Generator: python 2.6.6, OVAL schema version 5.10, generated 2011-09-21T13:44:00

Ensure /var/log/audit Located On Separate Partition (Red Hat Enterprise Linux 6, 7): Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Verify group who owns 'passwd' file (Red Hat Enterprise Linux 6, 7): The /etc/passwd file should be owned by the appropriate group.
Verify /etc/shadow Permissions (Red Hat Enterprise Linux 6, 7): This test makes sure that /etc/shadow is owned by 0, group owned by 0, and has mode 0000. If the target file or directory has an extended ACL then it will fail the mode check.
Red Hat Enterprise Linux 7 (Red Hat Enterprise Linux 7): The operating system installed on the system is Red Hat Enterprise Linux 7.
Set Password Expiration Parameters (Red Hat Enterprise Linux 6, 7): The minimum password age policy should be set appropriately.
SELinux Enforcing (Red Hat Enterprise Linux 6, 7): The SELinux state should be enforcing the local policy.
Verify user who owns 'passwd' file (Red Hat Enterprise Linux 6, 7): The /etc/passwd file should be owned by the appropriate user.
Lock out account after failed login attempts (Red Hat Enterprise Linux 6, 7): The number of allowed failed logins should be set correctly.
Set Password ucredit Requirements (Red Hat Enterprise Linux 6, 7): The password ucredit should meet minimum requirements using pam_cracklib.
Verify user who owns 'gshadow' file (Red Hat Enterprise Linux 6, 7): The /etc/gshadow file should be owned by the appropriate user.
Limit Password Reuse (Red Hat Enterprise Linux 6, 7): The passwords to remember should be set correctly.
Require Authentication for Single-User Mode (Red Hat Enterprise Linux 6, 7): The requirement for a password to boot into single-user mode should be configured correctly.
Verify /etc/gshadow Permissions (Red Hat Enterprise Linux 6, 7): This test makes sure that /etc/gshadow is owned by 0, group owned by 0, and has mode 0000. If the target file or directory has an extended ACL then it will fail the mode check.
Set Password ocredit Requirements (Red Hat Enterprise Linux 6, 7): The password ocredit should meet minimum requirements using pam_cracklib.
Verify user who owns 'shadow' file (Red Hat Enterprise Linux 6, 7): The /etc/shadow file should be owned by the appropriate user.
No nullok Option in /etc/pam.d/system-auth (Red Hat Enterprise Linux 6, 7): The file /etc/pam.d/system-auth should not contain the nullok option.
Verify /etc/passwd Permissions (Red Hat Enterprise Linux 6, 7): This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644. If the target file or directory has an extended ACL then it will fail the mode check.
Do Not Allow Users to Set Environment Options (Red Hat Enterprise Linux 6, 7): PermitUserEnvironment should be disabled.
Ensure Yum gpgcheck Globally Activated (Red Hat Enterprise Linux 6, 7): The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.
Ensure /home Located On Separate Partition (Red Hat Enterprise Linux 6, 7): If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.
Disable Host-Based Authentication (Red Hat Enterprise Linux 6, 7): SSH host-based authentication should be disabled.
Ensure /var/log Located On Separate Partition (Red Hat Enterprise Linux 6, 7): System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume.
Ensure Only Protocol 2 Connections Allowed (Red Hat Enterprise Linux 6, 7): The OpenSSH daemon should be running protocol 2.
Ensure gpgcheck Enabled For All Yum Package Repositories (Red Hat Enterprise Linux 6, 7): Ensure all yum repositories utilize signature checking.
Set Password retry Requirements (Red Hat Enterprise Linux 6, 7): The password retry should meet minimum requirements using pam_cracklib.
Disable root Login via SSH (Red Hat Enterprise Linux 6, 7): Root login via SSH should be disabled (and dependencies are met).
Verify /var/log/audit Permissions (Red Hat Enterprise Linux 6, 7): Checks for correct permissions for all log files in /var/log/audit.
Ensure /tmp Located On Separate Partition (Red Hat Enterprise Linux 6, 7): The /tmp directory is a world-writable directory used for temporary file storage. Verify that it has its own partition or logical volume.
Enable SELinux (Red Hat Enterprise Linux 6, 7): The SELinux policy should be set appropriately.
Set ClientAliveCountMax for User Logins (Red Hat Enterprise Linux 6, 7): The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met).
Set Password difok Requirements (Red Hat Enterprise Linux 6): The password difok should meet minimum requirements using pam_cracklib.
Verify permissions on 'group' file (Red Hat Enterprise Linux 6, 7): File permissions for /etc/group should be set correctly.
System Accounts Do Not Run a Shell (Red Hat Enterprise Linux 6, 7): The root account is the only system account that should have a login shell.
