.c
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_etc_shadow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow
  file:
    path: /etc/shadow
    mode: u-xwrs,g-xwrs,o-xwrt
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CJIS-5.5.2.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.7.c
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_permissions_etc_shadow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure






chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow

Group Services Group contains 3 groups and 5 rules

[ref] The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 7 installs on a system and disable software which is not needed. It then enumerates the software packages installed on a default Oracle Linux 7 system and provides guidance about which ones can be safely disabled.

Oracle Linux 7 provides a convenient minimal install option that essentially installs the bare necessities for a functional system. When building Oracle Linux 7 systems, it is highly recommended to select the minimal packages and then build up the system from there.

Group Obsolete Services Group contains 2 groups and 5 rules

[ref] This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this, many of these services are not installed as part of Oracle Linux 7 by default.

Organizations which are running these services should switch to more secure equivalents as soon as possible. If it remains absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software such as iptables to restrict access to the vulnerable service to only those remote hosts which have a known need to use it.

Group NIS Group contains 2 rules

[ref] The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information.

Rule Remove NIS Client [ref]

The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files.

Rationale:

The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

Severity:

unknown

Rule ID: xccdf_org.ssgproject.content_rule_package_ypbind_removed

References:

hipaa	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
anssi	R62
pcidss4	2.2.4

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure ypbind is removed
  package:
    name: ypbind
    state: absent
  tags:
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - package_ypbind_removed
  - unknown_severity

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_ypbind

class remove_ypbind {
  package { 'ypbind':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


package --remove=ypbind

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove ypbind
#	   from the system, and may remove any packages
#	   that depend on ypbind. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

if rpm -q --quiet "ypbind" ; then

    yum remove -y "ypbind"

fi

Rule Uninstall ypserv Package [ref]

The ypserv package can be removed with the following command:

$ sudo yum erase ypserv

Rationale:

The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Severity:

high

Rule ID: xccdf_org.ssgproject.content_rule_package_ypserv_removed

References:

cis-csc	11, 12, 14, 15, 3, 8, 9
cobit5	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disa	CCI-000381
hipaa	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-2009	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nist	CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c)
nist-csf	PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
pcidss	Req-2.2.2
os-srg	SRG-OS-000095-GPOS-00049
stigid	OL07-00-020010
anssi	R62
pcidss4	2.2.4
stigref	SV-221705r603260_rule

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Ensure ypserv is removed
  package:
    name: ypserv
    state: absent
  tags:
  - DISA-STIG-OL07-00-020010
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - PCI-DSS-Req-2.2.2
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - package_ypserv_removed

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

include remove_ypserv

class remove_ypserv {
  package { 'ypserv':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


package --remove=ypserv

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable


# CAUTION: This remediation script will remove ypserv
#	   from the system, and may remove any packages
#	   that depend on ypserv. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

if rpm -q --quiet "ypserv" ; then

    yum remove -y "ypserv"

fi

Group Rlogin, Rsh, and Rexec Group contains 3 rules

[ref] The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.

Rule Disable rlogin Service [ref]

The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. The rlogin socket can be disabled with the following command:

$ sudo systemctl mask --now rlogin.socket

Rationale:

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Severity:

high

Rule ID: xccdf_org.ssgproject.content_rule_service_rlogin_disabled

References:

cis-csc	1, 11, 12, 14, 15, 16, 3, 5, 8, 9
cobit5	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
cui	3.1.13, 3.4.7
disa	CCI-001436
hipaa	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-2009	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nist	CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c)
nist-csf	PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4

Remediation OSBuild Blueprint snippet ⇲


[customizations.services]
masked = ["rlogin"]

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Disable rlogin Service - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rlogin_disabled

- name: Disable rlogin Service - Ensure rlogin.service is Masked
  ansible.builtin.systemd:
    name: rlogin.service
    state: stopped
    enabled: false
    masked: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - service_exists.stdout_lines is search("rlogin.service", multiline=True)
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rlogin_disabled

