| Mapping | Rule Title | Description | Rationale |
|---|---|---|---|
| 3.1.1 | Disable GDM Automatic Login |
The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the AutomaticLoginEnable to false in the
[daemon] section in /etc/gdm/custom.conf. For example:
[daemon] AutomaticLoginEnable=false |
Failure to restrict system access to authenticated users negatively impacts operating system security. |
| 3.1.1 3.4.5 |
Require Authentication for Emergency Systemd Target |
Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service. |
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
| 3.1.1 3.1.5 |
Disable SSH Root Login |
The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config:
PermitRootLogin no |
Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. |
| 3.1.1 3.1.5 |
Prevent Login to Accounts With Empty Password | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
| 3.1.1 3.1.5 |
Restrict Virtual Console Root Logins |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty:
vc/1 vc/2 vc/3 vc/4 |
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. |
| 3.1.1 3.1.6 |
Direct root Logins Not Allowed |
To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to the system as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enterprise Linux 8's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent root from logging in, remove the
contents of this file. To prevent direct root logins, remove the contents of this
file by typing the following command:
$ sudo echo > /etc/securetty |
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. |
| 3.1.1 3.1.5 |
Restrict Serial Port Root Logins |
To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty:
ttyS0 ttyS1 |
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. |
| 3.1.1 3.4.5 |
Require Authentication for Single User Mode |
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service. |
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
| 3.1.1 3.1.5 |
Verify Only Root Has UID 0 |
If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned. |
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
| 3.1.1 | Disable GDM Guest Login |
The GNOME Display Manager (GDM) can allow users to login without credentials
which can be useful for public kiosk scenarios. Allowing users to login without credentials
or "guest" account access has inherent security risks and should be disabled. To do disable
timed logins or guest account access, set the TimedLoginEnable to false in
the [daemon] section in /etc/gdm/custom.conf. For example:
[daemon] TimedLoginEnable=false |
Failure to restrict system access to authenticated users negatively impacts operating system security. |
| 3.1.1 3.1.5 |
Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config: PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| 3.1.2 3.1.5 3.7.2 |
Ensure No Device Files are Unlabeled by SELinux |
Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device files
carry the SELinux type device_t or unlabeled_t, report the
bug so that policy can be corrected. Supply information about what the
device is and what programs use it.
To check for incorrectly labeled device files, run following commands: $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"It should produce no output in a well-configured system. |
If a device file carries the SELinux type device_t or unlabeled_t, then SELinux cannot properly restrict access to the device file. |
| 3.1.2 3.7.2 |
Ensure SELinux Not Disabled in /etc/default/grub | SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot. | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. |
| 3.1.2 3.1.5 3.7.2 |
Ensure No Daemons are Unconfined by SELinux |
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the unconfined_service_t context.
To check for unconfined daemons, run the following command: $ sudo ps -eZ | grep "unconfined_service_t"It should produce no output in a well-configured system. |
Daemons which run with the unconfined_service_t context may cause AVC denials, or allow privileges that the daemon does not require. |
| 3.1.2 3.4.5 |
Verify that Interactive Boot is Disabled | Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 8 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument. | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
| 3.1.2 | Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 |
By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to [''] in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/settings-daemon/plugins/media-keys] logout=['']Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/settings-daemon/plugins/media-keys/logoutAfter the settings have been set, run dconf update. |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
| 3.1.2 3.7.2 |
Ensure SELinux State is Enforcing |
The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing |
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. |
| 3.1.2 3.4.5 |
Verify that Interactive Boot is Disabled |
Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 8
system, interactive boot can be enabled by providing a 1,
yes, true, or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub.
Remove any instance of systemd.confirm_spawn=(1|yes|true|on)from the kernel arguments in that file to disable interactive boot. Recovery booting must also be disabled. Confirm that GRUB_DISABLE_RECOVERY=true is set in /etc/default/grub. It is also required to change the runtime configuration, run: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" grub2-mkconfig -o /boot/grub2/grub.cfg |
Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
| 3.1.2 3.7.2 |
Configure SELinux Policy |
The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targetedOther policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. |
Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to . |
| 3.1.2 | Disable the GNOME3 Login Restart and Shutdown Buttons |
In the default graphical environment, users logging directly into the
system are greeted with a login screen that allows any user, known or
unknown, the ability the ability to shutdown or restart the system. This
functionality should be disabled by setting
disable-restart-buttons to true.
To disable, add or edit disable-restart-buttons to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] disable-restart-buttons=trueOnce the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/disable-restart-buttonsAfter the settings have been set, run dconf update. |
A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. |
| 3.1.2 3.7.2 |
Ensure SELinux Not Disabled in the kernel arguments | SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot. | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. |
| 3.1.3 3.4.7 3.13.6 |
Set Default firewalld Zone for Incoming Packets |
To set the default zone to drop for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
/etc/firewalld/firewalld.conf to be:
DefaultZone=drop |
In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. |
| 3.1.3 3.4.7 |
Verify firewalld Enabled |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service |
Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
| 3.1.5 | Restrict Access to Kernel Message Buffer |
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 |
Unprivileged access to the kernel syslog can expose sensitive kernel address information. |
| 3.1.5 | Disable User Administration in GNOME3 |
By default, GNOME will allow all users to have some administratrion
capability. This should be disabled so that non-administrative users are not making
configuration changes. To configure the system to disable user administration
capability in the Graphical User Interface (GUI), add or set
user-administration-disabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/lockdown] user-administration-disabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/lockdown/user-administration-disabledAfter the settings have been set, run dconf update. |
Allowing all users to have some administratrive capabilities to the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes as well as a nefarious user the capability to make system changes such as adding new accounts, etc. |
| 3.1.7 | Ensure auditd Collects File Deletion Events by User - unlink |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
| 3.1.7 | Record Unsuccessful Access Attempts to Files - openat |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE |
The audit system should collect detailed unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to modify files
if called for write operation of with O_TRUNC_WRITE flag.
The following auidt rules will asure that unsuccessful attempts to modify a
file via open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modificationIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Unsuccessful Creation Attempts to Files - open O_CREAT |
The audit system should collect unauthorized file accesses for
all users and root. The open syscall can be used to create new files
when O_CREAT flag is specified.
The following auidt rules will asure that unsuccessful attempts to create a
file via open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-createIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Unsuccessful Access Attempts to Files - open |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT |
The audit system should collect unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to create new files
when O_CREAT flag is specified.
