-
Notifications
You must be signed in to change notification settings - Fork 15
/
ubuntu-xccdf.xml
5150 lines (4994 loc) · 317 KB
/
ubuntu-xccdf.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_ubuntu_benchmark_draft" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
<!-- METADATA -->
<status date="2014-06-06">draft</status>
<title>Ubuntu 12.04/14.04 SCAP Profiles</title>
<description>
This SCAP file provides a GovReady security audit for Ubuntu 12.04/14.04 Server.
</description>
<platform idref="cpe:/o:ubuntu-trusty:linux"/>
<version>0.01</version>
<model system="urn:xccdf:scoring:default"/>
<model system="urn:xccdf:scoring:flat"/>
<model system="urn:xccdf:scoring:flat-unweighted"/>
<!-- PROFILES -->
<Profile id="xccdf_ubuntu_profile_default">
<title>Ubuntu 12.04/14.04 Server</title>
<description>
This profile contains all of the checks available.
</description>
<select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_umask_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_deactivate_wireless_interfaces" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_group" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_homedir_perms_no_groupwrite_worldread" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind_var" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mountopt_nodev_on_nonroot_partitions" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mountopt_nodev_on_removable_partitions" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_mountopt_nosuid_on_removable_partitions" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_partition_for_home" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_postfix_network_listening" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_require_smb_client_signing" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_require_smb_client_signing_mount.cifs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_root_path_no_dot" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_none" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_rsyslog_file_permissions" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_rsyslog_send_messages_to_logserver" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_set_system_login_banner" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sticky_world_writable_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_ipv4_all_send_redirects" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_ipv4_ip_forward" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_ipv6_default_accept_redirects" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_use_nodev_option_on_nfs_mounts" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_use_nosuid_option_on_nfs_mounts" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_userowner_rsyslog_files" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_userowner_shadow_file" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_world_writable_files_system_ownership" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_world_writeable_files" selected="true"/>
<!--
NEED TO BE CHECKED AND EITHER REMOVED OR REPLACED WITH AN UBUNTU-SPECIFIC RULE
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_cracklib_dcredit" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_cracklib_difok" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_cracklib_lcredit" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_cracklib_ocredit" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_cracklib_retry" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_cracklib_ucredit" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_reuse_limit" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_umask_bashrc" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_umask_cshrc" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_account_changes" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_config_immutable" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_kernel_module_loading" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_mac_changes" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_media_exports" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_network_modifications" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_privileged_commands" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_audit_sysadmin_actions" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_bootloader_password" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_configure_auditd_max_log_file" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_configure_auditd_max_log_file_action" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_configure_auditd_num_logs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_avahi" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_dhcp_client" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_dhcp_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_dns_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_dovecot" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_httpd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_interactive_boot" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_rexec" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_rlogin" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_rsh" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_smb_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_snmpd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_squid" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_telnet_service" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_tftp" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_vsftpd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_xinetd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_xwindows_with_runlevel" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_disable_ypbind" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_enable_auditd_bootloader" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_enable_auditd_bootloader" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_enable_selinux_bootloader" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_enable_selinux_bootloader" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_group_owner_grub_conf" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_groupowner_rsyslog_files" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_groupowner_shadow_file" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ldap_client_start_tls" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_network_disable_zeroconf" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_group" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_unpackaged_sgid_files" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_unpackaged_suid_files" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_package_openldap-servers_removed" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_package_sendmail_removed" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_packagegroup_xwindows_remove" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_permissions_grub_conf" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_abrtd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_atd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_crond_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_ip6tables_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_iptables_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_kdump_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_netfs_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_nfslock_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_ntpdate_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_portreserve_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_qpidd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_rdisc_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_rhnsd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_set_iptables_default_rule" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_umask_for_daemons" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_bind" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_dhcp_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_dovecot" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_httpd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_net-snmp" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_rsh-server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_squid" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_telnet_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_tftp-server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_vsftpd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_xinetd" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_uninstall_ypserv" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_user_owner_grub_conf" selected="true"/>
-->
<!-- NO UBUNTU EQUIVALENT
<select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" selected="true"/>
-->
<!-- POSSIBLY OBSOLETE?
These rules should be reconsidered!
