>From f2b0d4034b9fdf96431131e1378faed196b97cf0 Mon Sep 17 00:00:00 2001 From: Michael McConachie <[email protected]> Date: Fri, 21 Sep 2012 09:53:46 -0700 Subject: [PATCH] Various Check text entries for SSST
Signed-off-by: Michael McConachie <[email protected]> --- .../system/accounts/restrictions/root_logins.xml | 31 +++- .../system/accounts/restrictions/root_logins.xml~ | 195 +++++++++++++++++++++ 2 files changed, 218 insertions(+), 8 deletions(-) create mode 100644 RHEL6/input/system/accounts/restrictions/root_logins.xml~ diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml index 5d10c95..0ee4e8b 100644 --- a/RHEL6/input/system/accounts/restrictions/root_logins.xml +++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml @@ -47,6 +47,14 @@ vc/3 vc/4</pre> <!-- TODO: discussion/description of virtual consoles--> </description> +<ocil>To check for these entries from the command prompt, issue the +following command: +<pre># grep ^vc/[0-9] /etc/securetty</pre> +If any values are returned, you need to remove them by manipulating the file. +To remove any occurance of the virtual consoles in one command +type the following: +<pre># sed -i '/^vc/d' /etc/securetty</pre> +</ocil> <rationale> Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system 
@@ -61,12 +69,21 @@ using the root account. <title>Restrict Serial Port Root Logins</title> <description>To restrict root logins on serial ports, ensure lines of this form do not appear in <tt>/etc/securetty</tt>: -<pre>ttyS0 ttyS1</pre> +<pre>ttyS0 +ttyS1</pre> <!-- TODO: discussion/description of serial port --> </description> +<ocil>To check for these entries from the command prompt, +issue the following command: +<pre># grep ^ttyS/[0-9] /etc/securetty</pre> +If any values are returned, you need to remove them by manipulating +the file. To remove any occurance of the virtual consoles in one +command type the following: +<pre># sed -i '/^ttyS/d' /etc/securetty</pre> +</ocil> <rationale> Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the system +helps ensure accountability for actions taken on the systems using the root account. </rationale> <ident cce="4256-4" /> @@ -89,17 +106,15 @@ their UIDs, and their shells, by running: Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. -<br /><br /> +</description> <!--For each identified system account SYSACCT, lock the account: <pre># usermod -L SYSACCT</pre>--> -If any account <i>SYSACCT</i> has a login shell, +<ocil>If any account <i>SYSACCT</i> has a login shell, disable it with the command: <pre># usermod -s /sbin/nologin SYSACCT</pre> The RHEL6 default is <tt>/sbin/nologin</tt>, but any command which will -exit with a failure -status and disallow execution of any further commands, such as -<tt>/bin/false</tt> or <tt>/dev/null</tt>, will work. -</description> +exit with a failure status and disallow execution of any further +commands, such as <tt>/bin/false</tt> or <tt>/dev/null</tt>, will work.</ocil> <rationale> Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of 
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml~ b/RHEL6/input/system/accounts/restrictions/root_logins.xml~ new file mode 100644 index 0000000..2a3cc6c --- /dev/null +++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml~ 
@@ -0,0 +1,195 @@ +<Group id="root_logins"> +<title>Restrict Root Logins</title> +<description> +Direct root logins should be allowed only for emergency use. +In normal situations, the administrator should access the system +via a unique unprivileged account, and then use <tt>su</tt> or <tt>sudo</tt> to execute +privileged commands. Discouraging administrators from accessing the +root account directly ensures an audit trail in organizations with +multiple administrators. Locking down the channels through which +root can connect directly also reduces opportunities for +password-guessing against the root account. The <tt>login</tt> program +uses the file <tt>/etc/securetty</tt> to determine which interfaces +should allow root logins. + +The virtual devices <tt>/dev/console</tt> +and <tt>/dev/tty*</tt> represent the system consoles (accessible via +the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default +installation). The default securetty file also contains <tt>/dev/vc/*</tt>. +These are likely to be deprecated in most environments, but may be retained +for compatibility. Root should also be prohibited from connecting +via network protocols. 
Other sections of this document +include guidance describing how to prevent root from logging in via SSH.</description> +<ref disa="770" /> + +<!-- +Ensure that the file +contains only the following lines: +<br /> +<ul> +<li>The primary system console device: +<pre>console</pre></li> +<li>The virtual console devices: +<pre>tty1 tty2 tty3 tty4 tty5 tty6 ...</pre></li> +<li>If required by your organization, the deprecated virtual +console interface may be retained for backwards compatibility: +<pre>vc/1 vc/2 vc/3 vc/4 vc/5 vc/6 ...</pre></li> +</ul> +--> +<Rule id="restrict_root_console_logins"> +<title>Restrict Virtual Console Root Logins</title> +<description> +To restrict root logins through the (deprecated) virtual console devices, +ensure lines of this form do not appear in <tt>/etc/securetty</tt>: +<pre>vc/1 +vc/2 +vc/3 +vc/4</pre> +<!-- TODO: discussion/description of virtual consoles--> +</description> +<ocil>To check for these entries from the command prompt, issue the +following command: +<pre># grep ^vc/[0-9] /etc/securetty</pre> +If any values are returned, you need to remove them by manipulating the file. +To remove any occurance of the virtual consoles in one command +type the following: +<pre># sed -i '/^vc/d' /etc/securetty</pre> +</ocil> +<rationale> +Preventing direct root login to virtual console devices +helps ensure accountability for actions taken on the system +using the root account. 
+</rationale> +<ident cce="3485-0" /> +<oval id="securetty_root_login_console_only" /> +<ref nist="CM-6, CM-7" disa="770" /> +</Rule> + +<Rule id="restrict_serial_port_logins"> +<title>Restrict Serial Port Root Logins</title> +<description>To restrict root logins on serial ports, +ensure lines of this form do not appear in <tt>/etc/securetty</tt>: +<pre>ttyS0 +ttyS1</pre> +<!-- TODO: discussion/description of serial port --> +</description> +<ocil>To check for these entries from the command prompt, +issue the following command: +<pre># grep ^ttyS/[0-9] /etc/securetty</pre> +If any values are returned, you need to remove them by manipulating the file. +To remove any occurance of the virtual consoles in one command +type the following: +<pre># sed -i '/^ttyS/d' /etc/securetty</pre> +</ocil> +<rationale> +Preventing direct root login to serial port interfaces +helps ensure accountability for actions taken on the system +using the root account. +</rationale> +<ident cce="4256-4" /> +<oval id="securetty_no_serial" /> +<ref nist="AC-3, AC-6" disa="770" /> +</Rule> + +<Rule id="no_shelllogin_for_systemaccounts"> +<title>Ensure that System Accounts Do Not Run a Shell Upon Login</title> +<description> +Some accounts are not associated with a human +user of the system, and exist to perform some administrative +function. Should an attacker be able to log into these accounts, +he or she should not be granted access to a shell. +<br /><br /> +Ensure that no shells are granted to system accounts. +First, obtain a listing of all users, +their UIDs, and their shells, by running: +<pre>$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre> +Identify the system accounts from this listing. These will +primarily be the accounts with UID numbers less than 500, other +than root. 
+<br /><br /> +<!--For each identified system account SYSACCT, lock the account: +<pre># usermod -L SYSACCT</pre>--> +If any account <i>SYSACCT</i> has a login shell, +disable it with the command: +<pre># usermod -s /sbin/nologin SYSACCT</pre> +The RHEL6 default is <tt>/sbin/nologin</tt>, but any command which will +exit with a failure +status and disallow execution of any further commands, such as +<tt>/bin/false</tt> or <tt>/dev/null</tt>, will work. +</description> +<rationale> +Ensuring shells are not given to system accounts upon login +makes it more difficult for attackers to make use of +system accounts. +</rationale> +<warning category="functionality"> +Do not perform the steps in this +section on the root account. Doing so might cause the system to +become inaccessible. +</warning> +<ident cce="3987-5" /> +<oval id="accounts_nologin_for_system" /> +<ref nist="AC-3, CM-6" /> +</Rule> + + +<Rule id="no_uidzero_except_root"> +<title>Verify Only Root Has UID 0</title> +<description> +This command will print all password file entries for +accounts with UID 0: +<pre># awk -F: '($3 == "0") {print}' /etc/passwd</pre> +This should print only one line, for the user root. +<br /><br /> +</description> +<rationale> +An account has root authority if it has a UID of 0. Multiple accounts +with a UID of 0 afford more opportunity for potential intruders to +guess a password for a provilieged account. Proper configuration of +sudo is recommended to afford multiple System Administrators +access to the root account. +</rationale> +<ident cce="4009-7" /> +<oval id="accounts_no_uid_except_zero" /> +<ref nist="AC-3, AC-11, CM-6, CM-7" disa="366"/> +</Rule> + +</Group> + +<!-- Commenting the wheel/su items, since there may be little value/benefit +in dictating others' account privilege choices. 
+ +<Group id="wheel_group"> +<title>The wheel group should exist</title> +<description> +<ol> +<li>Ensure that the group <tt>wheel</tt> exists, and that the usernames of +all administrators who should be allowed to execute commands as +root are members of that group. +<pre># grep ^wheel /etc/group</pre> +</li> +<li>Edit the file <tt>/etc/pam.d/su</tt>. Add, uncomment, or correct the +line: +<pre>auth required pam_wheel.so use_uid</pre> +</li> +</ol>The <tt>su</tt> command allows a user to gain the privileges of another +user by entering the password for that user's account. It is +desirable to restrict the root user so that only known +administrators are ever allowed to access the root account. This +restricts password-guessing against the root account by +unauthorized users or by accounts which have been compromised. +<br /><br /> +By convention, the group <tt>wheel</tt> contains all users who are +allowed to run privileged commands. The PAM module <tt>pam_wheel.so</tt> is +used to restrict root access to this set of users.</description> + +<Rule id="limit_su_to_wheel"> +<title>Limit /bin/su Access To Wheel Group</title> +<description>Command access to the root account should be +restricted to the <tt>wheel</tt> group.</description> +<ident cce="15047-4" /> +<oval id="accounts_su_wheel_only" /> +<ref nist="AC-3, CM-6" /> +</Rule> +</Group> +--> -- 1.7.11.4
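Review bot: In the new `<ocil>` block for the virtual console rule (hunk `@@ -47,6 +47,14 @@` of `root_logins.xml`), "occurance" should be "occurrence". Separately, the `sed -i '/^vc/d' /etc/securetty` line is remediation rather than a check; OCIL text is meant to describe how to verify the setting, so the removal command would sit better in the rule's `<description>` or a fix, leaving the `grep ^vc/[0-9] /etc/securetty` check plus a statement that any returned line is a finding.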
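Review bot: The check command in the serial port `<ocil>` block (hunk `@@ -61,12 +69,21 @@`) can never match: `grep ^ttyS/[0-9] /etc/securetty` requires a slash after `ttyS`, but the entries the rule describes are `ttyS0` and `ttyS1`, with no slash, so the pattern should be `^ttyS[0-9]` (the `sed -i '/^ttyS/d'` line in the same block is already consistent with that). The same block says "remove any occurance of the virtual consoles", copied from the previous rule; it should read "occurrence of the serial port entries". Finally, changing the rationale from "actions taken on the system" to "actions taken on the systems" looks accidental and breaks the sentence; suggest reverting that line.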
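Review bot: The new `<ocil>` element for the system accounts rule (hunk `@@ -89,17 +106,15 @@`) contains only the remediation (`usermod -s /sbin/nologin SYSACCT`), while the actual check, the `awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd` listing and the instruction to pick out non-root accounts with UID below 500, stays in `<description>`. Suggest moving the listing into `<ocil>` and stating the finding condition there (a system account whose shell is not `/sbin/nologin` or an equivalent that exits with failure), and keeping the `usermod` step in the description. Also, `</description>` is now closed directly before the commented-out `usermod -L SYSACCT` block, so that comment ends up between `</description>` and `<ocil>`; the XML stays well-formed, but the orphaned comment could simply be dropped.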
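Review bot: The second file in this patch, `RHEL6/input/system/accounts/restrictions/root_logins.xml~` (hunk `@@ -0,0 +1,195 @@`), is an editor backup copy of `root_logins.xml` at an intermediate state (it carries the new `<ocil>` blocks with the `grep ^ttyS/[0-9]` pattern and the "occurance" typo, but the system accounts rule still in its pre-patch `<description>` form) and should not be committed. Please drop it from the patch, and consider adding `*~` to a `.gitignore` so backup files are not picked up by `git add`.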
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