The following auidt rules will asure that unsuccessful attempts to create a
file via open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-createIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - chmod |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Record Any Attempts to Run restorecon |
At a minimum, the audit system should collect any execution attempt
of the restorecon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects System Administrator Actions |
At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actionsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions |
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. |
| 3.1.7 | Record Attempts to Alter Logon and Logout Events - faillock |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/faillock -p wa -k logins |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
| 3.1.7 | Record Attempts to Alter Logon and Logout Events |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins -w /var/log/faillock -p wa -k logins -w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/log/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
| 3.1.7 | Record Events that Modify User/Group Information - /etc/security/opasswd |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| 3.1.7 | Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
| 3.1.7 | Record Unsuccessful Access Attempts to Files - creat |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Events that Modify the System's Network Environment |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modificationIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. |
| 3.1.7 | Record Events that Modify User/Group Information |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - chage |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands |
The audit system should collect information about usage of privileged commands for all users.
These are commands with suid or sgid bits on and they are specially risky in local block
device partitions not mounted with noexec and nosuid options. Therefore, these partitions
should be first identified by the following command:
findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid"
For all partitions listed by the previous command, it is necessary to search for
setuid / setgid programs using the following command:
$ sudo find PARTITION -xdev -perm /6000 -type f 2>/dev/nullFor each setuid / setgid program identified by the previous command, an audit rule must be present in the appropriate place using the following line structure: -a always,exit -F path=PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup, add the line to a file with suffix .rules in the /etc/audit/rules.d directory, replacing the PROG_PATH part with the full path of that setuid / setgid identified program. If the auditd daemon is configured to use the auditctl utility instead, add the line to the /etc/audit/audit.rules file, also replacing the PROG_PATH part with the full path of that setuid / setgid identified program. |
Misuse of privileged functions, either intentionally or unintentionally by authorized users,
or by unauthorized external entities that have compromised system accounts, is a serious and
ongoing concern that can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify the
risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - fchown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly |
The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via open syscall the audit rules collecting these events need to be in certain order.
The more specific rules need to come before the less specific rules. The reason for that is that more
specific rules cover a subset of events covered in the less specific rules, thus, they need to come
before to not be overshadowed by less specific rules, which match a bigger set of events.
Make sure that rules for unsuccessful calls of open syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access |
The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - setxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on Kernel Module Loading and Unloading |
To capture kernel module loading and unloading events, use following lines, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -F key=modulesThe place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules. |
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
| 3.1.7 | Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
The audit system should collect detailed unauthorized file accesses for
all users and root. The open syscall can be used to modify files
if called for write operation of with O_TRUNC_WRITE flag.
The following auidt rules will asure that unsuccessful attempts to modify a
file via open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modificationIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Attempts to Alter Process and Session Initiation Information |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k sessionIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
| 3.1.7 | Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly |
The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order.
The more specific rules need to come before the less specific rules. The reason for that is that more
specific rules cover a subset of events covered in the less specific rules, thus, they need to come
before to not be overshadowed by less specific rules, which match a bigger set of events.
Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access |
The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule. |
| 3.1.7 | Ensure auditd Collects File Deletion Events by User - unlinkat |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
| 3.1.7 | Record Events that Modify User/Group Information - /etc/shadow |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/shadow -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| 3.1.7 | Record Attempts to Alter Logon and Logout Events - tallylog |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
| 3.1.7 | Record Attempts to Alter the localtime File |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rulesIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - umount |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Any Attempts to Run setsebool |
At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) |
At a minimum the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Events that Modify User/Group Information - /etc/group |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| 3.1.7 | Record Unsuccessful Delete Attempts to Files - unlink |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Disable GNOME3 Automount running |
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling] autorun-never=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/media-handling/autorun-neverAfter the settings have been set, run dconf update. |
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mount running in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - fchownat |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - sudo |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - chown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module |
If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modulesIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules |
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - postdrop |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - newgrp |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects File Deletion Events by User - renameat |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
| 3.1.7 | Record Attempts to Alter Logon and Logout Events - lastlog |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/lastlog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
| 3.1.7 | Ensure auditd Collects Information on Kernel Module Unloading - delete_module |
To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. |
The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Unsuccessful Creation Attempts to Files - openat O_CREAT |
The audit system should collect unauthorized file accesses for
all users and root. The openat syscall can be used to create new files
when O_CREAT flag is specified.
The following auidt rules will asure that unsuccessful attempts to create a
file via openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-createIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - fchmodat |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Disable GNOME3 Automounting |
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount within GNOME3, add or set
automount to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling] automount=falseOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/media-handling/automountAfter the settings have been set, run dconf update. |
Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - chsh |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record attempts to alter time through adjtimex |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rulesIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
| 3.1.7 | Ensure auditd Collects Information on Kernel Module Loading - init_module |
To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. |
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
| 3.1.7 | Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly |
The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via openat syscall the audit rules collecting these events need to be in certain order.
The more specific rules need to come before the less specific rules. The reason for that is that more
specific rules cover a subset of events covered in the less specific rules, thus, they need to come
before to not be overshadowed by less specific rules, which match a bigger set of events.
Make sure that rules for unsuccessful calls of openat syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access |
The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule. |
| 3.1.7 | Record Events that Modify User/Group Information - /etc/passwd |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/passwd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| 3.1.7 | Enable NX or XD Support in the BIOS | Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. |
| 3.1.7 | Ensure auditd Collects File Deletion Events by User |
At a minimum the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Record Attempts to Alter Time Through stime |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rulesSince the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems: -a always,exit -F arch=b32 -S stime -F key=audit_time_rulesSince the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE |
The audit system should collect detailed unauthorized file accesses for
all users and root. The openat syscall can be used to modify files
if called for write operation of with O_TRUNC_WRITE flag.
The following auidt rules will asure that unsuccessful attempts to modify a
file via openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modificationIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Record Unsuccessful Delete Attempts to Files - rename |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Any Attempts to Run semanage |
At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Unsuccessful Access Attempts to Files - open_by_handle_at |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Ensure auditd Collects File Deletion Events by User - rename |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
| 3.1.7 | Record attempts to alter time through settimeofday |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rulesIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - removexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - fchmod |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Disable GNOME3 Automount Opening |
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
automount-open to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling] automount-open=falseOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/media-handling/automount-openAfter the settings have been set, run dconf update. |
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. |
| 3.1.7 | Record Unsuccessful Delete Attempts to Files - renameat |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on Exporting to Media (successful) |
At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=exportIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - userhelper |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - lchown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Record Unsuccessful Delete Attempts to Files - unlinkat |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Install PAE Kernel on Supported 32-bit x86 Systems |
Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support.