<select idref="xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled" selected="true"/>
-->
<!-- NOT AUTOMATED
These checks from SSG have no actual criteria and so are not checked in an automated way.
They should be replaced by rules that actually check something.
<select idref="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" selected="true"/>
-->
<refine-value idref="xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value" selector="root"/>
<refine-value idref="xccdf_org.ssgproject.content_value_file_owner_logfiles_value" selector="root"/>
<refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="usgcb_default"/>
<refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_log_martians_value" selector="enabled"/>
<refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_secure_redirects_value" selector="disabled"/>
<refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_secure_redirects_value" selector="disabled"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" selector="30"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="12"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" selector="077"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_password_history_retain_limit" selector="5"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="1"/>
</Profile>
<!-- DEFINITIONS -->
<Value id="xccdf_org.ssgproject.content_value_conditional_clause" operator="equals" type="string">
<title xml:lang="en-US">A conditional clause for check statements.</title>
<description xml:lang="en-US">A conditional clause for check statements.</description>
<value>This is a placeholder.</value>
</Value>
<!-- TESTS -->
<Group id="xccdf_ubuntu_group_redhat">
<title>Tests Imported from the Red Hat Scap Security Guide</title>
<description>
These tests have been imported from ssg-rhel6-xccdf-1.2.xml compiled by the scap-security-guide project.
</description>
<rationale>
Many tests for Ubuntu are the same as in the scap-security-guide.
</rationale>
<Group id="xccdf_org.ssgproject.content_group_system">
<title xml:lang="en-US">System Settings</title>
<Group id="xccdf_org.ssgproject.content_group_software">
<title xml:lang="en-US">Installing and Maintaining Software</title>
<description xml:lang="en-US">The following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.</description>
<Group id="xccdf_org.ssgproject.content_group_disk_partitioning">
<title xml:lang="en-US">Disk Partitioning</title>
<description xml:lang="en-US">To ensure separation and protection of data, there
are top-level system directories which should be placed on their
own physical partition or logical volume. The installer's default
partitioning scheme creates separate logical volumes for
<h:code>/</h:code>, <h:code>/boot</h:code>, and <h:code>swap</h:code>.
<h:ul><h:li>If starting with any of the default layouts, check the box to
"Review and modify partitioning." This allows for the easy creation
of additional logical volumes inside the volume group already
created, though it may require making <h:code>/</h:code>'s logical volume smaller to
create space. In general, using logical volumes is preferable to
using partitions because they can be more easily adjusted
later.</h:li><h:li>If creating a custom layout, create the partitions mentioned in
the previous paragraph (which the installer will require anyway),
as well as separate ones described in the following sections.</h:li></h:ul>
If a system has already been installed, and the default
partitioning scheme was used, it is possible but nontrivial to
modify it to create separate logical volumes for the directories
listed above. The Logical Volume Manager (LVM) makes this possible.
See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more
detailed information on LVM.</description>
<Rule id="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="false" severity="low">
<title xml:lang="en-US">Ensure /tmp Located On Separate Partition</title>
<description xml:lang="en-US">
The <h:code>/tmp</h:code> directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/cci/index.html">1208</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">MM</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20120928</dc:date>
</reference>
<rationale xml:lang="en-US">
The <h:code>/tmp</h:code> partition is used as temporary storage by many programs.
Placing <h:code>/tmp</h:code> in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
</rationale>
<ident system="http://cce.mitre.org">CCE-26435-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:1144" href="ssg-rhel6-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="no line is returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if <h:code>/tmp </h:code>
is on its own partition or logical volume:
<h:pre>$ mount | grep "on /tmp "</h:pre>
If <h:code>/tmp </h:code> has its own partition or volume group, a line
will be returned.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_partition_for_var" selected="false" severity="low">
<title xml:lang="en-US">Ensure /var Located On Separate Partition</title>
<description xml:lang="en-US">The <h:code>/var</h:code> directory is used by daemons and other system
services to store frequently-changing data. Ensure that <h:code>/var</h:code> has its own partition
or logical volume at installation time, or migrate it using LVM.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/cci/index.html">1208</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">MM</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20120928</dc:date>
</reference>
<rationale xml:lang="en-US">
Ensuring that <h:code>/var</h:code> is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the <h:code>/var</h:code> directory to contain
world-writable directories, installed by other software packages.