Set Password Expiration Parameters (Red Hat Enterprise Linux 6, 7): The password minimum length should be set appropriately.
Set Password dcredit Requirements (Red Hat Enterprise Linux 6, 7): The password dcredit should meet minimum requirements using pam_cracklib.
Set Password Hashing Algorithm in /etc/pam.d/system-auth (Red Hat Enterprise Linux 6, 7): The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.
Verify that Shared Library Files Have Root Ownership (Fedora 19, Red Hat Enterprise Linux 6, 7): Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root.
Set SHA512 Password Hashing Algorithm in /etc/libuser.conf (Red Hat Enterprise Linux 6, 7): The password hashing algorithm should be set correctly in /etc/libuser.conf.
Disable Empty Passwords (Red Hat Enterprise Linux 6, 7): Remote connections from accounts with empty passwords should be disabled (and dependencies are met).
Enable a Warning Banner (Red Hat Enterprise Linux 6, 7): SSH warning banner should be enabled (and dependencies are met).
Set SHA512 Password Hashing Algorithm in /etc/login.defs (Red Hat Enterprise Linux 6, 7): The password hashing algorithm should be set correctly in /etc/login.defs.
Set OpenSSH Idle Timeout Interval (Red Hat Enterprise Linux 6, 7): The SSH idle timeout interval should be set to an appropriate value.
All Password Hashes Shadowed (Red Hat Enterprise Linux 6, 7): All password hashes should be shadowed.
Disable .rhosts Files (Red Hat Enterprise Linux 6, 7): Emulation of the rsh command through the ssh server should be disabled (and dependencies are met).
Test for x86_64 Architecture (Red Hat Enterprise Linux 6, 7): Generic test for x86_64 architecture to be used by other tests.
Service sshd Disabled (Red Hat Enterprise Linux 7): The sshd service should be disabled.
Test for x86 Architecture (Red Hat Enterprise Linux 6, 7): Generic test for x86 architecture to be used by other tests.
Verify group who owns 'gshadow' file (Red Hat Enterprise Linux 6, 7): The /etc/gshadow file should be owned by the appropriate group.
Verify group who owns 'shadow' file (Red Hat Enterprise Linux 6, 7): The /etc/shadow file should be owned by the appropriate group.
Package openssh-server Removed (Red Hat Enterprise Linux 6, 7): The RPM package openssh-server should be removed.
Verify that System Executables Have Restrictive Permissions (Fedora 19, Red Hat Enterprise Linux 6, 7): Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, and /usr/local/sbin, are not group-writable or world-writable.
Verify that Shared Library Files Have Restrictive Permissions (Fedora 19, Red Hat Enterprise Linux 6, 7): Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are not group-writable or world-writable.
Set Password lcredit Requirements (Red Hat Enterprise Linux 6, 7): The password lcredit should meet minimum requirements using pam_cracklib.
Set Password Expiration Parameters (Red Hat Enterprise Linux 6, 7): The password expiration warning age should be set appropriately.
Verify that System Executables Have Root Ownership (Fedora 19, Red Hat Enterprise Linux 6, 7): Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, and objects therein, are owned by root.
Use Only Approved Ciphers (Red Hat Enterprise Linux 6, 7): Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode.
UID 0 Belongs Only To Root (Red Hat Enterprise Linux 6, 7): Only the root account should be assigned a user id of 0.
Ensure /var Located On Separate Partition (Red Hat Enterprise Linux 7): Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options on a directory that is used as temporary storage by many programs, particularly system services such as daemons. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages.
Package aide Installed (Red Hat Enterprise Linux 6, 7): The RPM package aide should be installed.
Verify user who owns 'group' file (Red Hat Enterprise Linux 6, 7): The /etc/group file should be owned by the appropriate user.
Red Hat Release and Auxiliary gpg-pubkey Packages Installed (Red Hat Enterprise Linux 6, 7): The Red Hat release and auxiliary key packages are required to be installed.
Verify group who owns 'group' file (Red Hat Enterprise Linux 6, 7): The /etc/group file should be owned by the appropriate group.
Status: draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of
security-relevant configuration settings for Red Hat Enterprise Linux 7 formatted in the eXtensible Configuration Checklist Description Format (XCCDF).

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for RHEL 7 is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

The SCAP Security Guide Project
https://fedorahosted.org/scap-security-guide
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.

Version 0.9

Profiles:
test: This profile is for testing.
Common Profile for General-Purpose Systems: This profile contains items common to general-purpose desktop and server installations.