The kernel-PAE package can be installed with the following command:
$ sudo yum install kernel-PAEThe installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify /etc/default/grub if necessary. |
On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support. |
| 3.1.7 | Record Attempts to Alter Time Through clock_settime |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-changeIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-changeIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-changeIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-changeThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Enable ExecShield via sysctl | By default on Red Hat Enterprise Linux 8 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub. | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. |
| 3.1.7 | Record Any Attempts to Run chcon |
At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - su |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - passwd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Events that Modify User/Group Information - /etc/gshadow |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| 3.1.7 | Ensure auditd Collects Information on the Use of Privileged Commands - crontab |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
| 3.1.7 | Record Unsuccessful Access Attempts to Files - ftruncate |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Unsuccessful Access Attempts to Files - truncate |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| 3.1.7 | Record Events that Modify the System's Discretionary Access Controls - fremovexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod |
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| 3.1.7 | Ensure auditd Collects File Deletion Events by User - rmdir |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
| 3.1.8 | Record Events that Modify the System's Mandatory Access Controls in usr/share |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /usr/share/selinux/ -p wa -k MAC-policyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /usr/share/selinux/ -p wa -k MAC-policy |
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. |
| 3.1.8 | Record Events that Modify the System's Mandatory Access Controls |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policyIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy |
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. |
| 3.1.8 | Lock Accounts After Failed Password Attempts | This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. Ensure that the file /etc/security/faillock.conf contains the following entry: deny = <count> Where count should be less than or equal to 3 and greater than 0. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. |
| 3.1.8 | Set Lockout Time for Failed Password Attempts | This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. Ensure that the file /etc/security/faillock.conf contains the following entry: unlock_time=<interval-in-seconds> where interval-in-seconds is 0 or greater. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool. | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
| 3.1.8 | Set the GNOME3 Login Number of Failures |
In the default graphical environment, the GNOME3 login
screen and be configured to restart the authentication process after
a configured number of attempts. This can be configured by setting
allowed-failures to 3 or less.
To enable, add or edit allowed-failures to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] allowed-failures=3Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/allowed-failuresAfter the settings have been set, run dconf update. |
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. |
| 3.1.9 | Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config:
Banner /etc/issue.netAnother section contains information on how to create an appropriate system-wide warning banner. |
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. |
| 3.1.9 | Enable GNOME3 Login Warning Banner |
In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true.
To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-enable=trueOnce the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-enableAfter the settings have been set, run dconf update. The banner text must also be set. |
Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
| 3.1.9 | Modify the System Login Banner |
To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: I've read & consent to terms in IS user agreem't. |
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
| 3.1.9 | Set the GNOME3 Login Warning Banner Text |
In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.
To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER'Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-textAfter the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines. |
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. |
| 3.1.9 | Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config:
Banner /etc/issueAnother section contains information on how to create an appropriate system-wide warning banner. |
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. |
| 3.1.10 | Set GNOME3 Screensaver Inactivity Timeout |
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings: [org/gnome/desktop/session] idle-delay=uint32 900 |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. |
| 3.1.10 | Ensure Users Cannot Change GNOME3 Screensaver Idle Activation |
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/idle-activation-enabledto /etc/dconf/db/local.d/00-security-settings. For example: /org/gnome/desktop/screensaver/idle-activation-enabledAfter the settings have been set, run dconf update. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
| 3.1.10 | Set GNOME3 Screensaver Lock Delay After Activation Period |
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 0 in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] lock-delay=uint32 0After the settings have been set, run dconf update. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
| 3.1.10 | Install the tmux Package |
To enable console screen locking, install the tmux package.
The tmux package can be installed with the following command:
$ sudo yum install tmuxA session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. Instruct users to begin new terminal sessions with the following command: $ tmuxThe console can now be locked with the following key combination: ctrl+b :lock-session |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
The tmux package allows for a session lock to be implemented and configured. |
| 3.1.10 | Ensure Users Cannot Change GNOME3 Screensaver Settings |
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update. |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. |
| 3.1.10 | Implement Blank Screensaver |
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] picture-uri=string ''Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/screensaver/picture-uriAfter the settings have been set, run dconf update. |
Setting the screensaver mode to blank-only conceals the contents of the display from passersby. |
| 3.1.10 | Enable GNOME3 Screensaver Lock After Idle Period |
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] lock-enabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
| 3.1.10 | Install the screen Package |
To enable console screen locking, install the screen package.
The screen package can be installed with the following command:
$ sudo yum install screenInstruct users to begin new terminal sessions with the following command: $ screenThe console can now be locked with the following key combination: ctrl+a x |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
The screen package allows for a session lock to be implemented and configured. |
| 3.1.10 | Enable GNOME3 Screensaver Idle Activation |
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] idle-activation-enabled=trueOnce the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/screensaver/idle-activation-enabledAfter the settings have been set, run dconf update. |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock.
Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. |
| 3.1.10 | Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-enabledto /etc/dconf/db/local.d/locks/00-security-settings. For example: /org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
| 3.1.10 | Ensure Users Cannot Change GNOME3 Session Idle Settings |
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update. |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. |
| 3.1.11 | Set Interactive Session Timeout |
Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT
setting in a file loaded by /etc/profile, e.g.
/etc/profile.d/tmout.sh should read as follows:
typeset -xr TMOUT=600or declare -xr TMOUT=600Using the typeset keyword is preferred for wider compatibility with ksh and other shells.