</rationale>
<ident system="http://cce.mitre.org">CCE-26639-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:840" href="ssg-rhel6-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="no line is returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if <h:code>/var </h:code>
is on its own partition or logical volume:
<h:pre>$ mount | grep "on /var "</h:pre>
If <h:code>/var </h:code> has its own partition or volume group, a line
will be returned.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="false" severity="low">
<title xml:lang="en-US">Ensure /var/log Located On Separate Partition</title>
<description xml:lang="en-US">
System logs are stored in the <h:code>/var/log</h:code> directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference>
<reference href="http://iase.disa.mil/cci/index.html">1208</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">MM</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20120928</dc:date>
</reference>
<rationale xml:lang="en-US">
Placing <h:code>/var/log</h:code> in its own partition
enables better separation between log files
and other files in <h:code>/var/</h:code>.
</rationale>
<ident system="http://cce.mitre.org">CCE-26215-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:483" href="ssg-rhel6-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="no line is returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if <h:code>/var/log </h:code>
is on its own partition or logical volume:
<h:pre>$ mount | grep "on /var/log "</h:pre>
If <h:code>/var/log </h:code> has its own partition or volume group, a line
will be returned.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="false" severity="low">
<title xml:lang="en-US">Ensure /var/log/audit Located On Separate Partition</title>
<description xml:lang="en-US">
Audit logs are stored in the <h:code>/var/log/audit</h:code> directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-4</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-9</reference>
<reference href="http://iase.disa.mil/cci/index.html">137</reference>
<reference href="http://iase.disa.mil/cci/index.html">138</reference>
<reference href="http://iase.disa.mil/cci/index.html">1208</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">MM</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20120928</dc:date>
</reference>
<rationale xml:lang="en-US">
Placing <h:code>/var/log/audit</h:code> in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
</rationale>
<ident system="http://cce.mitre.org">CCE-26436-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:1002" href="ssg-rhel6-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="no line is returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if <h:code>/var/log/audit </h:code>
is on its own partition or logical volume:
<h:pre>$ mount | grep "on /var/log/audit "</h:pre>
If <h:code>/var/log/audit </h:code> has its own partition or volume group, a line
will be returned.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_partition_for_home" selected="false" severity="low">
<title xml:lang="en-US">Ensure /home Located On Separate Partition</title>
<description xml:lang="en-US">
If user home directories will be stored locally, create a separate partition
for <h:code>/home</h:code> at installation time (or migrate it later using LVM). If
<h:code>/home</h:code> will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/cci/index.html">1208</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">MM</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20120928</dc:date>
</reference>
<rationale xml:lang="en-US">
Ensuring that <h:code>/home</h:code> is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
</rationale>
<ident system="http://cce.mitre.org">CCE-26557-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:704" href="ssg-rhel6-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="no line is returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if <h:code>/home </h:code>
is on its own partition or logical volume:
<h:pre>$ mount | grep "on /home "</h:pre>
If <h:code>/home </h:code> has its own partition or volume group, a line
will be returned.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_permissions">
<title xml:lang="en-US">File Permissions and Masks</title>
<description xml:lang="en-US">Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
<h:br/><h:br/>
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable <h:i>PART</h:i> appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for <h:i>PART</h:i> in turn.
<h:br/><h:br/>
The following command prints a list of all ext4 partitions on the local
system, which is the default filesystem for Red Hat Enterprise Linux
6 installations:
<h:pre>$ mount -t ext4 | awk '{print $3}'</h:pre>
For any systems that use a different
local filesystem type, modify this command as appropriate.
</description>
<Group id="xccdf_org.ssgproject.content_group_partitions">
<title xml:lang="en-US">Restrict Partition Mount Options</title>
<description xml:lang="en-US">System partitions can be mounted with certain options
that limit what files on those partitions can do. These options
are set in the <h:code>/etc/fstab</h:code> configuration file, and can be
used to make certain types of malicious behavior more difficult.</description>
<Value id="xccdf_org.ssgproject.content_value_var_removable_partition" operator="equals" type="string">
<title xml:lang="en-US">Removable Partition</title>
<description xml:lang="en-US">This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,
and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from
removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable
partitions that are required on the local system.</description>
<value selector="dev_cdrom">/dev/cdrom</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_mountopt_nodev_on_nonroot_partitions" selected="false" severity="low">
<title xml:lang="en-US">Add nodev Option to Non-Root Local Partitions</title>
<description xml:lang="en-US">The <h:code>nodev</h:code> mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the <h:code>/dev</h:code> directory on the root partition or within chroot
jails built for system services.