- name: Unit Socket Exists - rlogin.socket
  ansible.builtin.command: systemctl -q list-unit-files rlogin.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rlogin_disabled

- name: Disable rlogin Service - Disable Socket rlogin
  ansible.builtin.systemd:
    name: rlogin.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("rlogin.socket", multiline=True)
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rlogin_disabled

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include disable_rlogin

class disable_rlogin {
  service {'rlogin':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rlogin.service'
"$SYSTEMCTL_EXEC" disable 'rlogin.service'
"$SYSTEMCTL_EXEC" mask 'rlogin.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then
    "$SYSTEMCTL_EXEC" stop 'rlogin.socket'
    "$SYSTEMCTL_EXEC" mask 'rlogin.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Rule Disable rsh Service [ref]

The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. The rsh socket can be disabled with the following command:

$ sudo systemctl mask --now rsh.socket

Rationale:

The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Severity:

high

Rule ID: xccdf_org.ssgproject.content_rule_service_rsh_disabled

References:

cis-csc	1, 11, 12, 14, 15, 16, 3, 5, 8, 9
cobit5	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
cui	3.1.13, 3.4.7
disa	CCI-000068, CCI-001436
hipaa	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-2009	4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
nist	CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c)
nist-csf	PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4

Remediation OSBuild Blueprint snippet ⇲


[customizations.services]
masked = ["rsh"]

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

- name: Disable rsh Service - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rsh_disabled

- name: Disable rsh Service - Ensure rsh.service is Masked
  ansible.builtin.systemd:
    name: rsh.service
    state: stopped
    enabled: false
    masked: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - service_exists.stdout_lines is search("rsh.service", multiline=True)
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rsh_disabled

- name: Unit Socket Exists - rsh.socket
  ansible.builtin.command: systemctl -q list-unit-files rsh.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rsh_disabled

- name: Disable rsh Service - Disable Socket rsh
  ansible.builtin.systemd:
    name: rsh.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("rsh.socket", multiline=True)
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-5(1)(c)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_rsh_disabled

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	enable

include disable_rsh

class disable_rsh {
  service {'rsh':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rsh.service'
"$SYSTEMCTL_EXEC" disable 'rsh.service'
"$SYSTEMCTL_EXEC" mask 'rsh.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files rsh.socket; then
    "$SYSTEMCTL_EXEC" stop 'rsh.socket'
    "$SYSTEMCTL_EXEC" mask 'rsh.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rsh.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Rule Remove Rsh Trust Files [ref]

The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:

$ sudo rm /etc/hosts.equiv

$ rm ~/.rhosts

Rationale:

This action is only meaningful if .rhosts support is permitted through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Severity:

high

Rule ID: xccdf_org.ssgproject.content_rule_no_rsh_trust_files

References:

cis-csc	11, 12, 14, 15, 3, 8, 9
cobit5	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
disa	CCI-001436
hipaa	164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
isa-62443-2009	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
isa-62443-2013	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
iso27001-2013	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
nist	CM-7(a), CM-7(b), CM-6(a)
nist-csf	PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - no_rsh_trust_files
  - restrict_strategy

- name: Detect .rhosts files in users home directories
  find:
    paths:
    - /root
    - /home
    recurse: true
    patterns: .rhosts
    hidden: true
    file_type: file
  check_mode: false
  register: rhosts_locations
  when: '"rsh-server" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - no_rsh_trust_files
  - restrict_strategy

- name: Remove .rhosts files
  file:
    path: '{{ item }}'
    state: absent
  with_items: '{{ rhosts_locations.files | map(attribute=''path'') | list }}'
  when:
  - '"rsh-server" in ansible_facts.packages'
  - rhosts_locations is success
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - no_rsh_trust_files
  - restrict_strategy

- name: Remove /etc/hosts.equiv file
  file:
    path: /etc/hosts.equiv
    state: absent
  when: '"rsh-server" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - no_rsh_trust_files
  - restrict_strategy

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q rsh-server; then

find /root -xdev -type f -name ".rhosts" -exec rm -f {} \;
find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \;
rm -f /etc/hosts.equiv

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.