|
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. |
| 3.1.11 | Set SSH Client Alive Interval |
SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows: ClientAliveInterval 300 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. |
Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. |
| 3.1.11 | Set SSH Client Alive Count Max | The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. | This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. |
| 3.1.11 | Configure Logind to terminate idle sessions after certain time of inactivity |
To configure logind service to terminate inactive user sessions
after 300 seconds, edit the file
/etc/systemd/logind.conf. Ensure that there is a section
[Login]which contains the configuration StopIdleSessionSec=300. |
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. |
| 3.1.11 | Set SSH Client Alive Count Max to zero | The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. To ensure the SSH timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0 in /etc/ssh/sshd_config: | This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. |
| 3.1.12 | Limit Users' SSH Access | By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically allowing a user's access only from a particular host, the entry can be specified in the form of user@host. - AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. | Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system. |
| 3.1.12 | Disable GSSAPI Authentication |
Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for GSSAPIAuthentication. To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config: GSSAPIAuthentication no |
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. |
| 3.1.12 | Do Not Allow SSH Environment Options |
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment. To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config: PermitUserEnvironment no |
SSH environment options potentially allow users to bypass access restriction in some configurations. |
| 3.1.12 | Disable Kerberos Authentication |
Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for KerberosAuthentication. To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config: KerberosAuthentication no |
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. |
| 3.1.12 | Enable Use of Strict Mode Checking |
SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes. To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config: StrictModes yes |
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
| 3.1.12 | Disable Compression Or Set Compression to delayed |
Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression no |
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. |
| 3.1.12 | Enable Use of Privilege Separation |
When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation sandbox |
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section. |
| 3.1.12 | Disable SSH Support for Rhosts RSA Authentication |
SSH can allow authentication through the obsolete rsh
command through the use of the authenticating user's SSH keys. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: RhostsRSAAuthentication no |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| 3.1.12 | Remove SSH Server firewalld Firewall exception (Unusual) |
By default, inbound connections to SSH's port are allowed. If
the SSH server is not being used, this exception should be removed from the
firewall configuration.
To configure firewalld to prevent access, run the following command(s):
firewall-cmd --permanent --remove-service=ssh
|
If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. |
| 3.1.12 | Disable SSH Support for User Known Hosts |
SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: IgnoreUserKnownHosts yes |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| 3.1.12 | Require Credential Prompting for Remote Access in GNOME3 |
By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino] authentication-methods=['vnc']Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/Vino/authentication-methodsAfter the settings have been set, run dconf update. |
Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely. |
| 3.1.12 | Disable SSH Support for .rhosts Files |
SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts. To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config: IgnoreRhosts yes |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
| 3.1.12 | Disable Host-Based Authentication |
SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication. To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config: HostbasedAuthentication no |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
| 3.1.12 | Enable SSH Server firewalld Firewall Exception |
If the SSH server is in use, inbound connections to SSH's port should be allowed to permit
remote access through SSH. In more restrictive firewalld settings, the SSH port should be
added to the proper firewalld zone in order to allow SSH remote access.
To configure firewalld to allow ssh access, run the following command(s):
firewall-cmd --permanent --add-service=sshThen run the following command to load the newly created rule(s): firewall-cmd --reload |
If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone will allow remote access through the SSH port. |
| 3.1.13 | Remove telnet Clients | The telnet client allows users to start connections to other systems via the telnet protocol. | The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8. |
| 3.1.13 | Require Encryption for Remote Access in GNOME3 |
By default, GNOME requires encryption when using Vino for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino] require-encryption=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/Vino/require-encryptionAfter the settings have been set, run dconf update. |
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. |
| 3.1.13 3.5.4 3.13.8 |
Enable the OpenSSH Service |
The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service |
Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. |
| 3.1.13 3.13.11 3.13.8 |
Use Only FIPS 140-2 Validated MACs |
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1The man page sshd_config(5) contains a list of supported MACs. The rule is parametrized to use the following MACs: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com.
|
DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. |
| 3.1.13 3.4.7 |
Disable rlogin Service |
The rlogin service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rlogin.
The rlogin socket can be disabled with the following command:
$ sudo systemctl mask --now rlogin.socket |
The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
| 3.1.13 3.4.7 |
Disable rexec Service |
The rexec service, which is available with the rsh-server package
and runs as a service through xinetd or separately as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rexec.
The rexec socket can be disabled with the following command:
$ sudo systemctl mask --now rexec.socket |
The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
| 3.1.13 3.4.7 |
Disable rsh Service |
The rsh service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rsh.
The rsh socket can be disabled with the following command:
$ sudo systemctl mask --now rsh.socket |
The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
| 3.1.13 3.4.7 |
Disable telnet Service |
Make sure that the activation of the telnet service on system boot is disabled.
The telnet socket can be disabled with the following command:
$ sudo systemctl mask --now telnet.socket |
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. |
| 3.1.13 3.13.11 3.13.8 |
Use Only FIPS 140-2 Validated Ciphers |
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcThe man page sshd_config(5) contains a list of supported ciphers. The rule is parametrized to use the following ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se.
|
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 8. |
| 3.1.13 3.5.4 |
Allow Only SSH Protocol 2 |
Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. |
| 3.1.13 | Uninstall rsh Package | The rsh package contains the client commands for the rsh services | These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh,rcp, and rlogin. |
| 3.1.13 | Enable Encrypted X11 Forwarding |
By default, remote X11 connections are not encrypted when initiated
by users. SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config: X11Forwarding yes |
Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands remotely. |
| 3.1.13 3.13.10 |
Verify Permissions on SSH Server Public *.pub Key Files |
To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub |
If a public host key file is modified by an unauthorized user, the SSH service may be compromised. |
| 3.1.13 3.13.10 |
Verify Permissions on SSH Server Private *_key Key Files |
SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.
If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter.
|
If an unauthorized user obtains the private SSH host key file, the host could be impersonated. |
| 3.1.16 | Disable Bluetooth Kernel Module |
The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install bluetooth /bin/true |
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
| 3.1.16 | Disable WIFI Network Connection Creation in GNOME3 |
GNOME allows users to create ad-hoc wireless connections through the
NetworkManager applet. Wireless connections should be disabled by
adding or setting disable-wifi-create to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/nm-applet] disable-wifi-create=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/nm-applet/disable-wifi-createAfter the settings have been set, run dconf update. |
Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. |
| 3.1.16 | Deactivate Wireless Network Interfaces |
Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off |
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. |
| 3.1.16 | Disable WIFI Network Notification in GNOME3 |
By default, GNOME disables WIFI notification. This should be permanently set
so that users do not connect to a wireless network when the system finds one.
While useful for mobile devices, this setting should be disabled for all other systems.