Add the <h:code>nodev</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
any non-root local partitions.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">The <h:code>nodev</h:code> mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the <h:code>/dev</h:code> directory located on the root partition.
The only exception to this is chroot jails, for which it is not advised
to set <h:code>nodev</h:code> on these filesystems.</rationale>
<ident system="http://cce.mitre.org">CCE-27045-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:842" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mountopt_nodev_on_removable_partitions" selected="false" severity="low">
<title xml:lang="en-US">Add nodev Option to Removable Media Partitions</title>
<description xml:lang="en-US">The <h:code>nodev</h:code> mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the <h:code>/dev</h:code> directory on the root partition or within chroot
jails built for system services.
Add the <h:code>nodev</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
any removable media partitions.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US"> The only legitimate location for device files is the <h:code>/dev</h:code> directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set <h:code>nodev</h:code> on partitions which contain their root
filesystems. </rationale>
<ident system="http://cce.mitre.org">CCE-26860-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:2201" value-id="xccdf_org.ssgproject.content_value_var_removable_partition"/>
<check-content-ref name="oval:ssg:def:168" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" selected="false" severity="low">
<title xml:lang="en-US">Add noexec Option to Removable Media Partitions</title>
<description xml:lang="en-US">The <h:code>noexec</h:code> mount option prevents the direct
execution of binaries on the mounted filesystem.
Preventing the direct execution of binaries from removable media (such as a USB
key) provides a defense against malicious software that may be present on such
untrusted media.
Add the <h:code>noexec</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
any removable media partitions.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<reference href="http://iase.disa.mil/cci/index.html">87</reference>
<rationale xml:lang="en-US">Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise.</rationale>
<ident system="http://cce.mitre.org">CCE-27196-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:2201" value-id="xccdf_org.ssgproject.content_value_var_removable_partition"/>
<check-content-ref name="oval:ssg:def:522" href="ssg-rhel6-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="removable media partitions are present" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify that binaries cannot be directly executed from removable media, run the following command:
<h:pre># grep -v noexec /etc/fstab</h:pre>
The resulting output will show partitions which do not have the <h:code>noexec</h:code> flag. Verify all partitions
in the output are not removable media.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mountopt_nosuid_on_removable_partitions" selected="false" severity="low">
<title xml:lang="en-US">Add nosuid Option to Removable Media Partitions</title>
<description xml:lang="en-US">The <h:code>nosuid</h:code> mount option prevents set-user-identifier (suid)
and set-group-identifier (sgid) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce suid and guid
files into the system via partitions mounted from removeable media.
Add the <h:code>nosuid</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
any removable media partitions.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US">The presence of suid and sgid executables should be tightly controlled. Allowing
users to introduce suid or sgid binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs.</rationale>
<ident system="http://cce.mitre.org">CCE-27056-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:2201" value-id="xccdf_org.ssgproject.content_value_var_removable_partition"/>
<check-content-ref name="oval:ssg:def:142" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" selected="false" severity="low">
<title xml:lang="en-US">Add nodev Option to /tmp</title>
<description xml:lang="en-US">
The <h:code>nodev</h:code> mount option can be used to prevent device files from
being created in <h:code>/tmp</h:code>.
Legitimate character and block devices should not exist
within temporary directories like <h:code>/tmp</h:code>.
Add the <h:code>nodev</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
<h:code>/tmp</h:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US">The only legitimate location for device files is the <h:code>/dev</h:code> directory
located on the root partition. The only exception to this is chroot jails.</rationale>
<ident system="http://cce.mitre.org">CCE-26499-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:115" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="false" severity="low">
<title xml:lang="en-US">Add noexec Option to /tmp</title>
<description xml:lang="en-US">The <h:code>noexec</h:code> mount option can be used to prevent binaries
from being executed out of <h:code>/tmp</h:code>.
