Signed-off-by: David Smith <[email protected]> --- RHEL6/input/system/accounts/pam.xml | 24 +++++++++++++ RHEL6/input/system/accounts/physical.xml | 28 +++++++++++++++ .../accounts/restrictions/password_expiration.xml | 36 +++++++++++++++---- RHEL6/input/system/accounts/session.xml | 31 ++++++++++++----- 4 files changed, 102 insertions(+), 17 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index da19749..569489c 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -179,6 +179,10 @@ operator="equals" interactive="0"> <description>The pam_cracklib module's <tt>retry=</tt> parameter controls how many times a program will re-prompt a user after an incorrect password entry, on a per-session basis. </description> +<ocil clause="it is not the required value"> +To check the number of password retry attempts permitted, run the following command: +<pre>$ grep retry /etc/pam.d/system-auth</pre> +</ocil> <rationale> Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and @@ -197,6 +201,10 @@ usage of digits in a password. When set to a negative number, any password will contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. </description> +<ocil clause="it is not the required value"> +To check the minimum required number of digits, run the following command: +<pre>$ grep dcredit /etc/pam.d/system-auth</pre> +</ocil> <rationale> Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. @@ -213,6 +221,10 @@ usage of uppercase letters in a password. When set to a negative number, any pas contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. </description> +<ocil clause="it is not the required value"> +To check the required number of uppercase characters, run the following command: +<pre>$ grep ucredit /etc/pam.d/system-auth</pre> +</ocil> <rationale> Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. 
@@ -229,6 +241,10 @@ usage of special (or ``other'') characters in a password. When set to a negative contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. </description> +<ocil clause="it is not the required value"> +To check the required number of special characters, run the following command: +<pre>$ grep ocredit /etc/pam.d/system-auth</pre> +</ocil> <rationale> Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. @@ -245,6 +261,10 @@ usage of lowercase letters in a password. When set to a negative number, any pas contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. </description> +<ocil clause="it is not the required value"> +To check the required number of lowercase characters, run the following command: +<pre>$ grep lcredit /etc/pam.d/system-auth</pre> +</ocil> <rationale> Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. @@ -259,6 +279,10 @@ more difficult by ensuring a larger search space. <description>The pam_cracklib module's <tt>difok=</tt> parameter controls requirements for usage of different characters during a password change. </description> +<ocil clause="it is not the required value"> +To check the required number of minimum different characters, run the following command: +<pre>$ grep difok /etc/pam.d/system-auth</pre> +</ocil> <rationale> Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 568fc59..f67e766 100644 --- a/RHEL6/input/system/accounts/physical.xml 
+++ b/RHEL6/input/system/accounts/physical.xml @@ -112,6 +112,12 @@ started in single-user mode, add or correct the following line in the file <tt>/etc/sysconfig/init</tt>: <pre>SINGLE=/sbin/sulogin</pre> </description> +<ocil clause="the output is different"> +To ensure authentication is required for single-user mode, run the following command: +<pre>$ grep SINGLE /etc/sysconfig/init</pre> +The output should be: +<pre>SINGLE=/sbin/sulogin</pre> +</ocil> <rationale> This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented @@ -134,6 +140,12 @@ The <tt>PROMPT</tt> option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot. </description> +<ocil clause="it does not"> +To check whether interactive boot is disabled, run the following command: +<pre>$ grep PROMPT /etc/sysconfig/init</pre> +The output should show: +<pre>PROMPT=yes</pre> +</ocil> <rationale> Using interactive boot, the console user could disable auditing, firewalls, or other @@ -206,6 +218,12 @@ desktop lockout should be 15 minutes. --type int \ --set /apps/gnome-screensaver/idle_delay 15</pre> </description> +<ocil clause="it is not"> +To check the current idle time-out value, open the following +file:<pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the +<tt>idle_delay</tt> schema. If properly configured, the value +should be <tt>15</tt>. +</ocil> <rationale> Setting the idle delay controls when the screensaver will start, and can be combined with 
@@ -225,6 +243,8 @@ enabled --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true</pre> </description> +<ocil>To check the screensaver mandatory use status, open the following file: <pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the <tt>idle_activation_enabled</tt> schema. If properly configured, the <tt>default</tt> value should be <tt>TRUE</tt>. If it is not, this is a finding. +</ocil> <rationale> Enabling idle activation of the screen saver ensures that the screensaver will be activated after the idle delay. @@ -243,6 +263,8 @@ enabled --type bool \ --set /apps/gnome-screensaver/lock_enabled true</pre> </description> +<ocil>To check the status of the idle screen lock activation, open the following file: <pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the <tt>lock_enabled</tt> schema. If properly configured, the <tt>default</tt> value should be <tt>TRUE</tt>. If it is not, this is a finding. +</ocil> <rationale> Enabling the activation of the screen lock after an idle period ensures that password entry will be required in order to @@ -263,6 +285,12 @@ The screen saver should be blank --type string \ --set /apps/gnome-screensaver/mode blank-only</pre> </description> +<ocil clause="it is not"> +To ensure the screensaver is configured to be blank, open the following +file: <pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the +<tt>mode</tt> schema. If properly configured, the <tt>default</tt> value +should be <tt>blank-only</tt>. +</ocil> <rationale> Setting the screensaver mode to blank-only conceals the contents of the display from passersby. diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml b/RHEL6/input/system/accounts/restrictions/password_expiration.xml index 88b3463..93fc1d8 100644 --- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml 
@@ -81,20 +81,24 @@ age, and 7 day warning period with the following command: <description>To specify password length requirements for new accounts, edit the file <tt>/etc/login.defs</tt> and add or correct the following lines: -<pre>PASS_MIN_LEN 12<!-- <sub idref="var_password_min_len"> --></pre> -TODO: More research needed to understand exact interaction: when precisely is this file consulted? +<pre>PASS_MIN_LEN <i>LENGTH</i></pre> <br/><br/> +The DoD requirement is <tt>14</tt>. If a program consults <tt>/etc/login.defs</tt> and also another PAM module (such as <tt>pam_cracklib</tt>) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements. </description> +<ocil clause="it is not set to the required value"> +To check the minimum password length, run the command: +<pre>$ grep PASS_MIN_LEN /etc/login.defs</pre> +The DoD requirement is <tt>14</tt>. +</ocil> <rationale> Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement -must be carefully weighed -against usability problems, support costs, or counterproductive +must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. </rationale> <ident cce="4154-1" /> 
@@ -109,9 +113,13 @@ behavior that may result. edit the file <tt>/etc/login.defs</tt> and add or correct the following line, replacing <i>DAYS</i> appropriately: <pre>PASS_MIN_DAYS <i>DAYS</i></pre> -A value of 7 days is considered for sufficient for many -environments. +The DoD requirement is <tt>7</tt>. </description> +<ocil clause="it is not set to the required value"> +To check the minimum password age, run the command: +<pre>$ grep PASS_MIN_DAYS /etc/login.defs</pre> +The DoD requirement is <tt>7</tt>. +</ocil> <rationale> Setting the minimum password age protects against users cycling back to a favorite password @@ -129,9 +137,15 @@ after satisfying the password reuse requirement. edit the file <tt>/etc/login.defs</tt> and add or correct the following line, replacing <i>DAYS</i> appropriately: <pre>PASS_MAX_DAYS <i>DAYS</i><!-- <sub idref="password_max_age_login_defs_value" /> --></pre> -A value of 180 days is sufficient for many -environments. The current setting required in DoD is 60 days. +A value of 180 days is sufficient for many environments. +The DoD requirement is <tt>60</tt>. </description> +<ocil clause="it is not set to the required value"> +To check the maximum password age, run the command: +<pre>$ grep PASS_MAX_DAYS /etc/login.defs</pre> +A value of 180 days is sufficient for many environments. +The DoD requirement is <tt>60</tt>. +</ocil> <rationale> Setting the password maximum age ensures that users are required to periodically change their passwords. This could possibly decrease 
@@ -155,6 +169,12 @@ A value of 7 days is considered for appropriate for many environments. <!-- <sub idref="password_warn_age_login_defs_value" /> --> </description> +<ocil clause="it is not set to the required value"> +To check the password warning age, run the command: +<pre>$ grep PASS_WARN_DAYS /etc/login.defs</pre> +A value of 7 days is sufficient for many environments. +The DoD requirement is <tt>7</tt>. +</ocil> <rationale> Setting the password warning age enables users to make the change at a practical time. diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index b7da2d2..694434e 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -36,7 +36,8 @@ Where <i>MAX</i> is the maximum number of login sessions allowed. problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. </rationale> -<ocil>Run the following command to ensure the <tt>maxlogins</tt> value is configured for all users +<ocil clause="it is not similar"> +Run the following command to ensure the <tt>maxlogins</tt> value is configured for all users on the system: <pre># grep "maxlogins" /etc/security/limits.conf</pre> You should receive output simular to the following: @@ -99,6 +100,11 @@ For each element in root's path, run: and ensure that write permissions are disabled for group and other. </description> +<ocil clause="group or other write permissions exist"> +To ensure write permissions are disabled for group and other + for each element in root's path, run the following command: +<pre># ls -ld DIR</pre> +</ocil> <rationale> Such entries increase the risk that root could execute code provided by unprivileged users, 
@@ -114,12 +120,16 @@ and potentially malicious code. <title>Ensure that User Home Directories are not Group-Writable or World-Readable</title> <description>For each human user USER of the system, view the permissions of the user's home directory: -<pre># ls -ld /home/USER</pre> +<pre># ls -ld /home/<i>USER</i></pre> Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions: -<pre># chmod g-w /home/USER -# chmod o-rwx /home/USER</pre> +<pre># chmod g-w /home/<i>USER</i> +# chmod o-rwx /home/<i>USER</i></pre> </description> +<ocil clause="the user home directory is group-writable or world-readable"> +To ensure the user home directory is not group-writable or world-readable, run the following: +<pre># ls -ld /home/<i>USER</i></pre> +</ocil> <warning category="general">This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of @@ -205,7 +215,8 @@ as follows: <rationale>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</rationale> -<ocil>Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/bashrc</tt> file by +<ocil clause="the umask is configured incorrectly"> +Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/bashrc</tt> file by running the following command: <pre># grep "umask" /etc/bashrc</pre> All output must show the value of <tt>umask</tt> set to 077, as shown below: 
@@ -229,7 +240,8 @@ add or correct the <tt>umask</tt> setting in <tt>/etc/csh.cshrc</tt> to read as <rationale>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</rationale> -<ocil>Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/csh.cshrc</tt> file by +<ocil clause="the umask is configured incorrectly"> +Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/csh.cshrc</tt> file by running the following command: <pre># grep "umask" /etc/csh.cshrc</pre> All output must show the value of <tt>umask</tt> set to 077, as shown in the below: @@ -253,7 +265,8 @@ add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as fo A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</rationale> <ident cce="14847-8" /> -<ocil>Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/profile</tt> file by +<ocil clause="the umask is configured incorrectly"> +Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/profile</tt> file by running the following command: <pre># grep "umask" /etc/profile</pre> All output must show the value of <tt>umask</tt> set to 077, as shown in the below: 
@@ -275,14 +288,14 @@ add or correct the <tt>umask</tt> setting in <tt>/etc/login.defs</tt> to read as <rationale>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</rationale> -<ocil>Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/login.defs</tt> file by +<ocil clause="the umask is configured incorrectly"> +Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/login.defs</tt> file by running the following command: <pre># grep "umask" /etc/login.defs</pre> All output must show the value of <tt>umask</tt> set to 077, as shown in the below: <pre># grep "umask" /etc/login.defs umask 077</pre> </ocil> - <ident cce="14107-7" /> <oval id="accounts_umask_login_defs" value="umask_user_value" /> <ref nist="CM-6, CM-7"/> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
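Review bot: in the pam.xml hunk at @@ -179,6 +179,10 (the retry= check) the clause reads "it is not the required value" but the OCIL text never says what that value is, so an assessor cannot decide pass or fail from the output of "grep retry /etc/pam.d/system-auth" alone. State the expected value (or the variable reference the matching OVAL uses) after the <pre> block, and consider also covering /etc/pam.d/password-auth, which RHEL 6 consults for non-login services. The same gap is in the dcredit, ucredit, ocredit, lcredit and difok hunks that follow.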
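Review bot: in the pam.xml hunk at @@ -197,6 +201,10 the OCIL wording "minimum required number of digits" does not match the dcredit semantics in the description directly above it, where a positive value is a length credit and only a negative value is a minimum; reword to "the dcredit value" or "the required number of digits (a negative dcredit)" so assessors are not sent looking for a minimum where the setting grants a credit. The ucredit, ocredit and lcredit hunks say "required number of ... characters" and have the same ambiguity.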
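Review bot: in the pam.xml hunk at @@ -259,6 +279,10 the phrase "the required number of minimum different characters" is garbled; "the minimum number of characters that must differ from the old password" matches the difok description and reads cleanly.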
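Review bot: in the physical.xml hunk at @@ -112,6 +112,12, "grep SINGLE /etc/sysconfig/init" also matches a commented-out "#SINGLE=/sbin/sulogin" line, so an assessor could see the expected text while the setting is inactive; anchor the pattern, e.g. grep "^SINGLE" /etc/sysconfig/init, so only an active assignment matches. The same applies to the unanchored "grep PROMPT" in the following hunk.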
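Review bot: in the physical.xml hunk at @@ -134,6 +140,12 the expected output is inverted: the check is introduced as "To check whether interactive boot is disabled", but the description just above it says the PROMPT option is what allows the interactive startup, so the compliant output is "PROMPT=no", not "PROMPT=yes". Also replace the clause "it does not" with a condition an assessor can act on, such as "PROMPT is not set to no".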
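Review bot: in the physical.xml hunk at @@ -206,6 +218,12 (idle_delay) the check reads /etc/gconf/schemas/gnome-screensaver.schemas, but the fix in the description sets the key with "gconftool-2 ... --set", which does not modify the installed schema file; an assessor could find the schema default unchanged on a correctly configured system, or unchanged-looking defaults on a system whose other GConf sources override them. Check the effective value instead (for example "gconftool-2 --get /apps/gnome-screensaver/idle_delay", or the GConf source the fix writes to). The idle_activation_enabled, lock_enabled and mode hunks have the same mismatch, and "file:<pre>" in this hunk is missing a space before the <pre>.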
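Review bot: in the physical.xml hunk at @@ -225,6 +243,8 (idle_activation_enabled) the new <ocil> has no clause attribute and instead embeds "If it is not, this is a finding." in the text, unlike every other OCIL added in this patch; use <ocil clause="it is not"> and drop the inline sentence so the finding text is generated consistently. The lock_enabled hunk at @@ -243,6 +263,8 has the same inconsistency.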
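Review bot: in the password_expiration.xml hunk at @@ -81,20 +81,24 the TODO asking when /etc/login.defs is consulted is deleted without being answered, and the retained sentence still hedges with "If a program consults /etc/login.defs"; either keep the TODO or state the interaction. Dropping the commented <sub idref="var_password_min_len"> also removes the hook for a profile variable while the PASS_MAX_DAYS hunk keeps its <sub idref> comment, leaving the two rules inconsistent; consider keeping the variable reference and letting it supply the 14 rather than hardcoding it in both the description and the OCIL.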
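Review bot: in the password_expiration.xml hunk at @@ -129,9 +137,15 the OCIL text states both "A value of 180 days is sufficient" and "The DoD requirement is 60" under a clause of "it is not set to the required value", which leaves the assessor with two candidate thresholds; keep only the value the clause refers to inside <ocil> and leave the advisory sentence in the description. The PASS_WARN_DAYS hunk at @@ -155,6 +169,12 repeats the same double statement, and its context line "considered for appropriate" carries a stray "for" that could be fixed in the same change.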
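Review bot: in the session.xml hunk at @@ -36,7 +36,8 the clause "it is not similar" does not describe a failure condition; state it directly, e.g. "maxlogins is not set for all users". While touching this <ocil>, the adjacent context line's "simular" should read "similar".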
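Review bot: in the session.xml hunk at @@ -99,6 +100,11 the placeholder DIR in "ls -ld DIR" is not marked up as a placeholder, whereas the next hunk uses <i>USER</i>; use <i>DIR</i>, and remove the stray leading space on the line " for each element in root's path" so the added text is indented like the rest of the element.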
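Review bot: in the session.xml hunk at @@ -275,14 +288,14 the check grep "umask" /etc/login.defs is case-sensitive, and login.defs spells the directive UMASK, so the command would miss a correct "UMASK 077" line and the expected output "umask 077" is unlikely to appear in that file; use grep -i umask /etc/login.defs and show "UMASK 077" as the expected output. The lowercase grep in the bashrc, csh.cshrc and profile hunks is fine, since those files use "umask"; their context line "as shown in the below" should read "as shown below".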