To configure the system to disable the WIFI notication, add or set
suppress-wireless-networks-available to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/nm-applet] suppress-wireless-networks-available=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/nm-applet/suppress-wireless-networks-availableAfter the settings have been set, run dconf update. |
Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. |
| 3.1.16 | Disable Bluetooth Service |
The bluetooth service can be disabled with the following command:
$ sudo systemctl mask --now bluetooth.service $ sudo service bluetooth stop |
Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range. |
| 3.1.16 | Prevent non-Privileged Users from Modifying Network Interfaces using nmcli |
By default, non-privileged users are given permissions to modify networking
interfaces and configurations using the nmcli command. Non-privileged
users should not be making configuration changes to network configurations. To
ensure that non-privileged users do not have permissions to make changes to the
network configuration using nmcli, create the following configuration in
/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla:
[Disable General User Access to NetworkManager] Identity=default Action=org.freedesktop.NetworkManager.* ResultAny=no ResultInactive=no ResultActive=auth_admin |
Allowing non-privileged users to make changes to network settings can allow untrusted access, prevent system availability, and/or can lead to a compromise or attack. |
| 3.1.20 | Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.rp_filter = 1 |
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
| 3.1.20 | Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0 |
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. |
| 3.1.20 | Disable IPv6 Addressing on IPv6 Interfaces by Default |
To disable support for (ipv6) addressing on interfaces by default add the following line to
/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
net.ipv6.conf.default.disable_ipv6 = 1This disables IPv6 on network interfaces by default as other services and system functionality require the IPv6 stack loaded to work. |
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. |
| 3.1.20 | Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
| 3.1.20 | Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
| 3.1.20 | Disable Accepting ICMP Redirects for All IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required." |
| 3.1.20 | Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0 |
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
| 3.1.20 | Disable Accepting ICMP Redirects for All IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 |
An illicit ICMP redirect message could result in a man-in-the-middle attack. |
| 3.1.20 | Configure Kernel Parameter for Accepting Secure Redirects By Default |
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.secure_redirects = 0 |
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
| 3.1.20 | Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
| 3.1.20 | Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
| 3.1.20 | Configure Accepting Router Advertisements on All IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0 |
An illicit router advertisement message could result in a man-in-the-middle attack. |
| 3.1.20 | Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.log_martians = 1 |
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
| 3.1.20 | Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. |
| 3.1.20 | Disable Accepting Router Advertisements on all IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 |
An illicit router advertisement message could result in a man-in-the-middle attack. |
| 3.1.20 | Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1 |
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
| 3.1.20 | Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 |
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. |
| 3.1.20 | Disable IPv6 Addressing on All IPv6 Interfaces |
To disable support for (ipv6) addressing on all interface add the following line to
/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
net.ipv6.conf.all.disable_ipv6 = 1This disables IPv6 on all network interfaces as other services and system functionality require the IPv6 stack loaded to work. |
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. |
| 3.1.20 | Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
| 3.1.20 | Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. |
| 3.1.20 | Use Privacy Extensions for Address |
To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
/etc/sysconfig/network-scripts/ifcfg-interface:
IPV6_PRIVACY=rfc3041Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied. |
|
| 3.1.20 | Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 |
An illicit ICMP redirect message could result in a man-in-the-middle attack. |
| 3.1.20 | Disable Support for RPC IPv6 |
RPC services for NFSv4 try to load transport modules for
udp6 and tcp6 by default, even if IPv6 has been disabled in
/etc/modprobe.d. To prevent RPC services such as rpc.mountd
from attempting to start IPv6 network listeners, remove or comment out the
following two lines in /etc/netconfig:
udp6 tpi_clts v inet6 udp - - tcp6 tpi_cots_ord v inet6 tcp - - |
|
| 3.1.20 | Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
| 3.1.20 | Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.log_martians = 1 |
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
| 3.1.20 | Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
| 3.1.21 | Disable Modprobe Loading of USB Storage Driver |
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/falseTo configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storageThis will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually. |
USB storage devices such as thumb drives can be used to introduce malicious software. |
| 3.3.1 | System Audit Logs Must Be Owned By Root |
All audit logs must be owned by root user. The path for audit log can be
configured via log_file parameter in /etc/audit/auditd.confor by default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
| 3.3.1 3.3.4 |
Shutdown System When Auditing Failures Occur |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to to the bottom of a file with suffix
.rules in the directory /etc/audit/rules.d:
-f 2If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the bottom of the /etc/audit/audit.rules file: -f 2 |
It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.
Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. |
| 3.3.1 | System Audit Directories Must Be Group Owned By Root |
All audit directories must be group owned by root user. By default, the path for audit log is /var/log/audit/. To properly set the group owner of /var/log/audit, run the command:
$ sudo chgrp root /var/log/auditIf log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit directories to this specific group. |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
| 3.3.1 | Enable Auditing for Processes Which Start Prior to the Audit Daemon |
To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line
argument to newly installed kernels, add audit=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit=1" |
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. |
| 3.3.1 | Configure auditd mail_acct Action on Low Disk Space |
The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root |
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. |
| 3.3.1 | Configure auditd admin_space_left Action on Low Disk Space |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTIONSet this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. |
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. |
| 3.3.1 3.4.3 |
Make the auditd Configuration Immutable |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable: -e 2With this setting, a reboot will be required to change any audit rules. |
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. |
| 3.3.1 | System Audit Logs Must Have Mode 0640 or Less Permissive |
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logConfigure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: $ sudo chmod 0600 audit_log_fileBy default, audit_log_file is "/var/log/audit/audit.log". |
If users can write to audit logs, audit trails can be modified or destroyed. |
| 3.3.1 | Enable Auditing for Processes Which Start Prior to the Audit Daemon | To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf. | Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. |
| 3.3.1 3.3.2 3.3.6 |
Enable auditd Service |
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service |
Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
| 3.3.1 | Configure auditd to use audispd's syslog plugin |
To configure the auditd service to use the
syslog plug-in of the audispd audit event multiplexor, set
the active line in /etc/audit/plugins.d/syslog.conf to yes.
Restart the auditd service:
$ sudo service auditd restart |
The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. |
| 3.3.1 | System Audit Logs Must Be Owned By Root |
All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/auditTo properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
| 3.3.1 | Configure auditd Number of Logs Retained |
Determine how many log files
auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf. Add or modify the following
line, substituting NUMLOGS with the correct value of 5:
num_logs = NUMLOGSSet the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
| 3.3.1 | Configure auditd flush priority |
The auditd service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in /etc/audit/auditd.conf to ensure that audit event data is
fully synchronized with the log files on the disk:
flush = data |
Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. |
| 3.3.1 | System Audit Directories Must Be Owned By Root |
All audit directories must be owned by root user. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
| 3.3.1 | System Audit Logs Must Be Group Owned By Root |
All audit logs must be group owned by root user. The path for audit log can
be configured via log_file parameter in /etc/audit/auditd.confor, by default, the path for audit log is /var/log/audit/. To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to this specific group. |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
| 3.3.1 | Configure auditd space_left Action on Low Disk Space |
The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page. These include:
|
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
| 3.3.7 | Specify a Remote NTP Server |
Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 8 system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
for more detailed comparison of the features of both of the choices, and for
further guidance how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:
server ntpserverThis instructs the NTP software to contact that remote server to obtain time data. |
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. |
| 3.3.7 | Enable the NTP Daemon |
Run the following command to determine the current status of the
chronyd service:
$ sudo systemctl is-active chronydIf the service is running, it should return the following: activeNote: The chronyd daemon is enabled by default. Run the following command to determine the current status of the ntpd service:
$ sudo systemctl is-active ntpdIf the service is running, it should return the following: activeNote: The ntpd daemon is not enabled by default. Though as mentioned in the previous sections in certain environments the ntpd daemon might be preferred to be used rather than the chronyd one. Refer to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for guidance which NTP daemon to choose depending on the environment used. |
Enabling some of chronyd or ntpd services ensures
that the NTP daemon will be running and that the system will synchronize its
time to any servers specified. This is important whether the system is
configured to be a client (and synchronize only its own clock) or it is also
acting as an NTP server to other systems. Synchronizing time is essential for
authentication services such as Kerberos, but it is also important for
maintaining accurate logs and auditing possible security breaches.