Add the <h:code>noexec</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
<h:code>/tmp</h:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US">Allowing users to execute binaries from world-writable directories
such as <h:code>/tmp</h:code> should never be necessary in normal operation and
can expose the system to potential compromise.</rationale>
<ident system="http://cce.mitre.org">CCE-26720-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:457" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="false" severity="low">
<title xml:lang="en-US">Add nosuid Option to /tmp</title>
<description xml:lang="en-US">The <h:code>nosuid</h:code> mount option can be used to prevent
execution of setuid programs in <h:code>/tmp</h:code>. The suid/sgid permissions
should not be required in these world-writable directories.
Add the <h:code>nosuid</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
<h:code>/tmp</h:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US">The presence of suid and sgid executables should be tightly controlled. Users
should not be able to execute suid or sgid binaries from temporary storage partitions.</rationale>
<ident system="http://cce.mitre.org">CCE-26762-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:862" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" selected="false" severity="low">
<title xml:lang="en-US">Add nodev Option to /dev/shm</title>
<description xml:lang="en-US">The <h:code>nodev</h:code> mount option can be used to prevent creation
of device files in <h:code>/dev/shm</h:code>.
Legitimate character and block devices should not exist
within temporary directories like <h:code>/dev/shm</h:code>.
Add the <h:code>nodev</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
<h:code>/dev/shm</h:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US">The only legitimate location for device files is the <h:code>/dev</h:code> directory
located on the root partition. The only exception to this is chroot jails.</rationale>
<ident system="http://cce.mitre.org">CCE-26778-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:387" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" selected="false" severity="low">
<title xml:lang="en-US">Add noexec Option to /dev/shm</title>
<description xml:lang="en-US">The <h:code>noexec</h:code> mount option can be used to prevent binaries
from being executed out of <h:code>/dev/shm</h:code>.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as <h:code>/dev/shm</h:code>.
Add the <h:code>noexec</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
<h:code>/dev/shm</h:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US">Allowing users to execute binaries from world-writable directories
such as <h:code>/dev/shm</h:code> can expose the system to potential compromise.</rationale>
<ident system="http://cce.mitre.org">CCE-26622-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:1201" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" selected="false" severity="low">
<title xml:lang="en-US">Add nosuid Option to /dev/shm</title>
<description xml:lang="en-US">The <h:code>nosuid</h:code> mount option can be used to prevent execution
of setuid programs in <h:code>/dev/shm</h:code>. The suid/sgid permissions should not
be required in these world-writable directories.
Add the <h:code>nosuid</h:code> option to the fourth column of
<h:code>/etc/fstab</h:code> for the line which controls mounting of
<h:code>/dev/shm</h:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MP-2</reference>
<rationale xml:lang="en-US">The presence of suid and sgid executables should be tightly controlled. Users
should not be able to execute suid or sgid binaries from temporary storage partitions.</rationale>
<ident system="http://cce.mitre.org">CCE-26486-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:477" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind_var" selected="false" severity="low">
<title xml:lang="en-US">Bind Mount /var/tmp To /tmp</title>
<description xml:lang="en-US">The <h:code>/var/tmp</h:code> directory is a world-writable directory.