The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. |
| 3.3.8 3.4.1 |
Verify and Correct File Permissions with RPM |
The RPM package management system can check file access permissions of installed software
packages, including many that are important to system security. Verify that the file
permissions of system files and commands match vendor values. Check the file permissions with
the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults.
After locating a file with incorrect permissions, run the following command to determine which
package owns it:
$ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --restore PACKAGENAME |
Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. |
| 3.3.8 3.4.1 |
Verify and Correct Ownership with RPM |
The RPM package management system can check file ownership permissions of installed software
packages, including many that are important to system security. After locating a file with
incorrect permissions, which can be found with:
rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
run the following command to determine which package owns it:
$ rpm -qf FILENAMENext, run the following command to reset its permissions to the correct values: $ sudo rpm --restore PACKAGENAME |
Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated. |
| 3.3.8 3.4.1 |
Verify File Hashes with RPM |
Without cryptographic integrity protections, system executables and files can be altered by
unauthorized users without detection. The RPM package management system can check the hashes
of installed software packages, including many that are important to system security.
To verify that the cryptographic hash of system files and commands matches vendor values, run
the following command to list which files on the system have hashes that differ from what is
expected by the RPM database:
$ rpm -Va --noconfig | grep '^..5'If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file: $ rpm -qf FILENAMEThe package can be reinstalled from a yum repository using the command: $ sudo yum reinstall PACKAGENAMEAlternatively, the package can be reinstalled from trusted media using the command: $ sudo rpm -Uvh PACKAGENAME |
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. |
| 3.4.5 | Verify /boot/grub2/user.cfg Permissions |
File permissions for /boot/grub2/user.cfg should be set to 600.
To properly set the permissions of /boot/grub2/user.cfg, run the command:
$ sudo chmod 600 /boot/grub2/user.cfg |
Proper permissions ensure that only the root user can read or modify important boot parameters. |
| 3.4.5 | Disable Ctrl-Alt-Del Burst Action |
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.
To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf: CtrlAltDelBurstAction=none |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
| 3.4.5 | Verify /boot/grub2/user.cfg Group Ownership |
The file /boot/grub2/user.cfg should be group-owned by the root
group to prevent reading or modification of the file.
To properly set the group owner of /boot/grub2/user.cfg, run the command:
$ sudo chgrp root /boot/grub2/user.cfg |
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. |
| 3.4.5 | Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg |
Only root should be able to modify important boot parameters. |
| 3.4.5 | Verify the UEFI Boot Loader grub.cfg Group Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg |
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. |
| 3.4.5 | Set the UEFI Boot Loader Password |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
| 3.4.5 | Verify /boot/grub2/grub.cfg Group Ownership |
The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg |
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. |
| 3.4.5 | Verify /boot/grub2/grub.cfg Permissions |
File permissions for /boot/grub2/grub.cfg should be set to 600.
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg |
Proper permissions ensure that only the root user can modify important boot parameters. |
| 3.4.5 | Disable debug-shell SystemD Service |
SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service |
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
| 3.4.5 | Set the Boot Loader Admin Username to a Non-Default Value |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change. Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running: grubby --update-kernel=ALL --env=/boot/grub2/grubenv |
Having a non-default grub superuser username makes password-guessing attacks less effective. |
| 3.4.5 | Verify the UEFI Boot Loader grub.cfg Permissions |
File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg |
Proper permissions ensure that only the root user can modify important boot parameters. |
| 3.4.5 | Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg |
Only root should be able to modify important boot parameters. |
| 3.4.5 | Verify /boot/efi/EFI/redhat/user.cfg Permissions |
File permissions for /boot/efi/EFI/redhat/user.cfg should be set to 600.
To properly set the permissions of /boot/efi/EFI/redhat/user.cfg, run the command:
$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg |
Proper permissions ensure that only the root user can read or modify important boot parameters. |
| 3.4.5 | Verify /boot/efi/EFI/redhat/user.cfg User Ownership |
The file /boot/efi/EFI/redhat/user.cfg should be owned by the root
user to prevent reading or modification of the file.
To properly set the owner of /boot/efi/EFI/redhat/user.cfg, run the command:
$ sudo chown root /boot/efi/EFI/redhat/user.cfg |
Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. |
| 3.4.5 | Set Boot Loader Password in grub2 |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
| 3.4.5 | Set the UEFI Boot Loader Admin Username to a Non-Default Value |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change. It is highly suggested not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running: grubby --update-kernel=ALL --env=/boot/grub2/grubenv |
Having a non-default grub superuser username makes password-guessing attacks less effective. |
| 3.4.5 | Verify /boot/efi/EFI/redhat/user.cfg Group Ownership |
The file /boot/efi/EFI/redhat/user.cfg should be group-owned by the
root group to prevent reading or modification of the file.
To properly set the group owner of /boot/efi/EFI/redhat/user.cfg, run the command:
$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg |
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. |
| 3.4.5 | Verify /boot/grub2/user.cfg User Ownership |
The file /boot/grub2/user.cfg should be owned by the root
user to prevent reading or modification of the file.
To properly set the owner of /boot/grub2/user.cfg, run the command:
$ sudo chown root /boot/grub2/user.cfg |
Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. |
| 3.4.5 | Disable Ctrl-Alt-Del Reboot Activation |
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following: ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.targetor systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates. |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
| 3.4.6 | Disable Mounting of hfsplus |
To configure the system to prevent the hfsplus
kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:
install hfsplus /bin/falseTo configure the system to prevent the hfsplus from being used,
add the following line to file /etc/modprobe.d/hfsplus.conf:
blacklist hfsplusThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
| 3.4.6 | Disable Mounting of udf |
To configure the system to prevent the udf
kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:
install udf /bin/falseTo configure the system to prevent the udf from being used,
add the following line to file /etc/modprobe.d/udf.conf:
blacklist udfThis effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is neccessary to support writing DVDs and newer optical disc formats. |
Removing support for unneeded filesystem types reduces the local attack surface of the system. |
| 3.4.6 | Disable Mounting of jffs2 |
To configure the system to prevent the jffs2
kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
install jffs2 /bin/falseTo configure the system to prevent the jffs2 from being used,
add the following line to file /etc/modprobe.d/jffs2.conf:
blacklist jffs2This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
| 3.4.6 | Disable Mounting of vFAT filesystems |
To configure the system to prevent the vfat
kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:
install vfat /bin/falseTo configure the system to prevent the vfat from being used,
add the following line to file /etc/modprobe.d/vfat.conf:
blacklist vfatThis effectively prevents usage of this uncommon filesystem. The vFAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12, FAT16, and FAT32 all of which are supported by the vfat kernel module. |
Removing support for unneeded filesystems reduces the local attack surface of the system. |
| 3.4.6 | Disable the Automounter |
The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service |
Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity. |
| 3.4.6 | Disable Mounting of cramfs |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/falseTo configure the system to prevent the cramfs from being used,
add the following line to file /etc/modprobe.d/cramfs.conf:
blacklist cramfsThis effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image. |
Removing support for unneeded filesystem types reduces the local attack surface of the server. |
| 3.4.6 | Disable Mounting of hfs |
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf:
install hfs /bin/falseTo configure the system to prevent the hfs from being used,
add the following line to file /etc/modprobe.d/hfs.conf:
blacklist hfsThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
| 3.4.6 | Disable Mounting of freevxfs |
To configure the system to prevent the freevxfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
install freevxfs /bin/falseTo configure the system to prevent the freevxfs from being used,
add the following line to file /etc/modprobe.d/freevxfs.conf:
blacklist freevxfsThis effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
| 3.4.6 | Disable DCCP Support |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf:
install dccp /bin/falseTo configure the system to prevent the dccp from being used,
add the following line to file /etc/modprobe.d/dccp.conf:
blacklist dccp |
Disabling DCCP protects the system against exploitation of any flaws in its implementation. |
| 3.4.6 | Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/falseTo configure the system to prevent the sctp from being used,
add the following line to file /etc/modprobe.d/sctp.conf:
blacklist sctp |
Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
| 3.4.6 | Disable Mounting of squashfs |
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
install squashfs /bin/falseTo configure the system to prevent the squashfs from being used,
add the following line to file /etc/modprobe.d/squashfs.conf:
blacklist squashfsThis effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image. |
Removing support for unneeded filesystem types reduces the local attack surface of the system. |
| 3.4.7 | Disable xinetd Service |
The xinetd service can be disabled with the following command:
$ sudo systemctl mask --now xinetd.service |
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. |
| 3.4.8 | Ensure Amazon GPG Key Installed |
To ensure the system can cryptographically verify base software packages
come from Amazon (and to connect to the Amazon Network to receive them),
the Amazon GPG key must properly be installed. To install the Amazon GPG
key, run:
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 |
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Amazon GPG key is necessary to cryptographically verify packages are from Amazon. |
| 3.4.8 | Ensure SUSE GPG Key Installed |
To ensure the system can cryptographically verify base software packages
come from SUSE (and to connect to the SUSE to receive them),
the SUSE GPG key must properly be installed. To install the SUSE GPG
key, run:
$ sudo zypper install suse-build-keyIf the system is not connected to the Internet or an RHN Satellite, then install the SUSE GPG key from trusted media such as the SUSE installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/content.keyor $ sudo rpm --import /media/cdrom/repodata/repomd.xml.keyAlternatively, the key may be pre-loaded during the SUSE installation. In such cases, one can use the repository cache files to install the key, for example by running the following command: sudo rpm --import /var/cache/zypp/raw/Basesystem_Module_15_SP2_x86_64:SLE-Module-Basesystem15-SP2-Pool/repodata/repomd.xml.key |
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The SUSE GPG key is necessary to cryptographically verify packages are from SUSE. |
| 3.4.8 | Ensure Fedora GPG Key Installed |
To ensure the system can cryptographically verify base software
packages come from Fedora (and to connect to the Fedora Network to
receive them), the Fedora GPG key must properly be installed.
To install the Fedora GPG key, run one of the commands below, depending on your Fedora vesion:
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora--primary" $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora--primary" |
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Fedora GPG key is necessary to cryptographically verify packages are from Fedora." |
| 3.4.8 | Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
| 3.4.8 | Ensure gpgcheck Enabled for Local Packages | yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. |
Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. |
| 3.4.8 | Ensure gpgcheck Enabled for All yum Package Repositories |
To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." |
| 3.4.8 | Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software packages
come from Red Hat (and to connect to the Red Hat Network to receive them),
the Red Hat GPG key must properly be installed. To install the Red Hat GPG
key, run:
$ sudo subscription-manager registerIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/RPM-GPG-KEYAlternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release |
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. |
| 3.4.8 | Ensure yum Removes Previous Package Versions | yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. |
| 3.5.6 | Set existing passwords a period of inactivity before they been locked |
Configure user accounts that have been inactive for over a given period of time
to be automatically disabled by running the following command:
$ sudo chage --inactive 30USER |
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies. |
| 3.5.6 | Set Password Maximum Age |
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 60A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 60. |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
| 3.5.6 | Set Account Expiration Following Inactivity |
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=35If a password is currently on the verge of expiration, then 35 day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus 35 day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information. |
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. |
| 3.5.7 | Set Password Minimum Length in login.defs |
To specify password length requirements for new accounts, edit the file
/etc/login.defs and add or correct the following line:
PASS_MIN_LEN 15 The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is 15. If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements. |
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. |
| 3.5.8 | Limit Password Reuse | Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| 3.5.8 | Set Password Minimum Age |
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 7A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 7. |
Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
| 3.5.8 | Limit Password Reuse: password-auth |
Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature: authselect enable-feature with-pwhistoryOtherwise, it should be enabled using an authselect custom profile. Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files. The value for remember option must be equal or greater than 5 |
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| 3.5.8 | Limit Password Reuse: system-auth |
Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
On systems with newer versions of authselect, the pam_pwhistory PAM module can be enabled via authselect feature: authselect enable-feature with-pwhistoryOtherwise, it should be enabled using an authselect custom profile. Newer systems also have the /etc/security/pwhistory.conf file for setting pam_pwhistory module options. This file should be used whenever available. Otherwise, the pam_pwhistory module options can be set in PAM files. The value for remember option must be equal or greater than 5 |
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| 3.5.8 | Set Password Warning Age |
To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGE 7The DoD requirement is 7. The profile requirement is 7. |
Setting the password warning age enables users to make the change at a practical time. |
| 3.5.10 | Verify All Account Password Hashes are Shadowed | If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. | The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users. |
| 3.7.2 | Disable the awstats_purge_apache_log_files SELinux Boolean |
By default, the SELinux boolean awstats_purge_apache_log_files is disabled.