Bind-mount it to <h:code>/tmp</h:code> in order to consolidate temporary storage into
one location protected by the same techniques as <h:code>/tmp</h:code>. To do so, edit
<h:code>/etc/fstab</h:code> and add the following line:
<h:pre>/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0</h:pre>
See the <h:code>mount(8)</h:code> man page for further explanation of bind mounting.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Having multiple locations for temporary storage is not required. Unless absolutely
necessary to meet requirements, the storage location <h:code>/var/tmp</h:code> should be bind mounted to
<h:code>/tmp</h:code> and thus share the same protections.</rationale>
<ident system="http://cce.mitre.org">CCE-26582-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:1230" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_mounting">
<title xml:lang="en-US">Restrict Dynamic Mounting and Unmounting of
Filesystems</title>
<description xml:lang="en-US">Linux includes a number of facilities for the automated addition
and removal of filesystems on a running system. These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
<h:br/><h:br/>
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
<h:pre># find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'</h:pre>
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in <h:code>/etc/modprobe.d</h:code>.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of cramfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <h:code>cramfs</h:code>
kernel module from being loaded, add the following line to a file in the directory <h:code>/etc/modprobe.d</h:code>:
<h:pre xml:space="preserve">install cramfs /bin/false</h:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
<ident system="http://cce.mitre.org">CCE-26340-0</ident>
<fix system="urn:xccdf:fix:script:sh">echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:605" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of freevxfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <h:code>freevxfs</h:code>
kernel module from being loaded, add the following line to a file in the directory <h:code>/etc/modprobe.d</h:code>:
<h:pre xml:space="preserve">install freevxfs /bin/false</h:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
<ident system="http://cce.mitre.org">CCE-26544-7</ident>
<fix system="urn:xccdf:fix:script:sh">echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:282" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of jffs2</title>
<description xml:lang="en-US">
To configure the system to prevent the <h:code>jffs2</h:code>
kernel module from being loaded, add the following line to a file in the directory <h:code>/etc/modprobe.d</h:code>:
<h:pre xml:space="preserve">install jffs2 /bin/false</h:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
<ident system="http://cce.mitre.org">CCE-26670-0</ident>
<fix system="urn:xccdf:fix:script:sh">echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:1171" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of hfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <h:code>hfs</h:code>
kernel module from being loaded, add the following line to a file in the directory <h:code>/etc/modprobe.d</h:code>:
<h:pre xml:space="preserve">install hfs /bin/false</h:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
<ident system="http://cce.mitre.org">CCE-26800-3</ident>
<fix system="urn:xccdf:fix:script:sh">echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:463" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of hfsplus</title>
<description xml:lang="en-US">
To configure the system to prevent the <h:code>hfsplus</h:code>
kernel module from being loaded, add the following line to a file in the directory <h:code>/etc/modprobe.d</h:code>:
<h:pre xml:space="preserve">install hfsplus /bin/false</h:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
<ident system="http://cce.mitre.org">CCE-26361-6</ident>
<fix system="urn:xccdf:fix:script:sh">echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:714" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of squashfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <h:code>squashfs</h:code>
kernel module from being loaded, add the following line to a file in the directory <h:code>/etc/modprobe.d</h:code>:
<h:pre xml:space="preserve">install squashfs /bin/false</h:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
<ident system="http://cce.mitre.org">CCE-26404-4</ident>
<fix system="urn:xccdf:fix:script:sh">echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:815" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of udf</title>
<description xml:lang="en-US">
To configure the system to prevent the <h:code>udf</h:code>
kernel module from being loaded, add the following line to a file in the directory <h:code>/etc/modprobe.d</h:code>:
<h:pre xml:space="preserve">install udf /bin/false</h:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
<ident system="http://cce.mitre.org">CCE-26677-5</ident>
<fix system="urn:xccdf:fix:script:sh">echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:259" href="ssg-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_files">
<title xml:lang="en-US">Verify Permissions on Important Files and
Directories</title>
<description xml:lang="en-US">Permissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen.</description>
<Group id="xccdf_org.ssgproject.content_group_permissions_important_account_files">
<title xml:lang="en-US">Verify Permissions on Files with Local Account Information and Credentials</title>
<description xml:lang="en-US">The default restrictive permissions for files which act as
important security databases such as <h:code>passwd</h:code>, <h:code>shadow</h:code>,
<h:code>group</h:code>, and <h:code>gshadow</h:code> files must be maintained. Many utilities
need read access to the <h:code>passwd</h:code> file in order to function properly, but
read access to the <h:code>shadow</h:code> file allows malicious attacks against system
passwords, and should never be enabled.</description>
<Rule id="xccdf_org.ssgproject.content_rule_userowner_shadow_file" selected="false" severity="medium">
<title xml:lang="en-US">Verify User Who Owns shadow File</title>
<description xml:lang="en-US">
To properly set the owner of <h:code>/etc/shadow</h:code>, run the command:
<h:pre xml:space="preserve"># chown root/etc/shadow</h:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/cci/index.html">225</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">DS</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20121026</dc:date>
</reference>
<rationale xml:lang="en-US">The <h:code>/etc/shadow</h:code> file contains the list of local
system accounts and stores password hashes. Protection of this file is