If this setting is enabled, it should be disabled.
To disable the awstats_purge_apache_log_files SELinux boolean, run the following command:
$ sudo setsebool -P awstats_purge_apache_log_files off |
|
| 3.7.2 | Disable the abrt_anon_write SELinux Boolean |
By default, the SELinux boolean abrt_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the abrt_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P abrt_anon_write off |
|
| 3.7.2 | Disable the abrt_upload_watch_anon_write SELinux Boolean |
By default, the SELinux boolean abrt_upload_watch_anon_write is enabled.
This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT)
to modify public files used for public file transfer services.
To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P abrt_upload_watch_anon_write off |
|
| 3.7.2 | Disable the authlogin_yubikey SELinux Boolean |
By default, the SELinux boolean authlogin_yubikey is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_yubikey SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_yubikey off |
|
| 3.7.2 | Enable the antivirus_can_scan_system SELinux Boolean |
By default, the SELinux boolean antivirus_can_scan_system is disabled.
This setting should be enabled as it allows antivirus programs to read non-security
files on a system.
To enable the antivirus_can_scan_system SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_can_scan_system on |
|
| 3.7.2 | Disable the abrt_handle_event SELinux Boolean |
By default, the SELinux boolean abrt_handle_event is disabled.
If this setting is enabled, it should be disabled.
To disable the abrt_handle_event SELinux boolean, run the following command:
$ sudo setsebool -P abrt_handle_event off |
|
| 3.7.2 | Disable the boinc_execmem SELinux Boolean |
By default, the SELinux boolean boinc_execmem is enabled.
This setting should be disabled.
To disable the boinc_execmem SELinux boolean, run the following command:
$ sudo setsebool -P boinc_execmem off |
|
| 3.7.2 | Disable the authlogin_radius SELinux Boolean |
By default, the SELinux boolean authlogin_radius is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_radius SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_radius off |
|
| 3.7.2 | Disable the antivirus_use_jit SELinux Boolean |
By default, the SELinux boolean antivirus_use_jit is disabled.
If this setting is enabled, it should be disabled.
To disable the antivirus_use_jit SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_use_jit off |
|
| 3.7.2 | Disable the authlogin_nsswitch_use_ldap SELinux Boolean |
By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_nsswitch_use_ldap SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_nsswitch_use_ldap off |
|
| 3.13.8 3.13.11 |
Enable FIPS Mode in GRUB2 |
To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
$ sudo yum install dracut-fips dracut -fAfter the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"Finally, rebuild the grub.cfg file by using the grub2-mkconfig -ocommand as follows:
|
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| 3.13.11 | Disable Prelinking |
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink:
PRELINKING=noNext, run the following command to return binaries to a normal, non-prelinked state: $ sudo /usr/sbin/prelink -ua |
Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc. |
| 3.13.11 | Set PAM''s Password Hashing Algorithm - password-auth |
The PAM system service can be configured to only store encrypted representations of passwords.
In /etc/pam.d/password-auth, the password section of the file controls which
PAM modules to execute during a password change.
Set the pam_unix.so module in the password section to include the option
sha512 and no other hashing
algorithms as shown below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure that new passwords for local users will be stored using the sha512 algorithm. |
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option in /etc/libuser.conf ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. |
| 3.13.11 | Set Password Hashing Algorithm in /etc/login.defs |
In /etc/login.defs, add or update the following line to ensure the system will use
SHA512 as the hashing algorithm:
ENCRYPT_METHOD SHA512 |
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult. |
| 3.13.11 | Configure AIDE to Use FIPS 140-2 for Validating Hashes |
By default, the sha512 option is added to the NORMAL ruleset in AIDE.
If using a custom ruleset or the sha512 option is missing, add sha512
to the appropriate ruleset.
For example, add sha512 to the following line in /etc/aide.conf:
NORMAL = FIPSR+sha512AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. |
File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. |
| 3.13.11 3.13.8 |
Install the dracut-fips Package |
To enable FIPS, the system requires that the dracut-fips
package be installed.
The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| 3.13.11 | Set Password Hashing Algorithm in /etc/libuser.conf |
In /etc/libuser.conf, add or correct the following line in its [defaults]
section to ensure the system will use the sha512
algorithm for password hashing:
crypt_style = sha512 |
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option in /etc/libuser.conf ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. |
| 3.13.11 | Enable the fips_mode SELinux Boolean |
By default, the SELinux boolean fips_mode is enabled.
This allows all SELinux domains to execute in fips_mode.
If this setting is disabled, it should be enabled.
To enable the fips_mode SELinux boolean, run the following command:
$ sudo setsebool -P fips_mode on |
|
| 3.13.11 3.13.8 |
Install the dracut-fips-aesni Package |
To enable FIPS on system that support the Advanced Encryption Standard (AES) or New
Instructions (AES-NI) engine, the system requires that the dracut-fips-aesni
package be installed.
The dracut-fips-aesni package can be installed with the following command:
$ sudo yum install dracut-fips-aesni |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| 3.13.11 | Set PAM''s Password Hashing Algorithm |
The PAM system service can be configured to only store encrypted representations of passwords.
In "/etc/pam.d/system-auth", the password section of the file controls which
PAM modules to execute during a password change.
Set the pam_unix.so module in the password section to include the option
sha512 and no other hashing
algorithms as shown below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure that new passwords for local users will be stored using the sha512 algorithm. |
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option in /etc/libuser.conf ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. |
| 3.13.16 | Encrypt Partitions |
Red Hat Enterprise Linux 8 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASEAny PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening . |
The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. |
| 80424-5 | Enable the auditadm_exec_content SELinux Boolean |
By default, the SELinux boolean auditadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the auditadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P auditadm_exec_content on |