Security Blanket® Modules Guide
Version 4.1.1
September 23, 2013
Prepared by:
Shadow-Soft
8200 Roberts Drive, Suite 201
Atlanta, GA 30350
This document contains data whose export/transfer/disclosure is restricted by U.S. law. Dissemination to non-U.S. persons
outside of the United States requires an export license or other authorization. Diversion contrary to U.S. law prohibited.
Security Blanket® Modules Guide: Version 4.1.1
Copyright © 2007-2013 Raytheon Trusted Computer Solutions, Inc., all rights reserved worldwide.
Legal Notice
This document contains information that is the property of Raytheon Trusted Computer Solutions, Inc. (RTCS), and is furnished for the sole purpose of the operation
and maintenance of RTCS products. No part of this publication is to be used for any other purpose, nor is it to be reproduced, copied, disclosed, transmitted, stored in a
retrieval system or translated into any human or computer language, in any form, by any means, in whole or in part, without the prior express written consent of RTCS.
Except as may otherwise be explicitly agreed to in writing, RTCS makes no representation that equipment, software programs and practices described herein will
not infringe on existing or future patent rights, copyrights, trademarks, trade secrets or other proprietary rights of third parties. The descriptions contained herein do
not imply the granting of the right to make, use, sell, license or otherwise transfer RTCS products described herein. RTCS disclaims responsibility for errors that
may appear in this document, and it reserves the right, at its sole discretion and without notice, to make substitutions and modifications in the products and practices
described in this document.
This document is documentation for an RTCS commercial item, which is “commercial computer software” as defined in the FAR and DFARS. This document is
provided to Defense Department agencies, Government civilian agencies, and commercial companies subject to the terms of the RTCS standard commercial Software
License Agreement. The manufacturer is Raytheon Trusted Computer Solutions, Inc., 12950 Worldgate Drive, Suite 600, Herndon, VA 20170.
For a complete list of all open source software used in this product, refer to /usr/share/security-blanket/Attributions/CREDIT.secblanket.noOS.
For complete copies of all licenses, refer to /usr/share/security-blanket/Attributions/LICENSES.sec-blanket.
All brand or product names are trademarks or registered trademarks of their respective companies or organizations.
Commerce ECCN 5D002.c.1 per EAR Part 740.17 (b) (3). CCATS #G064690 issued 7/4/08
Export Controlled - See Sheet 1
Table of Contents
1. Profile-Specific Additions ........................................................................................................................................ 1
(PROFILE CUSTOMIZATION) - additions to exclude-dirs ....................................................................................... 1
(PROFILE CUSTOMIZATION) - additions to inclusion-fstypes ................................................................................. 1
(PROFILE CUSTOMIZATION) - additions to sgid_whitelist ..................................................................................... 1
(PROFILE CUSTOMIZATION) - additions to suid_whitelist ..................................................................................... 2
2. Auditing and Logging ............................................................................................................................................. 3
Audit Log Rotation ............................................................................................................................................. 3
Audit Rules ....................................................................................................................................................... 3
Audit Rules (Solaris) .......................................................................................................................................... 7
Configure /etc/audit/auditd.conf Settings ................................................................................................................. 9
Cron Logging ................................................................................................................................................... 10
Enable Auditing For All Processes ...................................................................................................................... 11
Enable Vsftpd Additional Logging ....................................................................................................................... 11
Enable the Audit Subsystem ............................................................................................................................... 12
Log Critical Sendmail Messages .......................................................................................................................... 14
Secure Authpriv Logging ................................................................................................................................... 15
System Accounting ........................................................................................................................................... 16
3. Password Policy .................................................................................................................................................... 18
Expired Password Invalidation ............................................................................................................................ 18
Limit Password Reuse ....................................................................................................................................... 18
Lock Expired Account after Inactivity .................................................................................................................. 19
Maximum Time Between Password Changes ......................................................................................................... 20
Minimum Delay Between Password Changes ........................................................................................................ 22
No Empty Passwords ........................................................................................................................................ 23
No Hashes Allowed in Passwd/Group Files ........................................................................................................... 24
No Plus Entries in Password Files ....................................................................................................................... 25
Password Expiration Warning ............................................................................................................................. 26
Password Policy Consecutive Characters ............................................................................................................... 27
Password Policy Different Characters ................................................................................................................... 28
Password Policy Length Minimum ...................................................................................................................... 29
Password Policy Lowercase Minimum ................................................................................................................. 31
Password Policy Numeric Minimum .................................................................................................................... 32
Password Policy Special Characters ..................................................................................................................... 33
Password Policy Uppercase Minimum .................................................................................................................. 35
Set Password Aging on Active Accounts .............................................................................................................. 36
4. Account and Access Control ................................................................................................................................... 38
Allowed Shells in /etc/shells ............................................................................................................................... 38
Block System Accounts ..................................................................................................................................... 38
Default umask .................................................................................................................................................. 39
Disable PAM Console Library ............................................................................................................................ 41
Disable console.perms File ................................................................................................................................. 41
Home Directory Contents ................................................................................................................................... 42
Home Directory Ownership ................................................................................................................................ 43
Home Directory Permissions ............................................................................................................................... 44
Limit Access To Root From Su .......................................................................................................................... 45
Limit Term Write Access to Owner ..................................................................................................................... 46
Lock Invalid Accounts ....................................................................................................................................... 47
Lock Non-Root Accounts with UID 0 .................................................................................................................. 48
Maximum Number of Logins per User ................................................................................................................. 49
Remove Games User Account ............................................................................................................................ 49
Remove Gopher User Account ............................................................................................................................ 50
Remove Halt User Account ................................................................................................................................ 51
Remove News User Account .............................................................................................................................. 51
Remove Shutdown User Account ........................................................................................................................ 52
Remove Sync User Account ............................................................................................................................... 53
Restrict use of Mesg Command .......................................................................................................................... 53
Root Console Only Logins ................................................................................................................................. 54
Root Home Directory Permissions ....................................................................................................................... 55
Root Path ........................................................................................................................................................ 56
Root Shell must be on / filesystem ...................................................................................................................... 57
Single User Mode Password ............................................................................................................................... 57
Sync Shells File ............................................................................................................................................... 58
User Dot File Perms ......................................................................................................................................... 59
5. Network Configuration ........................................................................................................................................... 61
ARP Cleanup Interval ....................................................................................................................................... 61
ARP IRE_CACHE Cleanup Interval .................................................................................................................... 61
Adjust Maximum Pending Connections ................................................................................................................ 62
Configure System to Log 'martian' Network Packets ............................................................................................... 63
Disable Accepting ICMP Redirects ...................................................................................................................... 64
Disable Accepting Secure Redirects ..................................................................................................................... 65
Disable Broadcast Packet Forwarding ................................................................................................................... 66
Disable IP Forwarding ....................................................................................................................................... 66
Disable IPv6 Kernel Module .............................................................................................................................. 67
Disable Proxy Address Resolution Protocol (Proxy ARP) ........................................................................................ 68
Disable Sending ICMP Redirects ......................................................................................................................... 68
Disable Source Routing ..................................................................................................................................... 70
Disable Support for DCCP ................................................................................................................................. 71
Disable Support for RDS ................................................................................................................................... 71
Disable Support for SCTP .................................................................................................................................. 72
Disable Support for TIPC .................................................................................................................................. 73
Disable Zeroconf Networking ............................................................................................................................. 73
Enable Reverse Path Source Validation ................................................................................................................ 74
Enable Strong TCP Sequence Number Generation .................................................................................................. 75
Enable TCP Syncookies ..................................................................................................................................... 75
Enable TCP Wrappers ....................................................................................................................................... 76
Ignore Bogus ICMP4 Error Responses ................................................................................................................. 77
Ignore ICMP ECHO and TIMESTAMP Requests ................................................................................................... 77
Prohibit DHCP Client Dynamic DNS Updates ....................................................................................................... 78
Set IP Strict Multihoming .................................................................................................................................. 79
6. Network Services .................................................................................................................................................. 80
Configure Time Synchronization ......................................................................................................................... 80
Disable DNS .................................................................................................................................................... 80
Disable Dhcpd ................................................................................................................................................. 81
Disable Gated .................................................................................................................................................. 82
Disable Inetd .................................................................................................................................................... 83
Disable Innd .................................................................................................................................................... 84
Disable Network Analysis Tools ......................................................................................................................... 85
Disable Routed ................................................................................................................................................. 85
Disable XFS .................................................................................................................................................... 86
7. File Sharing Services ............................................................................................................................................. 88
Deny NFS Client Access Without UID or GID ...................................................................................................... 88
Disable File Sharing Networks ............................................................................................................................ 88
Disable Fspd .................................................................................................................................................... 89
Disable NFS Client ........................................................................................................................................... 90
Disable NFS Server .......................................................................................................................................... 91
Disable NetFS .................................................................................................................................................. 92
Disable SMB ................................................................................................................................................... 93
Disable rpc.ugidd .............................................................................................................................................. 94
Remove Insecure_Locks Option for NFS Server .................................................................................................... 95
Remove SMB Guest Authentication ..................................................................................................................... 95
SMB Configuration ........................................................................................................................................... 96
Secure Option for NFS Server ............................................................................................................................ 97
8. File Transfer Services ............................................................................................................................................ 99
Create ftpusers File ........................................................................................................................................... 99
Disable FTP (gssftp) ......................................................................................................................................... 99
Disable FTP (vsftpd) ....................................................................................................................................... 100
Disable TFTP ................................................................................................................................................. 102
Disable UUCP ................................................................................................................................................ 102
Remove ftp Account ........................................................................................................................................ 103
Set FTP Umask (gssftp) ................................................................................................................................... 104
Set TFTP Startup Directory .............................................................................................................................. 105
9. Electronic Mail Services ....................................................................................................................................... 106
Configure Sendmail Options ............................................................................................................................. 106
Disable Mail (Cyrus Mail Server) ...................................................................................................................... 107
Disable Mail (Dovecot Mail Server) ................................................................................................................... 108
Disable Sendmail ............................................................................................................................................ 109
Disable Sendmail Help ..................................................................................................................................... 110
Disable Sendmail if Older than 8.13.8 ................................................................................................................ 110
10. Web Services .................................................................................................................................................... 112
Disable Apache ............................................................................................................................................... 112
Disable Squid ................................................................................................................................................. 113
Disable Squid if Older than 2.4STABLE6 ........................................................................................................... 113
Disable Tux ................................................................................................................................................... 114
PHP - Disallow HTTP File Uploads ................................................................................................................... 115
PHP - Enhance Session Management ................................................................................................................. 115
PHP - General Security .................................................................................................................................... 116
PHP - Remove Stored MySQL Password ............................................................................................................ 117
PHP - Set Error Logging .................................................................................................................................. 117
11. Database Services .............................................................................................................................................. 119
Disable CDE ToolTalk Database Server .............................................................................................................. 119
Disable MySQL .............................................................................................................................................. 119
Disable Postgresql ........................................................................................................................................... 120
MySQL - Disable Command History .................................................................................................................. 121
12. Desktop Applications .......................................................................................................................................... 123
Configure User Firefox Prefs ............................................................................................................................ 123
Disable Firefox if Older than 3.0 ....................................................................................................................... 123
Disable Instant Messenger Client (Yahoo!) .......................................................................................................... 124
Disable Instant Messenger Client (gaim) ............................................................................................................. 124
Firefox - Addons ............................................................................................................................................ 125
Firefox - Dynamic Content ............................................................................................................................... 125
Firefox - Encryption ........................................................................................................................................ 126
Firefox - Java ................................................................................................................................................. 126
Firefox - JavaScript ......................................................................................................................................... 127
Firefox - Network ........................................................................................................................................... 128
Firefox - Privacy ............................................................................................................................................. 128
Firefox - Updating .......................................................................................................................................... 129
13. Printing Services ................................................................................................................................................ 130
Disable CUPS Printer Browsing ........................................................................................................................ 130
Disable HP Printing and Imaging ....................................................................................................................... 130
Disable Printer Configuration Daemon ................................................................................................................ 131
Disable Printer Daemon ................................................................................................................................... 132
14. Authentication Services ....................................................................................................................................... 134
Configure /etc/ldap.conf Settings ........................................................................................................................ 134
Disable Kerberos TGT Expiration Warning ......................................................................................................... 134
Disable LDAP Client Cache Manager ................................................................................................................. 135
Disable NIS Client .......................................................................................................................................... 135
Disable NIS Server .......................................................................................................................................... 136
15. Hardware Services ............................................................................................................................................. 138
Check Kernel for XD/NX Support .....................................................................................................................
Disable ACPI Daemon .....................................................................................................................................
Disable Avahi Daemon ....................................................................................................................................
Disable Bluetooth ........................................................ 139
Disable Bluetooth Input Devices Daemon ................................... 140
Disable Bluetooth Kernel Modules ......................................... 141
Disable CPU Throttling ................................................... 142
Disable HAL Daemon ....................................................... 142
Disable IA32 Microcode Utility ........................................... 143
Disable IRDA Service ..................................................... 143
Disable IRQ Balance Service .............................................. 144
Disable Kudzu ............................................................ 145
Disable Power Management ................................................. 146
Disable SMART Disk Monitoring Support .................................... 147
Disable USB and PCMCIA Devices ........................................... 147
16. User Session Management .............................................. 149
Lock Account after Three Failed Login Attempts ........................... 149
Set CDE Screen Saver ..................................................... 150
Set Delay after Failed Login ............................................. 151
Set Mandatory Screen Saver ............................................... 152
Set Shell Timeout Period ................................................. 154
Set X Screen Saver Application Defaults .................................. 155
17. Remote Access Services ............................................... 157
Configure Xinetd Logging ................................................. 157
Disable Finger ........................................................... 157
Disable Graphical Login .................................................. 158
Disable ISDN ............................................................. 159
Disable Login Prompts on Serial Ports .................................... 160
Disable Remote Exec (rexec) .............................................. 160
Disable Remote Login (rlogin) ............................................ 161
Disable Remote Shell (rsh) ............................................... 162
Disable Rhosts Support ................................................... 163
Disable Telnet ........................................................... 164
Remove rsh Authorization Files ........................................... 165
Restrict Remote X Clients ................................................ 165
SSH Disable GSSAPI Authentication ........................................ 166
SSH Parameters ........................................................... 167
SSH Restrict Ciphers ..................................................... 168
SSH Restrict HMAC ........................................................ 169
SSHD Disable Empty Passwords ............................................. 169
SSHD Disable GSSAPI Authentication ....................................... 170
SSHD Disable Host-based Authentication ................................... 171
SSHD Disable Kerberos Authentication ..................................... 172
SSHD Disable Rhosts Authentication ....................................... 173
SSHD Disable Rhosts RSA Authentication ................................... 173
SSHD Disable Root Login .................................................. 174
SSHD Enable Banner ....................................................... 175
SSHD Enable Ignore Rhosts ................................................ 176
SSHD Enable X11 Forwarding ............................................... 177
SSHD Logging Level ....................................................... 178
SSHD Maximum Authentication Attempts ..................................... 178
SSHD Permit User Environment ............................................. 179
SSHD Print Last Log ...................................................... 179
SSHD Protocol ............................................................ 180
SSHD Restrict Ciphers .................................................... 181
SSHD Restrict HMAC ....................................................... 182
SSHD Restrict Users and Groups ........................................... 183
Security Blanket® Modules Guide
Export Controlled - See Sheet 1
SSHD Set Compression ..................................................... 184
SSHD Set Idle Timeout Interval for User Logins ........................... 184
SSHD Strict Mode Checking ................................................ 186
SSHD Use Privilege Separation ............................................ 186
18. Security Services .................................................... 187
Disable GSS Daemon ....................................................... 187
Disable RPC Keyserv ...................................................... 188
Disable Smart Card Support ............................................... 188
19. Security-Enhanced Linux (SELinux) .................................... 190
Disable MCS Translation Service .......................................... 190
Disable Restorecon ....................................................... 190
Disable SETroubleshoot ................................................... 191
Ensure SELinux is Properly Enabled ....................................... 192
20. System Services ...................................................... 194
Daemon Umask ............................................................. 194
Disable Autofs Daemon .................................................... 194
Disable Boot Caching ..................................................... 195
Disable CDE Calendar Manager Server ...................................... 196
Disable Console Mouse Support ............................................ 197
Disable Firstboot Service ................................................ 197
Disable Interactive Boot ................................................. 198
Disable Portmap Daemon ................................................... 199
Disable Prelinking ....................................................... 200
Disable Remote Syslog .................................................... 200
Disable atd Service ...................................................... 201
Restrict the CDE Subprocess Control Service .............................. 202
21. System Management Services ........................................... 203
Disable Abrtd ............................................................ 203
Disable Java Web Console ................................................. 203
Disable Netconsole ....................................................... 204
Disable Ntpdate .......................................................... 204
Disable Oddjobd .......................................................... 205
Disable Qpidd ............................................................ 205
Disable Rdisc ............................................................ 205
Disable Rhnsd ............................................................ 206
Disable SNMP ............................................................. 207
Disable SNMP if Default Public String Exists ............................. 208
Disable Solaris Volume Manager ........................................... 208
Disable Solaris Volume Manager GUI ....................................... 209
Disable WBEM ............................................................. 210
Disable Webmin ........................................................... 211
Enable Crond ............................................................. 212
Enable Ip6tables ......................................................... 212
Enable Iptables .......................................................... 213
Enable Postfix ........................................................... 213
Ensure YUM Repositories use gpgcheck ..................................... 214
Screen Package Installed ................................................. 214
22. Directory and File Permissions ....................................... 215
Access.conf File Permissions ............................................. 215
At Directory Permissions ................................................. 215
At/Cron Access File Permissions .......................................... 217
Audit Tools Perms ........................................................ 218
Boot Loader Configuration File Permissions ............................... 219
Configure Permissions on /usr/bin/ldd .................................... 220
Consult the RPM Database for file/directory Setting ...................... 221
Correct Uneven File Permissions .......................................... 222
Crontab Dir Perms ........................................................ 223
Crontab Perms ............................................................ 224
Crontab Script Perms ..................................................... 225
FTP Configuration File Permissions ....................................... 226
Global Initialization File Permissions ................................... 227
Hosts File Permissions ................................................... 228
Inetd/Xinetd Configuration File Permissions .............................. 229
InterNetNews Config File Perms ........................................... 230
Kernel Core Dump Directory Permissions ................................... 231
LDAP Configuration File Permissions ...................................... 233
Mail Agent Aliases Files Permissions ..................................... 234
Management Information Base (MIB) File Permissions ....................... 235
NFS Export Configuration File Permissions ................................ 236
NIS/NIS+/YP Configuration File Permissions ............................... 237
NTP Perms ................................................................ 238
Name Service Switch Configuration File Permissions ....................... 239
Password Perms ........................................................... 240
Printer Configuration File Permissions ................................... 241
Resolver Configuration File Permissions .................................. 243
Restrict Use of Compiler Tools ........................................... 244
Restrict Use of Traceroute and Ping ...................................... 244
Restrict Write Access on Man Pages ....................................... 245
SNMP Configuration File Permissions ...................................... 246
Samba Configuration File Permissions ..................................... 247
Samba Password File Permissions .......................................... 248
Secure Audio Devices ..................................................... 249
Secure SUID/SGID Executables ............................................. 250
Secure Shell Binaries .................................................... 251
Secure Unowned Files ..................................................... 252
Secure World Writable Devices ............................................ 253
Secure World Writable Directories ........................................ 254
Secure World Writable Files .............................................. 255
Services File Permissions ................................................ 256
Shadow Perms ............................................................. 257
Skeleton File Permissions ................................................ 259
Sysctl.conf Permissions .................................................. 260
System Command File Permissions .......................................... 261
System Configuration File Permissions .................................... 262
System Device Directory Ownership ........................................ 263
System Library File Permissions .......................................... 263
System Log File Permissions .............................................. 265
System Logging Configuration File Permissions ............................ 266
System Run Control Script Permissions .................................... 267
Verify Required Software Cryptographic Certs are Installed ............... 268
23. File Systems ......................................................... 269
Bind Mount /var/tmp to /tmp .............................................. 269
Check for Separate /home File System ..................................... 269
Check for Separate /tmp File System ...................................... 269
Check for Separate /var File System ...................................... 270
Check for Separate /var/log File System .................................. 270
Check for Separate /var/log/audit File System ............................ 271
Disable GNOME Automounting ............................................... 271
Disable Mounting of Uncommon Filesystem Types ............................ 272
Use NODEV Option for Non-Root Partitions ................................. 273
Use NOSUID and NODEV for Removable Media ................................. 273
Use NOSUID on User Filesystems ........................................... 274
User Mountable Media ..................................................... 275
24. General .............................................................. 277
Correct Global Init Script PATH Variables ................................ 277
Correct System RC Script PATH Variables .................................. 277
Create Login Banner ...................................................... 278
Create Login FTP Banner .................................................. 279
Create Pre-Login GUI Banner .............................................. 280
Create Pre-Session GUI Banner ............................................ 281
Disable Core Dumps ....................................................... 283
Disable Ctrl-Alt-Del ..................................................... 284
Disable Kernel Crash Analyzer ............................................ 285
Disable Raw Devices Service .............................................. 285
Disable SUID Core Dumps .................................................. 286
Disable Software RAID Monitor ............................................ 286
Disable Support for Firewire ............................................. 287
Disable Support for USB Storage .......................................... 287
Enable ExecShield Kernel Module .......................................... 288
Enable Stack Protection .................................................. 288
Exec Shell Startups in /etc/profile.d .................................... 289
GRUB Boot Single Image ................................................... 289
Password Protect GRUB .................................................... 290
Remove Telnet Service Banner ............................................. 291
Require GRUB Password .................................................... 291
Restrict At and Cron ..................................................... 293
Secure Netrc Files ....................................................... 294
A. Cross Reference to Guidelines ......................................... 295
CAG 20 Critical Security Controls v2.3 ................................... 295
CIA DCID 6/3 May 2000 .................................................... 302
DHS Linux Configuration Guidance 2010.8 .................................. 304
DISA Mozilla Firefox STIG v4 R2 .......................................... 307
DISA Red Hat 5 STIG v1R4 ................................................. 307
DISA Red Hat 6 STIG v1R2 ................................................. 323
DISA UNIX STIG v5 R1.30 .................................................. 331
DoD JAFAN 6/3 Oct 2004 ................................................... 340
DoD NISPOM Feb 2006 ...................................................... 342
NERC Cyber Security - Electronic Security Perimeters CIP-005-3 ........... 345
NERC Cyber Security - Systems Security Management CIP-007-3 .............. 348
NIST FISMA SP 800-53 ..................................................... 351
NSA Guide to the Secure Configuration of RHEL5 Rev. 4.2 / Aug 2011 ....... 359
NVD CCE .................................................................. 363
PCI DSS v2.0 ............................................................. 368
B. Specific Module Behavior .............................................. 377
Disabling Services ....................................................... 377
Excluding Directories from Scans ......................................... 377
C. Implementing a Password Policy ........................................ 379
Password Aging ........................................................... 379
Password Length and Composition .......................................... 379
Enforcing the Policy ..................................................... 379
Index .................................................................... 381
List of Figures
4.1. Home Directory Ownership - Scan Flow ................................................................................................................ 43
4.2. Home Directory Perms - Scan Flow ....................................................................................................................... 44
B.1. Disabling Services - Scanning Process ................................................................................................................. 377
B.2. Master Exclusion List ....................................................................................................................................... 378
List of Tables
5.1. Setting the ARP Cleanup Interval .......................................................................................................................... 61
5.2. Setting the IRE_CACHE Scan Interval ................................................................................................................... 61
5.3. Setting the Maximum Number of TCP SYN Requests Kept in Memory ........................................................................ 62
5.4. IP Settings to Log Martian Packets ........................................................................................................................ 63
5.5. IP Settings to Refuse ICMP Redirects .................................................................................................................... 64
5.6. IP Settings to Block Secure Redirects .................................................................................................................... 65
5.7. IP Settings to Prohibit the Sending of ICMP Redirects .............................................................................................. 66
5.8. IP Settings to Enable Reverse Path Source Validation ............................................................................................... 68
5.9. IP Settings to Prohibit the Sending of ICMP Redirects .............................................................................................. 69
5.10. IP Settings to Disable Source Routing .................................................................................................................. 70
5.11. IP Settings to Enable Reverse Path Source Validation ............................................................................................. 74
5.12. TCP Setting to Enable Sending of SYN Cookies .................................................................................................... 75
5.13. IP Settings to Ignore Bogus ICMP4 Error Responses .............................................................................................. 77
5.14. ICMP Settings to Ignore Echo and Timestamp Requests .......................................................................................... 77
5.15. IP Settings to Prohibit the Sending of ICMP Redirects ............................................................................................ 79
A.1. Guideline name/description for CAG 20 Critical Security Controls v2.3 ..................................................................... 295
A.2. Module to line item breakdown for CAG 20 Critical Security Controls v2.3 ................................................................ 295
A.3. CIA DCID 6/3 May 2000 .................................................................................................................................. 302
A.4. DHS Linux Configuration Guidance 2010.8 .......................................................................................................... 304
A.5. DISA Mozilla Firefox STIG v4 R2 ..................................................................................................................... 307
A.6. DISA Red Hat 5 STIG v1R4 ............................................................................................................................. 307
A.7. DISA Red Hat 6 STIG v1R2 ............................................................................................................................. 324
A.8. DISA UNIX STIG v5 R1.30 .............................................................................................................................. 332
A.9. DoD JAFAN 6/3 Oct 2004 ................................................................................................................................ 340
A.10. DoD NISPOM Feb 2006 ................................................................................................................................. 343
A.11. Guideline name/description for NERC Cyber Security - Electronic Security Perimeters CIP-005-3 ................................. 345
A.12. Module to line item breakdown for NERC Cyber Security - Electronic Security Perimeters CIP-005-3 ............................ 345
A.13. Guideline name/description for NERC Cyber Security - Systems Security Management CIP-007-3 ................................ 348
A.14. Module to line item breakdown for NERC Cyber Security - Systems Security Management CIP-007-3 ........................... 349
A.15. Guideline name/description for NIST FISMA SP 800-53 ....................................................................................... 351
A.16. Module to line item breakdown for NIST FISMA SP 800-53 ................................................................................. 352
A.17. NSA Guide to the Secure Configuration of RHEL5 Rev. 4.2 / Aug 2011 .................................................................. 359
A.18. NVD CCE ..................................................................................................................................................... 363
A.19. PCI DSS v2.0 ................................................................................................................................................ 369
C.1. Password Aging - Configuration ......................................................................................................................... 379
C.2. Password Length - Configuration ........................................................................................................................ 379
C.3. Password Composition - Configuration ................................................................................................................. 379
Chapter 1. Profile-Specific Additions
These modules do not do any processing on their own, but allow for a profile to specify alterations in how it will be processed by
Security Blanket.
(PROFILE CUSTOMIZATION) - additions to exclude-dirs
This module allows the profile to contain specific directories that should be added to /var/lib/security-blanket/files/exclude_dirs file processing when this profile is run. The additions are transient and will not persist past the execution of the profile.
Module Options
• Additional directories to exclude (one per line)
This allows for Profile specific directories that Security Blanket will exclude from processing. There should be one directory per
line.
Compliancy
N/A
(PROFILE CUSTOMIZATION) - additions to inclusion-fstypes
This module allows the profile to contain specific file system types (fstypes) that should be added to /var/lib/security-blanket/files/inclusion-fstypes processing when this profile is run. The additions are transient and will not persist past the execution of the profile.
Module Options
• Additional filesystem types to search
This allows for Profile specific filesystem types that Security Blanket will include for processing. There should be one file system
type per line.
Compliancy
N/A
(PROFILE CUSTOMIZATION) - additions to sgid_whitelist
This module allows the profile to contain specific executables that should be added to /var/lib/security-blanket/files/sgid_whitelist file processing when this profile is run. The additions are transient and will not persist past the execution of the profile.
Module Options
• Additional SGID executables (one per line)
This allows for Profile specific executables that are allowed to have the SGID bit set. There should be one executable per line.
Compliancy
N/A
(PROFILE CUSTOMIZATION) - additions to suid_whitelist
This module allows the profile to contain specific executables that should be added to /var/lib/security-blanket/files/suid_whitelist file processing when this profile is run. The additions are transient and will not persist past the execution of the profile.
Module Options
• Additional SUID executables (one per line)
This allows for Profile specific executables that are allowed to have the SUID bit set. There should be one executable per line.
Compliancy
N/A
Chapter 2. Auditing and Logging
Audit Log Rotation
Configures the system to rotate audit logs on a daily basis.
This module should be used in conjunction with the “Enable the Audit Subsystem” module. Depending on the rules set by the “Audit
Rules” or the “Audit Rules (Solaris)” module, the audit subsystem can quickly consume large amounts of disk space.
Creating a process to ensure the audit logs are transferred to a secure location is strongly recommended. For example, use an
isolated server or offline physical media such as tapes or DVDs. The type of information your system processes and your business
requirements will determine the necessary retention period and help to define the “secure location”.
Operating Systems: Fedora™ 10, 11, 12, and 13; Red Hat® Enterprise Linux® 4, 5, and 6; SUSE® 10 and 11
Configuration File: /etc/logrotate.d/audit
Settings:
    /var/log/audit/audit.log {
        daily
        rotate 14
        compress
        notifempty
        missingok
        postrotate
            /sbin/service auditd restart 1>/dev/null 2>&1 || true
        endscript
    }

Operating System: Solaris™ 10
Configuration File: Root’s crontab
Settings:
    0 0 * * * /usr/sbin/audit -n
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 5 - Audit Trail
DISA Red Hat 5 STIG (v1R4)
• GEN002860 - Audit logs must be rotated daily.
DISA UNIX STIG (v5 R1.30)
• GEN002860 - Audit Logs Rotation
NIST FISMA (SP 800-53)
• AU-11 - Audit Retention
Audit Rules
Configures the audit subsystem to record relevant security events such as administrative actions, file access, file deletions, login,
logout, session initiations, and access control changes.[1]
[1] McDougall, Richard and Jim Mauro. Solaris Internals: Solaris 10 and OpenSolaris Kernel Architecture. Santa Clara, CA: Sun Microsystems Press, 2007.
The audit rules configuration must be finely tuned to balance the number of recorded events against system performance needs. An
overload of event records can occur and substantially reduce system performance. This rule set will not be loaded until the audit
subsystem is restarted, so it is safe to apply the change and review the rules manually before restarting.
Using the “Audit Log Rotation” module with this module is strongly recommended.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Configuration File: /etc/audit/audit.rules
Settings: Industry-standard profiles provide auditing rules.
Module Options
• Kernel auditing rules.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
CIA DCID 6/3 (May 2000)
• 4.B.1.b(2)(a) - Auditing - Date and time entity performed system action
• 4.B.1.b(2)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs
• 4.B.1.b(2)(d)(2) - Auditing - Record accesses to security-relevant objects
• 4.B.1.b(2)(d)(3) - Auditing - Record activities at the system console
• 4.B.2.a(4)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs (PL2)
• 4.B.2.a(4)(d)(2) - Auditing - Record accesses to security-relevant objects (PL2)
• 4.B.2.a(4)(d)(3) - Auditing - Record activities at the system console (PL2)
• 4.B.3.a(7) - Auditing - Record changes to the mechanism's list of user formal access permissions (PL3)
DHS Linux Configuration Guidance (2010.8)
• 5 - Audit Trail
DISA Red Hat 5 STIG (v1R4)
• GEN002720 - The audit system must be configured to audit failed attempts to access files and programs.
• GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs.
• GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs.
• GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs.
• GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs.
• GEN002740 - The audit system must be configured to audit files and programs deleted by the user.
• GEN002740-2 - The audit system must be configured to audit file deletions.
• GEN002750 - The audit system must be configured to audit account creation.
• GEN002751 - The audit system must be configured to audit account modification.
• GEN002752 - The audit system must be configured to audit account disabling.
• GEN002753 - The audit system must be configured to audit account termination.
• GEN002760-10 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-2 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-3 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-4 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-5 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-6 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-7 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-8 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002760-9 - The audit system must be configured to audit all administrative, privileged, and security actions.
• GEN002820 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-10 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-11 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-12 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-13 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-2 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-3 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-4 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-5 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-6 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-7 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-8 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002820-9 - The audit system must be configured to audit all discretionary access control permission modifications.
• GEN002825 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
• GEN002825-2 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules - delete_module.
• GEN002825-3 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/insmod.
• GEN002825-4 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/modprobe.
• GEN002825-5 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/rmmod.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000165 - The audit system must be configured to audit all attempts to alter system time through adjtimex.
• RHEL-06-000167 - The audit system must be configured to audit all attempts to alter system time through settimeofday.
• RHEL-06-000169 - The audit system must be configured to audit all attempts to alter system time through stime.
• RHEL-06-000171 - The audit system must be configured to audit all attempts to alter system time through clock_settime.
• RHEL-06-000173 - The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
• RHEL-06-000174 - The operating system must automatically audit account creation.
• RHEL-06-000175 - The operating system must automatically audit account modification.
• RHEL-06-000176 - The operating system must automatically audit account disabling actions.
• RHEL-06-000177 - The operating system must automatically audit account termination.
• RHEL-06-000182 - The audit system must be configured to audit modifications to the systems network configuration.
• RHEL-06-000183 - The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
• RHEL-06-000184 - The audit system must be configured to audit all discretionary access control permission modifications using chmod.
• RHEL-06-000185 - The audit system must be configured to audit all discretionary access control permission modifications using chown.
• RHEL-06-000186 - The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
• RHEL-06-000187 - The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
• RHEL-06-000188 - The audit system must be configured to audit all discretionary access control permission modifications using fchown.
• RHEL-06-000189 - The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
• RHEL-06-000190 - The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
• RHEL-06-000191 - The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
• RHEL-06-000192 - The audit system must be configured to audit all discretionary access control permission modifications using lchown.
• RHEL-06-000193 - The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
• RHEL-06-000194 - The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
• RHEL-06-000195 - The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
• RHEL-06-000196 - The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
• RHEL-06-000197 - The audit system must be configured to audit failed attempts to access files and programs.
• RHEL-06-000198 - The audit system must be configured to audit all use of setuid programs.
• RHEL-06-000199 - The audit system must be configured to audit successful file system mounts.
• RHEL-06-000200 - The audit system must be configured to audit user deletions of files and programs.
• RHEL-06-000201 - The audit system must be configured to audit changes to the /etc/sudoers file.
• RHEL-06-000202 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
DISA UNIX STIG (v5 R1.30)
• GEN002720 - Audit Failed File and Program Access Attempts
• GEN002740 - Audit File and Program Deletion
• GEN002760 - Audit Administrative, Privileged, and Security Actions
• GEN002800 - Audit Login, Logout, and Session Initiation
• GEN002820 - Audit Discretionary Access Control Permission Modifications
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.b(2)(a) - Auditing - Date and time entity performed system action
• 4.B.1.b(2)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs
• 4.B.1.b(2)(d)(2) - Auditing - Record accesses to security-relevant objects
• 4.B.1.b(2)(d)(3) - Auditing - Record activities at the system console
• 4.B.2.a(4)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs (PL2)
• 4.B.2.a(4)(d)(2) - Auditing - Record accesses to security-relevant objects (PL2)
• 4.B.2.a(4)(d)(3) - Auditing - Record activities at the system console (PL2)
• 4.B.3.a(7) - Auditing - Record changes to the mechanism's list of user formal access permissions (PL3)
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
• 8.602a1 - Automated Audit Trail Creation
• 8.602d1 - Audit 4 Requirements
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
NIST FISMA (SP 800-53)
• AU-10 - Non-repudiation
• AU-2 - Auditable Events
• AU-3 - Content of Audit Records
• AU-8 - Time Stamps
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.6.2.4 - Configure auditd Rules for Comprehensive Auditing
NVD CCE
• CCE-4075-8
• CCE-4600-3
• CCE-4610-2
• CCE-4679-7
PCI DSS (v2.0)
• 10.1 - Link all access to system components to each individual user
• 10.2.2 - Audit Events: All actions taken by any individual with root or administrative privileges
• 10.2.3 - Audit Events: Access to all audit trails
• 10.2.7 - Audit Events: Creation and deletion of system-level objects.
• 10.3.1 - Audit Events: User identification
• 10.3.2 - Audit Events: Type of event
• 10.3.3 - Audit Events: Date and time
• 10.3.4 - Audit Events: Success or failure indication
• 10.3.5 - Audit Events: Origination of event
• 10.3.6 - Audit Events: Identity or name of affected data, system component
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Audit Rules (Solaris)
Configures the audit subsystem to record relevant security events such as administrative actions, file access, file deletions, login,
logout, session initiations, and access control changes.[2]
The audit rules configuration must be finely tuned to balance the number of recorded events against system performance needs. An
overload of event records can occur and substantially reduce system performance. This rule set will not be loaded until the audit
subsystem is restarted, so it is safe to apply the change and review the rules manually before restarting.
Using the “Audit Log Rotation” module with this module is strongly recommended.
Operating System: Solaris 10
Configuration File: /etc/security/audit_control
Settings: Industry-standard profiles provide auditing rules.
[2] McDougall, Richard and Jim Mauro. Solaris Internals: Solaris 10 and OpenSolaris Kernel Architecture. Santa Clara, CA: Sun Microsystems Press, 2007.
Module Options
• Kernel auditing rules.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
CIA DCID 6/3 (May 2000)
• 4.B.1.b(2)(a) - Auditing - Date and time entity performed system action
• 4.B.1.b(2)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs
• 4.B.1.b(2)(d)(2) - Auditing - Record accesses to security-relevant objects
• 4.B.1.b(2)(d)(3) - Auditing - Record activities at the system console
• 4.B.2.a(4)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs (PL2)
• 4.B.2.a(4)(d)(2) - Auditing - Record accesses to security-relevant objects (PL2)
• 4.B.2.a(4)(d)(3) - Auditing - Record activities at the system console (PL2)
• 4.B.3.a(7) - Auditing - Record changes to the mechanism's list of user formal access permissions (PL3)
DHS Linux Configuration Guidance (2010.8)
• 5 - Audit Trail
DISA UNIX STIG (v5 R1.30)
• GEN002720 - Audit Failed File and Program Access Attempts
• GEN002740 - Audit File and Program Deletion
• GEN002760 - Audit Administrative, Privileged, and Security Actions
• GEN002800 - Audit Login, Logout, and Session Initiation
• GEN002820 - Audit Discretionary Access Control Permission Modifications
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.b(2)(a) - Auditing - Date and time entity performed system action
• 4.B.1.b(2)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs
• 4.B.1.b(2)(d)(2) - Auditing - Record accesses to security-relevant objects
• 4.B.1.b(2)(d)(3) - Auditing - Record activities at the system console
• 4.B.2.a(4)(a) - Auditing - Date and time entity performed system action (PL2)
• 4.B.2.a(4)(d)(1) - Auditing - Record Successful and unsuccessful logons and logoffs (PL2)
• 4.B.2.a(4)(d)(2) - Auditing - Record accesses to security-relevant objects (PL2)
• 4.B.2.a(4)(d)(3) - Auditing - Record activities at the system console (PL2)
• 4.B.3.a(7) - Auditing - Record changes to the mechanism's list of user formal access permissions (PL3)
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
• 8.602a1 - Automated Audit Trail Creation
• 8.602d1 - Audit 4 Requirements
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
NIST FISMA (SP 800-53)
• AU-10 - Non-repudiation
• AU-2 - Auditable Events
• AU-3 - Content of Audit Records
• AU-8 - Time Stamps
NVD CCE
• CCE-4075-8
• CCE-4600-3
• CCE-4610-2
• CCE-4679-7
PCI DSS (v2.0)
• 10.1 - Link all access to system components to each individual user
• 10.2.2 - Audit Events: All actions taken by any individual with root or administrative privileges
• 10.2.3 - Audit Events: Access to all audit trails
• 10.2.7 - Audit Events: Creation and deletion of system-level objects.
• 10.3.1 - Audit Events: User identification
• 10.3.2 - Audit Events: Type of event
• 10.3.3 - Audit Events: Date and time
• 10.3.4 - Audit Events: Success or failure indication
• 10.3.5 - Audit Events: Origination of event
• 10.3.6 - Audit Events: Identity or name of affected data, system component
Configure /etc/audit/auditd.conf Settings
Verify that the indicated lines are contained in the /etc/audit/auditd.conf file. Note that the specific settings vary between
guidelines and also can change based on site requirements. Security Blanket does not perform checks here except that the lines below
are or are not present in the auditd.conf file with the required settings. Lines missing (or with different settings) will be added/
corrected when applied. Note that on Red Hat Enterprise Linux 4 systems the /etc/auditd.conf file may be examined rather
than the /etc/audit/auditd.conf file.
Module Options
• List of settings (one per line, "NAME VALUE")
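The check-and-correct behaviour described above, as an added Python example that is not Security Blanket's own code: it parses the module option ("NAME VALUE", one per line), reports which lines of an auditd.conf are missing or carry a different value, and rewrites the file so that a second run changes nothing. The sample auditd.conf and the required values are constructed for illustration, not a recommended configuration.

```python
"""Check and correct "NAME VALUE" settings in an auditd.conf-style file.

Added example, not Security Blanket's own code: it models the behaviour the
"Configure /etc/audit/auditd.conf Settings" module describes (report which
required lines are missing or hold a different value, then add or correct
them). The sample file and required values are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# auditd.conf entries have the form "name = value"; a '#' starts a comment.
_SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_settings_option(option_text: str) -> Dict[str, str]:
    """Parse the module option text: one "NAME VALUE" pair per line."""
    wanted: Dict[str, str] = {}
    for raw in option_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"expected 'NAME VALUE', got {raw!r}")
        wanted[parts[0]] = parts[1].strip()
    return wanted


def _setting(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) for an active setting line, None otherwise."""
    if line.lstrip().startswith("#"):
        return None
    m = _SETTING_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def scan(conf_text: str, wanted: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan mode: classify each required setting as missing, wrong, or ok."""
    present: Dict[str, str] = {}
    for line in conf_text.splitlines():
        hit = _setting(line)
        if hit:
            present[hit[0]] = hit[1]  # a later duplicate overrides an earlier one
    report: Dict[str, List[str]] = {"missing": [], "wrong": [], "ok": []}
    for name, value in wanted.items():
        if name not in present:
            report["missing"].append(name)
        elif present[name] != value:
            report["wrong"].append(name)
        else:
            report["ok"].append(name)
    return report


def apply(conf_text: str, wanted: Dict[str, str]) -> Tuple[str, bool]:
    """Apply mode: rewrite wrong values in place, drop duplicate definitions,
    append missing settings; comments and unrelated lines are kept as-is."""
    out: List[str] = []
    seen = set()
    changed = False
    for line in conf_text.splitlines():
        hit = _setting(line)
        if hit and hit[0] in wanted:
            name, value = hit
            if name in seen:
                changed = True  # drop the duplicate definition
                continue
            seen.add(name)
            if value != wanted[name]:
                line = f"{name} = {wanted[name]}"
                changed = True
        out.append(line)
    for name, value in wanted.items():
        if name not in seen:
            out.append(f"{name} = {value}")
            changed = True
    return "\n".join(out) + "\n", changed


# Constructed sample auditd.conf; retention and alerting values are set lower
# than the required ones so that the scan flags them.
SAMPLE_CONF = """\
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
max_log_file = 6
max_log_file_action = ROTATE
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

# Constructed module option value: "NAME VALUE", one per line.
SAMPLE_OPTION = """\
max_log_file 20
max_log_file_action ROTATE
space_left_action email
disk_full_action halt
num_logs 5
"""
WANTED = parse_settings_option(SAMPLE_OPTION)
```

Running scan() before apply() gives the report the module's scan mode would show; running apply() twice demonstrates that the correction is idempotent.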
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN002719 - The audit system must alert the SA in the event of an audit processing failure.
• GEN002730 - The audit system must alert the SA when the audit storage volume approaches its capacity.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000005 - The audit system must alert designated staff members when the audit storage volume approaches capacity.
• RHEL-06-000159 - The system must retain enough rotated audit logs to cover the required log retention period.
• RHEL-06-000160 - The system must set a maximum audit log file size.
• RHEL-06-000161 - The system must rotate audit log files that reach the maximum file size.
• RHEL-06-000311 - The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
• RHEL-06-000313 - The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
• RHEL-06-000510 - The audit system must take appropriate action when the audit storage volume is full.
• RHEL-06-000511 - The audit system must take appropriate action when there are disk errors on the audit storage volume.
Cron Logging
Configures cron(8) logging so that cron-related logging information is sent to /var/log/cron, which is readable only by the superuser.
It is recommended that you review and archive /var/log/cron (Linux) or /var/cron/log (Solaris) on a regular basis. Cron
logging is enabled by default, so enabling this module should not impact normal operations.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 6
Configuration File: /etc/rsyslog.conf
Settings: cron.* /var/log/cron

Operating Systems: Red Hat Enterprise Linux 4 and 5
Configuration File: /etc/syslog.conf
Settings: cron.* /var/log/cron

Operating System: Solaris 10
Configuration File: /etc/default/cron
Settings: CRONLOG=yes
SUSE 10 and 11 systems use syslog-ng, so the following configuration changes will be made to /etc/syslog-ng/syslog-ng.conf:
filter f_cron { facility(cron); };
destination cron { file("/var/log/cron"); };
log { source(src); filter(f_cron); destination(cron); };
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
DISA Red Hat 5 STIG (v1R4)
• GEN003160 - Cron logging must be implemented.
DISA UNIX STIG (v5 R1.30)
• GEN003160 - Cron Logging
DoD NISPOM (Feb 2006)
• 8.602a1 - Automated Audit Trail Creation
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
NIST FISMA (SP 800-53)
• AU-2 - Auditable Events
• AU-3 - Content of Audit Records
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Enable Auditing For All Processes
This module adds an 'audit=1' argument to the kernel line for each boot definition in the GRUB config file. Should multiple boot
definitions be found, a warning will be issued and the argument will be added to each boot definition as required.
If the immutable bit is set within the extended attributes in the configuration file, it will be removed while making any changes and
then restored.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Configuration File: /boot/grub/grub.conf
Settings: Add audit=1 argument to default kernel

Operating System: Red Hat Enterprise Linux 5.2+ (zSeries)
GRUB is not used on IBM zSeries platforms. Instead, the zSeries Initial Program Loader (z/IPL) is used.
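The grub.conf edit described above, as an added Python example that is not Security Blanket's own code: it appends audit=1 to the kernel line of every boot definition, replaces a conflicting audit= value instead of duplicating it, warns when more than one boot definition is found, and, for a real file, clears and restores the immutable attribute with chattr around the edit. The sample grub.conf (kernel versions and paths) and the helper names add_kernel_arg, edit_preserving_immutable and enable_auditing are constructed for this example.

```python
"""Add audit=1 to every kernel line of a GRUB legacy configuration.

Added example, not Security Blanket's own code: it models what the "Enable
Auditing For All Processes" module describes for /boot/grub/grub.conf. The
sample grub.conf (kernel versions, paths) and the helper names are
constructed; the immutable-bit helper needs root and a real file.
"""
import subprocess
from typing import Callable, List, Tuple


def add_kernel_arg(grub_text: str, arg: str = "audit=1") -> Tuple[str, List[str]]:
    """Return the updated text and any warnings.

    Each 'title' stanza is one boot definition. Every 'kernel' line gets
    `arg` appended unless already present; a conflicting value of the same
    parameter (e.g. audit=0) is replaced rather than duplicated. More than
    one boot definition produces a warning, as the module does, and all of
    them are updated.
    """
    key = arg.split("=", 1)[0] + "="
    out: List[str] = []
    titles = 0
    for line in grub_text.splitlines():
        stripped = line.lstrip()
        tokens = stripped.split()
        if tokens and tokens[0] == "title":
            titles += 1
        elif tokens and tokens[0] == "kernel" and arg not in tokens[1:]:
            indent = line[: len(line) - len(stripped)]  # keep tabs/spaces as found
            args = [t for t in tokens[1:] if not t.startswith(key)]
            line = indent + " ".join([tokens[0]] + args + [arg])
        out.append(line)
    warnings: List[str] = []
    if titles > 1:
        warnings.append(f"{titles} boot definitions found; {arg} added to each")
    return "\n".join(out) + "\n", warnings


def edit_preserving_immutable(path: str, edit: Callable[[str], None]) -> None:
    """Run edit(path) with the immutable attribute cleared, restoring it after.

    Uses lsattr(1)/chattr(1) from e2fsprogs and requires root; the attribute
    is only re-set if the file had it, as the module describes.
    """
    flags = subprocess.run(["lsattr", "-d", path], capture_output=True,
                           text=True, check=True).stdout.split()[0]
    was_immutable = "i" in flags
    if was_immutable:
        subprocess.run(["chattr", "-i", path], check=True)
    try:
        edit(path)
    finally:
        if was_immutable:
            subprocess.run(["chattr", "+i", path], check=True)


def enable_auditing(path: str = "/boot/grub/grub.conf") -> List[str]:
    """Apply the module to a real grub.conf in place and return its warnings."""
    warnings: List[str] = []

    def _edit(p: str) -> None:
        with open(p) as fh:
            text, found = add_kernel_arg(fh.read())
        with open(p, "w") as fh:
            fh.write(text)
        warnings.extend(found)

    edit_preserving_immutable(path, _edit)
    return warnings


# Constructed sample grub.conf with two boot definitions; the second one
# already carries a conflicting audit=0 argument.
SAMPLE_GRUB = """\
default=0
timeout=5
title Red Hat Enterprise Linux Server (2.6.18-398.el5)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-398.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
    initrd /initrd-2.6.18-398.el5.img
title Red Hat Enterprise Linux Server (2.6.18-371.el5)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-371.el5 ro root=/dev/VolGroup00/LogVol00 audit=0 quiet
    initrd /initrd-2.6.18-371.el5.img
"""

if __name__ == "__main__":
    text, warns = add_kernel_arg(SAMPLE_GRUB)
    print(text)
    for w in warns:
        print("WARNING:", w)
```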
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00720 - Auditing must be enabled at boot by setting a kernel parameter.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000525 - Auditing must be enabled at boot by setting a kernel parameter.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.6.2.3 - Enable Auditing for Processes Which Start Prior to the Audit Daemon
Enable Vsftpd Additional Logging
Configures Vsftpd daemon to log all FTP requests and responses.
It is recommended that you apply this module. If the Vsftpd service is not installed or configured, this module exits. If Vsftpd is
installed, it is recommended to routinely review the audit logs produced by this service.
Operating Systems            Configuration Files                                Settings
Fedora 10, 11, 12, and 13    /etc/vsftpd/vsftpd.conf and/or /etc/vsftpd.conf    xferlog_std_format = YES
Red Hat Enterprise Linux 4                                                      log_ftp_protocol = YES
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                   Not part of the standard Solaris distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
DHS Linux Configuration Guidance (2010.8)
• 5 - Audit Trail
DISA Red Hat 5 STIG (v1R4)
• GEN004980 - The FTP daemon must be configured for logging or verbose mode.
DISA UNIX STIG (v5 R1.30)
• GEN004980 - FTP Daemon Logging
DoD NISPOM (Feb 2006)
• 8.602a1 - Automated Audit Trail Creation
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
NIST FISMA (SP 800-53)
• AC-17 - Remote Access
• AU-2 - Auditable Events
• AU-3 - Content of Audit Records
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Enable the Audit Subsystem
Enables the audit subsystem to record security-relevant events occurring on the system. This information is critical to understanding
security breaches or vulnerabilities. Once auditing is enabled, it is recommended that you periodically review the audit logs.
The audit rules configuration determines how many events will be recorded by the audit subsystem. The audit rules configuration
needs to carefully balance the number of events recorded against system performance needs. An overload of event records can occur
and substantially reduce system performance.
Operating Systems              Packages or Config File    Service Name or Parameter
Fedora 10, 11, 12, and 13      audit                      auditd
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10 (Global Zone Only)  /etc/system                set c2audit:audit_load = 1
Note
On Linux systems, this module will not enable auditing if there is less than 32MB of storage on the designated filesystem.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
CIA DCID 6/3 (May 2000)
• 4.B.1.b(2)(a) - Auditing - Date and time entity performed system action
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.2.a(4)(a) - Auditing - Date and time entity performed system action (PL2)
• 4.B.2.b(5)(a) - System Assurance - Control access to the security support structure (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DHS Linux Configuration Guidance (2010.8)
• 5 - Audit Trail
DISA Red Hat 5 STIG (v1R4)
• GEN002660 - Auditing must be implemented.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000145 - The operating system must produce audit records containing sufficient information to establish the identity of
any user/subject associated with the event.
• RHEL-06-000148 - The operating system must employ automated mechanisms to facilitate the monitoring and control of remote
access methods.
• RHEL-06-000154 - The operating system must produce audit records containing sufficient information to establish what type of
events occurred.
DISA UNIX STIG (v5 R1.30)
• GEN002660 - Configure and Implement Auditing
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.b(2)(a) - Auditing - Date and time entity performed system action
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.2.a(4)(a) - Auditing - Date and time entity performed system action (PL2)
• 4.B.2.b(5)(a) - System Assurance - Control access to the security support structure (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
• 8.602a1 - Automated Audit Trail Creation
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
NIST FISMA (SP 800-53)
• AU-1 - Audit and Accountability Policy and Procedures
• AU-4 - Audit Storage Capacity
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.6.2.1 - Enable the auditd Service
NVD CCE
• CCE-4292-9
• CCE-4675-5
PCI DSS (v2.0)
• 10.2 - Implement automated audit trails for all system components
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Log Critical Sendmail Messages
Logs critical-level Sendmail messages to /var/log/maillog.
It is recommended that you review and archive /var/log/maillog on a regular basis.
Operating Systems            Configuration Files    Settings
Fedora 10, 11, 12, and 13    /etc/rsyslog.conf      mail.crit -/var/log/maillog
Red Hat Enterprise Linux 4   /etc/syslog.conf       mail.crit /var/log/maillog
Red Hat Enterprise Linux 5   /etc/syslog.conf
Red Hat Enterprise Linux 6   /etc/rsyslog.conf
Solaris 10                   /etc/syslog.conf
SUSE 10 and 11 systems use syslog-ng, so the following configuration changes will be made to /etc/syslog-ng/syslog-ng.conf:
filter f_mailerr { level(err, crit) and facility(mail); };
destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
DISA Red Hat 5 STIG (v1R4)
• GEN004460 - The system syslog service must log informational and more severe SMTP service messages.
• GEN006600 - Accounts must be locked upon 35 days of inactivity.
DISA UNIX STIG (v5 R1.30)
• GEN004460 - Critical Level Sendmail Messages Logging
• GEN006600 - Access Control Program Logging
DoD NISPOM (Feb 2006)
• 8.602a1 - Automated Audit Trail Creation
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
NIST FISMA (SP 800-53)
• AC-17 - Remote Access
• AU-2 - Auditable Events
• AU-3 - Content of Audit Records
Secure Authpriv Logging
Secures authpriv logging so that security-related logging information is sent to /var/log/secure, which is readable only by the
superuser.
It is recommended that you review and archive /var/log/secure on a regular basis.
Operating Systems            Configuration Files    Settings
Fedora 10, 11, 12, and 13    /etc/rsyslog.conf      authpriv.* /var/log/secure
Red Hat Enterprise Linux 4   /etc/syslog.conf       auth.info /var/log/authlog
Red Hat Enterprise Linux 5   /etc/syslog.conf
Red Hat Enterprise Linux 6   /etc/rsyslog.conf
Solaris 10                   /etc/syslog.conf
SUSE 10 and 11 systems use syslog-ng, so the following configuration changes will be made to /etc/syslog-ng/syslog-ng.conf:
filter f_auth { facility(auth,authpriv); };
destination d_auth { file("/var/log/secure"); };
log { source(src); filter(f_auth); destination(d_auth); };
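The module above depends on two things holding at once: the authpriv selector actually reaches /var/log/secure, and that file carries no group or other permission bits. The shell functions below are an added example, not Security Blanket code, that verify both for a syslog.conf/rsyslog.conf-style file (the syslog-ng syntax used on SUSE is not parsed). The configuration written by sample_syslog_conf is constructed sample data, and the expected log path is passed in so the check can be run against a copy.

```sh
#!/bin/sh
# Added example; not Security Blanket code. Verifies authpriv routing and the
# permissions of the target log file.

# Constructed syslog.conf sample (not a real system file).
sample_syslog_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
EOF
}

# Print the destination for selector $2 (e.g. "authpriv.*") in file $1.
# Only exact selector matches count: "auth.info;authpriv.*  /var/log/secure"
# matches, "authpriv.none" does not. A leading "-" (skip fsync) is stripped.
# Prints nothing when the selector is absent; comments and rsyslog
# $-directives are skipped.
syslog_target() {
    awk -v sel="$2" '
        /^[ \t]*#/ || /^[$]/ || NF < 2 { next }
        {
            n = split($1, parts, ";")
            for (i = 1; i <= n; i++) {
                if (parts[i] == sel) { dest = $2; sub(/^-/, "", dest); print dest; exit }
            }
        }' "$1"
}

# Return 0 when $1 exists and only its owner holds permission bits (0600 or
# stricter). ls -l is parsed instead of stat(1) so this also runs on Solaris.
file_owner_only() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Combined check: 0 only if authpriv.* in config $1 goes to $2 and $2 is
# readable by its owner alone; otherwise prints the finding and returns 1.
check_authpriv_logging() {
    conf=$1; expected=$2; rc=0
    dest=$(syslog_target "$conf" 'authpriv.*')
    if [ "$dest" != "$expected" ]; then
        echo "authpriv.* goes to '${dest:-nothing}', expected $expected"; rc=1
    elif ! file_owner_only "$dest"; then
        echo "$dest is readable by group or other"; rc=1
    fi
    return $rc
}
```

On a live system the call is check_authpriv_logging /etc/rsyslog.conf /var/log/secure (or /etc/syslog.conf on RHEL 4/5 and Solaris); ownership by root is a separate condition that ls -ld's third column shows and that this example does not assert, since the test file it creates belongs to whoever runs it.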
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 5 - Audit Trail
DISA Red Hat 5 STIG (v1R4)
• GEN001060 - The system must log successful and unsuccessful access to the root account.
• GEN003660 - The system must log informational authentication data.
• GEN006600 - Accounts must be locked upon 35 days of inactivity.
DISA UNIX STIG (v5 R1.30)
• GEN001060 - Log Root Access Attempts
• GEN003660 - Authentication Data Logging
• GEN006600 - Access Control Program Logging
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
• 8.602a1 - Automated Audit Trail Creation
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
NIST FISMA (SP 800-53)
• AU-2 - Auditable Events
• AU-3 - Content of Audit Records
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.4.4 - Monitor Syslog for Relevant Connections and Failures
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
System Accounting
Enables system accounting to gather system usage such as CPU utilization and Disk I/O.
It is recommended that you apply this module and routinely analyze the system’s operating behavior to determine a baseline. Spikes in
activity could expose potentially malicious or abnormal activity.
Operating Systems            Package     Service Names
Fedora 10, 11, 12, and 13    sysstat     sysstat
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10                      sysstat     sysstat, boot.sysstat
SUSE 11
Solaris 10                   SUNWaccu    svc:/system/sar:default
On Solaris systems, the sys account's crontab will also be modified to include the following:
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
NVD CCE
• CCE-4075-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Chapter 3. Password Policy
Expired Password Invalidation
Sets the inactivity interval to seven days. The account is locked if there is no activity on the account for seven days after the account’s
password expires. Once locked, the account cannot be used until an administrator unlocks it. This prevents old accounts from being
used by an attacker.
Operating Systems            Accounts       Command
Fedora 10, 11, 12, and 13    UIDs >= 500    /usr/bin/chage -I 7 user_account
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                   UIDs >= 100    None: once an account's password expires in Solaris, the account is immediately locked.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DISA UNIX STIG (v5 R1.30)
• GEN000760 - Inactive Accounts are not locked
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NIST FISMA (SP 800-53)
• AC-2 - Account Management
Limit Password Reuse
Limits the number of times a password can be reused. Requiring users to change passwords on a routine basis is only effective when
the use of previous passwords is disallowed. This module enables limitations on password reuse. It restricts users from selecting one
of their previous five passwords whenever they attempt to make password changes.
Operating Systems            Configuration Files           Settings
Fedora 10, 11, 12, and 13    /etc/pam.d/system-auth        Ensure that password lines using pam_unix.so have remember=X
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Solaris 10                   /etc/default/passwd           HISTORY=X
SUSE 10 and 11               /etc/pam.d/common-password    The pam-config -a --pwhistory-remember=X command is used to set the parameter and the -q option is used to query. If pwhistory is not disabled, this module will enable it.
Module Options
• Number of previous passwords which can not be reused.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
CIA DCID 6/3 (May 2000)
• 4.B.3.a(9)(f) - Identification and Authentication - Limiting reuse of static authenticators
DISA Red Hat 5 STIG (v1R4)
• GEN000800 - The system must prohibit the reuse of passwords within five iterations.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000274 - The system must prohibit the reuse of passwords within twenty-four iterations.
DISA UNIX STIG (v5 R1.30)
• GEN000800 - Password Reuse
DoD JAFAN 6/3 (Oct 2004)
• 4.B.3.a(9)(f) - Identification and Authentication - Limiting reuse of static authenticators
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.6 - Limit Password Reuse
NVD CCE
• CCE-14939-3
PCI DSS (v2.0)
• 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
Lock Expired Account after Inactivity
Controls the minimum amount of time that must pass before users can change their passwords.
Note
This module does not change the current settings on active user accounts. The parameter this module sets applies to newly
created local user accounts.
Setting the minimum delay between password changes to less than one day allows users to change their password as many times as
necessary so that they can return to using their original password. This security setting does not affect daily system operation but it
does require careful consideration of its impact on system usability.
Operating Systems            Configuration Files    Settings
Fedora 10, 11, 12, and 13    /etc/login.defs        PASS_MIN_DAYS
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                   /etc/default/passwd    MINWEEKS
Module Options
• Number of days after password expires the account becomes locked.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN006600 - Accounts must be locked upon 35 days of inactivity.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000334 - Accounts must be locked upon 35 days of inactivity.
Maximum Time Between Password Changes
Controls the maximum allowed time period between password changes.
Note
This module does not change the current settings on existing, active user accounts. The parameter this module sets applies to
newly created local user accounts.
This is a standard security practice that should have no impact on daily operation. Change the password of each password-protected
account routinely. One to three months is a reasonable amount of time, which also limits the time frame in which a password can be
shared.
Operating Systems            Configuration Files    Settings
Fedora 10, 11, 12, and 13    /etc/login.defs        PASS_MAX_DAYS
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                   /etc/default/passwd    MAXWEEKS
Module Options
• Maximum number of days between password changes.
The maximum time (in days) between password changes.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
CIA DCID 6/3 (May 2000)
• 4.B.1.b(3)(e) - Identification and Authentication - Aging of static authenticators
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000700 - User passwords must be changed at least every 60 days.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000053 - User passwords must be changed at least every 60 days.
DISA UNIX STIG (v5 R1.30)
• GEN000700 - Password Change Every 60 Days
• GEN000820 - Global Password Configuration Files
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.b(3)(e) - Identification and Authentication - Aging of static authenticators
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.3 - Passwords shall be changed at least annually
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.7 - Set Password Expiration Parameters
NVD CCE
• CCE-4092-3
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.5.9 - Change user passwords at least every 90 days.
Minimum Delay Between Password Changes
Controls the minimum amount of time that must pass before users can change their passwords.
Note
This module does not change the current settings on active user accounts. The parameter this module sets applies to newly
created local user accounts.
Setting the minimum delay between password changes to less than one day allows users to change their password as many times as
necessary so that they can return to using their original password. This security setting does not affect daily system operation but it
does require careful consideration of its impact on system usability.
Operating Systems            Configuration Files    Settings
Fedora 10, 11, 12, and 13    /etc/login.defs        PASS_MIN_DAYS
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                   /etc/default/passwd    MINWEEKS
Module Options
• Minimum number of days between password changes.
The minimum time (in days) allowed between password changes.
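The "Maximum Time Between Password Changes" and "Minimum Delay Between Password Changes" modules both note that the login.defs parameters they set reach only newly created accounts. The shell functions below are an added example, not Security Blanket code: they read PASS_MAX_DAYS and PASS_MIN_DAYS from a login.defs-style file and compare them with the STIG values quoted on this page (changed at least every 60 days, at most once per 24 hours), then list the existing local accounts with UID >= 500 (the population the "Expired Password Invalidation" module addresses with chage) and print, without running them, the chage commands that would bring those accounts to the same policy. Both input files are constructed samples, and the function names are the example's own.

```sh
#!/bin/sh
# Added example; not Security Blanket code. Audits password-aging defaults in
# login.defs and lists existing accounts the defaults do not reach.

# Constructed login.defs samples (not real system files).
sample_logindefs_weak() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         500
EOF
}

sample_logindefs_hardened() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
UID_MIN         500
EOF
}

# Constructed passwd sample (not a real system file).
sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
}

# Effective value of KEY ($2) in login.defs file $1: the last uncommented
# definition wins. Prints nothing when KEY is unset.
logindefs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# True if $1 is a non-empty string of digits.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Check PASS_MAX_DAYS (<= 60) and PASS_MIN_DAYS (>= 1). Unset or non-numeric
# values are findings. Prints one finding per line; returns 1 if any.
check_pass_aging() {
    f=$1; rc=0
    max=$(logindefs_value "$f" PASS_MAX_DAYS)
    min=$(logindefs_value "$f" PASS_MIN_DAYS)
    if ! is_uint "$max" || [ "$max" -gt 60 ]; then
        echo "PASS_MAX_DAYS=${max:-unset}: passwords must be changed at least every 60 days"; rc=1
    fi
    if ! is_uint "$min" || [ "$min" -lt 1 ]; then
        echo "PASS_MIN_DAYS=${min:-unset}: at most one password change per 24 hours"; rc=1
    fi
    return $rc
}

# Local accounts with UID >= $2 in passwd-format file $1: the accounts that
# need chage(1) individually because login.defs only affects new accounts.
local_users_from_uid() {
    awk -F: -v min="$2" '$3 >= min { print $1 }' "$1"
}

# Print (do not run) the chage commands for those accounts: 7-day inactivity
# lock as on this page, plus the 60-day maximum and 1-day minimum.
chage_commands() {
    local_users_from_uid "$1" "$2" | while read -r u; do
        echo "chage -I 7 -M 60 -m 1 $u"
    done
}
```

Review the printed chage list before running it: system accounts above the UID threshold (for example the 65534 "nobody"-style account on some distributions) would appear in it and are usually excluded by hand.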
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000540 - Users must not be able to change passwords more than once every 24 hours.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000051 - Users must not be able to change passwords more than once every 24 hours.
DISA UNIX STIG (v5 R1.30)
• GEN000540 - Password Change 24 Hours
• GEN000820 - Global Password Configuration Files
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.7 - Set Password Expiration Parameters
NVD CCE
• CCE-4180-6
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
No Empty Passwords
Prevents user accounts from having empty password fields. If a user account has an empty password field, then that account can be
used to log in without entering a password. Therefore, it is recommended to lock local user accounts that have empty password fields.
If direct login access to the account is not required, then it is recommended to lock the account. Many applications such as Apache™
set the effective user ID to a non-privileged account such as “daemon”. Locking the account does not prevent the application from
functioning normally.
Operating Systems            Configuration Files       Settings
Fedora 10, 11, 12, and 13    /etc/pam.d/system-auth    Ensure that auth lines using pam_unix*.so do not have nullok set.
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11               /etc/pam.d/common-auth
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
CIA DCID 6/3 (May 2000)
• 4.B.1.a(2) - Identification and Authentication - Unique Users
DISA Red Hat 5 STIG (v1R4)
• GEN000560 - The system must not have accounts configured with blank or null passwords.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000030 - The system must not have accounts configured with blank or null passwords.
DISA UNIX STIG (v5 R1.30)
• GEN000560 - Password Protect Enabled Accounts
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(2) - Identification and Authentication - Unique Users
DoD NISPOM (Feb 2006)
• 8.303b - Authentication at Login
• 8.303i - Protection of Individual Passwords
• 8.607e - Identification and Authentication 5 Requirements
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.1 - Passwords shall be a minimum of six characters
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• IA-2 - User Identification and Authentication
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.5 - Verify that No Accounts Have Empty Password Fields
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
• 8.2 - Password Authentication
No Hashes Allowed in Passwd/Group Files
This module looks for password entries in the given files that are hashed passwords, including those that are locked. The second
field of the Unix/Linux /etc/passwd, /etc/group, or /etc/gshadow file is the password field. If the first character of this
field in /etc/passwd or /etc/group is an 'x' (or '*' for Linux), the password is 'shadowed' in the /etc/shadow or /etc/gshadow
file respectively. The shadow file is normally protected so that regular users are unable to read it. If the first character of this
field is an '!' on any system, the user or group account is considered 'locked'.
Note
Some guidelines indicate that a locked account should not be considered a failure for this particular step. Security Blanket
will flag these locked accounts.
Note
The recommended resolution if hashed passwords are found in the /etc/passwd or /etc/group files is to run the
pwconv system command to migrate those fields into the appropriate shadow file. Security Blanket will detect that there
are hash passwords present, but will not run pwconv on the off chance that the /etc/passwd, /etc/shadow, /etc/
group, and /etc/gshadow files may not be in sync with each other.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX001476 - The /etc/gshadow file must not contain any group password hashes.
• GEN001470 - The /etc/passwd file must not contain password hashes.
• GEN001475 - The /etc/group file must not contain any group password hashes.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000031 - The /etc/passwd file must not contain password hashes.
DISA UNIX STIG (v5 R1.30)
• GEN001470 - The /etc/passwd file must not contain password hashes.
• GEN001475 - The /etc/group file must not contain any group password hashes.
No Plus Entries in Password Files
Removes any '+' characters from local identification and authentication (IA) repositories: passwd, shadow, and group files.
The '+' character is used to include Network Information Service (NIS) maps into local IA mechanisms. If NIS is not used, then do not
use the '+' character because it poses a security risk.
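The shell functions below are an added example, not Security Blanket code, implementing the two checks described in the "No Hashes Allowed in Passwd/Group Files" and "No Plus Entries in Password Files" modules over passwd/group-format files given as arguments, so they can be run against copies. As the note above says, a locked entry that still carries a hash ("!" followed by the hash) is reported as well; bare lock markers and the 'x' and '*' markers are not. The passwd and group files written by the sample functions are constructed, with placeholder hash values.

```sh
#!/bin/sh
# Added example; not Security Blanket code. Finds hashes and "+" entries in
# passwd/group-format files.

# Constructed passwd sample (not a real system file; hashes are placeholders).
sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
alice:$6$saltsalt$constructedhashvalue:500:500:Alice:/home/alice:/bin/bash
bob:!$1$saltsalt$constructedlockedhash:501:501:Bob:/home/bob:/bin/bash
carol:!!:502:502:Carol:/home/carol:/bin/bash
+::::::
+@admins::::::
EOF
}

# Constructed group sample (not a real system file).
sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:$1$saltsalt$constructedgrouphash:10:alice
users:x:100:
+:::
EOF
}

# Report entries whose password field (field 2) holds a hash rather than the
# shadow marker "x", the "*" marker, or a bare lock marker ("!" or "!!").
# A hash prefixed with "!" is a locked account that still carries its hash.
# Output: name:hash or name:locked-hash, one per line; nothing when clean.
find_password_hashes() {
    awk -F: 'NF >= 2 {
        p = $2
        if (p == "" || p == "x" || p == "*" || p == "!" || p == "!!") next
        if (substr(p, 1, 1) == "!") print $1 ":locked-hash"; else print $1 ":hash"
    }' "$1"
}

# Print the NIS compatibility entries (lines whose first field starts with
# "+") in a passwd/shadow/group-format file.
find_plus_entries() {
    awk -F: 'substr($1, 1, 1) == "+" { print }' "$1"
}

# Write $1 to $2 with the "+" entries removed, leaving every other line
# unchanged. Writing to a separate path keeps this a dry run; copying the
# result over the original is a deliberate second step.
strip_plus_entries() {
    awk -F: 'substr($1, 1, 1) != "+" { print }' "$1" > "$2"
}
```

Hashes found by find_password_hashes are left in place, matching the module's behaviour; the page's remediation for them is pwconv, run only after confirming the passwd/shadow and group/gshadow pairs are in sync.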
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DISA Red Hat 5 STIG (v1R4)
• GEN001980 - The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a
plus (+) without defining entries for NIS+ netgroups.
DISA UNIX STIG (v5 R1.30)
• GEN001980 - Plus (+) in Access Control Files
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.8 - Remove Legacy ’+’ Entries from Password Files
NVD CCE
• CCE-14071-5
• CCE-14675-3
• CCE-4114-5
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Password Expiration Warning
Controls when users receive warnings of password expiration. The number of days before password expiration at which the user
starts receiving warnings can be set; warnings are issued to the user from that date onward. This module has an adjustable
parameter. The default parameter is 28 (days). The minimum acceptable parameter is 1.
Note
This module does not change the current settings on existing, active user accounts. The parameter this module sets applies to
newly created local user accounts.
This module should have no impact on daily operation. The user only receives warning messages according to the date of the
expiration warning.
Module Options
• Number of days before password expires the system will notify the user.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000054 - Users must be warned 7 days in advance of password expiration.
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
• IA-6 - Authenticator Feedback
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.7 - Set Password Expiration Parameters
NVD CCE
• CCE-4097-2
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Password Policy Consecutive Characters
Requires that new user-created passwords do not have more than a certain number of consecutive repeats of the same character.
Each password policy module sets a small portion of the overall security objective for passwords. The objective is to establish
passwords that cannot be easily guessed. This is done through password policy settings that guide users to create passwords that are
not ordinary words, but instead are a mix of alphanumeric characters that are easy to remember.
Operating Systems            Configuration Files       Settings
Fedora 10, 11, 12, and 13    /etc/pam.d/system-auth    Check for password lines using the pam_cracklib.so library. If found, set the maxrepeat parameter.
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Solaris 10                   /etc/default/passwd       MAXREPEATS
SUSE 10 and 11               N/A                       Feature not available in default pam_cracklib
Module Options
• Maximum consecutive repeats of the same characters.
Maximum number of same character repeats in the new password.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000680 - The system must require passwords contain no more than three consecutive repeating characters.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000299 - The system must require passwords to contain no more than three consecutive repeating characters.
DISA UNIX STIG (v5 R1.30)
• GEN000580 - Password Length
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.1 - Passwords shall be a minimum of six characters
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.1.1 - Set Password Quality Requirements, if using pam cracklib
NVD CCE
• CCE-4154-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.5.10 - Require a minimum password length of at least seven characters.
Password Policy Different Characters
Requires that new user-created passwords have at least a certain number of characters that differ from the old password.
Each password policy module sets a small portion of the overall security objective for passwords. The objective is to establish
passwords that cannot be easily guessed. This is done through password policy settings that guide users to create passwords that are
not ordinary words, but instead are a mix of alphanumeric characters that are easy to remember.
Operating Systems            Configuration Files           Settings
Fedora 10, 11, 12, and 13    /etc/pam.d/system-auth        Check for password lines using the pam_cracklib.so library. If found, set the difok parameter.
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Solaris 10                   /etc/default/passwd           MINLOWER
SUSE 10 and 11               /etc/pam.d/common-password    The pam-config -a --cracklib-difok=X command is used to set the parameter and the -q option is used to query. If cracklib is not disabled, this module will disable pwcheck and enable cracklib.
Module Options
• Minimum number of different characters.
Minimum number of different characters in the new password.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000750 - The system must require at least four characters be changed between the old and new passwords during a password
change.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000060 - The system must require at least four characters be changed between the old and new passwords during a
password change.
DISA UNIX STIG (v5 R1.30)
• GEN000580 - Password Length
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.1 - Passwords shall be a minimum of six characters
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.1.1 - Set Password Quality Requirements, if using pam cracklib
NVD CCE
• CCE-4154-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.5.10 - Require a minimum password length of at least seven characters.
Password Policy Length Minimum
Controls the minimum length of the user password. This module sets the parameter in the login.defs(5) configuration file
(which is used by many older commands). It also sets the parameter for the system's pluggable authentication module (PAM), which
uses various libraries such as pam_cracklib(8). This alters the minimum default length that pam_cracklib(8) uses to decide
whether a password is satisfactory.
On Solaris systems, this module sets the PASSLENGTH parameter in the /etc/default/passwd file.
In general, longer passwords are less vulnerable to brute force attacks than short passwords. This is dependent on the enforcement of a
strong password policy. It is recommended that you apply this module, along with other password policy controls.
Note
In Novell SUSE 10 SP3, this module requires the use of a special utility (the utility is not present in Novell SUSE 10 SP3, but
it is present in its counterpart, openSUSE 10.3).
If operational processes permit, the openSUSE 'pam-config' package can be installed in the Novell SUSE 10 SP3
environment. The Security Blanket development team is currently researching a more appropriate work-around in order to
support these modules in Novell SUSE 10 SP3. If this is an immediate requirement, please contact the customer support team
at [email protected] for a possible manually implemented solution.
Operating Systems                        Configuration Files           Settings
Fedora 10, 11, 12, and 13;               /etc/login.defs               In the login.defs file, set PASS_MIN_LENGTH
Red Hat Enterprise Linux 4, 5, and 6     /etc/pam.d/system-auth        In the system-auth file, check any password lines using the pam_cracklib.so library. If found, set the minlen parameter.
Solaris 10                               /etc/default/passwd           PASSLENGTH
SUSE 10 and 11                           /etc/pam.d/common-password    The pam-config -a --cracklib-minlen=X command is used to set the parameter and the -q option is used to query. If cracklib is not disabled, this module will disable pwcheck and enable cracklib.
Module Options
• Minimum password length.
Minimum length of the new password.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000580 - The system must require passwords contain a minimum of 14 characters.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000050 - The system must require passwords to contain a minimum of 14 characters.
DISA UNIX STIG (v5 R1.30)
• GEN000580 - Password Length
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.1 - Passwords shall be a minimum of six characters
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.1.1 - Set Password Quality Requirements, if using pam cracklib
NVD CCE
• CCE-4154-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.5.10 - Require a minimum password length of at least seven characters.
Password Policy Lowercase Minimum
Requires that new user-created passwords have at least one lowercase character.
Each password policy module sets a small portion of the overall security objective for passwords. The objective is to establish
passwords that cannot be easily guessed. This is done through password policy settings that guide users to create passwords that are
not ordinary words, but instead are a mix of alphanumeric characters that are easy to remember.
Operating Systems | Configuration Files | Settings
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6 | /etc/pam.d/system-auth | Check for password lines using the pam_cracklib.so library. If found, set the lcredit parameter.
Solaris 10 | /etc/default/passwd | MINLOWER
SUSE 10 and 11 | /etc/pam.d/common-password | The pam-config -a --cracklib-lcredit=X command is used to set the parameter and the -q option is used to query. If cracklib is not disabled, this module will disable pwcheck and enable cracklib.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DISA Red Hat 5 STIG (v1R4)
• GEN000610 - The system must require passwords contain at least one lowercase alphabetic character.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000059 - The system must require passwords to contain at least one lowercase alphabetic character.
DISA UNIX STIG (v5 R1.30)
• GEN000600 - Password Character Mix (Mixed case)
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.2 - Passwords shall consist of a combination of alpha, numeric, and special characters
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.1.1 - Set Password Quality Requirements, if using pam cracklib
NVD CCE
• CCE-14712-4
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Password Policy Numeric Minimum
Controls the minimum number of numeric characters in a user password. The default is at least two numeric characters, and this
parameter cannot be changed.
Requiring passwords to have at least two numeric characters makes them more complex. This increases the time required for a brute
force attack to succeed, and in turn decreases the potential for a successful attack.
Note
In Novell SUSE 10 SP3, this module requires the use of a special utility (the utility is not present in Novell SUSE 10 SP3, but
it is present in its counterpart, openSUSE 10.3).
If operational processes permit, the openSUSE 'pam-config' package can be installed in the Novell SUSE 10 SP3
environment. The Security Blanket development team is currently researching a more appropriate work-around in order to
support these modules in Novell SUSE 10 SP3. If this is an immediate requirement, please contact the customer support team
at [email protected] for a possible manually implemented solution.
Operating Systems | Configuration Files | Settings
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6 | /etc/pam.d/system-auth | Check for password lines using the pam_cracklib.so library. If found, set the dcredit parameter.
Solaris 10 | /etc/default/passwd | MINDIGIT
SUSE 10 and 11 | /etc/pam.d/common-password | The pam-config -a --cracklib-dcredit=X command is used to set the parameter and the -q option is used to query. If cracklib is not disabled, this module will disable pwcheck and enable cracklib.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DISA Red Hat 5 STIG (v1R4)
• GEN000620 - The system must require passwords contain at least one numeric character.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000056 - The system must require passwords to contain at least one numeric character.
DISA UNIX STIG (v5 R1.30)
• GEN000620 - Password Character Mix (Digits)
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.2 - Passwords shall consist of a combination of alpha, numeric, and special characters
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.1.1 - Set Password Quality Requirements, if using pam cracklib
NVD CCE
• CCE-14113-5
PCI DSS (v2.0)
• 8.5.11 - Use passwords containing both numeric and alphabetic characters.
Password Policy Special Characters
Controls the minimum number of special characters in a user password. The default is at least two special characters, and this
parameter cannot be changed.
In general, long and complex passwords make the system less vulnerable to brute force attacks. By requiring that passwords have at
least two special characters the password becomes more complex. This increases the time required for a brute force attack to succeed,
and in turn decreases the potential for a successful attack.
Note
In Novell SUSE 10 SP3, this module requires the use of a special utility (the utility is not present in Novell SUSE 10 SP3, but
it is present in its counterpart, openSUSE 10.3).
If operational processes permit, the openSUSE 'pam-config' package can be installed in the Novell SUSE 10 SP3
environment. The Security Blanket development team is currently researching a more appropriate work-around in order to
support these modules in Novell SUSE 10 SP3. If this is an immediate requirement, please contact the customer support team
at [email protected] for a possible manually implemented solution.
Operating Systems | Configuration Files | Settings
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6 | /etc/pam.d/system-auth | Check for password lines using the pam_cracklib.so library. If found, set the ocredit parameter.
Solaris 10 | /etc/default/passwd | MINSPECIAL
SUSE 10 and 11 | /etc/pam.d/common-password | The pam-config -a --cracklib-ocredit=X command is used to set the parameter and the -q option is used to query. If cracklib is not disabled, this module will disable pwcheck and enable cracklib.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DISA Red Hat 5 STIG (v1R4)
• GEN000640 - The system must require passwords contain at least one special character.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000058 - The system must require passwords to contain at least one special character.
DISA UNIX STIG (v5 R1.30)
• GEN000640 - Password Character Mix (Special)
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.2 - Passwords shall consist of a combination of alpha, numeric, and special characters
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.1.1 - Set Password Quality Requirements, if using pam cracklib
NVD CCE
• CCE-14122-6
Password Policy Uppercase Minimum
Requires that passwords chosen by users have at least one uppercase character.
In general, long and complex passwords make the system less vulnerable to brute force attacks. Passwords with at least two uppercase
characters are more complex. This increases the time required for a brute force attack to succeed, and in turn decreases the potential
for a successful attack.
Note
In Novell SUSE 10 SP3, this module requires the use of a special utility (the utility is not present in Novell SUSE 10 SP3, but
it is present in its counterpart, openSUSE 10.3).
If operational processes permit, the openSUSE 'pam-config' package can be installed in the Novell SUSE 10 SP3
environment. The Security Blanket development team is currently researching a more appropriate work-around in order to
support these modules in Novell SUSE 10 SP3. If this is an immediate requirement, please contact the customer support team
at [email protected] for a possible manually implemented solution.
Operating Systems | Configuration Files | Settings
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6 | /etc/pam.d/system-auth | Check for password lines using the pam_cracklib.so library. If found, set the ucredit parameter.
Solaris 10 | /etc/default/passwd | MINUPPER
SUSE 10 and 11 | /etc/pam.d/common-password | The pam-config -a --cracklib-ucredit=X command is used to set the parameter and the -q option is used to query. If cracklib is not disabled, this module will disable pwcheck and enable cracklib.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-8 - Controlled Use of Administrative Privileges
DISA Red Hat 5 STIG (v1R4)
• GEN000600 - The system must require passwords contain at least one uppercase alphabetic character.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000057 - The system must require passwords to contain at least one uppercase alphabetic character.
DISA UNIX STIG (v5 R1.30)
• GEN000600 - Password Character Mix (Mixed case)
DoD NISPOM (Feb 2006)
• 8.303i - Protection of Individual Passwords
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.2 - Passwords shall consist of a combination of alpha, numeric, and special characters
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.1.1 - Set Password Quality Requirements, if using pam cracklib
NVD CCE
• CCE-14712-4
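The five Password Policy modules above (length, lowercase, uppercase, numeric and special characters) all come down to PASS_MIN_LENGTH in login.defs and the minlen/lcredit/ucredit/dcredit/ocredit values on the pam_cracklib.so password line. The following shell script is an added example, not Security Blanket code: it audits those settings in constructed copies of system-auth and login.defs and repairs PASS_MIN_LENGTH. It assumes the pam_cracklib(8) convention that a negative credit value is a required minimum count, and the per-class minimums (one lowercase, one uppercase, two digits, two special) stated in the module descriptions.

```shell
#!/bin/sh
# Added example: audits the password-quality settings the Password Policy modules
# manage and repairs PASS_MIN_LENGTH in a login.defs copy. Not Security Blanket code.
# Works on constructed copies of the files, never on the live system.

# cracklib_param FILE PARAM
# Prints PARAM's value from the first "password ... pam_cracklib.so" line in FILE,
# or "unset" when the line or the parameter is absent.
cracklib_param() {
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$1" | head -n 1)
    for word in $line; do
        case $word in
            "$2="*) echo "${word#*=}"; return 0 ;;
        esac
    done
    echo unset
}

# login_defs_value FILE KEY: prints the last uncommented value of KEY, or "unset".
login_defs_value() {
    value=$(awk -v key="$2" '$1 == key { print $2 }' "$1" | tail -n 1)
    echo "${value:-unset}"
}

# set_login_defs FILE KEY VALUE: replaces KEY's line, or appends one if missing.
set_login_defs() {
    if awk -v key="$2" '$1 == key { found = 1 } END { exit !found }' "$1"; then
        awk -v key="$2" -v value="$3" '$1 == key { $0 = key "\t" value } { print }' "$1" \
            > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s\t%s\n' "$2" "$3" >> "$1"
    fi
}

# report LABEL VALUE WANT OP: OP is "ge" or "le". Prints OK/FAIL; returns 1 on FAIL
# or when VALUE is not an integer (for example "unset").
report() {
    case $2 in
        ''|*[!0-9-]*) echo "FAIL $1 = $2"; return 1 ;;
    esac
    if [ "$2" "-$4" "$3" ]; then
        echo "OK   $1 = $2"
    else
        echo "FAIL $1 = $2 (want $4 $3)"
        return 1
    fi
}

# audit_password_policy SYSAUTH LOGINDEFS MINLEN
# Checks the length in both files and the four character-class credits.
# Returns 0 only when every check passes.
audit_password_policy() {
    failures=0
    report "login.defs PASS_MIN_LENGTH" "$(login_defs_value "$2" PASS_MIN_LENGTH)" "$3" ge \
        || failures=$((failures + 1))
    report "pam_cracklib minlen" "$(cracklib_param "$1" minlen)" "$3" ge \
        || failures=$((failures + 1))
    for spec in lcredit:1 ucredit:1 dcredit:2 ocredit:2; do
        param=${spec%%:*}
        # A negative credit is a required count, so "at least N" means value <= -N.
        report "pam_cracklib $param" "$(cracklib_param "$1" "$param")" "-${spec##*:}" le \
            || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# --- constructed sample files (not taken from any real system) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-2
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# PASS_MIN_LENGTH 14   (commented out, so ignored by the audit)
PASS_MAX_DAYS   60
PASS_MIN_LENGTH 5
EOF

echo "== before remediation =="
audit_password_policy "$SAMPLE_DIR/system-auth" "$SAMPLE_DIR/login.defs" 14 || echo "policy NOT compliant"
set_login_defs "$SAMPLE_DIR/login.defs" PASS_MIN_LENGTH 14
echo "== after setting PASS_MIN_LENGTH 14 =="
audit_password_policy "$SAMPLE_DIR/system-auth" "$SAMPLE_DIR/login.defs" 14 && echo "policy compliant"
```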
Set Password Aging on Active Accounts
Sets all active accounts (except system accounts) to force password changes every MAX days, and then prevents password changes
for MIN days thereafter. Users begin receiving warnings WARN days before their password expires. Once the password expires, the
account is locked after INACT days. The option value provided to this module must be four integers in a comma separated list:
MIN,MAX,WARN,INACT
Sets password aging on non-system accounts that are not already locked and have aging parameters that do not match the specified
values.
Module Options
• Minimum number of days between password changes.
• Maximum number of days between password changes.
• Number of days before password expires the system will notify the user.
• Number of days to lock an account after its password has expired.
• System accounts are exempt?
Note - if system accounts are not exempt then they will be treated like user passwords and can expire, resulting in locked
accounts.
• Specific accounts to exempt.
This is a list of specific accounts (system or user accounts) that are exempt from the aging requirements. May require
justification to any security accreditors.
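A dry run of the aging logic described above, as an added example that is not Security Blanket code: it parses the MIN,MAX,WARN,INACT option value, then compares the aging fields of each non-system, unlocked account in a constructed /etc/shadow with those values and prints the chage(1) command that would bring the account into line. The values 1,60,7,35 correspond to the DISA STIG entries listed under Compliancy for this module (24 hours, 60 days, 7 days, 35 days); the UID threshold for "system account" is a parameter, and the sample files and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Security Blanket code): dry run of "Set Password Aging on
# Active Accounts" against constructed copies of passwd(5) and shadow(5).

# parse_aging "MIN,MAX,WARN,INACT": prints the four values space-separated, or
# fails when there are not exactly four non-negative integers.
parse_aging() {
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "expected MIN,MAX,WARN,INACT" >&2; return 1; }
    for n in "$@"; do
        case $n in
            ''|*[!0-9]*) echo "not a non-negative integer: '$n'" >&2; return 1 ;;
        esac
    done
    echo "$1 $2 $3 $4"
}

# aging_plan PASSWD SHADOW MIN MAX WARN INACT UID_MIN
# Prints one "chage ..." line per account whose shadow fields (min, max, warn,
# inactive) differ from the requested values. Accounts with UID < UID_MIN are
# treated as system accounts and skipped; accounts whose password field starts
# with "!" or "*" are already locked and left alone, as the module does.
aging_plan() {
    awk -F: -v min="$3" -v max="$4" -v warn="$5" -v inact="$6" -v uid_min="$7" '
        NR == FNR {                            # first file (passwd): collect non-system users
            if ($3 + 0 >= uid_min) user[$1] = 1
            next
        }
        !($1 in user) { next }                 # system account or no passwd entry: exempt
        $2 ~ /^[!*]/ { next }                  # already locked: left untouched
        $4 != min || $5 != max || $6 != warn || $7 != inact {
            printf "chage -m %d -M %d -W %d -I %d %s\n", min, max, warn, inact, $1
        }
    ' "$1" "$2"
}

# --- constructed sample files (hashes are placeholders, not real) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:502:502:Carol:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$PLACEHOLDER$HASH:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:15000:1:60:7:35::
bob:$6$PLACEHOLDER$HASH:15000:0:99999:7:::
carol:!$6$PLACEHOLDER$HASH:15000:0:99999:7:::
EOF

# alice already matches, carol is locked, root and bin are system accounts:
# only bob should be listed.
AGING=$(parse_aging "1,60,7,35") || exit 1
set -- $AGING
echo "Accounts needing a change (dry run):"
aging_plan "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$1" "$2" "$3" "$4" 500
```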
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-8 - Controlled Use of Administrative Privileges
CIA DCID 6/3 (May 2000)
• 4.B.1.b(3)(e) - Identification and Authentication - Aging of static authenticators
• 4.B.3.a(9)(e) - Identification and Authentication - Aging of static authenticators
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000540 - Users must not be able to change passwords more than once every 24 hours.
• GEN000700 - User passwords must be changed at least every 60 days.
• GEN006600 - Accounts must be locked upon 35 days of inactivity.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000051 - Users must not be able to change passwords more than once every 24 hours.
• RHEL-06-000053 - User passwords must be changed at least every 60 days.
• RHEL-06-000054 - Users must be warned 7 days in advance of password expiration.
• RHEL-06-000334 - Accounts must be locked upon 35 days of inactivity.
DISA UNIX STIG (v5 R1.30)
• GEN000540 - Password Change 24 Hours
• GEN000700 - Password Change Every 60 Days
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.b(3)(e) - Identification and Authentication - Aging of static authenticators
• 4.B.3.a(9)(e) - Identification and Authentication - Aging of static authenticators
NIST FISMA (SP 800-53)
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.7 - Set Password Expiration Parameters
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Chapter 4. Account and Access Control
Allowed Shells in /etc/shells
The /etc/shells file contains the list of approved system shell programs. This list varies slightly from Operating System (OS)
vendor to vendor. Restricting this list to only approved programs prevents users from changing their shell to an unapproved program.
Note
The order in which the shells appear is not important.
Module Options
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
• Explicitly allowed shells for user accounts. The order is not important. The default list is empty as they vary from OS to OS, so
please refer to the shells man page or your vendor OS documentation to obtain the correct default list.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN002120 - The /etc/shells (or equivalent) file must exist.
Block System Accounts
This module locks specific system accounts. The module first uses passwd(1) to obtain the account's password status. If the status
is not one of 'LK', 'NP', or 'NL', the account is considered not blocked. The module then locks the account with the passmgmt(1M)
command on Solaris and with usermod(8) on Linux.
For Linux systems, these accounts include: 'bin', 'daemon', 'adm', 'lp', 'mail', 'news', 'uucp', 'operator', 'games', 'ftp', 'nobody', 'dbus',
'rpm', 'avahi', 'apache', 'nscd', 'mailnull', 'smmsp', 'distcache', 'ntp', 'vcsa', 'haldaemon', 'rpc', 'rpcuser', 'nfsnobody', 'named', 'sshd',
'squid', 'webalizer', 'pcap', 'hsqldb', 'xfs', 'gdm', 'lmadmin', 'sbwebapp', 'gopher', 'halt', 'shutdown', 'ftpsecure', 'suse-ncc', and 'man'.
For Solaris systems, these accounts include: 'bin', 'nuucp', 'listen', 'webservd', 'gdm', 'nobody', 'noaccess', 'nobody4', 'svctag', 'news',
'daemon', 'sys', 'adm', 'lp', 'uucp', and 'smmsp'.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN002640 - Default system accounts must be disabled or removed.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000029 - Default system accounts, other than root, must be locked.
DISA UNIX STIG (v5 R1.30)
• GEN002640 - Disabled Default System Accounts
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R4.4 - Review of controls for default accounts, passwords, and network management community strings
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.4 - Block Shell and Login Access for Non-Root System Accounts
NVD CCE
• CCE-3987-5
PCI DSS (v2.0)
• 2.1 - Do not use vendor-supplied defaults for system passwords and other security parameters
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Default umask
Sets the default umask so that newly created files or directories are only accessible by the user who created them.
If other users require access to files or directories, the permissions can be manually changed. If this creates problems for applications
that must share files, then modify the application account's personal shell resource files to a less restrictive umask. It is
recommended that this only be done on a case-by-case basis and that all changes are well documented.
Operating Systems | Shell Resource Script | Settings
Fedora 10, 11, 12, and 13 | /etc/profile; /etc/.login | umask 077
Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6 | /etc/bashrc; /etc/csh.login | umask 077
SUSE 10 and 11; Solaris 10 | /etc/profile; /etc/.login; /etc/default/login | umask 077 (shell resource scripts); UMASK=077 (/etc/default/login)
Module Options
• Default umask
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 7.6.1 - Set umask for Users
DISA Red Hat 5 STIG (v1R4)
• GEN002560 - The system and user default umask must be 077.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000342 - The system default umask for the bash shell must be 077.
• RHEL-06-000343 - The system default umask for the csh shell must be 077.
• RHEL-06-000344 - The system default umask in /etc/profile must be 077.
• RHEL-06-000345 - The system default umask in /etc/login.defs must be 077.
DISA UNIX STIG (v5 R1.30)
• GEN002560 - Default umask
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Disable PAM Console Library
Disables PAM from granting sole access to administrative privileges to the first user who logs into the console. The PAM Console
library gives users (at the physical console) capabilities that they would not otherwise have, and removes those capabilities when the
users are no longer logged in at the console. It provides two main types of capabilities: file permissions and authentication.
This module affects the ability for non-privileged users to reboot and perform power-management functions from the console. See
pam_console(8) for more information.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00600 - The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the
console.
DISA UNIX STIG (v5 R1.30)
• LNX00600 - PAM Configuration
DoD NISPOM (Feb 2006)
• 8.613a1 - Access to Protection Functions
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
Disable console.perms File
Renames the /etc/security/console.perms file to /etc/security/console.perms.disabled. This file gives
users (at the physical console) capabilities that they would not otherwise have, and removes those capabilities when the users are no
longer logged in at the console. It provides two main types of capabilities: file permissions and authentication.
This module affects the ability for non-privileged users to reboot and perform power-management functions from the console. See
console.perms(5) for more information.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00600 - The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the
console.
DISA UNIX STIG (v5 R1.30)
• LNX00600 - PAM Configuration
Home Directory Contents
Ensures files and directories inside user home directories are secured. This means these files and directories must be:
• Owned by the owner of the home directory.
• Must not have world (other) permissions.
• Must not have group write permissions.
• In addition to the previous two bullets, all local initialization files (dot files) must not have group execute permissions.
• .Xauthority files must not have group or world permissions.
There are some cases in which these rules should not apply; therefore, this module has safeguards in place to ensure the system
functions normally. This module will explicitly ignore the following accounts: 'daemon', 'nobody', 'apache', 'bin', 'operator', 'listen',
'uucp', and 'rpm', regardless of the UID assigned to them. It will also ignore any account that has a 'system' UID assigned to it (i.e.,
UID < 100 for Solaris, UID < 500 for Linux).
Additionally, it will ignore the following directories if they are assigned to any account: /sbin, /bin, /dev, /var/lib/nfs,
/var/spool, /usr/share, /usr/net/nls, /usr/lib/uucp, /var/adm, and /var/lib/rpm.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001540 - All files and directories contained in interactive user home directories must be owned by the home directory's owner.
• GEN001550 - All files and directories contained in user home directories must be group-owned by a group of which the home
directory's owner is a member.
• GEN001560 - All files and directories contained in user home directories must have mode 0750 or less permissive.
• GEN001860 - All local initialization files must be owned by the home directory's user or root.
• GEN005180 - All .Xauthority files must have mode 0600 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001540 - Home Directories File Ownership
• GEN001560 - Home Directories File Permissions
• GEN001860 - Local Initialization Files Ownership
• GEN005180 - .Xauthority File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
Home Directory Ownership
Sets user and group ownership of normal users to the primary user and group identified in the user account. In Linux, this module only
handles user accounts with an identification number between 500 and 65534. In Solaris, this module only handles user accounts with
an identification number between 100 and 65534. It does not change ownership of key system directories such as /opt or /var in
case a user account has an incorrectly configured home directory.
It is important that the system administrator ensures that user accounts own their own directories. If a shared directory is needed, do
not use a designated home directory.
As shown in the figure below, the module has some safeguards in place. This includes ignoring system accounts (UID < 100 and
Solaris UID < 500) because many of them require different ownership than expected by this module. Additionally, this module builds
an exclusion list. This is a list of directories in which ownership will never be changed by this module. The list includes the following
directories: /, /usr, /etc, /lib, /proc, /opt, /sbin, /usr/bin, /usr/sbin, and /var/lib/nfs.
Figure 4.1. Home Directory Ownership - Scan Flow
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001500 - All interactive user home directories must be owned by their respective users.
• GEN001520 - All interactive user home directories must be group-owned by the home directory owner's primary group.
DISA UNIX STIG (v5 R1.30)
• GEN001500 - Home Directories Ownership
• GEN001520 - Home Directories Group Ownership
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
Home Directory Permissions
Configures user home directories to have file permissions that prevent all access by other users, while also preventing write access by
users in the same group.
If it is necessary for other users to have access to the files, then manually change the permissions. If this creates problems for
applications that must share files, configure the application, if possible, to use another more common directory such as /var/log or
a spooling directory which is common between applications. It is recommended that this only be done on a case-by-case basis and that
all changes are well documented.
As shown in the figure below, the module has some safeguards in place. This includes ignoring system accounts (UID < 100 and
Solaris UID < 500) because many of them require permissions greater than expected by this module. Additionally, this module
builds an exclusion list. This is a list of directories in which permissions will never be changed by this module. The list includes the
following directories: /, /usr, /etc, /lib, /proc, /opt, /sbin, /usr/bin, /usr/sbin, and /var/lib/nfs.
Figure 4.2. Home Directory Perms - Scan Flow
When the module is applied, the same scan is repeated, and any home directory found with permissions more permissive than 750 has its
permissions set to 750.
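The checks described for the Home Directory Contents, Home Directory Ownership and Home Directory Permissions modules, run over a constructed home directory, as an added example that is not Security Blanket code. It reports only and changes nothing; it assumes GNU find (for -mindepth, -maxdepth and -perm /mode) and derives the expected owner from the home directory itself, as the Contents module does.

```shell
#!/bin/sh
# Added example (not Security Blanket code): report-only versions of the home
# directory checks, run against a constructed tree. Requires GNU find.

# home_dir_violations HOME UID GID
# Reports when the home directory is not owned by UID:GID (Home Directory
# Ownership) or is more permissive than 0750 (Home Directory Permissions).
home_dir_violations() {
    find "$1" -maxdepth 0 ! -user "$2" | sed 's/^/home-not-owned-by-user /'
    find "$1" -maxdepth 0 ! -group "$3" | sed 's/^/home-not-owned-by-group /'
    find "$1" -maxdepth 0 -perm /027 | sed 's/^/home-mode-over-0750 /'
}

# home_contents_violations HOME
# Applies the Home Directory Contents rules to everything under HOME: owned by
# the home directory's owner, no world bits, no group write, no group execute
# on dot files, no group or world bits on .Xauthority. One "rule path" line each.
home_contents_violations() {
    owner=$(ls -ldn "$1" | awk '{ print $3 }')    # numeric UID of the home directory's owner
    find "$1" -mindepth 1 ! -user "$owner" | sed 's/^/wrong-owner /'
    find "$1" -mindepth 1 -perm /007 | sed 's/^/world-access /'
    find "$1" -mindepth 1 -perm /020 | sed 's/^/group-write /'
    find "$1" -mindepth 1 -type f -name '.*' -perm /010 | sed 's/^/dotfile-group-exec /'
    find "$1" -mindepth 1 -name .Xauthority -perm /077 | sed 's/^/xauthority-shared /'
}

# violation_count HOME: number of findings for HOME's contents.
violation_count() {
    home_contents_violations "$1" | grep -c ''
}

# --- constructed sample home directory ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
HOME_DIR="$SAMPLE_DIR/alice"
mkdir -p "$HOME_DIR/bin"
: > "$HOME_DIR/.bashrc";     chmod 750 "$HOME_DIR/.bashrc"      # dot file with group execute
: > "$HOME_DIR/notes.txt";   chmod 664 "$HOME_DIR/notes.txt"    # group write and world read
: > "$HOME_DIR/.Xauthority"; chmod 640 "$HOME_DIR/.Xauthority"  # group read on .Xauthority
: > "$HOME_DIR/private.txt"; chmod 600 "$HOME_DIR/private.txt"  # clean
chmod 750 "$HOME_DIR/bin"                                        # clean: 750 on a non-dot directory
chmod 755 "$HOME_DIR"                                            # the home itself: more than 0750

echo "Home directory itself:"
home_dir_violations "$HOME_DIR" "$(id -u)" "$(id -g)"
echo "Contents ($(violation_count "$HOME_DIR") findings):"
home_contents_violations "$HOME_DIR"
```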
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001480 - All user home directories must have mode 0750 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001480 - Home Directories Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Limit Access To Root From Su
Restricts root account access to users who belong to the wheel group. This prevents users outside of the wheel group from using the
su(1) command to access the root account, even with the root password.
Before applying this module, make sure authorized users belong to the wheel group.
IMPORTANT: Empty Wheel Group
If there are no members of the wheel group, to prevent accidental lockout, this module will not apply the change.
Operating Systems | Configuration Files | Settings
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; SUSE 10 and 11 | /etc/pam.d/su | auth required pam_wheel.so use_uid
Solaris 10 | Operating System Not Applicable |
See pam_wheel(8) for more information.
Module Options
• Require at least 1 non-root user in the wheel group? If 'no' this module can prevent anyone from using the 'su' command.
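The "Empty Wheel Group" safeguard and the module option above, as an added example that is not Security Blanket code: the script adds the pam_wheel.so line to a copy of /etc/pam.d/su only after confirming that at least one non-root user is in the wheel group (listed in group(5) or holding wheel as primary GID in passwd(5)), and places the line ahead of the other auth entries so that it is evaluated before any sufficient module. The group, passwd and su files are constructed samples; placement after a pam_rootok.so line is this example's choice.

```shell
#!/bin/sh
# Added example (not Security Blanket code): apply pam_wheel.so to a copy of
# /etc/pam.d/su with the empty-wheel-group lockout safeguard.

WHEEL_LINE="auth       required     pam_wheel.so use_uid"

# wheel_members GROUP_FILE PASSWD_FILE: prints the members of "wheel", one per
# line: those listed in group(5) plus users whose primary GID is wheel's GID.
wheel_members() {
    awk -F: '
        NR == FNR {                            # first file (group): wheel GID and listed members
            if ($1 == "wheel") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 } # second file (passwd): primary-GID members
        END { for (u in seen) print u }
    ' "$1" "$2" | sort
}

# non_root_wheel_count GROUP_FILE PASSWD_FILE: number of wheel members other than root.
non_root_wheel_count() {
    wheel_members "$1" "$2" | awk '$0 != "root" { n++ } END { print n + 0 }'
}

# apply_pam_wheel SU_FILE GROUP_FILE PASSWD_FILE
# Inserts WHEEL_LINE into SU_FILE unless an uncommented pam_wheel.so "required"
# line is already present. Refuses (returns 1, file untouched) when no non-root
# user is in wheel, because the line would then stop everyone from reaching root via su.
apply_pam_wheel() {
    if [ "$(non_root_wheel_count "$2" "$3")" -eq 0 ]; then
        echo "wheel group has no non-root members; not applying to $1" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; then
        echo "pam_wheel.so already required in $1"
        return 0
    fi
    # Insert directly after pam_rootok.so if present, otherwise before the first
    # non-comment line, so the check runs before any "sufficient" auth module.
    awk -v line="$WHEEL_LINE" '
        !done && /^[[:space:]]*auth[[:space:]].*pam_rootok\.so/ { print; print line; done = 1; next }
        !done && /^[[:space:]]*[^#[:space:]]/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "added pam_wheel.so use_uid to $1"
}

# --- constructed sample files ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'alice:x:500:500:Alice:/home/alice:/bin/bash' \
              'bob:x:501:501:Bob:/home/bob:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' 'root:x:0:' 'wheel:x:10:root' 'users:x:100:alice,bob' > "$SAMPLE_DIR/group.rootonly"
printf '%s\n' 'root:x:0:' 'wheel:x:10:root,alice' 'users:x:100:alice,bob' > "$SAMPLE_DIR/group.ok"
cat > "$SAMPLE_DIR/su.orig" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
EOF
cp "$SAMPLE_DIR/su.orig" "$SAMPLE_DIR/su"

echo "== wheel contains only root =="
apply_pam_wheel "$SAMPLE_DIR/su" "$SAMPLE_DIR/group.rootonly" "$SAMPLE_DIR/passwd" || echo "refused; su left unchanged"
echo "== wheel contains root and alice =="
apply_pam_wheel "$SAMPLE_DIR/su" "$SAMPLE_DIR/group.ok" "$SAMPLE_DIR/passwd"
cat "$SAMPLE_DIR/su"
```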
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.3 - Restrict Substitute User (su) Access
DISA Red Hat 5 STIG (v1R4)
• GEN000850 - The system must restrict the ability to switch to the root user to members of a defined group.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.2 - Limit su Access to the Root Account
NVD CCE
• CCE-14088-9
• CCE-15047-4
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Limit Term Write Access to Owner
Restricts write-access to a user’s terminal to only that user. See mesg(1) and write(1) for more information.
This communication method between users is seldom used anymore. Setting this should have no impact on normal system operations.
This module sets mesg n instead of mesg -n. In Red Hat Enterprise Linux, the preceding dash is not correct, and in Solaris
the command works with or without the dash. This information is provided to help explain false positives produced by other
assessment tools.
Important
This module will not enforce permissions on these files, as other modules are responsible for doing so.
Module Options
• Files to Search ('free' text, supports quotes and shell 'globbing')
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001780 - Global initialization files must contain the "mesg -n" or "mesg n" commands.
DISA UNIX STIG (v5 R1.30)
• GEN001780 - Global Initialization Files do not Contain mesg -n
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
Lock Invalid Accounts
Locks any non-system user account that has an invalid configuration. At a minimum, valid configurations must contain user accounts
with:
• unique user names
• valid user and group identifiers (uid and gid)
• valid primary groups
• valid home directories
• valid login shells
In addition to verifying user account information, group accounts are also checked but only reported. These checks include:
• unique group name
• valid list of members
Since this module only locks user accounts with invalid configurations, it is imperative to manually review the logs and correct
user account configurations. Outside of Security Blanket the pwck(8) and grpck(8) utilities can be used to manually correct invalid
configurations.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN000300 - All accounts on the system must have unique user or account names.
• GEN000320 - All accounts must be assigned unique User Identification Numbers (UIDs).
• GEN000380 - All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
• GEN001440 - All interactive users must be assigned a home directory in the /etc/passwd file.
• GEN001460 - All interactive user home directories defined in the /etc/passwd file must exist.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000294 - All GIDs referenced in /etc/passwd must be defined in /etc/group
• RHEL-06-000296 - All accounts on the system must have unique user or account names
DISA UNIX STIG (v5 R1.30)
• GEN000300 - Unique Account Name
• GEN000320 - Unique UID
• GEN000380 - Groups Referenced in /etc/passwd
• GEN001440 - Assign Home Directories
• GEN001460 - Assigned Home Directories Exist
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.1 - Users must have a unique ID
Lock Non-Root Accounts with UID 0
Locks any account that has a user identification (UID) of zero that is also not the root user. Only the root user should have this unique
UID. A user with the same UID will have the same privileges as root.
It is highly recommended that you apply this module.
Manual Action May Be Required
This module will only lock the questionable account. Subsequent scans will also fail until you manually remove the account
in question.
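The checks that the Lock Invalid Accounts and Lock Non-Root Accounts with UID 0 modules perform, as an added report-only example (this is not Security Blanket code): it reads passwd and group content, prints one finding per line and locks nothing, so an administrator can review the findings before any account is touched. The function names and the sample passwd/group content are constructed for the illustration; on a live system pass the real files as shown in the header comment.

```sh
#!/bin/sh
# Added example, not part of Security Blanket: a report-only audit of the account
# properties that "Lock Invalid Accounts" and "Lock Non-Root Accounts with UID 0"
# check, so the findings can be reviewed before any account is locked.
# The passwd and group content below is constructed sample data; on a live system
# call: audit_accounts "$(cat /etc/passwd)" "$(cat /etc/group)"

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:600:Bob, primary gid undefined:/home/bob:/bin/bash
alice:x:502:500:duplicate name:/home/alice2:/bin/bash
carol:x:501:500:duplicate uid:/home/carol:/bin/bash
dave:x:503:500:no home directory::/bin/bash
erin:x:504:500:no login shell:/home/erin:'

SAMPLE_GROUP='root:x:0:
bin:x:1:
users:x:500:alice,bob,ghost'

# Accounts other than root with UID 0: each one is a second superuser.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print "uid 0 account: " $1 }'
}

# User names and UIDs that occur more than once (second and later occurrences).
duplicate_users() {
    printf '%s\n' "$1" | awk -F: '
        names[$1]++ > 0 { print "duplicate user name: " $1 }
        uids[$3]++  > 0 { print "duplicate uid " $3 ": " $1 }'
}

# Primary GIDs with no group entry, and empty home-directory or shell fields.
# Group content is fed first, separated from the passwd content by a "---" line.
invalid_fields() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -F: '
        !part2 && $0 == "---" { part2 = 1; next }
        !part2       { gid[$3] = 1; next }
        !($4 in gid) { print "undefined primary gid " $4 ": " $1 }
        $6 == ""     { print "empty home directory: " $1 }
        $7 == ""     { print "empty login shell: " $1 }'
}

# Group members that are not defined as users (reported only, as the module does).
unknown_members() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F: '
        !part2 && $0 == "---" { part2 = 1; next }
        !part2 { user[$1] = 1; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] != "" && !(m[i] in user)) print "unknown member of " $1 ": " m[i] }'
}

audit_accounts() {
    uid0_accounts "$1"
    duplicate_users "$1"
    invalid_fields "$1" "$2"
    unknown_members "$1" "$2"
}

# Number of findings, for use as a pass/fail gate in a scan.
finding_count() { audit_accounts "$1" "$2" | grep -c . || true; }

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

The sample data produces eight findings, including the duplicate UID 0 for "toor" that both modules would act on. Like the modules, the script only reports group problems; pwck(8) and grpck(8) remain the tools for correcting the files.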
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
CIA DCID 6/3 (May 2000)
• 4.B.1.a(2) - Identification and Authentication - Unique Users
DISA Red Hat 5 STIG (v1R4)
• GEN000880 - The root account must be the only account having a UID of 0.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000032 - The root account must be the only account having a UID of 0.
DISA UNIX STIG (v5 R1.30)
• GEN000880 - Root's UID
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(2) - Identification and Authentication - Unique Users
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NIST FISMA (SP 800-53)
• AC-2 - Account Management
• IA-2 - User Identification and Authentication
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.6 - Verify that No Non-Root Accounts Have UID 0
NVD CCE
• CCE-4009-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.1 - Users must have a unique ID
Maximum Number of Logins per User
Limits the maximum number of concurrent logins by a specific user.
Operating Systems              Configuration File            Setting
Fedora 10, 11, 12, and 13      /etc/security/limits.conf     * hard maxlogins <value>
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Red Hat Enterprise Linux 4     Not currently supported
Solaris 10                     Not currently supported
The <value> placeholder is the module option below; the limit is enforced by pam_limits(8) through its maxlogins item.
Module Options
• Maximum number of concurrent logins per user.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN000450 - The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with
operational requirements.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000319 - The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with
operational requirements.
Remove Games User Account
Removes the games system account.
It is recommended that you apply this module unless the games account is required by your system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000290-1 - The system must not have the unnecessary "games" account.
DISA UNIX STIG (v5 R1.30)
• LNX00340 - Unnecessary Accounts
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.4 - Remove all unnecessary functionality
Remove Gopher User Account
Disables gopher user accounts. As a general precaution, it is recommended that you remove default system accounts that are not used
or needed. The more accounts that are present on the system the more opportunities an attacker has to gain access or information about
your system.
Unless your system is running a gopher service, removing this account is safe and highly recommended.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000290-3 - The system must not have the unnecessary "gopher" account.
DISA UNIX STIG (v5 R1.30)
• LNX00340 - Unnecessary Accounts
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.4 - Remove all unnecessary functionality
Remove Halt User Account
Removes the halt user account. As a general precaution, default system accounts that are not used or needed should be removed. The
more accounts that are present on the system, the more opportunities an attacker has to gain access or information about your system.
It is recommended to remove the halt user account unless it is required by your system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt.
DISA UNIX STIG (v5 R1.30)
• LNX00320 - Special Privileged Accounts
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2.4 - Remove all unnecessary functionality
Remove News User Account
Removes the news system account.
It is recommended to apply this module unless the news account is required by your system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000290-2 - The system must not have the unnecessary "news" account.
DISA UNIX STIG (v5 R1.30)
• LNX00340 - Unnecessary Accounts
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.4 - Remove all unnecessary functionality
Remove Shutdown User Account
Removes the shutdown system account so that only a root login can shut down the system. As a general precaution, it is recommended
that you remove this system account. The more accounts that are present on the system, the more opportunities an attacker has to gain
access or information about your system.
It is recommended to apply this module unless the shutdown user account is required by your system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt.
DISA UNIX STIG (v5 R1.30)
• LNX00320 - Special Privileged Accounts
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2.4 - Remove all unnecessary functionality
Remove Sync User Account
Removes the sync user account. As a general precaution, default system accounts that are not used or needed should be removed. The
more accounts that are present on the system, the more opportunities an attacker has to gain access or information about your system.
It is recommended to remove the sync user account unless it is required by your system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA UNIX STIG (v5 R1.30)
• LNX00320 - Special Privileged Accounts
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2.4 - Remove all unnecessary functionality
Restrict use of Mesg Command
Ensures user’s local shell initialization files do not use mesg(1) command with the 'y' option.
This prevents users from adjusting access to their own terminals with the mesg(1) command. By default, only the owner can read and
write to their terminal.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA UNIX STIG (v5 R1.30)
• GEN001960 - Local Initialization Files mesg -y
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
Root Console Only Logins
Prevents direct login access to the root account (except in single-user mode). This ensures that personnel using the account have
physical access to the machine or have permission to use the switch user command (su(1)) to the account. Utilizing su(1) as the
vehicle to gain access to the root account provides an additional measure of accountability through auditing.
When this technique is used on a system with auditing enabled and where su(1) is restricted to members of the wheel group, you get a
much more detailed audit trail. If you intend to control the system through serial consoles, this security modification is recommended,
with one additional step. After exiting from this application, add the specific serial consoles being used to the /etc/securetty
file.
IMPORTANT: Linux-based Virtual Machines
When running the operating system in a virtual machine, a common misconception is that a direct login on the virtual console
is the same as /dev/console. Many virtualization frameworks such as VMware® configure this as tty1. Therefore, this
module may prevent direct login to the root account unless 'tty1' is included in this file.
Important
Some guidelines allow more than one entry in this file, whereas others may specify a single entry. It is up to the user to
supply the correct entry or entries as appropriate to the guideline being used.
Module Options
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
• Required lines for /etc/securetty
Devices where direct root login will be allowed (i.e., console, tty1)
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.4 - Restrict Root Login to the Console
DISA Red Hat 5 STIG (v1R4)
• GEN000980 - The system must prevent the root account from directly logging in except from the system console.
• GEN001000 - Remote consoles must be disabled or protected from unauthorized access.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000027 - The system must prevent the root account from logging in from virtual consoles.
• RHEL-06-000028 - The system must prevent the root account from logging in from serial consoles.
DISA UNIX STIG (v5 R1.30)
• GEN000980 - Root Console Access
• GEN001000 - Remote Consoles
NIST FISMA (SP 800-53)
• AU-10 - Non-repudiation
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.1.1 - Restrict Root Logins to System Console
NVD CCE
• CCE-3485-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Root Home Directory Permissions
Restricts access to the root home directory to only those users with root privileges. This module expects the root home directory to be
a directory other than /, otherwise it will fail and the module will NOT make any changes.
If scripts or applications are running as root, consider rewriting them to run as a non-privileged user; it is rare for an application
or script to absolutely require root. If the module fails because the home directory is /, the root home directory must be
manually configured to be something other than /.
Module Options
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DISA Red Hat 5 STIG (v1R4)
• GEN000900 - The root user's home directory must not be the root directory (/).
• GEN000920 - The root account's home directory (other than /) must have mode 0700.
DISA UNIX STIG (v5 R1.30)
• GEN000900 - Root's Home Directory
• GEN000920 - Root's Home Directory Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
Root Path
Including the current working directory ('.') or other writable directory in the root executable path allows an attacker to gain superuser
status by forcing an administrator operating as root to execute a Trojan horse program.
This module is unable to remove the current working directory ('.') from the root path because there are too many variables involved in
locating where this insertion takes place. The system administrator must perform this task.
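The manual review that this module leaves to the administrator, as an added example (not Security Blanket code): a shell function that takes a PATH string and reports every element an attacker could use to plant a Trojan horse. The function names, the temporary directory tree and the DEMO_PATH value are constructed for the illustration.

```sh
#!/bin/sh
# Added example, not part of Security Blanket: the manual review that the "Root
# Path" module leaves to the administrator, as a function that takes a PATH
# string and reports every element an attacker could plant a Trojan horse in:
# "." and empty elements (both mean the current directory), relative directories,
# directories that are group- or world-writable, and directories that do not
# exist (a typo an attacker could later create). The directories used to
# demonstrate it are created under a temporary root.

audit_path() {
    rest="$1:"                            # trailing ":" makes the loop see a final empty element
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case "$dir" in
            "" | .)
                printf 'current directory in PATH: "%s"\n' "$dir" ;;
            /*)
                if [ ! -d "$dir" ]; then
                    printf 'nonexistent directory in PATH: %s\n' "$dir"
                else
                    # -L follows a symlinked directory so its target's mode is examined;
                    # columns 6 and 9 of the mode string are the group and other write bits.
                    mode=$(ls -ldL "$dir" | cut -c1-10)
                    case $mode in
                        ????????w?) printf 'world-writable directory in PATH: %s\n' "$dir" ;;
                        ?????w????) printf 'group-writable directory in PATH: %s\n' "$dir" ;;
                    esac
                fi ;;
            *)
                printf 'relative directory in PATH: %s\n' "$dir" ;;
        esac
    done
}

audit_path_count() { audit_path "$1" | grep -c . || true; }

# Constructed demonstration: a safe bin, a world-writable tmp and a group-writable lib.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -m 0755 "$demo_root/bin"
mkdir -m 0777 "$demo_root/tmp"
mkdir -m 0775 "$demo_root/lib"
DEMO_PATH="$demo_root/bin:.:$demo_root/tmp:$demo_root/lib:lib:$demo_root/missing"

# To audit the real root search path, run as root: audit_path "$PATH"
audit_path "$DEMO_PATH"
```

Run it against root's actual PATH from an interactive root shell and from a cron job, since the two are often set by different files; the empty-element case (a leading, trailing or doubled colon) is the one most hand checks miss.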
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN000940 - The root account's executable search path must be the vendor default and must contain only absolute paths.
• GEN000960 - The root account must not have world-writable directories in its executable search path.
DISA UNIX STIG (v5 R1.30)
• GEN000940 - Root's Search Path
• GEN000960 - Root's Search Path
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.4.1 - Ensure that No Dangerous Directories Exist in Root’s Path
• 2.3.4.2 - Ensure that User Home Directories are not Group-Writable or World-Readable
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Root Shell must be on / filesystem
Changes the root account’s shell to the default /bin/bash if the current shell does not reside on the / filesystem. On Solaris
systems, this module will set the shell to /sbin/sh if the module fails.
It is recommended that you apply this module. This module ensures that root has a shell which resides on the / filesystem. It is
important for root to have a shell if it has problems mounting other filesystems.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001080 - The root shell must be located in the / file system.
DISA UNIX STIG (v5 R1.30)
• GEN001080 - Root Shell
Single User Mode Password
This module modifies the system to require password authentication prior to allowing root access from within single user mode.
There is little reason to allow unauthenticated root access to a machine. In environments where physical access cannot be strictly
controlled, allowing unauthenticated root access greatly increases the risk of a security breach.
Operating Systems              Configuration File          Setting
Red Hat Enterprise Linux 4     /etc/inittab                ~~:S:wait:/sbin/sulogin
Red Hat Enterprise Linux 5
SUSE 10 and 11
Fedora 10, 11, 12              /etc/event.d/rcS-sulogin    exec /bin/sulogin
Fedora 13                      /etc/init/rcS-sulogin       exec /bin/sulogin
Red Hat Enterprise Linux 6     /etc/sysconfig/init         SINGLE=/bin/sulogin
Solaris 10                     /etc/default/sulogin        PASSREQ=YES
On Solaris systems, if the /etc/default/sulogin file does not exist, this module will still pass, because the default
value is PASSREQ=YES; however, it is best to have the file and explicitly set the parameter to avoid false positives from many
third-party assessment tools.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 7.7 - Single User Mode Password
DISA Red Hat 5 STIG (v1R4)
• GEN000020 - The system must require authentication upon booting into single-user and maintenance modes.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000069 - The system must require authentication upon booting into single-user and maintenance modes.
DISA UNIX STIG (v5 R1.30)
• GEN000020 - Single User Mode Password
• GEN000040 - Single User Mode Password Incompatibility Documentation
• GEN000060 - Single User Mode Password Incompatibility Location
DoD NISPOM (Feb 2006)
• 8.613a1 - Access to Protection Functions
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.5.3 - Require Authentication for Single-User Mode
NVD CCE
• CCE-4241-6
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Sync Shells File
Configures /etc/shells to contain shells assigned to users in /etc/passwd . The shells(5) file is consulted by chsh(1)
and is available to be queried by other programs. There are programs that consult this file to find out if a user is a normal user. For
example, FTP daemons traditionally disallow access to users with shells not included in /etc/shells.
This module compares the shell for each account in /etc/passwd (including system accounts) against the explicit list
of approved shells in /etc/shells and, if the shell is not found there, against a list of implicitly acceptable shells that
by convention indicate an account on which logins are not allowed. This list consists of:
/bin/sync
/dev/null
/sbin/nologin
/usr/bin/false
/bin/false
/sbin/halt
Any account that has an unacceptable shell will be locked. It is up to the Administrator to assign a correct login shell for these
offending users.
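The comparison this module performs, as an added example (not Security Blanket code), run over constructed passwd and shells content: a shell is acceptable if it is listed in /etc/shells or is one of the six implicit no-login shells above, and every other account is a candidate for locking. The function names and the sample data are constructed for the illustration.

```sh
#!/bin/sh
# Added example, not part of Security Blanket: the comparison the "Sync Shells
# File" module performs, over constructed passwd and shells content. A shell is
# acceptable when it is listed in /etc/shells or is one of the conventional
# no-login shells; accounts with any other shell are the ones the module locks.
# On a live system: unacceptable_shells "$(cat /etc/passwd)" "$(cat /etc/shells)"

SAMPLE_SHELLS='# constructed /etc/shells
/bin/sh
/bin/bash'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
halt:x:7:0:halt:/sbin:/sbin/halt
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/usr/bin/zsh
mallory:x:502:502:Mallory:/home/mallory:/tmp/.hidden/sh'

# The implicit list from the module description: shells that mark an account as non-login.
NOLOGIN_SHELLS='/bin/sync /dev/null /sbin/nologin /usr/bin/false /bin/false /sbin/halt'

# Prints "user shell" for every account whose shell is in neither list.
# The shells content is fed first, separated from the passwd content by a "---" line.
unacceptable_shells() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !part2 && $0 == "---" { part2 = 1; next }
        !part2 { if ($0 != "" && $0 !~ /^#/) ok[$0] = 1; next }
        !($7 in ok) { print $1, $7 }'
}

# Shells in use that /etc/shells does not list. Decide per shell whether to add it
# to /etc/shells (a legitimate interpreter such as zsh) or to lock the account (a
# "shell" under a world-writable directory such as /tmp is a planted binary).
unlisted_shells() { unacceptable_shells "$1" "$2" | awk '{ print $2 }' | sort -u; }

# The lock the module would apply, printed rather than executed; passwd -l works
# on both Linux and Solaris.
lock_commands() { unacceptable_shells "$1" "$2" | awk '{ print "passwd -l " $1 }'; }

unacceptable_shells "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

On the sample data bob (zsh, merely unlisted) and mallory (a shell under /tmp) are both flagged; the module treats them identically and locks both, which is why the description asks the administrator to review the log and assign correct shells afterwards.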
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002140 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of
preventing logins.
DISA UNIX STIG (v5 R1.30)
• GEN002120 - The /etc/shells File Does Not Exist
• GEN002140 - The /etc/shells Contents
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
User Dot File Perms
Prevents user dot files from being writable by other users. User dot files are local initialization files located in user’s home directories.
They are used by shells and other applications during startup. Typical user dot files include .bashrc and .profile .
This module will obtain a list of local, non-system user accounts from /etc/passwd . Non-system accounts in Linux are those with
user identification numbers greater than or equal to 500 and in Solaris with an identification number greater than or equal to 100. The
module then checks each account’s home directory and ensures that $HOME/.[A-Za-z0-9]* does not have group or world write
permissions.
It is recommended to apply this module to prevent users from modifying other user initialization files. Not applying this module
leaves the system vulnerable to malicious users who could introduce Trojan Horses.
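The check this module performs, as an added example (not Security Blanket code) that can be exercised on a constructed temporary home directory: it selects local non-system accounts from passwd content with the same UID floor the module uses, lists dot files that carry a group or world write bit, and removes exactly those bits. The function names and the temporary home are constructed for the illustration.

```sh
#!/bin/sh
# Added example, not part of Security Blanket: the check that "User Dot File
# Perms" performs, written so it can be exercised on a constructed temporary
# home directory. It lists dot files (and dot directories) that are group- or
# world-writable, and fix_dotfiles removes exactly those write bits.

# Home directories of local non-system accounts from passwd content ($1), using the
# same UID floor as the module: 500 on Linux, 100 on Solaris ($2).
local_user_homes() {
    printf '%s\n' "$1" | awk -F: -v floor="$2" '$3 >= floor && $6 != "" { print $6 }'
}

# Prints each entry matching $HOME/.[A-Za-z0-9]* whose mode has the group or other write bit.
writable_dotfiles() {
    for f in "$1"/.[A-Za-z0-9]*; do
        [ -e "$f" ] || continue           # the glob matched nothing
        [ -L "$f" ] && continue           # a symlink's own mode bits are meaningless
        mode=$(ls -ld "$f" | cut -c1-10)  # e.g. -rw-rw-r--: group write is column 6, other write column 9
        case $mode in
            ?????w???? | ????????w?) printf '%s\n' "$f" ;;
        esac
    done
}

# Clears only the offending bits; ownership and the owner's own permissions are untouched.
fix_dotfiles() {
    writable_dotfiles "$1" | while read -r f; do chmod g-w,o-w "$f"; done
}

# Constructed demonstration home: a world-writable .bashrc, a group-writable .ssh
# directory and a correctly protected .profile.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
printf 'alias ll="ls -l"\n' > "$demo_home/.bashrc";  chmod 0666 "$demo_home/.bashrc"
printf '# login profile\n'  > "$demo_home/.profile"; chmod 0644 "$demo_home/.profile"
mkdir -m 0775 "$demo_home/.ssh"

# On a live system: for h in $(local_user_homes "$(cat /etc/passwd)" 500); do writable_dotfiles "$h"; done
writable_dotfiles "$demo_home"
```

The .ssh directory is included deliberately: the glob the module uses matches dot directories as well as files, and a group-writable .ssh lets any group member replace authorized_keys, which is a more direct takeover than a modified .bashrc.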
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001860 - All local initialization files must be owned by the home directory's user or root.
• GEN001870 - Local initialization files must be group-owned by the user's primary group or root.
• GEN001880 - All local initialization files must have mode 0740 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001880 - Local Initialization Files Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.4.3 - Ensure that User Dot-Files are not World-writable
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Chapter 5. Network Configuration
ARP Cleanup Interval
Set the length of time, in milliseconds, that unsolicited Address Resolution Protocol (ARP) requests remain in the ARP cache. If
unsolicited ARP requests are allowed to remain in the ARP cache for long periods, an attacker could fill up the ARP cache with bogus
entries.
This module is used to manage unsolicited ARP entries, not solicited entries which are managed with Security Blanket's “ARP
IRE_CACHE Cleanup Interval” module.
Table 5.1. Setting the ARP Cleanup Interval
Operating Systems              Configuration File    Setting
Fedora 10, 11, 12, and 13      Operating System Not Applicable
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                     /etc/default/ndd      arp_cleanup_interval = value
Module Options
• The length of time that unsolicited Address Resolution Protocol (ARP) requests remain in the ARP cache.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
ARP IRE_CACHE Cleanup Interval
Set the interval, in milliseconds, in which the IP Resolved Entries cache (IRE_CACHE) is scanned and entries are deleted that are
more than one scan old. This interval is used for solicited ARP entries, not unsolicited which are set with Security Blanket's “ARP
Cleanup Interval” module.
This can help mitigate ARP attacks (ARP poisoning). Consult with your local network team for additional security measures in this
area, such as using static ARP, or fixing MAC addresses to switch ports.
Table 5.2. Setting the IRE_CACHE Scan Interval
Operating Systems              Configuration File    Setting
Fedora 10, 11, 12, and 13      Operating System Not Applicable
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                     /etc/default/ndd      ip_ire_arp_interval = value
Module Options
• The interval which the IRE_CACHE is scanned.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Adjust Maximum Pending Connections
Configures the maximum number of SYN requests to keep in memory. These SYN requests are part of the TCP handshake process
used to establish connections.
This module has adjustable parameters; the default is 4096. A high number of connection requests can take up memory and processor
power and can lead to denial-of-service situations. Reduce this number if your machine is low on resources.
Table 5.3. Setting the Maximum Number of TCP SYN Requests Kept in Memory
Operating Systems              Configuration File    Setting
Fedora 10, 11, 12, and 13      /etc/sysctl.conf      net.ipv4.tcp_max_syn_backlog = 4096
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Solaris 10                     /etc/default/ndd      tcp_conn_req_max_q = 1024
                                                     tcp_conn_req_max_q0 = 4096
Module Options
• Maximum number of remembered connection requests, which have not received an acknowledgment from connecting client.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 5 STIG (v1R4)
• GEN003601 - TCP backlog queue sizes must be set appropriately.
DISA UNIX STIG (v5 R1.30)
• GEN003600 - Network Security Settings
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Configure System to Log 'martian' Network Packets
A 'martian' network packet is a packet received on an interface that does not appear to be valid for that network. It can be an indication
of a misconfigured interface, or of a network intrusion attempt.
This module is not applicable to Oracle Solaris.
The following values will be set in /etc/sysctl.conf if not already there:
Table 5.4. IP Settings to Log Martian Packets
Operating Systems              Configuration File    Setting
Fedora 10, 11, 12, and 13      /etc/sysctl.conf      net.ipv4.conf.all.log_martians = 1
Red Hat Enterprise Linux 4                           net.ipv4.conf.default.log_martians = 1
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE 10 and 11
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 5 STIG (v1R4)
• GEN003611 - The system must log martian packets.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000088 - The system must log Martian packets.
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable Accepting ICMP Redirects
Configures the system to refuse ICMP redirects.
The ICMP protocol uses "redirect" messages to notify a traffic source that it is using a suboptimal route. Such a redirect is normally sent
by the default router to the system to indicate that there is a shorter route to a particular destination.
A host has no way to verify that a redirect really came from its router, so an attacker on the local network can forge redirects to
rewrite the host's routing table, diverting traffic through a system under their control or making a destination unreachable. It is
recommended to apply this module to prevent such man-in-the-middle and denial-of-service attacks.
Table 5.5. IP Settings to Refuse ICMP Redirects
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv6.conf.all.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0
• Solaris 10 (/etc/default/ndd):
  ip_ignore_redirect = 1
  ip6_ignore_redirect = 1
See the Solaris Tunable Parameters Reference Manual [1] and the Linux kernel’s networking variables/parameters (in the ipsysctl.txt file) for more information.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
[1] Sun Microsystems. Solaris Tunable Parameters Reference Manual. Santa Clara, CA: Sun Microsystems Press, 2005.
DISA Red Hat 5 STIG (v1R4)
• GEN003609 - The system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
• GEN007860 - The system must ignore IPv6 ICMP redirect messages.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000084 - The system must not accept ICMPv4 redirect packets on any interface.
• RHEL-06-000091 - The system must ignore IPv4 ICMP redirect messages.
• RHEL-06-000099 - The system must ignore ICMPv6 redirects by default.
DISA UNIX STIG (v5 R1.30)
• GEN003600 - Network Security Settings
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable Accepting Secure Redirects
Configures the system to block secure ICMP redirects.
A secure redirect message is sent by a gateway that appears in the host’s default gateway list. This message notifies the system that
there is a shorter route to a particular destination.
Spoofing a router’s IP address is fairly simple; therefore, an attacker could use ICMP redirects in a potential denial-of-service attack if
your system is configured to accept such redirects.
Table 5.6. IP Settings to Block Secure Redirects
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.default.secure_redirects = 0
• Solaris 10: Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000086 - The system must not accept ICMPv4 secure redirect packets on any interface.
• RHEL-06-000090 - The system must not accept ICMPv4 secure redirect packets by default.
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable Broadcast Packet Forwarding
Directed broadcasts are packets that are sent from one system on a foreign network to all systems on another network. Directed
broadcasts are the basis for the “smurf” attack where forged ICMP packets are sent from a host to the broadcast address of a remote
network. The source address in the ICMP packets is forged to contain the address of the victim host. The systems on the remote
network receive the ICMP packet and then reply back to the victim host thereby flooding the host with traffic. Any Solaris system that
has IP forwarding enabled will forward directed broadcasts as well.
Table 5.7. IP Settings to Disable Directed Broadcast Forwarding
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11: Operating System Not Applicable
• Solaris 10 (/etc/default/ndd):
  ip_forward_directed_broadcasts=0
See the Solaris Tunable Parameters Reference Manual [2] for more information.
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable IP Forwarding
Disables IP forwarding. By default, your system is configured to forward IP packets for IPv4 network traffic. If your system is not
being used as a router or gateway for other machines, then apply this module to your profile to disable IP forwarding. The setting will
be changed from 1 to 0. In the event that your system is serving as a router or gateway, do not apply this configuration change.
[2] Sun Microsystems. Solaris Tunable Parameters Reference Manual. Santa Clara, CA: Sun Microsystems Press, 2005.
This module will alter the net.ipv4.ip_forward kernel parameter stored in the sysctl.conf(5) file. On Solaris systems,
the routeadm(1M) command is used to modify the ipv4_forwarding and ipv6_forwarding parameters.
Unless your system is routing network traffic for other machines on your network, it is safe to disable IP forwarding. This will have no
impact on system operation.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 5 STIG (v1R4)
• GEN005600 - IP forwarding for IPv4 must not be enabled, unless the system is a router.
• GEN005610 - The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
• GEN007920 - The system must not forward IPv6 source-routed packets.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000082 - IP forwarding for IPv4 must not be enabled, unless the system is a router.
DISA UNIX STIG (v5 R1.30)
• GEN003600 - Network Security Settings
• GEN005600 - Disable IP Forwarding
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable IPv6 Kernel Module
Prevents the kernel from loading the IPv6 module.
This module will examine all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and look for the
line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder,
then it will be updated to match the provided line. If no matching line is found, then the line will be added to either
/etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 6.14.2 - Ensure IPv6 Module Does Not Load
DISA Red Hat 5 STIG (v1R4)
• GEN007700 - The IPv6 protocol handler must not be bound to the network stack unless needed.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000098 - The IPv6 protocol handler must not be bound to the network stack unless needed.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.3.1.1 - Disable Automatic Loading of IPv6 Kernel Module
NVD CCE
• CCE-3562-6
Disable Proxy Address Resolution Protocol (Proxy ARP)
Prevents the system from using the Proxy Address Resolution Protocol (Proxy ARP). If this protocol is enabled, then ARP requests
from one interface can “leak” over onto other interfaces, potentially revealing information on network configuration.
Table 5.8. IP Settings to Disable Proxy ARP
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.conf.all.proxy_arp = 0
  net.ipv4.conf.default.proxy_arp = 0
• Solaris 10: Operating System Not Applicable
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN003608 - Proxy Address Resolution Protocol (Proxy ARP) must not be enabled on the system.
DISA UNIX STIG (v5 R1.30)
• GEN003608 - Proxy ARP must not be enabled on the system.
Disable Sending ICMP Redirects
Prohibits the system from sending ICMP redirects.
The ICMP protocol uses “redirect” messages to notify a traffic source regarding its suboptimal use of routing. Such a redirect is
normally sent by the default router to the system to indicate that there is a shorter route to a particular destination.
Allowing your system to send ICMP redirects is a security risk. It is recommended that you apply this module to prevent your system
from being involved in denial-of-service attacks.
Table 5.9. IP Settings to Prohibit the Sending of ICMP Redirects
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
• Solaris 10 (/etc/default/ndd):
  ip_send_redirects=0
  ip6_send_redirects=0
See the Solaris Tunable Parameters Reference Manual [3] and the Linux kernel’s networking variables/parameters (in the ipsysctl.txt file) for more information.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 5 STIG (v1R4)
• GEN003610 - The system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000080 - The system must not send ICMPv4 redirects by default.
• RHEL-06-000081 - The system must not send ICMPv4 redirects from any interface.
DISA UNIX STIG (v5 R1.30)
• GEN003600 - Network Security Settings
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
[3] Sun Microsystems. Solaris Tunable Parameters Reference Manual. Santa Clara, CA: Sun Microsystems Press, 2005.
Disable Source Routing
Prevents the system from accepting network packets with routes predetermined by their source. By not accepting such packets, your
system makes it difficult for an attacker to generate traffic that is pretending to be from inside your network.
Source routing has few valid uses. Unless you require the acceptance of source-routed packets, this module should be applied to
disable source routing.
Table 5.10. IP Settings to Disable Source Routing
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
• Solaris 10 (/etc/default/ndd):
  ip_forward_src_routed = 0
  tcp_rev_src_routes = 0
See the Solaris Tunable Parameters Reference Manual [4] and the Linux kernel’s networking variables/parameters (in the ipsysctl.txt file) for more information.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 5 STIG (v1R4)
• GEN003600 - The system must not forward IPv4 source-routed packets.
• GEN003607 - The system must not accept source-routed IPv4 packets.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000083 - The system must not accept IPv4 source-routed packets on any interface.
• RHEL-06-000089 - The system must not accept IPv4 source-routed packets by default.
DISA UNIX STIG (v5 R1.30)
• GEN003600 - Network Security Settings
[4] Sun Microsystems. Solaris Tunable Parameters Reference Manual. Santa Clara, CA: Sun Microsystems Press, 2005.
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable Support for DCCP
Prevents the kernel from loading the Datagram Congestion Control Protocol (DCCP) module.
This module will examine all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and look for the
line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder,
then it will be updated to match the provided line. If no matching line is found, then the line will be added to either
/etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000124 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.7.1 - Disable Support for DCCP
NVD CCE
• CCE-14268-7
Disable Support for RDS
Prevents the kernel from loading the Reliable Datagram Sockets (RDS) protocol module.
This module will examine all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and look for the
line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder,
then it will be updated to match the provided line. If no matching line is found, then the line will be added to either
/etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN007480 - The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000126 - The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.7.3 - Disable Support for RDS
NVD CCE
• CCE-14027-7
Disable Support for SCTP
Prevents the kernel from loading the Stream Control Transmission Protocol (SCTP) module.
This module will examine all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and look for the
line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder,
then it will be updated to match the provided line. If no matching line is found, then the line will be added to either
/etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN007020 - The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000125 - The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.7.2 - Disable Support for SCTP
NVD CCE
• CCE-14132-5
Disable Support for TIPC
Prevents the kernel from loading the Transparent Inter-Process Communication (TIPC) protocol module.
This module will examine all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and look for the
line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder,
then it will be updated to match the provided line. If no matching line is found, then the line will be added to either
/etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
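The line-matching rule these modprobe modules share (the same description appears for the IPv6, DCCP, RDS, SCTP and TIPC modules above) is easy to get subtly wrong, so here it is worked through as an added Python example. This is not the product's code; the existing file contents, the required lines and the fallback-path choice are constructed from the description, and the write step is shown but not run.

```python
import os

# Constructed examples of lines a module could be given (not the product's defaults).
REQUIRED_LINES = [
    "options ipv6 disable=1",   # form used by the NSA RHEL5 guide for the IPv6 module
    "install dccp /bin/true",   # form used by the DISA RHEL6 STIG for DCCP
    "install tipc /bin/true",
]

# Constructed snapshot of existing files as {path: [lines]} (not from a real system).
EXISTING_FILES = {
    "/etc/modprobe.d/local.conf": [
        "# site overrides",
        "options ipv6 disable=0",   # first two fields match, remainder differs: updated
        "blacklist pcspkr",         # unrelated: left alone
    ],
    "/etc/modprobe.d/dccp.conf": ["install dccp /bin/true"],   # already compliant
}
FALLBACK_FILE = "/etc/modprobe.d/SecurityBlanket_modprobe_settings"


def match_key(line):
    """First two whitespace-separated fields, e.g. ('install', 'tipc'); None if fewer."""
    fields = line.split()
    return tuple(fields[:2]) if len(fields) >= 2 else None


def apply_required_lines(required, existing, fallback):
    """
    For each required line: update every non-comment line whose first two fields match
    but whose remainder differs; leave exact matches alone; append lines matched nowhere
    to the fallback file. Returns a new {path: [lines]} mapping; inputs are not modified.
    """
    files = {path: list(lines) for path, lines in existing.items()}
    files.setdefault(fallback, [])
    for req in required:
        key = match_key(req)
        found = False
        for lines in files.values():
            for i, line in enumerate(lines):
                stripped = line.strip()
                if stripped.startswith("#") or match_key(stripped) != key:
                    continue
                found = True
                if stripped != req:
                    lines[i] = req
        if not found:
            files[fallback].append(req)
    return files


def load_modprobe_files():
    """Read /etc/modprobe.conf and every regular file in /etc/modprobe.d, if present."""
    paths = []
    if os.path.isfile("/etc/modprobe.conf"):
        paths.append("/etc/modprobe.conf")
    if os.path.isdir("/etc/modprobe.d"):
        paths += [os.path.join("/etc/modprobe.d", f) for f in sorted(os.listdir("/etc/modprobe.d"))]
    files = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path) as fh:
                files[path] = fh.read().splitlines()
    return files


def fallback_path():
    """Where unmatched lines go, per the module description."""
    if os.path.isdir("/etc/modprobe.d"):
        return "/etc/modprobe.d/SecurityBlanket_modprobe_settings"
    return "/etc/modprobe.conf"


def write_files(files):
    """Persist a result mapping; needs root on a real host (not called by the demo)."""
    for path, lines in files.items():
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    result = apply_required_lines(REQUIRED_LINES, EXISTING_FILES, FALLBACK_FILE)
    for path, lines in result.items():
        print(path)
        for line in lines:
            print("   ", line)
```

On a live host the same call is apply_required_lines(REQUIRED_LINES, load_modprobe_files(), fallback_path()); remember that a blacklist line does not stop an explicitly requested or dependency-pulled load, which is why the guides use install lines.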
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN007540 - The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000127 - The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.7.4 - Disable Support for TIPC
NVD CCE
• CCE-14911-2
Disable Zeroconf Networking
Disables the 'zeroconf' networking capability, to prevent devices from self-configuring to work within the 169.254.0.0
subnet.
Some systems will automatically self-configure to have an address within this subnet if a DHCP request fails.
This module examines the /etc/sysconfig/network file to ensure the following line is present:
NOZEROCONF=yes
Compliancy
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.9.3 - Disable Zeroconf Networking
NVD CCE
• CCE-14054-1
Enable Reverse Path Source Validation
Configures the system to perform source validation by reverse path. When reverse path source validation is enabled, inbound
packets are dropped if the source IP address from which they were received is not reachable through the interface they arrived on (i.e., an asymmetric route).
Enabling this may cause problems in complex networks running a slow and unreliable protocol, using static routes, or where
asymmetric routes are present. Asymmetric routes are not common, but may be necessary in certain cases. By default, Linux drops
packets in which asymmetric routes are used because of the security risk. [5]
Table 5.11. IP Settings to Enable Reverse Path Source Validation
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.conf.default.rp_filter = 1
• Solaris 10: Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000096 - The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
• RHEL-06-000097 - The system must use a reverse-path filter for IPv4 network traffic when possible by default.
[5] Benvenuti, Christian. Understanding Linux Network Internals, Chapter 31. Sebastopol, CA: O'Reilly Media, Inc., 2006.
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Enable Strong TCP Sequence Number Generation
Sets the mechanism used to generate TCP initial sequence numbers. For Solaris systems, this module sets the mechanism to RFC 1948
sequence number generation, which produces a unique sequence per connection ID.
This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP
sequence numbers.
Operating Systems / Configuration Files / Settings:
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11: Not applicable to Linux kernels after 1996.
• Solaris 10 (SPARC Global zone only) (/etc/default/inetinit):
  TCP_STRONG_ISS=2
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
Enable TCP Syncookies
Enables the system to send out SYN cookies to remote hosts when they are flooding your system’s backlog queue with SYN
packets. These cookies check whether the inbound SYN packets are legitimate; if they are not, your system might be experiencing a
“SYN flood” denial-of-service attack.
Enabling this option on a system under normal load is useful. If your system is under high load, it will still accept new connections, but
without advanced features such as explicit congestion notification (ECN) or selective acknowledgement (SACK).
Table 5.12. TCP Setting to Enable Sending of SYN Cookies
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.tcp_syncookies = 1
• Solaris 10: Operating System Not Applicable. This is a default, built-in feature of Solaris.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 5 STIG (v1R4)
• GEN003612 - The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000095 - The system must be configured to use TCP syncookies.
DISA UNIX STIG (v5 R1.30)
• GEN003600 - Network Security Settings
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Enable TCP Wrappers
Verifies that the /etc/hosts.allow and /etc/hosts.deny access control files are set up correctly for TCP Wrappers. Both files
will be examined for required lines, for ownership by an allowed user/group combination, and for acceptable permissions. If any of the
fields are blank, then those checks will be skipped.
Each line in the Required... options is processed independently; if that line is not found verbatim in the associated file, then
it will either trigger a scan failure or be appended to the file. Should any text field be blank, then checks for that field will
be skipped.
Module Options
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., a maximum of 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permission for user/group/other, then
execute permission for user/group/other is also allowed, to permit directory traversal. No extra permissions are enforced,
only allowed. If empty, no permission checks will be done.
• Required lines for /etc/hosts.allow
• Required lines for /etc/hosts.deny
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN005540 - The SSH daemon must be configured for IP filtering.
• GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.4.1 - How TCP Wrapper Protects Services
Ignore Bogus ICMP4 Error Responses
Configures the system to ignore bogus ICMP4 error responses.
Misconfigured/noncompliant routers can generate bogus ICMP4 error responses. Configuring your system to ignore these error
messages can help reduce the amount of data that is logged.
Table 5.13. IP Settings to Ignore Bogus ICMP4 Error Responses
• Red Hat Enterprise Linux 6 (/etc/sysctl.conf):
  net.ipv4.icmp_ignore_bogus_error_responses=1
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000093 - The system must ignore ICMPv4 bogus error responses.
Ignore ICMP ECHO and TIMESTAMP Requests
Configures the system to disregard ICMP ECHO or TIMESTAMP requests that were sent to broadcast or multicast addresses.
Ignoring these types of requests prevents your system from being part of a “smurf” attack. If your network is flooded with these types
of requests, you should try to identify the source before it creates a denial-of-service situation for systems that cannot be configured to
ignore these requests.
Table 5.14. ICMP Settings to Ignore Echo and Timestamp Requests
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 (/etc/sysctl.conf):
  net.ipv4.icmp_echo_ignore_broadcasts = 1
• Solaris 10 (/etc/default/ndd):
  ip_respond_to_echo_broadcast = 0
  ip_respond_to_echo_multicast = 0
  ip6_respond_to_echo_multicast = 0
  ip_respond_to_address_mask_broadcast = 0
  ip_respond_to_timestamp = 0
  ip_respond_to_timestamp_broadcast = 0
See the Solaris Tunable Parameters Reference Manual [6] and the Linux kernel’s networking variables/parameters (in the ipsysctl.txt file) for more information.
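The Linux modules in this chapter all come down to a handful of /etc/sysctl.conf values, so an auditor needs one check that reads the file the way sysctl(8) does and reports what is missing or wrong. The following Python audit is an added example, not the product's code: the required values are collected from Tables 5.4 through 5.14 and the Disable IP Forwarding module, and the sysctl.conf content is constructed.

```python
import os

# Linux /etc/sysctl.conf values this chapter's modules set (Tables 5.4 to 5.14 plus the
# net.ipv4.ip_forward parameter of the Disable IP Forwarding module). Remove ip_forward
# from the list when auditing a router or gateway, as that module's text says.
REQUIRED_SYSCTLS = {
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv6.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.proxy_arp": "0",
    "net.ipv4.conf.default.proxy_arp": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}

# Constructed sysctl.conf content (not from a real host): one value wrong, one key missing,
# plus two spellings sysctl(8) accepts that a naive grep would miss ("-key" and "net/ipv4/...").
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
-net.ipv4.icmp_ignore_bogus_error_responses = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.proxy_arp = 0
"""


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: 'key = value'; '#' or ';' comment lines; a leading '-'
    means 'ignore errors'; '/' may replace '.' in keys; the last assignment of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lstrip("-").replace("/", ".")
        settings[key] = value.strip()
    return settings


def audit(settings, required=REQUIRED_SYSCTLS):
    """Map each unsatisfied key to (expected, actual); actual is None when the key is absent."""
    return {k: (v, settings.get(k)) for k, v in required.items() if settings.get(k) != v}


def running_values(keys):
    """Read the live kernel values from /proc/sys (meaningful only on a Linux host)."""
    live = {}
    for key in keys:
        path = os.path.join("/proc/sys", *key.split("."))
        try:
            with open(path) as fh:
                live[key] = fh.read().strip()
        except OSError:
            live[key] = None
    return live


if __name__ == "__main__":
    for key, (expected, actual) in audit(parse_sysctl_conf(SAMPLE_SYSCTL_CONF)).items():
        print(f"{key}: expected {expected}, found {'missing' if actual is None else actual}")
```

Run audit(running_values(REQUIRED_SYSCTLS)) as well as the file check: a correct sysctl.conf only takes effect at boot or after sysctl -p, and a later script or network manager can change the live value.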
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.1 - Kernel TCP Stack Tuning
DISA Red Hat 5 STIG (v1R4)
• GEN003603 - The system must not respond to Internet Control Message Protocol v4 (ICMPv4) echoes sent to a broadcast address.
• GEN003604 - The system must not respond to Internet Control Message Protocol (ICMP) timestamp requests sent to a broadcast
address.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000092 - The system must not respond to ICMPv4 sent to a broadcast address.
DISA UNIX STIG (v5 R1.30)
• GEN003600 - Network Security Settings
NIST FISMA (SP 800-53)
• SC-5 - Denial of Service Protection
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Prohibit DHCP Client Dynamic DNS Updates
Verify that the /etc/dhclient*.conf files have the do-forward-updates option set to 'false'.
[6] Sun Microsystems. Solaris Tunable Parameters Reference Manual. Santa Clara, CA: Sun Microsystems Press, 2005.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN007850 - The DHCP client must not send dynamic DNS updates.
Set IP Strict Multihoming
Determines whether a packet arriving on a non-forwarding network interface can be accepted for an IP address that is not explicitly
configured on that interface. If ip_forwarding is enabled, or xxx:ip_forwarding for the appropriate interfaces is enabled,
then this parameter is ignored, because the packet is actually forwarded.
Use this module if a machine has interfaces that cross strict networking domains (for example, a firewall or a VPN node).
Table 5.15. IP Settings to Enable Strict Destination Multihoming
• Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11: Operating System Not Applicable
• Solaris 10 (/etc/default/ndd):
  ip_strict_dst_multihoming=1
See the Solaris Tunable Parameters Reference Manual [7] for more information.
Compliancy
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
[7] Sun Microsystems. Solaris Tunable Parameters Reference Manual. Santa Clara, CA: Sun Microsystems Press, 2005.
Chapter 6. Network Services
Configure Time Synchronization
Configures the Network Time Protocol (NTP) daemon to synchronize time. This module ensures the ntp.conf(5) configuration
file matches the contents provided, the NTP daemon is configured to start during system startup, and is currently running.
Time synchronization is critical to accurate logging and to correlating events. It is strongly recommended that you review the NTP daemon
documentation and use this module to deploy a consistent configuration across the enterprise.
The default installation of the NTP daemon software for many operating systems points to an external time source. If your machines
do not have Internet access, it is recommended to configure one or more of your own servers to function as time servers. You can then
use this module to configure other servers to point to your designated time servers.
Compliancy
CAG 20 Critical Security Controls (2.1)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA UNIX STIG (5 R1.23)
• GEN000240 - Network Time-Server
Disable DNS
Disables the Domain Name System (DNS) server, which translates between human-readable machine names and numerical IP addresses.
Most machines in an organization do not need a DNS server running. Unless this machine is one of the organization’s name servers, it
is safe to disable this service.
Operating Systems              Package    Service Names
Fedora 10, 11, 12, and 13      bind       named
Red Hat Enterprise Linux 4     bind       named
Red Hat Enterprise Linux 5     bind       named
Red Hat Enterprise Linux 6     bind       named
SUSE 10 and 11                 bind       named
Solaris 10                     SUNWbind   svc:/network/dns/server:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.14.1 - Disable DNS Server if Possible
NVD CCE
• CCE-3578-2
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Dhcpd
Dhcpd is a daemon that provides Dynamic Host Configuration Protocol (DHCP) address assignments.
IP address assignment will typically be handled by your network administrator, and the presence of a DHCP server on your network
can potentially cause a network failure. Disable this daemon unless it is otherwise required.
Operating Systems              Packages      Service Names
Fedora 10, 11, 12, and 13      dhcp          dhcpd
Red Hat Enterprise Linux 4     dhcp          dhcpd
Red Hat Enterprise Linux 5     dhcp          dhcpd
Red Hat Enterprise Linux 6     dhcp          dhcpd
Solaris 10                     SUNWdhcsr     svc:/network/dhcp-server:default
SUSE 10 and 11                 dhcp-server   dhcp
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.9.3 - Disable DHCP Server if Possible
NVD CCE
• CCE-4336-4
• CCE-4585-9
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Gated
Disables the gated service. This service manages routing protocols, but it is seldom deployed and is not part of the base operating
system installation.
It is recommended to apply this module. If the gated service must be used, apply the appropriate firewall settings with iptables(8),
apply appropriate patches, and document the configuration with the security officer.
Operating Systems              Packages   Service Names
Fedora 10, 11, 12, and 13      gated      gated
Red Hat Enterprise Linux 4     gated      gated
Red Hat Enterprise Linux 5     gated      gated
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra
                               Packages for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise
                               Linux Server (v. 6) subscription channel. This module looks for the same
                               packages and services as it does for Red Hat Enterprise Linux 5. If you have
                               identified specific packages and services, please contact the customer support
                               team at [email protected].
Solaris 10                     Not part of the standard Solaris distribution.
SUSE 10 and 11                 Not part of the standard SUSE distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Inetd
Disables Inetd, which is the Internet super-server daemon. It spawns a number of other servers, such as telnet and ftp.
The operating system base installation does not enable Inetd by default. Therefore, provided that additional services were not added
during post-installation, you can safely disable it. To see what Inetd-based services are on your system, look in the /etc/xinetd.d
directory. Typical legacy services include 'finger' and 'uucp'.
Operating Systems              Package    Service Names
Fedora 10, 11, 12, and 13      xinetd     xinetd
Red Hat Enterprise Linux 4     xinetd     xinetd
Red Hat Enterprise Linux 5     xinetd     xinetd
Red Hat Enterprise Linux 6     xinetd     xinetd
SUSE 10 and 11                 xinetd     xinetd
Solaris 10                     SUNWcsu    svc:/network/inetd:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000203 - The xinetd service must be disabled if no network services utilizing it are enabled.
DISA UNIX STIG (v5 R1.30)
• GEN003700 - Disable inetd/xinetd
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Innd
The Internet Network News daemon (Innd) handles all incoming NNTP feeds and coordinates the storage, retransmission, and
overview generation for all accepted articles.
Innd can waste bandwidth and presents a possible attack vector on your network. In a secure environment, machines running Innd
should be separated from machines that host critical services.
Operating Systems              Packages   Service Names
Fedora 10, 11, 12, and 13      inn        innd
Red Hat Enterprise Linux 4     inn        innd
Red Hat Enterprise Linux 5     inn        innd
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra
                               Packages for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise
                               Linux Server (v. 6) subscription channel. This module looks for the same
                               packages and services as it does for Red Hat Enterprise Linux 5. If you have
                               identified specific packages and services, please contact the customer support
                               team at [email protected].
Solaris 10                     Not part of the standard Solaris distribution.
SUSE 10 and 11                 inn        inn
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN006240 - The system must not run an Internet Network News (INN) server.
DISA UNIX STIG (v5 R1.30)
• GEN006240 - INN Documentation
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Network Analysis Tools
Disables network analysis tools by removing execution permissions. These include Wireshark®, tcpdump, and Ethereal®.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003865 - Network analysis tools must not be installed.
DISA UNIX STIG (v5 R1.30)
• GEN003865 - Network analysis tools enabled.
Disable Routed
Disables the routed service. This service dynamically updates the route table based on other machines on your network.
If this service must be used, apply appropriate firewall settings and patches and document the configuration with your security officer.
Operating Systems              Packages    Service Names
Fedora 10, 11, 12, and 13      routed      routed
Red Hat Enterprise Linux 4     routed      routed
Red Hat Enterprise Linux 5     routed      routed
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra
                               Packages for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise
                               Linux Server (v. 6) subscription channel. This module looks for the same
                               packages and services as it does for Red Hat Enterprise Linux 5. If you have
                               identified specific packages and services, please contact the customer support
                               team at [email protected].
SUSE 10 and 11                 routed      routed
Solaris 10                     SUNWroute   svc:/network/routing/route:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable XFS
Disables the X Window System font server (XFS) which supplies fonts to X Window System display servers.
WARNING: Graphical Desktop Users
If you plan on using your desktop’s browser, DO NOT APPLY this module.
If this module is not used, restrict access to at least TCP/7100.
Operating Systems              Package        Service Names
Fedora 10, 11, 12, and 13      xorg-x11-xfs   xfs
Red Hat Enterprise Linux 4     xorg-x11-xfs   xfs
Red Hat Enterprise Linux 5     xorg-x11-xfs   xfs
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra
                               Packages for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise
                               Linux Server (v. 6) subscription channel. This module looks for the same
                               packages and services as it does for Red Hat Enterprise Linux 5. If you have
                               identified specific packages and services, please contact the customer support
                               team at [email protected].
Solaris 10                     SUNWxwfs       svc:/application/x11/xfs:default
SUSE 10 and 11                 xorg-x11       xfs
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.6.1.3.1 - Disable X Font Server
NVD CCE
• CCE-4448-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Chapter 7. File Sharing Services
Deny NFS Client Access Without UID or GID
Denies NFS client access without UID or GID by setting the NFS export options to change the UID and GID of the anonymous
account to “nfsnobody”.
Operating Systems              Configuration Files   Setting
Fedora 10, 11, 12, and 13      /etc/exports          Ensures all anonuid and anongid export options are
Red Hat Enterprise Linux 4     /etc/exports          set to -1, 60001, 65534, or 65535.
Red Hat Enterprise Linux 5     /etc/exports
Red Hat Enterprise Linux 6     /etc/exports
SUSE 10 and 11                 /etc/exports
Solaris 10                     /etc/dfs/dfstab       Ensures all anon export options are set to -1, 60001,
                                                     65534, or 65535.
On Solaris systems, this module will also report a failure if the share(1M) command is not provided as the absolute path
/usr/sbin/share.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005820 - The Network File System (NFS) anonymous UID and GID must be configured to values without permissions.
DISA UNIX STIG (v5 R1.30)
• GEN005820 - Deny NFS Client Access Without Userid
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
Disable File Sharing Networks
Peer-to-peer transfer services allow for the anonymous transfer of files. If not configured correctly, your system files may become
writable. This module will disable the executables and connection daemons for most of the file sharing networks available to Linux.
This module searches for the following executables in most standard directories: apollon, bittorrent, bittorrentconsole,
bittorrent-curses, giftd, gift-gnutella, gift-setup, gtk-gnutella, LimeWire.jar, mlbt, mldc, mldonkey, mlgnut, mlslsk, nap, napping,
and qtella. If found, the permissions will be set to 000.
Some of the clients for file sharing networks that run on Windows® will also work on Linux if launched using Wine. It is suggested
that unless Wine is necessary for your environment, it should be disabled.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN006040 - The system must not have any peer-to-peer file-sharing application installed.
DISA UNIX STIG (v5 R1.30)
• GEN006040 - Peer-to-Peer Application Authorization with DAA
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
PCI DSS (v2.0)
• 2.2.2 - Disable all unnecessary and insecure services
Disable Fspd
Disables the fspd daemon. If fspd is installed, this module removes all permissions from the executable so that it cannot be run.
Fspd is the server for an anonymous FTP style archive called File Service Protocol (FSP). Anonymous style file transfer services do
not meet normal security constraints and allow for potential data leaks.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; Solaris 10; SUSE 10 and 11
Executable File: Change permissions of any of the following to 000 (non-executable):
    /bin/fspd
    /sbin/fspd
    /usr/bin/fspd
    /usr/sbin/fspd
    /usr/local/bin/fspd
    /usr/sfw/bin/fspd
    /usr/local/sbin/fspd
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA UNIX STIG (v5 R1.30)
• GEN005060 - FSP Is Enabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2.2 - Disable all unnecessary and insecure services
Disable NFS Client
Disables the NFS client. NFS is a file system exported by remote servers. This module prevents the client from accessing network
file systems shared by remote servers.
NFS is frequently exploited to gain unauthorized access to files and systems. Unless there is a specific need for NFS, it is
recommended to disable it.
Operating Systems              Packages              Service Names
Fedora 10, 11, 12, and 13      nfs-utils & autofs    nfslock & autofs
Red Hat Enterprise Linux 4     nfs-utils & autofs    nfslock & autofs
Red Hat Enterprise Linux 5     nfs-utils & autofs    nfslock & autofs
Red Hat Enterprise Linux 6     nfs-utils & autofs    nfslock & autofs
Solaris 10                     SUNWnfscr             svc:/network/nfs/client:default
                                                     svc:/network/nfs/status:default
                                                     svc:/network/nfs/nlockmgr:default
                                                     svc:/network/nfs/rquota:default
                                                     svc:/system/filesystem/autofs:default
SUSE 10                        nfs-utils & autofs    nfs & autofs
SUSE 11                        nfs-client & autofs   nfs & autofs
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.2.3 - Disable the Automounter if Possible
• 3.13.1.1 - Disable Services Used Only by NFS
• 3.13.3.1 - Disable NFS Server Daemons
NVD CCE
• CCE-4072-5
• CCE-4359-6
• CCE-4396-6
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable NFS Server
Disables the NFS server. NFS is a file system exported by remote servers. This module prevents the server from exporting its file
systems to remote clients.
NFS is frequently exploited to gain unauthorized access to files and systems. Unless there is a specific need for NFS, it is
recommended to disable it.
Operating Systems              Package             Service Names
Fedora 10, 11, 12, and 13      nfs-utils           nfs
Red Hat Enterprise Linux 4     nfs-utils           nfs
Red Hat Enterprise Linux 5     nfs-utils           nfs
Red Hat Enterprise Linux 6     nfs-utils           nfs
Solaris 10                     SUNWnfssr           svc:/network/nfs/mapid:default
                                                   svc:/network/nfs/cbd:default
                                                   svc:/network/nfs/server:default
SUSE 10                        nfs-kernel-server   nfsserver
openSUSE 10                    nfs-kernel-server   nfsserver
SUSE 11                        nfs-kernel-server   nfsserver
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
• 6.9.1 - Disable NFS When Not Required
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4473-5
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable NetFS
Disables the NetFS functionality, which encapsulates NFS, Novell® Netware, and Windows file sharing services.
If network file sharing functionality is not needed, the NetFS functionality can safely be disabled. Although NetFS is not a persistent
daemon, deactivating these protocols makes the system much easier to audit.
Operating Systems              Service Names
Fedora 10, 11, 12, and 13      netfs
Red Hat Enterprise Linux 4     netfs
Red Hat Enterprise Linux 5     netfs
Red Hat Enterprise Linux 6     netfs
SUSE 10 and 11                 netfs
Solaris 10                     Not part of the standard Solaris distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.13.1.2 - Disable netfs if Possible
NVD CCE
• CCE-4533-6
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable SMB
Disables SMB, which is the Windows file sharing protocol. The SMB server provides file and print services to Windows-based
systems.
Operating Systems              Packages    Service Names
Fedora 10, 11, 12, and 13      samba       smb
Red Hat Enterprise Linux 4     samba       smb
Red Hat Enterprise Linux 5     samba       smb
Red Hat Enterprise Linux 6     samba       smb
SUSE 10 and 11                 samba       smb
Solaris 10                     SUNWsmbar   svc:/network/samba:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN006060 - The system must not run Samba unless needed.
DISA UNIX STIG (v5 R1.30)
• GEN006060 - Samba is Enabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.18.1 - Disable Samba if Possible
NVD CCE
• CCE-4517-9
• CCE-4551-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable rpc.ugidd
Disables the rpc.ugidd service if it is installed. This service performs user and group identification matching for NFS servers.
rpc.ugidd is currently not available for a Red Hat Enterprise Linux environment and must be built from source.
Operating Systems              Packages    Service Names
Fedora 10, 11, 12, and 13      rpc.ugidd   rpc.ugidd
Red Hat Enterprise Linux 4     rpc.ugidd   rpc.ugidd
Red Hat Enterprise Linux 5     rpc.ugidd   rpc.ugidd
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra Packages
                               for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6)
                               subscription channel. This module looks for the same packages and services as it does
                               for Red Hat Enterprise Linux 5. If you have identified specific packages and services,
                               please contact the customer support team at [email protected].
SUSE 10 and 11                 rpc.ugidd   rpc.ugidd
Solaris 10                     Not part of the standard Solaris distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA UNIX STIG (v5 R1.30)
• LNX00300 - The rpc.ugidd Daemon is Enabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
Remove Insecure_Locks Option for NFS Server
Searches for exported filesystems that have the insecure_locks option set in the configuration file and removes the option.
Operating Systems              Configuration Files   Setting
Fedora 10, 11, 12, and 13      /etc/exports          Removes any insecure_locks export options.
Red Hat Enterprise Linux 4     /etc/exports          Removes any insecure_locks export options.
Red Hat Enterprise Linux 5     /etc/exports          Removes any insecure_locks export options.
Red Hat Enterprise Linux 6     /etc/exports          Removes any insecure_locks export options.
SUSE 10 and 11                 /etc/exports          Removes any insecure_locks export options.
Solaris 10                     Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.9.2 - Restrict NFS to Privileged Ports
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00560 - The Linux NFS Server must not have the insecure file locking option.
DISA UNIX STIG (v5 R1.30)
• LNX00560 - The insecure_locks Option
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NVD CCE
• CCE-3857-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Remove SMB Guest Authentication
Disables support for guest access to Samba shares and printers.
Setting the guest ok flag on a resource declared in the smb.conf file allows any user who can see the resource to access it
without authenticating. This introduces significant security risk. It is recommended to apply this module, which removes the flag.
Operating Systems              Package        Configuration Files   Setting
Fedora 10, 11, 12, and 13      samba-common   /etc/samba/smb.conf   Remove guest ok from resources.
Red Hat Enterprise Linux 4     samba-common   /etc/samba/smb.conf   Remove guest ok from resources.
Red Hat Enterprise Linux 5     samba-common   /etc/samba/smb.conf   Remove guest ok from resources.
Red Hat Enterprise Linux 6     samba-common   /etc/samba/smb.conf   Remove guest ok from resources.
SUSE 10 and 11                 samba-common   /etc/samba/smb.conf   Remove guest ok from resources.
Solaris 10                     SUNWsmbar      /etc/sfw/smb.conf     Remove guest ok from resources.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN006235 - Samba must be configured to not allow guest access to shares.
DISA UNIX STIG (v5 R1.30)
• GEN006220 - smb.conf Configuration
NIST FISMA (SP 800-53)
• AC-14 - Permitted Actions w/o Identification or Authentication
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
SMB Configuration
Checks for recommended global Samba (SMB) configuration settings. Samba provides the SMB file sharing protocol used by Windows
machines. Unless it is necessary for your environment, it should be turned off using the “Disable SMB” module.
Operating Systems              Package        Configuration Files
Fedora 10, 11, 12, and 13      samba-common   /etc/samba/smb.conf
Red Hat Enterprise Linux 4     samba-common   /etc/samba/smb.conf
Red Hat Enterprise Linux 5     samba-common   /etc/samba/smb.conf
Red Hat Enterprise Linux 6     samba-common   /etc/samba/smb.conf
SUSE 10 and 11                 samba          /etc/samba/smb.conf
Solaris 10                     SUNWsmbar      /etc/sfw/smb.conf
Settings
[global]
guest ok = no
security = user
smb passwd file = /etc/samba/passwd
encrypt passwords = yes
client lanman auth = no
client ntlmv2 auth = yes
server signing = mandatory
client signing = mandatory
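As an added example (not code from the guide or from the Security Blanket product), the following Python script checks a smb.conf against the [global] values listed in the Settings table above and also reports shares that still carry the guest ok flag, which is what the “Remove SMB Guest Authentication” module removes. The sample smb.conf is constructed for the example, and the function names are my own; the only Samba facts assumed are that “public” is a synonym for “guest ok”, that boolean values may be written yes/no, true/false or 1/0, and that the compiled-in default for guest ok is no.

```python
"""Check smb.conf against the [global] values the "SMB Configuration" module
lists and find shares that still allow guest access ("Remove SMB Guest
Authentication"). Added example, not Security Blanket code; sample constructed."""
import re

# Recommended [global] values from the module's Settings table.
RECOMMENDED_GLOBAL = {
    "guest ok": "no",
    "security": "user",
    "smb passwd file": "/etc/samba/passwd",
    "encrypt passwords": "yes",
    "client lanman auth": "no",
    "client ntlmv2 auth": "yes",
    "server signing": "mandatory",
    "client signing": "mandatory",
}
GUEST_KEYS = ("guest ok", "public")        # Samba accepts "public" as a synonym
SECTION_RE = re.compile(r"^\[(.+)\]$")


def _norm_key(key):
    """Samba parameter names are case-insensitive and ignore extra whitespace."""
    return " ".join(key.lower().split())


def _norm_value(key, value):
    """Map yes/true/1 and no/false/0 to yes/no; compare other values
    case-insensitively, except file names, which are kept as written."""
    v = value.strip()
    low = v.lower()
    if low in ("yes", "true", "1"):
        return "yes"
    if low in ("no", "false", "0"):
        return "no"
    return v if key.endswith(" file") else low


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][_norm_key(key)] = value.strip()
    return sections


def global_findings(sections):
    """[(key, expected, actual)] for recommended settings missing from [global]
    or set differently; missing ones are reported so the verdict does not
    rest on Samba's compiled-in defaults."""
    g = sections.get("global", {})
    return [(key, expected, g.get(key)) for key, expected in RECOMMENDED_GLOBAL.items()
            if g.get(key) is None or _norm_value(key, g[key]) != expected]


def guest_shares(sections):
    """Names of non-[global] sections that allow guest access."""
    return sorted(name for name, conf in sections.items() if name != "global"
                  and any(_norm_value(k, conf[k]) == "yes" for k in GUEST_KEYS if k in conf))


def remove_guest_ok(text):
    """Drop guest ok / public lines from share sections, as the module does;
    [global] is untouched so an explicit "guest ok = no" there survives.
    Samba's built-in default for the flag is no."""
    out, in_global = [], False
    for raw in text.splitlines():
        s = raw.strip()
        m = SECTION_RE.match(s)
        if m:
            in_global = m.group(1).strip().lower() == "global"
        elif (not in_global and "=" in s and not s.startswith(("#", ";"))
              and _norm_key(s.partition("=")[0]) in GUEST_KEYS):
            continue
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample (not from any real system).
SAMPLE_SMB_CONF = """\
# constructed sample smb.conf
[global]
   workgroup = EXAMPLE
   security = share
   encrypt passwords = yes
   client lanman auth = yes
   server signing = auto
   client signing = mandatory
[public]
   path = /srv/public
   guest ok = yes
[homes]
   browseable = no
   public = no
"""
```

Running `global_findings(parse_smb_conf(open("/etc/samba/smb.conf").read()))` lists every recommended parameter that is absent or differs, and `guest_shares` names the resources that would fail the guest-access check; `remove_guest_ok` returns the cleaned text for you to write back after review.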
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN006220 - The smb.conf file must use the "hosts" option to restrict access to Samba.
• GEN006225 - Samba must be configured to use an authentication mechanism other than "share."
• GEN006230 - Samba must be configured to use encrypted passwords.
• GEN006235 - Samba must be configured to not allow guest access to shares.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000272 - The system must use SMB client signing for connecting to samba servers using smbclient.
DISA UNIX STIG (v5 R1.30)
• GEN006220 - smb.conf Configuration
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.18.2.10 - Require Client SMB Packet Signing
• 3.18.2.2.1 - Use user Security for Servers Not in a Domain Context
• 3.18.2.3 - Disable Guest Access and Local Login Support
• 3.18.2.5 - Set the Allowed Authentication Negotiation Levels
• 3.18.2.9 - Require Server SMB Packet Signing
Secure Option for NFS Server
This module searches for NFS-exported filesystems that have the insecure option set in the configuration file, and replaces the
option with secure.
Using the secure option causes the NFS server to ignore NFS client requests that do not originate from the privileged port
range (ports less than 1024). This should not hinder normal NFS operations but may block automated NFS attacks that are run by
unprivileged users.
Operating Systems              Configuration Files   Setting
Fedora 10, 11, 12, and 13      /etc/exports          Replace any insecure export options with secure.
Red Hat Enterprise Linux 4     /etc/exports          Replace any insecure export options with secure.
Red Hat Enterprise Linux 5     /etc/exports          Replace any insecure export options with secure.
Red Hat Enterprise Linux 6     /etc/exports          Replace any insecure export options with secure.
SUSE 10 and 11                 /etc/exports          Replace any insecure export options with secure.
Solaris 10                     Operating System Not Applicable
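As an added example (not code from the guide or from Security Blanket), the following Python script performs the export-option checks that three of this chapter's modules describe: the anonuid/anongid audit of “Deny NFS Client Access Without UID or GID” (for /etc/exports and, via the anon= option, a Solaris /etc/dfs/dfstab), the removal of insecure_locks from “Remove Insecure_Locks Option for NFS Server”, and the insecure-to-secure replacement of “Secure Option for NFS Server”. The sample exports and dfstab contents are constructed, the function names are my own, and the only assumption beyond the page is that exports(5) accepts no_auth_nlm as another spelling of insecure_locks.

```python
"""Audit /etc/exports (Linux) and /etc/dfs/dfstab (Solaris) for the export
options covered by the guide's NFS server modules. Added example, not part
of Security Blanket; the sample files below are constructed."""
import re

# Anonymous UID/GID values the "Deny NFS Client Access Without UID or GID"
# module accepts: -1 (no mapping) and the nobody/nfsnobody ids.
ALLOWED_ANON_IDS = {"-1", "60001", "65534", "65535"}
# exports(5) also spells insecure_locks as no_auth_nlm; treat both alike.
INSECURE_LOCK_OPTS = {"insecure_locks", "no_auth_nlm"}


def parse_exports(text):
    """Return [(lineno, path, [(client, [option, ...]), ...]), ...].
    Comment and blank lines are skipped; a client written without a
    parenthesised option list gets an empty list."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts, clients = line.split(), []
        for spec in parts[1:]:
            m = re.match(r"^([^(]*)(?:\(([^)]*)\))?$", spec)
            if not m:
                continue                      # malformed, e.g. unbalanced "("
            host = m.group(1) or "*"          # "(rw)" alone applies to every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((host, opts))
        entries.append((lineno, parts[0], clients))
    return entries


def anon_id_findings(exports_text):
    """Linux: (lineno, path, client, option) for anonuid/anongid values
    outside ALLOWED_ANON_IDS."""
    findings = []
    for lineno, path, clients in parse_exports(exports_text):
        for host, opts in clients:
            for opt in opts:
                key, _, val = opt.partition("=")
                if key in ("anonuid", "anongid") and val not in ALLOWED_ANON_IDS:
                    findings.append((lineno, path, host, opt))
    return findings


def dfstab_anon_findings(dfstab_text):
    """Solaris: (lineno, option) for share(1M) lines whose -o list sets anon=
    to a value outside ALLOWED_ANON_IDS."""
    findings = []
    for lineno, raw in enumerate(dfstab_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not re.match(r"^(?:/usr/sbin/)?share\b", line):
            continue
        m = re.search(r"(?:^|\s)-o\s+(\S+)", line)
        for opt in (m.group(1).split(",") if m else []):
            key, _, val = opt.partition("=")
            if key == "anon" and val not in ALLOWED_ANON_IDS:
                findings.append((lineno, opt))
    return findings


def harden_exports(exports_text):
    """Return the exports text with insecure_locks removed and insecure replaced
    by secure in every option list; comments and spacing are preserved."""

    def fix_options(match):
        kept = []
        for opt in match.group(1).split(","):
            if opt and opt not in INSECURE_LOCK_OPTS:
                kept.append("secure" if opt == "insecure" else opt)
        return "(" + ",".join(kept) + ")" if kept else ""

    out = []
    for raw in exports_text.splitlines():
        code, sep, comment = raw.partition("#")
        out.append(re.sub(r"\(([^)]*)\)", fix_options, code) + sep + comment)
    return "\n".join(out) + ("\n" if exports_text.endswith("\n") else "")


# Constructed sample files (not taken from any real system).
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/export/home  10.0.0.0/24(rw,sync,anonuid=65534,anongid=65534)
/export/data  client1.example(rw,insecure,insecure_locks) client2.example(ro,anonuid=0)
/export/pub   *(ro,insecure)   # anonymous read-only tree
"""
SAMPLE_DFSTAB = """\
# constructed sample /etc/dfs/dfstab
share -F nfs -o rw,anon=65534 -d "home dirs" /export/home
/usr/sbin/share -F nfs -o ro,anon=0 /export/pub
"""

if __name__ == "__main__":
    print("exports findings:", anon_id_findings(SAMPLE_EXPORTS))
    print("dfstab findings: ", dfstab_anon_findings(SAMPLE_DFSTAB))
    print(harden_exports(SAMPLE_EXPORTS), end="")
```

The audit functions only report; `harden_exports` returns the rewritten text so the change can be reviewed (and `exportfs -ra` run) before it is written back. Note that anonuid/anongid values are deliberately left alone by the rewrite, since the correct anonymous account differs between distributions.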
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.9.2 - Restrict NFS to Privileged Ports
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000309 - The NFS server must not have the insecure file locking option enabled.
DISA UNIX STIG (v5 R1.30)
• LNX00540 - The insecure Option
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.13.4.1.3 - Restrict NFS Clients to Privileged Ports
NVD CCE
• CCE-4465-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Chapter 8. File Transfer Services
Create ftpusers File
If the FTP software package is installed, this module creates the ftpusers access control file if it does not exist. It then adds the
root user and all system users to this file. The file contains the usernames of users who are NOT allowed to use FTP on the system. If
the file already exists, this module leaves the existing entries in place and adds any missing system accounts.
For Linux systems, this module will add all user accounts with a UID less than 100; for Solaris systems, all accounts with a UID less
than 500. Additionally, the 'nfsnobody', 'nobody', 'nobody4', and 'noaccess' accounts will be added.
If FTP is not used, it is recommended that the associated software package be removed. However, SUSE system administrators must
not remove the 'netcfg' package; instead remove the 'vsftpd' package.
Operating Systems              Packages   Configuration File
Fedora 10, 11, 12, and 13      vsftpd     /etc/ftpusers
Red Hat Enterprise Linux 4     vsftpd     /etc/ftpusers
Red Hat Enterprise Linux 5     vsftpd     /etc/ftpusers
Red Hat Enterprise Linux 6     vsftpd     /etc/ftpusers
SUSE 10 and 11                 netcfg     /etc/vsftpd.ftpusers
Solaris 10                     SUNWftpr   /etc/ftpd/ftpusers
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN004880 - The ftpusers file must exist.
• GEN004900 - The ftpusers file must contain account names not allowed to use FTP.
DISA UNIX STIG (v5 R1.30)
• GEN004780 - FTP or Telnet Userids and Passwords
• GEN004880 - The ftpusers File
• GEN004900 - The ftpusers File Contents
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
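One way to compute the ftpusers content the Create ftpusers File module describes, as an added example that is not Security Blanket code: the per-OS UID thresholds and the fixed account names come from the text above, while the passwd and ftpusers contents and the os_family labels are constructed here.

```python
"""Build the ftpusers deny list the way the "Create ftpusers File" module describes it.

Added example, not Security Blanket code. The passwd and ftpusers contents below are
constructed inline so the script runs offline; the os_family names are this example's own.
"""

UID_THRESHOLD = {"linux": 100, "solaris": 500}          # system-account cut-off per OS
ALWAYS_DENIED = ("nfsnobody", "nobody", "nobody4", "noaccess")


def parse_passwd(text):
    """Return {username: uid} from passwd(5) text, skipping blank, comment or short lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return users


def required_entries(passwd_text, os_family):
    """Accounts the module denies: root, every UID below the OS threshold, and the fixed names."""
    threshold = UID_THRESHOLD[os_family]
    names = {"root", *ALWAYS_DENIED}
    names.update(user for user, uid in parse_passwd(passwd_text).items() if uid < threshold)
    return names


def missing_entries(existing_text, passwd_text, os_family):
    """Required names not yet listed in the current ftpusers content (None = file absent)."""
    present = set()
    for line in (existing_text or "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            present.add(line)
    return sorted(required_entries(passwd_text, os_family) - present)


def merge_ftpusers(existing_text, passwd_text, os_family):
    """New ftpusers content: existing lines kept verbatim, missing names appended."""
    lines = (existing_text or "").splitlines()
    lines += missing_entries(existing_text, passwd_text, os_family)
    return "\n".join(lines) + "\n"


# Constructed sample input: a trimmed /etc/passwd with one account at UID 200,
# which is a system account on Solaris (< 500) but not on Linux (< 100).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webapp:x:200:200:application service account:/srv/webapp:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

# Constructed sample of an ftpusers file an administrator already maintains.
SAMPLE_FTPUSERS = "root\nbin\n# added by local admin\n"

if __name__ == "__main__":
    print(merge_ftpusers(SAMPLE_FTPUSERS, SAMPLE_PASSWD, "linux"))
```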
Disable FTP (gssftp)
Disables gssftp, which is an FTP server provided with the Kerberos Workstation package. FTP is an unencrypted protocol and
should be replaced with SSH-based file-transfer mechanisms such as scp(1) and sftp(1) when possible.
Replacing FTP with SSH file transfer mechanisms is strongly recommended.
Operating Systems              Packages           Service Name or Configuration File
Fedora 10, 11, 12, and 13      krb5-workstation   Set disable=yes in /etc/xinetd.d/gssftp
Red Hat Enterprise Linux 4     krb5-workstation   Set disable=yes in /etc/xinetd.d/gssftp
Red Hat Enterprise Linux 5     krb5-workstation   Set disable=yes in /etc/xinetd.d/gssftp
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra Packages
                               for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6)
                               subscription channel. This module looks for the same packages and services as it does
                               for Red Hat Enterprise Linux 5. If you have identified specific packages and services,
                               please contact the customer support team at [email protected].
Solaris 10                     Not part of the standard Solaris distribution.
SUSE 10 and 11                 Not part of the standard SUSE distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NIST FISMA (SP 800-53)
• AC-17 - Remote Access
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable FTP (vsftpd)
Disables vsftpd, which is an FTP server. FTP is an unencrypted protocol and should be replaced with SSH-based file-transfer
mechanisms such as scp(1) and sftp(1) when possible.
Replacing FTP with SSH file transfer mechanisms is strongly recommended.
Operating Systems              Package    Service Names
Fedora 10, 11, 12, and 13      vsftpd     vsftpd
Red Hat Enterprise Linux 4     vsftpd     vsftpd
Red Hat Enterprise Linux 5     vsftpd     vsftpd
Red Hat Enterprise Linux 6     vsftpd     vsftpd
SUSE 10 and 11                 vsftpd     vsftpd
Solaris 10                     Not part of the standard Solaris distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN004800 - Unencrypted FTP must not be used on the system.
DISA UNIX STIG (v5 R1.30)
• GEN004800 - Unencrypted FTP or Telnet
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NIST FISMA (SP 800-53)
• AC-17 - Remote Access
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.15.1 - Disable vsftpd if Possible
NVD CCE
• CCE-3919-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable TFTP
Disables TFTP, which is typically used for network booting of diskless workstations, X-terminals, and other remote devices.
Unless this system will be used in this type of role, always disable TFTP.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000223 - The TFTP service must not be running.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.2.5 - TFTP Server
NVD CCE
• CCE-4273-9
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable UUCP
Disables the Unix-to-Unix Copy (UUCP) service. This is a utility and protocol that enables one computer to send files to another
computer over a direct serial connection or via modems and the telephone system.
This service is not part of the base operating system installation. For most file transfer applications, UUCP has been superseded by
other protocols, such as SSH, FTP, SMTP and NNTP.
Operating Systems              Packages        Service Name and Configuration
Fedora 10, 11, 12, and 13      xinetd & uucp   Set disable = yes in /etc/xinetd.d/uucp
Red Hat Enterprise Linux 4     xinetd & uucp   Set disable = yes in /etc/xinetd.d/uucp
Red Hat Enterprise Linux 5     xinetd & uucp   Set disable = yes in /etc/xinetd.d/uucp
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra Packages
                               for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6)
                               subscription channel. This module looks for the same packages and services as it does
                               for Red Hat Enterprise Linux 5. If you have identified specific packages and services,
                               please contact the customer support team at [email protected].
SUSE 10 and 11                 xinetd & uucp   Set disable = yes in /etc/xinetd.d/uucp
Solaris 10                     SUNWbnuu        svc:/network/uucp:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN005280 - The system must not have the UUCP service active.
DISA UNIX STIG (v5 R1.30)
• GEN005280 - Disable UUCP
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Remove ftp Account
Removes the ftp account from /etc/passwd.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000290-4 - The system must not have the unnecessary "ftp" account.
• GEN004820 - Anonymous FTP must not be active on the system unless authorized.
DISA UNIX STIG (v5 R1.30)
• GEN004820 - Anonymous FTP
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.2.1 - Remove, disable, or rename factory default accounts
NIST FISMA (SP 800-53)
• AC-2 - Account Management
PCI DSS (v2.0)
• 2.2.4 - Remove all unnecessary functionality
Set FTP Umask (gssftp)
Sets the default umask on the GSS FTP server to 077, which applies to files uploaded by users. This prevents other users from
reading or writing those files.
If an FTP server is not needed, it is recommended to disable this service.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005040 - All FTP users must have a default umask of 077.
DISA UNIX STIG (v5 R1.30)
• GEN005040 - FTP User's umask
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
Set TFTP Startup Directory
Sets the TFTP startup directory to /tftpboot for incoming connections.
On Linux systems, this module checks the /etc/xinetd.d/tftp file to ensure that the server_args parameter includes the -s flag.
Note that while a valid directory should be given as the argument, it is not required by the module. If -s does not exist, or no
directory is provided, these fields are added when the module is applied.
On Solaris systems, this module ensures that TFTP’s inetd_start/exec service property includes the -s /tftpboot
argument. This is done using the svcprop(1) command.
This is the default configuration. If TFTP is not needed, it is recommended to use Security Blanket’s “Disable TFTP” module to
disable the TFTP service.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005080 - The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file
system.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000338 - The TFTP daemon must operate in secure mode which provides access only to a single directory on the host
file system.
DISA UNIX STIG (v5 R1.30)
• GEN005080 - TFTP Secure Mode
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
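The Linux check described in the Set TFTP Startup Directory module, as an added example rather than the module's own code: it inspects the server_args line of an xinetd tftp entry for -s and a directory, and repairs it the way the text says the module does when applied. The xinetd entries are constructed inline.

```python
"""Check and repair TFTP secure mode in an xinetd service file, as the
"Set TFTP Startup Directory" module describes for Linux.

Added example, not Security Blanket code. The xinetd entries below are constructed
inline; /tftpboot is the directory the module uses.
"""
import re
import shlex

TFTP_ROOT = "/tftpboot"
SERVER_ARGS_RE = re.compile(r"^(\s*server_args\s*=\s*)(.*)$")


def tftp_secure_mode_status(conf_text):
    """Return (has_s_flag, directory) for the entry's server_args line.

    directory is None when -s is absent or has no directory argument after it.
    """
    for line in conf_text.splitlines():
        m = SERVER_ARGS_RE.match(line)
        if not m:
            continue
        args = shlex.split(m.group(2))
        if "-s" not in args:
            return False, None
        i = args.index("-s")
        if i + 1 < len(args) and not args[i + 1].startswith("-"):
            return True, args[i + 1]
        return True, None
    return False, None


def ensure_secure_mode(conf_text, root=TFTP_ROOT):
    """Return conf text whose server_args carries '-s <root>'.

    Adds -s and the directory when missing, adds only the directory when -s is
    present without one, and inserts a server_args line before the closing brace
    when the entry has none. Already-compliant text comes back unchanged.
    """
    out = []
    seen = False
    for line in conf_text.splitlines():
        m = SERVER_ARGS_RE.match(line)
        if m and not seen:
            seen = True
            args = shlex.split(m.group(2))
            if "-s" not in args:
                args += ["-s", root]
            else:
                i = args.index("-s")
                if i + 1 >= len(args) or args[i + 1].startswith("-"):
                    args.insert(i + 1, root)
            line = m.group(1) + " ".join(args)
        out.append(line)
    if not seen:
        for idx in range(len(out) - 1, -1, -1):
            if out[idx].strip() == "}":
                out.insert(idx, f"        server_args             = -s {root}")
                break
        else:
            out.append(f"server_args = -s {root}")
    return "\n".join(out) + "\n"


def _entry(server_args_line):
    """Build a constructed /etc/xinetd.d/tftp entry around one (or no) server_args line."""
    body = [
        "service tftp",
        "{",
        "        socket_type             = dgram",
        "        protocol                = udp",
        "        wait                    = yes",
        "        user                    = root",
        "        server                  = /usr/sbin/in.tftpd",
    ]
    if server_args_line is not None:
        body.append("        server_args             = " + server_args_line)
    body += ["        disable                 = no", "}"]
    return "\n".join(body) + "\n"


SAMPLE_SECURE = _entry("-s /var/lib/tftpboot")   # compliant: -s with a directory
SAMPLE_NO_FLAG = _entry("-v")                     # -s missing entirely
SAMPLE_FLAG_ONLY = _entry("-s")                   # -s without a directory
SAMPLE_NO_ARGS = _entry(None)                     # no server_args line at all

if __name__ == "__main__":
    for name, text in [("secure", SAMPLE_SECURE), ("no_flag", SAMPLE_NO_FLAG),
                       ("flag_only", SAMPLE_FLAG_ONLY), ("no_args", SAMPLE_NO_ARGS)]:
        print(name, tftp_secure_mode_status(text), "->",
              tftp_secure_mode_status(ensure_secure_mode(text)))
```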
Chapter 9. Electronic Mail Services
Configure Sendmail Options
Sets various Sendmail options: masks its version, enforces privacy (noexpn and novrfy), disables interactive help, ensures the log
level is at least nine, and prevents sendmail from finding and using $HOME/.forward files.
This module sets the privacy options and the log level to the defaults.
Operating Systems              Configuration Files
Fedora 10, 11, 12, and 13      /etc/mail/sendmail.cf
Red Hat Enterprise Linux 4     /etc/mail/sendmail.cf
Red Hat Enterprise Linux 5     /etc/mail/sendmail.cf
Red Hat Enterprise Linux 6     /etc/mail/sendmail.cf
Solaris 10                     /etc/sendmail.cf
SUSE 10 and 11                 /etc/sendmail.cf
The following options will be set in the respective configuration file:
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
O LogLevel=9
O ForwardPath=/dev/null
O AllowBogusHELO=False
O SmtpGreetingMessage=Mail Server Ready ; $b
NOTE: The DISA UNIX STIG (GEN004580) requests the removal of each user’s .forward file. However, this module sets the
ForwardPath option to /dev/null to prevent Sendmail from finding them. Individual .forward files should be manually
removed to satisfy auditors.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.9.4 - Change Sendmail Greeting
• 8.9.5 - Disable expand and verify Commands
• 8.9.6 - Enhance Sendmail Logging
• 8.9.7 - Ignore Bogus SMTP Connections
DISA Red Hat 5 STIG (v1R4)
• GEN004440 - Sendmail logging must not be set to less than nine in the sendmail.cf file.
• GEN004560 - The SMTP service's SMTP greeting must not provide version information.
• GEN004580 - The system must not use .forward files.
• GEN004620 - The sendmail server must have the debug feature disabled.
• GEN004660 - The SMTP service must not have the EXPN feature active.
• GEN004680 - The SMTP service must not have the Verify (VRFY) feature active.
DISA UNIX STIG (v5 R1.30)
• GEN004440 - Sendmail Logging
• GEN004560 - Sendmail Greeting to Mask Version
• GEN004580 - .forward Files
• GEN004620 - Sendmail DEBUG Command
• GEN004660 - Sendmail EXPN Command
• GEN004680 - Sendmail VRFY Command
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.11.3.2 - Configure SMTP Greeting Banner
• 3.11.5.2 - Configure SMTP Greeting Banner
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Disable Mail (Cyrus Mail Server)
Disables Cyrus, which is a mail server that provides IMAP, POP3, and KPOP support. IMAPS/POP3S/NNTPS support (IMAP/POP3/NNTP
encrypted using SSL) can be used for security.
IMAP and POP3 are unencrypted mail protocols and their use is not recommended. If this machine needs to serve mail to remote mail
clients, Cyrus can be used to support encrypted versions of these protocols. If this machine does not need to serve mail, then disable
this service.
Operating Systems              Package       Service Names
Fedora 10, 11, 12, and 13      cyrus-imapd   cyrus-imapd
Red Hat Enterprise Linux 4     cyrus-imapd   cyrus-imapd
Red Hat Enterprise Linux 5     cyrus-imapd   cyrus-imapd
Red Hat Enterprise Linux 6     cyrus-imapd   cyrus-imapd
Solaris 10                     Not part of the standard Solaris distribution.
SUSE 10 and 11                 cyrus-imapd   cyrus
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Mail (Dovecot Mail Server)
Disables Dovecot, which is a mail server written primarily with security in mind. It provides IMAP and POP3 support. The IMAPS
and POP3S support (IMAP and POP3 encrypted using SSL) can be used for security.
IMAP and POP3 are unencrypted mail protocols and their use is not recommended. If this machine needs to serve mail to remote mail
clients, Dovecot can be used to provide encrypted versions of these protocols. If this machine does not need to serve mail, then disable
this service.
Operating Systems              Package      Service Names
Fedora 10, 11, 12, and 13      dovecot      dovecot
Red Hat Enterprise Linux 4     dovecot      dovecot
Red Hat Enterprise Linux 5     dovecot      dovecot
Red Hat Enterprise Linux 6     dovecot      dovecot
Solaris 10                     Not part of the standard Solaris distribution.
SUSE 10 and 11                 dovecot11    dovecot
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.17.1 - Disable Dovecot if Possible
NVD CCE
• CCE-3847-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Sendmail
Sendmail is a popular target of computer attackers. If this system is not intended to process incoming mail, it is recommended to
disable the Sendmail daemon to avoid potential security vulnerabilities.
The Sendmail daemon does not have to be running for email to be sent.
Operating Systems              Packages     Service Names
Fedora 10, 11, 12, and 13      sendmail     sendmail
Red Hat Enterprise Linux 4     sendmail     sendmail
Red Hat Enterprise Linux 5     sendmail     sendmail
Red Hat Enterprise Linux 6     sendmail     sendmail
SUSE 10 and 11                 sendmail     sendmail
Solaris 10                     SUNWsndmr    svc:/network/smtp:sendmail
Module Options
• Required lines for /etc/sysconfig/sendmail
List of required lines to put in /etc/sysconfig/sendmail if not already there (Linux only)
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
• 8.9.1 - Ensure Sendmail is Deactivated
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.11.2.1 - Disable the Listening Sendmail Daemon
NVD CCE
• CCE-4375-2
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Sendmail Help
Disables Sendmail help. This module removes the HelpFile option from sendmail.cf and empties /etc/mail/helpfile.
Operating Systems              Configuration Files      Setting to Remove
Fedora 10, 11, 12, and 13      /etc/mail/sendmail.cf    O HelpFile=/etc/mail/helpfile
Red Hat Enterprise Linux 4     /etc/mail/sendmail.cf    O HelpFile=/etc/mail/helpfile
Red Hat Enterprise Linux 5     /etc/mail/sendmail.cf    O HelpFile=/etc/mail/helpfile
Red Hat Enterprise Linux 6     /etc/mail/sendmail.cf    O HelpFile=/etc/mail/helpfile
Solaris 10                     /etc/sendmail.cf         O HelpFile=/etc/mail/helpfile
SUSE 10 and 11                 /etc/sendmail.cf         O HelpFile=/etc/mail/helpfile
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN004540 - The SMTP service HELP command must not be enabled.
DISA UNIX STIG (v5 R1.30)
• GEN004540 - Sendmail Help Command
PCI DSS (v2.0)
• 2.2.3 - Configure system security parameters to prevent misuse
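An audit of sendmail.cf against the options set by the Configure Sendmail Options module and the HelpFile removal done by the Disable Sendmail Help module, as an added example that is not Security Blanket code. The two sendmail.cf excerpts are constructed inline, and the version-masking check assumes sendmail's $v and $Z macros are what carry the version in the greeting.

```python
"""Audit a sendmail.cf against the options set by "Configure Sendmail Options"
and the HelpFile removal done by "Disable Sendmail Help". Added example, not
Security Blanket code; both excerpts are constructed and only the long
"O Name=Value" option syntax is parsed."""
import re

OPTION_RE = re.compile(r"^O\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")
REQUIRED_PRIVACY = ("authwarnings", "novrfy", "noexpn", "restrictqrun")
MIN_LOG_LEVEL = 9
VERSION_MACROS = ("$v", "$Z")  # sendmail version and configuration version


def parse_options(cf_text):
    """Return {option: value} for every long-form option line in the file."""
    opts = {}
    for line in cf_text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def audit_sendmail_cf(cf_text):
    """Return a list of findings; an empty list means both modules' settings hold."""
    opts = parse_options(cf_text)
    findings = []
    privacy = {p.strip() for p in opts.get("PrivacyOptions", "").split(",") if p.strip()}
    for flag in REQUIRED_PRIVACY:
        if flag not in privacy:
            findings.append(f"PrivacyOptions lacks {flag}")
    try:
        level = int(opts.get("LogLevel", ""))
    except ValueError:
        level = None
    if level is None:
        findings.append("LogLevel not set")
    elif level < MIN_LOG_LEVEL:
        findings.append(f"LogLevel {level} is below {MIN_LOG_LEVEL}")
    if opts.get("ForwardPath") != "/dev/null":
        findings.append("ForwardPath does not point to /dev/null (.forward files are honoured)")
    if opts.get("AllowBogusHELO", "").lower() not in ("false", "no"):
        findings.append("AllowBogusHELO is not False")
    # sendmail's compiled-in greeting is "$j Sendmail $v/$Z; $b", so an unset option is flagged too
    greeting = opts.get("SmtpGreetingMessage", "$j Sendmail $v/$Z; $b")
    if any(macro in greeting for macro in VERSION_MACROS):
        findings.append("SmtpGreetingMessage exposes the version")
    if "HelpFile" in opts:
        findings.append("HelpFile is set (SMTP HELP enabled)")
    return findings


DEFAULT_CF = """\
# constructed excerpt resembling an unhardened sendmail.cf
O PrivacyOptions=authwarnings
O LogLevel=5
O HelpFile=/etc/mail/helpfile
O ForwardPath=$z/.forward.$w:$z/.forward
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
"""

HARDENED_CF = """\
# constructed excerpt after the two modules have been applied
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
O LogLevel=9
O ForwardPath=/dev/null
O AllowBogusHELO=False
O SmtpGreetingMessage=Mail Server Ready ; $b
"""

if __name__ == "__main__":
    for finding in audit_sendmail_cf(DEFAULT_CF):
        print(finding)
```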
Disable Sendmail if Older than 8.13.8
Disables the Sendmail service if the currently installed version is not at least 8.13.8. When this module was written, prior versions of
Sendmail had many vulnerabilities including WIZ and DECODE problems.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN004600 - The SMTP service must be an up-to-date version.
DISA UNIX STIG (v5 R1.30)
• GEN004600 - Sendmail Version
• GEN004640 - Sendmail DECODE Command
• GEN004700 - Sendmail WIZ Command
Chapter 10. Web Services
Disable Apache
Disables Apache™, which is an HTTP server.
Unless this machine will be serving web content, it is recommended to disable Apache. If you need to enable Apache, there are many
external references that provide secure configuration information for Apache.
Operating Systems              Packages     Service Names
Fedora 10, 11, 12, and 13      httpd        httpd
Red Hat Enterprise Linux 4     httpd        httpd
Red Hat Enterprise Linux 5     httpd        httpd
Red Hat Enterprise Linux 6     httpd        httpd
Solaris 10                     SUNWapchr    svc:/network/http:apache2
SUSE 10 and 11                 apache2      apache2
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.16.1 - Disable Apache if Possible
NVD CCE
• CCE-4306-7
• CCE-4338-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Squid
Squid is a caching proxy server used to increase web transaction speed.
Squid can be beneficial to security because it imposes a proxy between the client and the server. If it is not being used, deactivate it.
Otherwise, configure it carefully.
Operating Systems              Packages      Service Names
Fedora 10, 11, 12, and 13      squid         squid
Red Hat Enterprise Linux 4     squid         squid
Red Hat Enterprise Linux 5     squid         squid
Red Hat Enterprise Linux 6     squid         squid
Solaris 10                     SUNWsquidr    squid
                               CSKsquid      svc:/network/http:squid-csk
SUSE 10 and 11                 squid         squid
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.19.1 - Disable Squid if Possible
NVD CCE
• CCE-4556-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Squid if Older than 2.4STABLE6
Disables the Squid service if the currently installed version is not at least 2.4.STABLE6. When this module was written, prior
versions of Squid had vulnerabilities, including one in the authentication header.
Operating Systems              Method                                                  Service to Disable
Fedora 10, 11, 12, and 13      Uses RPM API (librpm) to get information on 'squid'     squid
Red Hat Enterprise Linux 4     Uses RPM API (librpm) to get information on 'squid'     squid
Red Hat Enterprise Linux 5     Uses RPM API (librpm) to get information on 'squid'     squid
Red Hat Enterprise Linux 6     Uses RPM API (librpm) to get information on 'squid'     squid
SUSE 10 and 11                 Uses RPM API (librpm) to get information on 'squid'     squid
Solaris 10                     /usr/bin/pkgparam SUNWsquidr VERSION                    squid
                               /usr/bin/pkgparam CSKsquid VERSION                      svc:/network/http:squid-csk
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA UNIX STIG (v5 R1.30)
• GEN005640 - Squid Web Proxy Authentication Header Vulnerability
• GEN005660 - Squid Web Proxy MSNT Auth Helper Vulnerability
• GEN005680 - Squid Web Proxy Version
Disable Tux
Disables Tux, which is a kernel-based web server. It increases performance but is less flexible than a traditional web server such as
Apache.
A successful attack against Tux can lead to system-wide compromise because it runs as part of the kernel. Traditional web servers
such as Apache should be used instead.
Operating Systems              Package    Service Names
Fedora 10, 11, 12, and 13      tux        tux
Red Hat Enterprise Linux 4     tux        tux
Red Hat Enterprise Linux 5     tux        tux
Red Hat Enterprise Linux 6     No related packages or services were found on the distribution CD, Extra Packages
                               for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6)
                               subscription channel. This module looks for the same packages and services as it does
                               for Red Hat Enterprise Linux 5. If you have identified specific packages and services,
                               please contact the customer support team at [email protected].
Solaris 10                     Not part of the standard Solaris distribution.
SUSE 10 and 11                 Not part of the standard SUSE distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
PHP - Disallow HTTP File Uploads
Disallows file uploads to your server via HTTP.
If your PHP application provides a feature to upload files, then do NOT apply this module. If you do not apply this module, examine
the php.ini to ensure the upload_max_filesize is set to a reasonable value like the default of 2MB. Setting this value too
high could result in network congestion or worse, filling up your filesystem. A value that is too high could be exploited by an attacker
resulting in denial of service.
Operating Systems              Configuration Files          Settings
Fedora 10, 11, 12, and 13      /etc/php.ini                 [PHP]
Red Hat Enterprise Linux 4     /etc/php.ini                 file_uploads = Off
Red Hat Enterprise Linux 5     /etc/php.ini
Red Hat Enterprise Linux 6     /etc/php.ini
Solaris 10                     /etc/apache2/php.ini
SUSE 10 and 11                 /etc/php5/apache2/php.ini
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.16.4.4.1 - Configure PHP Securely
PHP - Enhance Session Management
Enhances the PHP session management for web applications. This module:
• Increases the randomness of session filenames.
• Restricts the storage location of serialized session data.
• Sets the default cache control HTTP header to nocache which disallows any client/proxy caching.
• Only uses cookies to store the session ID on the client side. This prevents attacks involved in passing session IDs in URLs.
If a web application uses PHP’s session module, a visitor accessing the web site is assigned a unique ID, the session ID. This is either
stored in a cookie on the user side or is propagated in the URL. Sending session IDs in a URL could result in a leaked session that
would enable a third party to hijack the session and access all resources that are associated with a specific ID.
Session support in PHP contains a method of preserving certain data across subsequent accesses by registering an arbitrary number of
variables. All registered variables are serialized after the request finishes. This module sets parameters to help reduce the predictability
of the location of session data on the server.
The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. It
is recommended that you actively protect the integrity of the session, depending on the value associated with it.
If an application cannot run properly after applying this module, consider updating or rewriting the application.
Operating Systems              Configuration Files          Settings
Fedora 10, 11, 12, and 13      /etc/php.ini                 [Session]
Red Hat Enterprise Linux 4     /etc/php.ini                 session.save_handler = files
Red Hat Enterprise Linux 5     /etc/php.ini                 session.save_path = /var/lib/php/session
Red Hat Enterprise Linux 6     /etc/php.ini                 session.use_cookies = 1
Solaris 10                     /etc/apache2/php.ini         session.use_only_cookies = 1
SUSE 10 and 11                 /etc/php5/apache2/php.ini    session.entropy_file = /dev/urandom
                                                            session.entropy_length = 1024
                                                            session.cookie_lifetime = 0
                                                            session.cache_limiter = nocache
                                                            session.hash_function = 1
                                                            session.hash_bits_per_character = 6
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
PHP - General Security
Configures the PHP framework to help protect web applications from security defects, ranging from insufficient validation to
application logic errors.
• Disallows functions that use a filename as a parameter from using HTTP and FTP URLs (allow_url_fopen=off).
• Disables the registering of globals (register_globals). This will help prevent the injection of variables into your scripts, like
request variables from HTML forms.
• Enables the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single quote),
" (double quote), \ (backslash) and NUL’s are escaped with a backslash automatically.
• Sets the expose_php parameter to off. Otherwise, PHP may expose the fact that it is installed on the server (e.g., by adding its
signature to the Web server header). It is not a security threat in any way, but it makes it difficult to determine whether you use PHP
on your server or not.
Operating Systems              Configuration Files          Settings
Fedora 10, 11, and 12          /etc/php.ini                 [PHP]
Red Hat Enterprise Linux 4     /etc/php.ini                 register_globals = Off
Red Hat Enterprise Linux 5     /etc/php.ini                 magic_quotes = Off
Red Hat Enterprise Linux 6     /etc/php.ini                 allow_url_fopen = Off
Solaris 10                     /etc/apache2/php.ini
SUSE 10 and 11                 /etc/php5/apache2/php.ini
The registering of globals is a high-level vulnerability identified by SANS, and it is disabled by default. The only parameter here
that is not a default is allow_url_fopen. This is another attack vector identified by SANS, and it is highly recommended that you
apply this module to disable the registering of globals.
Compliancy
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.16.4.4.1 - Configure PHP Securely
PHP - Remove Stored MySQL Password
Removes the default MySQL password stored in the global PHP configuration file. The default PHP configuration has no password
set. Configuring PHP with a default database password is not recommended. It is possible for anyone with PHP command access to
get the database password from php.ini with the get_cfg_var() function.
If this module breaks your PHP application, then the application should be corrected. You should lock down the source code files and
ensure that the mysql_connect() function calls contain the appropriate credentials.
Operating Systems | Configuration Files
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6 | /etc/php.ini
Solaris 10 | /etc/apache2/php.ini
SUSE 10 and 11 | /etc/php5/apache2/php.ini
Settings (same for every operating system):
[MySQL]
mysql.default_password
Compliancy
N/A
PHP - Set Error Logging
Sets logging parameters for the PHP framework so that all web application errors are logged but not displayed in the end-user web
browsers.
These are the recommended settings for a production application. If errors are displayed in the web browsers, attackers could gain
more information regarding your application code.
Operating Systems | Configuration Files
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6 | /etc/php.ini
Solaris 10 | /etc/apache2/php.ini
SUSE 10 and 11 | /etc/php5/apache2/php.ini
Settings (same for every operating system):
[PHP]
display_errors = Off
log_errors = On
display_startup_errors = Off
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
NIST FISMA (SP 800-53)
• AU-2 - Auditable Events
• AU-3 - Content of Audit Records
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.16.4.4.1 - Configure PHP Securely
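The three PHP modules above come down to a handful of php.ini directives, so one script can verify all of them. The following is an added example, not Security Blanket code: it parses a php.ini the way PHP reads it (sections only group directives, a ";" starts a comment, the last assignment of a directive wins) and reports every directive that departs from the values these modules apply. A directive that is not set at all is reported as a finding rather than judged against PHP's built-in default, so the audit forces the value to be explicit. The check covers register_globals, allow_url_fopen, expose_php, display_errors, display_startup_errors, log_errors and mysql.default_password; the sample php.ini contents are constructed.

```python
"""Audit a php.ini against the settings the PHP modules above enforce.

Added example, not Security Blanket code. Covers the directives from
"PHP - Secure Configuration", "PHP - Remove Stored MySQL Password" and
"PHP - Set Error Logging". The sample ini text at the bottom is constructed.
"""
from typing import Dict, List

# Boolean directives and the value the modules set for them.
EXPECTED: Dict[str, bool] = {
    "register_globals": False,
    "allow_url_fopen": False,
    "expose_php": False,
    "display_errors": False,
    "display_startup_errors": False,
    "log_errors": True,
}
# Directives that must carry no value at all.
MUST_BE_EMPTY = ("mysql.default_password",)


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return a flat {directive: raw value} map.

    Section headers such as [PHP] or [MySQL] only group directives and are
    skipped; ';' begins a comment; when a directive is assigned twice the last
    assignment wins, which is how PHP itself reads the file.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def php_bool(value: str) -> bool:
    """Interpret an ini value the way PHP does for boolean directives."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_php_ini(text: str) -> List[str]:
    """Return one finding per directive that deviates from the modules' settings."""
    settings = parse_php_ini(text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        wanted = "On" if want else "Off"
        if key not in settings:
            findings.append(f"{key}: not set explicitly (expected {wanted})")
        elif php_bool(settings[key]) != want:
            findings.append(f"{key} = {settings[key]} (expected {wanted})")
    for key in MUST_BE_EMPTY:
        if settings.get(key, ""):
            findings.append(f"{key} is set; remove the stored credential from php.ini")
    return findings


# Constructed samples: a permissive file and one that matches the modules.
SAMPLE_BAD = """
; constructed sample php.ini
[PHP]
register_globals = On
allow_url_fopen = On
display_errors = On
display_startup_errors = Off
log_errors = Off
[MySQL]
mysql.default_password = "example-only"
"""

SAMPLE_GOOD = """
[PHP]
register_globals = Off
allow_url_fopen = Off
expose_php = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
[MySQL]
mysql.default_password =
"""

if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_BAD):
        print(finding)
```

Run it against the real file with audit_php_ini(open("/etc/php.ini").read()) on the platforms that use that path; an empty list means every directive is explicitly set to the value the modules apply.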
Chapter 11. Database Services
Disable CDE ToolTalk Database Server
Disables the local CDE ToolTalk Database Server. The ToolTalk service enables independent Common Desktop Environment (CDE)
desktop applications to communicate with each other without having direct knowledge of each other.
If you are not using the Solaris CDE, it is recommended that you apply this module.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | SUNWtltk | svc:/network/rpc/cde-ttdbserver:tcp
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4508-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable MySQL
Disables the MySQL database server.
Disabling MySQL does not prevent client-based applications from connecting to remote MySQL database servers.
If you must run MySQL, take the necessary steps to secure it.
It is recommended to set the MySQL root password (which by default is blank) and restrict access to its default TCP port of 3306 on
your host with the iptables(8) administration tool.
Also, make sure database user accounts have complex passwords and restrict the accounts on a host or network basis by avoiding the
use of the wildcard (%) in user accounts.
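The account checks in the two paragraphs above can be scripted against the contents of the mysql.user table. The following is an added example, not Security Blanket code: it takes rows shaped like the result of SELECT user, host, password FROM mysql.user on a MySQL 5.x server (the column is authentication_string on newer releases) and flags the blank root password, anonymous accounts and unrestricted host wildcards. A trailing wildcard on a network prefix such as 10.0.0.% is the host- or network-based restriction the text allows, so it is not flagged. The rows and hashes are constructed placeholders.

```python
"""Flag the MySQL account weaknesses the module above warns about.

Added example, not Security Blanket code. Rows are (user, host, password_hash)
tuples shaped like the result of
    SELECT user, host, password FROM mysql.user;
on MySQL 5.x (the column is authentication_string on newer releases). The
sample rows and hashes below are constructed placeholders.
"""
from typing import Iterable, List, Tuple

Account = Tuple[str, str, str]  # (user, host, password_hash)


def unrestricted_host(host: str) -> bool:
    """True when the host pattern lets the account connect from anywhere.

    A bare "%" (or a pattern that begins with "%") is unrestricted. A trailing
    wildcard on a network prefix such as "10.0.0.%" is the host/network
    restriction the module text allows, so it is not flagged here.
    """
    host = host.strip()
    return host == "" or host.startswith("%")


def audit_mysql_accounts(rows: Iterable[Account]) -> List[str]:
    """Return one finding per weakness; an empty list means the rows are clean."""
    findings: List[str] = []
    for user, host, pw_hash in rows:
        who = f"'{user}'@'{host}'"
        if user == "":
            findings.append(f"{who}: anonymous account, drop it")
        if pw_hash == "":
            findings.append(f"{who}: empty password (the installation default for root)")
        if unrestricted_host(host):
            findings.append(f"{who}: host wildcard, restrict to a host or network")
    return findings


# Constructed sample: a fresh installation plus one careless grant.
SAMPLE_ROWS: List[Account] = [
    ("root", "localhost", ""),
    ("root", "%", "*PLACEHOLDER_HASH_1"),
    ("", "localhost", ""),
    ("app", "10.0.0.%", "*PLACEHOLDER_HASH_2"),
    ("app", "192.168.1.7", "*PLACEHOLDER_HASH_3"),
]

if __name__ == "__main__":
    for finding in audit_mysql_accounts(SAMPLE_ROWS):
        print(finding)
```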
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6 | mysql-server | mysqld
Solaris 10 | No check | svc:/application/database/mysql:default
    CoolStack (Solaris AMP): svc:/application/database/mysql:mysql32-csk, svc:/application/database/mysql:mysql-csk
SUSE 10 and 11 | mysql | mysql
openSUSE 11.3 | No check | mysql
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Postgresql
Disables the PostgreSQL database server.
Disabling PostgreSQL does not prevent client-based applications from connecting to remote PostgreSQL database servers.
If you must run PostgreSQL, take necessary steps to secure it.
It is recommended that you change the PostgreSQL root password after installation and restrict access to its default TCP port of 5432
on your host with the iptables(8) administration tool.
Also, make sure that database user accounts have complex passwords and restrict the accounts on a host or network basis by avoiding
the use of the wildcard (%) in user accounts.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | postgresql-server | postgresql
Solaris 10 | No check | svc:/application/database/postgresql:version_81
    svc:/application/database/postgresql:version_82
    svc:/application/database/postgresql
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
MySQL - Disable Command History
Disables the MySQL command history by setting the MYSQL_HISTFILE environment variable to "" for all login sessions.
By default, all commands run in the MySQL console application are saved to a history file. Disabling the MySQL command history
reduces the probability of exposing sensitive information, such as passwords.
Applying this module may adversely affect an administrator’s productivity because the familiar up/down arrow feature for recalling
command history is not available.
TIP: Enabling command history for certain accounts
On a case-by-case basis, you could authorize certain database administrators to set the MYSQL_HISTFILE back to the
default $HOME/.mysql_history file.
However, it is recommended that you erase the file when the session is complete. One way to do this is to add
cat /dev/null > $HOME/.mysql_history
to their $HOME/.bash_logout script.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Chapter 12. Desktop Applications
Configure User Firefox Prefs
This module has been retired because it has been expanded into multiple modules.
See:
• Firefox - Privacy
• Firefox - Addons
• Firefox - Dynamic Content
• Firefox - Encryption
• Firefox - Java
• Firefox - JavaScript
• Firefox - Network
• Firefox - Updating
Compliancy
DISA UNIX STIG (v5 R1.30)
• GEN004040 - Browser Software Update Feature
Disable Firefox if Older than 3.0
Disables the Mozilla Firefox® browser if the currently installed version is not at least 3.0. This module sets the permissions on the
firefox file to zero (mode 000), preventing it from being executed.
Operating Systems | Method
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6 | Uses RPM API (librpm) to get information on the 'firefox' package.
SUSE 10 and 11 | Uses RPM API (librpm) to get information on the 'MozillaFirefox' package.
Solaris 10 | /usr/bin/pkgparam SFWfirefox VERSION and /usr/bin/pkgparam SUNWfirefox VERSION
Files to Disable (as listed for the platforms above): /usr/bin/firefox, /opt/sfw/lib/firefox3/firefox, /usr/lib/firefox/firefox
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Mozilla Firefox STIG (v4 R2)
• DTBF003 - Installed version of Firefox unsupported
DISA UNIX STIG (v5 R1.30)
• GEN004240 - Browser Version
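The version test this module performs is the kind that silently goes wrong when done as a string comparison: as strings, "10.0.12" sorts below "3.0". The following is an added example, not Security Blanket code (which queries librpm and pkgparam as the table shows); it compares the version numerically, component by component, and applies the same mode-000 disable to the binary. Treating a ",REV=" suffix as Solaris package revision data to be dropped is an assumption about pkgparam's VERSION output.

```python
"""Decide whether an installed Firefox meets the 3.0 floor the module enforces.

Added example, not Security Blanket code. Version strings are compared as
tuples of integers; the ",REV=" handling is an assumption about the format
of "pkgparam <pkg> VERSION" output on Solaris.
"""
import os
from typing import Tuple

MINIMUM = (3, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "3.6.28", "10.0.12" or "3.0,REV=2008.12.16" into an int tuple.

    Anything after a comma (assumed Solaris REV data) is dropped, and a
    non-numeric suffix such as "b4" or "esr" ends the component it appears in.
    """
    core = text.strip().split(",", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts)


def firefox_is_supported(version: str, minimum: Tuple[int, ...] = MINIMUM) -> bool:
    """True when the installed version is at least the minimum; tuple comparison
    handles versions with more components than the minimum."""
    return parse_version(version) >= minimum


def disable_binary(path: str) -> int:
    """Remove every permission bit (mode 000), which is how the module stops an
    unsupported firefox from being executed. Returns the resulting mode bits."""
    os.chmod(path, 0)
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    for sample in ("2.0.0.20", "3.0", "3.6.28", "10.0.12", "3.0,REV=2008.12.16"):
        print(sample, "supported" if firefox_is_supported(sample) else "disable")
```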
Disable Instant Messenger Client (Yahoo!)
Disables the Yahoo!® instant messenger client. If the “ymessenger” package is installed, this module will remove all permissions
from /usr/bin/ymessenger so it cannot be used.
If an instant messenger is needed, configure your network to restrict with whom end-users can communicate. If this client is not
needed, remove the package.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN006000 - The system must not have a public Instant Messaging (IM) client installed.
DISA UNIX STIG (v5 R1.30)
• GEN006000 - Public Instant Messaging Client is Installed
PCI DSS (v2.0)
• 2.2.2 - Disable all unnecessary and insecure services
Disable Instant Messenger Client (gaim)
Disables the Gaim and Pidgin instant messenger client. If the Gaim or Pidgin package is installed, this module will remove all
permissions from /usr/bin/gaim and /usr/bin/pidgin. On Solaris systems, this module will look in /usr/local/bin.
If an instant messenger is needed, configure your network to restrict with whom end-users can communicate. If this client is not
needed, remove the package.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN006000 - The system must not have a public Instant Messaging (IM) client installed.
DISA UNIX STIG (v5 R1.30)
• GEN006000 - Public Instant Messaging Client is Installed
PCI DSS (v2.0)
• 2.2.2 - Disable all unnecessary and insecure services
Firefox - Addons
Disables the automatic updating of Mozilla Firefox extensions (Addons).
These extensions add new functionality or change the browser’s appearance. Since the extensions run in a user’s session, they are
allowed to manipulate data and the way the browser interacts with other applications and user commands. If malicious extensions
are installed automatically, a user’s security could be compromised. This module does not prevent users from installing or updating
extensions; it only forces users to review the source of an extension beforehand.
This module sets the following parameters in each user’s $HOME/.mozilla/firefox/*/prefs.js:
user_pref("xpinstall.whitelist.add", "");
user_pref("xpinstall.whitelist.add.103", "");
user_pref("xpinstall.whitelist.required", true);
Compliancy
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Firefox - Dynamic Content
Provide protections against dynamic content such as scripts and native browser objects which can change the content of a browser
window without the user's knowledge.
This module sets each user’s preference to prevent direct downloading to their desktop. Additionally, it configures the browser to alert
the user before running an executable from the Download Manager. It also configures the browser to scan downloaded items for
viruses.
JavaScript™ is primarily implemented as part of a web browser to provide enhanced user interfaces and dynamic websites. This
module sets each user’s preference to disallow JavaScript from closing browser windows and to prevent javascript: URLs from
appearing in the browser’s URL history.
The browser is also configured to alert the user if they are visiting a malicious site and to prevent the browser from locally caching the
content of SSL (secure) pages to disk.
The following parameters are set in each user’s $HOME/.mozilla/firefox/*/prefs.js:
user_pref("dom.disable_window_open_feature.status", false);
user_pref("browser.cache.disk_cache_ssl", false);
user_pref("browser.download.folderList", 2);
user_pref("browser.safebrowsing.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", true);
user_pref("browser.urlbar.filter.javascript", true);
user_pref("browser.download.manager.scanWhenDone", true);
Compliancy
DISA Mozilla Firefox STIG (v4 R2)
• DTBF180 - Pop-up windows
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Firefox - Encryption
Configures Firefox to use the Transport Layer Security (TLS) cryptographic protocol and disables its predecessor, the Secure Sockets
Layer (SSL) cryptographic protocol. This module also configures the browser to warn users if they enter a website using weak encryption
or a website with mixed levels of encryption.
The following parameters are set in each user’s $HOME/.mozilla/firefox/*/prefs.js:
user_pref("security.enable_ssl2", false);
user_pref("security.enable_ssl3", false);
user_pref("security.enable_tls", true);
user_pref("security.warn_viewing_mixed", true);
user_pref("security.warn_entering_weak", true);
user_pref("security.OCSP.enabled", 1);
user_pref("security.default_personal_cert", "Ask Every Time");
Compliancy
DISA Mozilla Firefox STIG (v4 R2)
• DTBF010 - Disable SSLv2
• DTBF030 - Enable TLS v1.0
• DTBF050 - Verification
DISA UNIX STIG (v5 R1.30)
• GEN004120 - Browser Data Redirection Warning
• GEN004160 - Browser Certificate Warning
• GEN004200 - Browser SSL Configuration
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Firefox - Java
Configures Firefox to allow or disallow Java from loading code onto the local machine; such code has more access to the local
operating system than HTML does.
Depending on the option chosen for the profile, the following is set to either true or false in each user’s $HOME/.mozilla/
firefox/*/prefs.js:
user_pref("security.enable_java", true);
or
user_pref("security.enable_java", false);
Module Options
• Javascript
Compliancy
DISA UNIX STIG (v5 R1.30)
• GEN004100 - Browser Allows Active Scripting
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Firefox - JavaScript
Configure Firefox to disallow JavaScript from manipulating various characteristics of the web browser such as context menus,
window scaling, and status bar messages.
The following parameters are set in each user’s $HOME/.mozilla/firefox/*/prefs.js:
user_pref("dom.disable_window_status_change", true);
user_pref("dom.disable_window_flip", true);
user_pref("dom.event.contextmenu.enabled", false);
user_pref("dom.disable_window_move_resize", true);
Module Options
• Javascript
Compliancy
DISA Mozilla Firefox STIG (v4 R2)
• DTBF181 - Javascript move or resize windows
• DTBF182 - Javascript raise or lower windows
• DTBF183 - Javascript Context Menus
• DTBF184 - Javascript hiding or changing status bar
DISA UNIX STIG (v5 R1.30)
• GEN004100 - Browser Allows Active Scripting
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Firefox - Network
Configures Firefox to limit the exposure of sensitive data in URLs, to prevent the sending of Microsoft® LAN Manager (LM) hash
responses when authenticating to resources, and to disable handling of the shell protocol.
The following parameters are set in each user’s $HOME/.mozilla/firefox/*/prefs.js:
user_pref("network.http.sendSecureXSiteReferrer", false);
user_pref("network.protocol-handler.external.shell", false);
user_pref("network.ntlm.send-lm-response", false);
Compliancy
DISA Mozilla Firefox STIG (v4 R2)
• DTBF105 - Shell Protocol
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Firefox - Privacy
Sets each user’s Mozilla Firefox browser preferences so that the browser does not store previously entered form data or credentials,
warns the user when submitting clear-text form data, alerts the user when switching from secure to insecure websites, and accepts only
first-party cookies.
The following parameters are set in each user’s $HOME/.mozilla/firefox/*/prefs.js:
user_pref("network.cookie.cookieBehavior", 1);
user_pref("signon.rememberSignons", false);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("security.ask_for_password", 0);
user_pref("browser.formfill.enable", false);
user_pref("browser.sessionstore.privacy_level", 1);
user_pref("browser.history_expire_days", 0);
user_pref("browser.history_expire_days.mirror", 0);
user_pref("browser.download.manager.retention", 0);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_entering_secure", true);
user_pref("security.warn_submit_insecure", true);
Compliancy
DISA Mozilla Firefox STIG (v4 R2)
• DTBF130 - Switching from secure to insecure
• DTBF140 - Autofill forms
• DTBF160 - Password Store
• DTBF170 - Cookies
DISA UNIX STIG (v5 R1.30)
• GEN004280 - Browser Form Data Warning
• GEN004300 - Browser Secure and Non-secure Content Warning
• GEN004320 - Browser Leaving Encrypted Site Warning
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Firefox - Updating
Enables or disables the auto-updating of Firefox software components. Some guidelines require that auto-updating be enabled while
others require it to be disabled, so, depending on the context in which this module is deployed, the assessment results may have a
different meaning.
Depending on the option chosen for the profile, the following is set to either true or false in each user’s $HOME/.mozilla/
firefox/*/prefs.js:
user_pref("app.update.auto", true);
user_pref("security.xpconnect.plugin.unrestricted", true);
or
user_pref("app.update.auto", false);
user_pref("security.xpconnect.plugin.unrestricted", false);
Module Options
• Firefox auto update
Compliancy
DISA UNIX STIG (v5 R1.30)
• GEN004040 - Browser Software Update Feature
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
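All of the Firefox modules above (Addons, Dynamic Content, Encryption, Java, JavaScript, Network, Privacy and Updating) work by writing user_pref lines into each user's prefs.js, so one verifier can cover them. The following is an added example, not Security Blanket code: it parses prefs.js into typed values, reports lines that do not parse (a missing quote, for instance), and lists each expected preference that is absent or carries a different value or type. A preference that is absent is reported as such rather than assumed, because Firefox then applies its own built-in default. A quoted 'true' is reported as a type mismatch, since Firefox's preference parser reads a quoted value as a string preference, not the boolean these settings need. The expected values are a subset of the ones listed in the modules above; the sample prefs.js is constructed.

```python
"""Verify a Firefox prefs.js against the preferences the modules above set.

Added example, not Security Blanket code. The EXPECTED table is a subset of
the user_pref lines listed in the Firefox modules; SAMPLE_PREFS_JS is a
constructed file that drifts from them in several ways.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# name -> value with the type Firefox needs (bool, int or str).
EXPECTED: Dict[str, Any] = {
    "security.enable_ssl2": False,
    "security.enable_ssl3": False,
    "security.enable_tls": True,
    "security.warn_viewing_mixed": True,
    "security.warn_entering_weak": True,
    "security.OCSP.enabled": 1,
    "network.cookie.cookieBehavior": 1,
    "signon.rememberSignons": False,
    "browser.formfill.enable": False,
    "network.ntlm.send-lm-response": False,
    "dom.event.contextmenu.enabled": False,
    "xpinstall.whitelist.required": True,
}

# user_pref("name", value);  -- the name must be double-quoted, the ';' is tolerated if absent.
PREF_RE = re.compile(r'^user_pref\s*\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;?$')


def _parse_value(token: str) -> Any:
    """Map a prefs.js literal to a Python value of the matching type."""
    if token == "true":
        return True
    if token == "false":
        return False
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]  # quoted, including 'true': a string preference
    raise ValueError(f"unrecognised preference value: {token}")


def parse_prefs_js(text: str) -> Tuple[Dict[str, Any], List[str]]:
    """Return ({name: value}, [user_pref lines that could not be parsed])."""
    prefs: Dict[str, Any] = {}
    malformed: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("user_pref"):
            continue  # comments, blank lines, the "// Mozilla User Preferences" banner
        match = PREF_RE.match(stripped)
        if not match:
            malformed.append(stripped)
            continue
        try:
            prefs[match.group(1)] = _parse_value(match.group(2))
        except ValueError:
            malformed.append(stripped)
    return prefs, malformed


def check_prefs(prefs: Dict[str, Any], expected: Dict[str, Any]) -> List[Tuple[str, Any, Optional[Any]]]:
    """Return (name, expected, actual) for every drift; actual is None when the
    preference is absent. Types are compared strictly, so True != "true" and
    the bool True does not satisfy an expected int 1."""
    drift: List[Tuple[str, Any, Optional[Any]]] = []
    for name, want in expected.items():
        if name not in prefs:
            drift.append((name, want, None))
            continue
        actual = prefs[name]
        if type(actual) is not type(want) or actual != want:
            drift.append((name, want, actual))
    return drift


# Constructed sample prefs.js: one correct, one wrong value, one wrong type,
# one unrelated preference, and several expected preferences missing.
SAMPLE_PREFS_JS = """// Mozilla User Preferences (constructed sample)
user_pref("security.enable_ssl2", false);
user_pref("security.enable_ssl3", true);
user_pref("security.enable_tls", 'true');
user_pref("security.OCSP.enabled", 1);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("signon.rememberSignons", false);
user_pref("browser.formfill.enable", false);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    found, bad = parse_prefs_js(SAMPLE_PREFS_JS)
    for entry in check_prefs(found, EXPECTED):
        print(entry)
    for line in bad:
        print("malformed:", line)
```

To cover every user on a host, run parse_prefs_js over each $HOME/.mozilla/firefox/*/prefs.js and extend EXPECTED with the remaining user_pref lines from the modules you have applied.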
Chapter 13. Printing Services
Disable CUPS Printer Browsing
Disable the ability for Common UNIX Printing System (CUPS) to broadcast the available printers on this system or receive broadcasts
from other CUPS-enabled systems.
In Linux systems, the following lines will be set in /etc/cups/cupsd.conf:
Browsing Off
BrowseAllow none
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.8.3.1.1 - Disable Printer Browsing Entirely if Possible
NVD CCE
• CCE-4407-3
• CCE-4420-6
Disable HP Printing and Imaging
Disables HP printing and imaging. The hplip service is used to support HP printing and imaging services.
If printing is not enabled and the service is not vital to the operation of the system, it is recommended to disable the service. Note that
for the operating systems listed below where the Service Name is '-', there is no service to be disabled. If Security Blanket detects that
the package is installed, it indicates that the Administrator should manually remove the package if it is not required.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | hplip | -
Red Hat Enterprise Linux 4 and 5 | hplip | hplip
Red Hat Enterprise Linux 6 | hplip | -
SUSE 10 | hplip | hplip
SUSE 11 | hplip | -
Solaris 10 | Not part of the Solaris operating system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.8.4.1 - Disable HPLIP Service if Possible
NVD CCE
• CCE-4425-5
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Printer Configuration Daemon
Disables the CUPS printer configuration daemon that is used to configure the CUPS subsystem. The title of this module is misleading;
its purpose is to prevent newly attached printers from automatically being configured.
The first release of this module was intended for earlier operating systems, in which it actually disabled an independent service
daemon. In newer releases, however, the auto-configuration is performed by the Hardware Abstraction Layer (HAL) daemon, which
is responsible for working with CUPS. The HAL daemon allows desktop applications to discover and use the hardware of the host
system through a simple, portable and abstract API, regardless of the type of underlying hardware. To prevent new printers from
automatically being added, the ConfigureNewPrinters parameter is set to "no".
In newer operating systems, the HAL architecture is being supplanted by udev. This device manager is also the successor of devfs
and hotplug, which means that it handles the /dev directory and all user-space actions when adding or removing devices, including
firmware loading. Fedora 12, Fedora 13, Red Hat Enterprise Linux 6, and openSUSE 11.3 have all moved this functionality to udev.
Operating Systems | Package | Setting
Fedora 10 and 11; Red Hat Enterprise Linux 4 and 5 | hal-cups-utils | Disable the "cups-config-daemon" service.
Fedora 12 and 13; Red Hat Enterprise Linux 6 | system-config-printer-udev | See Note below.
Solaris 10 | Not part of the standard Solaris operating system.
SUSE 10 and 11 | cups-autoconfig | Set ConfigureNewPrinters=no in /etc/cups-autoconfig.conf.
openSUSE 11.3 | udev-configure-printer | See Note below.
Note
The udev system consists of default rules in /lib/udev/rules.d, with locally configured (automatically or manually)
files in /etc/udev/rules.d that override the default rules or hold the results of the default rules. The setting applied by
this module ensures that the /etc/udev/rules.d/70-printers.rule file is either empty or contains only lines that
are commented out or blank.
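Both printing checks in this chapter so far, the cupsd.conf directives that "Disable CUPS Printer Browsing" sets and the inert udev rules file required by the note just above, can be verified from the file contents alone. The following is an added example, not Security Blanket code: it reads the top-level directives of a cupsd.conf (CUPS directive names are case-insensitive, and lines inside <Location> or <Policy> blocks are skipped because Browsing and BrowseAllow are global), confirms that Browsing is Off and that every BrowseAllow is none, and checks that a rules file contains nothing but blank and commented lines. The file contents used are constructed.

```python
"""Verify the cupsd.conf browsing directives and an inert udev rules file.

Added example, not Security Blanket code. Checks the settings from
"Disable CUPS Printer Browsing" (Browsing Off, BrowseAllow none) and the
note under "Disable Printer Configuration Daemon" (rules file empty or all
comments). All sample file contents below are constructed.
"""
from typing import Dict, List


def cups_directives(text: str) -> Dict[str, List[str]]:
    """Map each top-level cupsd.conf directive (lower-cased) to all its values.

    '#' starts a comment. Directives inside <Location>, <Policy> or similar
    blocks are skipped: Browsing and BrowseAllow are global directives.
    """
    directives: Dict[str, List[str]] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1
            continue
        if depth:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(name, []).append(value)
    return directives


def cups_browsing_disabled(text: str) -> bool:
    """True when the last Browsing directive is Off and every BrowseAllow is none."""
    found = cups_directives(text)
    browsing = [v.lower() for v in found.get("browsing", [])]
    allow = [v.lower() for v in found.get("browseallow", [])]
    return browsing[-1:] == ["off"] and bool(allow) and all(v == "none" for v in allow)


def udev_rules_inert(text: str) -> bool:
    """True when the rules file is empty or holds only blank and '#' lines."""
    return all(not line.strip() or line.lstrip().startswith("#") for line in text.splitlines())


# Constructed cupsd.conf fragments: before and after the module is applied.
CUPSD_BEFORE = """# constructed sample
LogLevel warn
Browsing On
BrowseOrder allow,deny
BrowseAllow all
Listen localhost:631
<Location />
  Order allow,deny
  Allow localhost
</Location>
"""

CUPSD_AFTER = """# constructed sample
LogLevel warn
Browsing Off
BrowseAllow none
Listen localhost:631
<Location />
  Order allow,deny
  Allow localhost
</Location>
"""

# Constructed rules files: one that still triggers configuration, one made inert.
UDEV_ACTIVE = 'ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/sbin/example-configure-printer add %p"\n'
UDEV_INERT = "# printers rule disabled by policy\n\n# ACTION==\"add\", SUBSYSTEM==\"usb\", RUN+=\"...\"\n"

if __name__ == "__main__":
    print("browsing disabled (before):", cups_browsing_disabled(CUPSD_BEFORE))
    print("browsing disabled (after): ", cups_browsing_disabled(CUPSD_AFTER))
    print("rules inert:", udev_rules_inert(UDEV_INERT))
```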
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Printer Daemon
Disables the Common UNIX Printing System (CUPS). When enabled, this service may allow unauthorized remote systems to send
print jobs to a system that is not properly configured.
As with all system daemons that provide network services, if the service is not vital to the operation of the system, it is recommended
that you disable the service. For Solaris systems, this module will disable print services to include: ipp-listener, rfc1179 service, and
the CDE Print Viewer.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | cups | cups, cups-lpd
Solaris 10 | SUNWpsr | svc:/application/print/server:default
    svc:/application/print/cleanup:default
    svc:/application/print/ppd-cache-update:default
    svc:/application/cde-printinfo:default
    svc:/application/print/rfc1179:default
    svc:/application/print/ipp-listener:default
TIP: Restricting the service
If you must run the CUPS service, restrict network access to the service within the cupsd.conf(5) configuration file
using the “Allow” directive. For added security, restrictions on both TCP and UDP port 3551 can be applied on your host
with the iptables(8) administration tool.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.8.1 - Disable the CUPS Service if Possible
NVD CCE
• CCE-3755-6
• CCE-4112-9
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Chapter 14. Authentication Services
Configure /etc/ldap.conf Settings
Verify that the indicated lines are contained in the /etc/ldap.conf file.
Module Options
• List of setting (one per line, "NAME VALUE")
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN008020 - If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the
server provide a certificate with a valid trust path to a trusted CA.
• GEN008040 - If the system is using LDAP for authentication or account information, the system must verify the LDAP server's
certificate has not been revoked.
Disable Kerberos TGT Expiration Warning
Disables the Solaris Kerberos warning daemon ( ktkt_warnd(1M) ). When this daemon is enabled on Kerberos clients it can warn
users when their Kerberos tickets are about to expire, or renew the tickets before they expire.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | SUNWkrbr | svc:/network/security/ktkt_warn:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4557-5
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable LDAP Client Cache Manager
Disables the Solaris LDAP client cache manager daemon ( ldap_cachemgr(1M) ), which manages client configuration for LDAP-based
Network Information Service lookups.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | SUNWcsr | svc:/network/ldap/client:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4279-6
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable NIS Client
Disables the Network Information Service (NIS) client. The NIS is a system that provides network information such as login names
and home directories to all the machines on a network.
Unless the use of NIS is explicitly required, it is recommended that the NIS Client be disabled due to security concerns.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | ypbind | ypbind
Solaris 10 | SUNWnisr | svc:/network/nis/client:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.11.1 - Disable NIS When Not Required
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN006400 - The Network Information System (NIS) protocol must not be used.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000221 - The ypbind service must not be running.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.2.4 - NIS (Disable)
NVD CCE
• CCE-3705-1
• CCE-4592-2
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable NIS Server
Disables the Network Information Service (NIS) server. The NIS is a system that provides network information such as login names
and home directories to all the machines on a network.
Unless the use of NIS is explicitly required, it is recommended that the NIS server be disabled due to security concerns.
Operating Systems            Package   Service Names
Fedora 10, 11, 12, and 13    ypserv    ypserv and yppasswdd
Red Hat Enterprise Linux 4   ypserv    ypserv and yppasswdd
Red Hat Enterprise Linux 5   ypserv    ypserv and yppasswdd
Red Hat Enterprise Linux 6   ypserv    ypserv and yppasswdd
SUSE 10 and 11               ypserv    ypserv and yppasswdd
Solaris 10                   SUNWypr   svc:/network/rpc/nisplus:default
                                       svc:/network/nis/server:default
                                       svc:/network/nis/passwd:default
                                       svc:/network/nis/update:default
                                       svc:/network/nis/xfr:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN006400 - The Network Information System (NIS) protocol must not be used.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-3622-8
• CCE-4299-4
• CCE-4362-0
• CCE-4486-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Chapter 15. Hardware Services
Check Kernel for XD/NX Support
Scan-only module, which checks the running Linux kernel to see if it supports Execute Disable (XD) or No Execute (NX).
Later 32-bit processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and
on AMD processors, this ability is called No Execute (NX), while on Intel® processors it is called Execute Disable (XD). This ability
can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken
to ensure that this protection is enabled on 32-bit x86 systems. Other processors, such as Itanium®, POWER™, and 64-bit x86 (both
AMD64 or Intel 64), have included such support since inception and the standard kernel for those platforms supports the feature.
This module examines the /proc/cpuinfo file for any CPUs which have the 'PAE' and 'NX' flags set. If these flags are set, the
module uses the uname(1) utility’s -r option to determine the running kernel’s release name. If the name does not end with the string
“PAE”, it is assumed the current kernel does not support PAE and the module reports a failure. This module only scans the
system, so it is the responsibility of the system administrator to install the “kernel-PAE” package and boot the system using a PAE-enabled kernel.
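The scan logic above, reimplemented as an added example (this is not Security Blanket's own code). It takes the cpuinfo file and the kernel release as arguments, so it can be run against the constructed sample below as well as against /proc/cpuinfo and `uname -r` on a live system. Note that /proc/cpuinfo spells the flags in lowercase ("pae", "nx") while the kernel release suffix is uppercase "PAE"; the sample kernel release strings follow the RHEL 5 naming style and are constructed.

```shell
#!/bin/sh
# Added example, not Security Blanket's own code: stand-alone version of the
# XD/NX scan. Inputs are passed in so the check runs against a constructed
# cpuinfo file as well as the live system.

# Exit 0 if at least one "flags" line in the cpuinfo file $1 carries both
# the pae and nx flags (fields 3.. of a "flags : ..." line).
cpu_reports_pae_nx() {
    awk '$1 == "flags" {
             pae = 0; nx = 0
             for (i = 3; i <= NF; i++) { if ($i == "pae") pae = 1; if ($i == "nx") nx = 1 }
             if (pae && nx) { found = 1; exit }
         }
         END { exit !found }' "$1"
}

# Exit 0 if the kernel release string $1 ends with "PAE".
kernel_is_pae() {
    case "$1" in
        *PAE) return 0 ;;
        *)    return 1 ;;
    esac
}

# check_xd_nx CPUINFO_FILE KERNEL_RELEASE
# Prints a verdict and exits 0 (pass), 1 (fail: NX-capable CPU but a
# non-PAE kernel) or 2 (not applicable: no CPU reports pae and nx).
check_xd_nx() {
    cpuinfo=$1; kernel=$2
    if ! cpu_reports_pae_nx "$cpuinfo"; then
        echo "not applicable: no CPU in $cpuinfo reports the pae and nx flags"
        return 2
    fi
    if kernel_is_pae "$kernel"; then
        echo "pass: $kernel is a PAE kernel, so NX/XD protection is available"
        return 0
    fi
    echo "FAIL: CPU supports NX/XD but kernel $kernel is not a PAE build; install kernel-PAE and boot it"
    return 1
}

# Constructed sample cpuinfo (two CPUs, both reporting pae and nx). For a
# live scan call: check_xd_nx /proc/cpuinfo "$(uname -r)"
SAMPLE_CPUINFO=${TMPDIR:-/tmp}/sb-xdnx-sample.$$
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx lm
processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx lm
EOF

# Constructed kernel release strings in the RHEL 5 naming style.
check_xd_nx "$SAMPLE_CPUINFO" "2.6.18-348.el5PAE" || :
check_xd_nx "$SAMPLE_CPUINFO" "2.6.18-348.el5" || :
rm -f "$SAMPLE_CPUINFO"
```

The three-way exit status mirrors the module's behaviour: a system whose CPUs never report pae and nx is not a failure, only a case where the check does not apply.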
Compliancy
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.4.4 - Enable Execute Disable (XD) or No Execute (NX) Support on 32-bit x86 Systems
NVD CCE
• CCE-4172-3
Disable ACPI Daemon
Disable the Advanced Configuration and Power Interface (acpid) daemon.
Operating Systems            Package   Service Names
Red Hat Enterprise Linux 5   acpid     acpid
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.15.2 - Advanced Configuration and Power Interface (acpid)
NVD CCE
• CCE-4298-6
Disable Avahi Daemon
Disables the Avahi daemon. The Avahi daemon facilitates automated service discovery on a local network.
Operating Systems            Package   Service Names
Fedora 10, 11, 12, and 13    avahi     avahi-daemon
Red Hat Enterprise Linux 4   avahi     avahi-daemon
Red Hat Enterprise Linux 5   avahi     avahi-daemon
Red Hat Enterprise Linux 6   avahi     avahi-daemon
SUSE 10 and 11               avahi     avahi-daemon
Solaris 10                   Not part of the Solaris operating system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000246 - The avahi service must be disabled.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.7.1 - Disable Avahi Server if Possible
NVD CCE
• CCE-4365-3
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Bluetooth
Disables Bluetooth® services. These services may allow unauthorized communications with the server if not properly configured.
Operating Systems            Packages      Service Names
Fedora 10, 11, 12, and 13    bluez         bluetooth
Red Hat Enterprise Linux 4   bluez-utils   bluetooth & hidd
Red Hat Enterprise Linux 5   bluez-utils   bluetooth & hidd
Red Hat Enterprise Linux 6   bluez         bluetooth
SUSE 10                      bluez         bluetooth
SUSE 11                      bluez         bluez-coldplug
openSUSE 11.3                bluez         bluez-coldplug
Solaris 10                   Not part of the standard Solaris distribution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000331 - The Bluetooth service must be disabled.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NIST FISMA (SP 800-53)
• AC-18 - Wireless Access Restrictions
• AC-19 - Access Control for Portable and Mobile Systems
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.14.1 - Bluetooth Host Controller Interface Daemon (bluetooth)
NVD CCE
• CCE-4355-4
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Bluetooth Input Devices Daemon
If the system has no Bluetooth input devices (e.g., wireless keyboard or mouse), disable this daemon.
Operating Systems            Package       Service Names
Red Hat Enterprise Linux 5   bluez-utils   hidd
Compliancy
NIST FISMA (SP 800-53)
• AC-18 - Wireless Access Restrictions
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.14.2 - Bluetooth Input Devices (hidd)
NVD CCE
• CCE-4377-8
Disable Bluetooth Kernel Modules
Prevents the kernel from loading the Bluetooth kernel module(s).
This module examines all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and looks for the
line(s) specified as arguments. If a line is found that matches the first two whitespace-separated fields of a required line but not the
remainder, it is updated to match the required line. If no matching line is found, the required line is added either to /etc/modprobe.d/
SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Bluetooth kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
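The line-enforcement rule described above, as an added example (not Security Blanket's own code). It is written against a scratch directory so the update-or-append behaviour can be exercised without touching /etc; the file name SecurityBlanket_modprobe_settings is the one the module description gives. The two required lines used in the demonstration (install bluetooth /bin/true and alias net-pf-31 off) are constructed samples of the kind of lines the module option takes, not values from this guide.

```shell
#!/bin/sh
# Added example, not Security Blanket's own code: stand-alone version of the
# modprobe line-enforcement rule, runnable against a scratch directory.
#
# ensure_modprobe_line LINE MODPROBE_D MODPROBE_CONF
#   LINE           required line, e.g. "install bluetooth /bin/true"
#   MODPROBE_D     modprobe.d directory ("" or a non-existent path if none)
#   MODPROBE_CONF  modprobe.conf path ("" if none)
# Every line in those files whose first two whitespace-separated fields equal
# LINE's first two fields is rewritten to LINE. If no such line exists in any
# file, LINE is appended to MODPROBE_D/SecurityBlanket_modprobe_settings when
# MODPROBE_D is a directory, otherwise to MODPROBE_CONF.
ensure_modprobe_line() {
    line=$1; mpd=$2; conf=$3
    key=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
    found=0

    # Candidate files: everything in modprobe.d plus modprobe.conf.
    set --
    [ -d "$mpd" ] && set -- "$mpd"/*
    [ -n "$conf" ] && set -- "$@" "$conf"

    for f in "$@"; do
        [ -f "$f" ] || continue
        # Skip files with no line sharing the first two fields.
        awk -v k="$key" '($1 " " $2) == k { hit = 1 } END { exit !hit }' "$f" || continue
        found=1
        # Rewrite matching lines to the required line; keep everything else.
        tmp="$f.sb-tmp"
        awk -v k="$key" -v l="$line" '($1 " " $2) == k { print l; next } { print }' "$f" > "$tmp" &&
            mv "$tmp" "$f"
    done

    if [ "$found" -eq 0 ]; then
        if [ -d "$mpd" ]; then
            target="$mpd/SecurityBlanket_modprobe_settings"
        else
            target="$conf"
        fi
        printf '%s\n' "$line" >> "$target"
    fi
}

# Demonstration on a constructed scratch tree: one pre-existing line with the
# wrong remainder (rewritten in place) and one absent line (appended).
SCRATCH=${TMPDIR:-/tmp}/sb-modprobe-demo.$$
mkdir -p "$SCRATCH/modprobe.d"
printf 'install bluetooth /bin/false\n' > "$SCRATCH/modprobe.d/bluetooth.conf"
ensure_modprobe_line "install bluetooth /bin/true" "$SCRATCH/modprobe.d" "$SCRATCH/modprobe.conf"
ensure_modprobe_line "alias net-pf-31 off" "$SCRATCH/modprobe.d" "$SCRATCH/modprobe.conf"
cat "$SCRATCH/modprobe.d/bluetooth.conf" "$SCRATCH/modprobe.d/SecurityBlanket_modprobe_settings"
rm -rf "$SCRATCH"
```

Matching on the first two fields only is what lets the rule correct a weaker existing directive (here the /bin/false remainder) rather than adding a second, conflicting line for the same module; a commented-out line starts with "#" as its first field and is never matched.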
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN007660 - The Bluetooth protocol handler must be disabled or not installed.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000315 - The Bluetooth kernel module must be disabled.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NIST FISMA (SP 800-53)
• AC-18 - Wireless Access Restrictions
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.14.3 - Disable Bluetooth Kernel Modules
Disable CPU Throttling
Disables the cpuspeed daemon which uses hardware support to throttle the CPU when the system is idle. If CPU power optimization is
necessary, do not use this module.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.15.3 - CPU Throttling (cpuspeed)
NVD CCE
• CCE-4051-9
Disable HAL Daemon
Disables the Hardware Abstraction Layer (HAL) daemon (haldaemon). The haldaemon provides a dynamic way of managing device
interfaces. It automates device configuration and provides an API for making devices accessible to applications through the D-Bus
interface. Since HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations, it should be disabled
unless necessary.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.13.2 - HAL Daemon (haldaemon)
NVD CCE
• CCE-4364-6
Disable IA32 Microcode Utility
Disables the IA32 Microcode utility. This module will prevent the utility from running during system startup. The utility is for use
with Intel IA32 processors (Pentium™ Pro, PII, Celeron™, PIII, Xeon™, Pentium 4, etc.).
Upon invocation, this module will examine /proc/cpuinfo to determine what types of processors (CPUs) are present. The module
looks for the following lines and if the 'cpu family' is less than 6, the module will not disable the IA32 microcode utility.
vendor_id : GenuineIntel
cpu family : 6
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.8 - IA32 Microcode Utility (microcode_ctl)
NVD CCE
• CCE-4356-2
Disable IRDA Service
Disable the Infrared Data Association (IrDA) service.
Operating Systems            Package      Service Name
Red Hat Enterprise Linux 5   irda-utils   irda
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NIST FISMA (SP 800-53)
• AC-18 - Wireless Access Restrictions
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.16.1 - Disable the irda Service if Possible
NVD CCE
• CCE-18244-4
Disable IRQ Balance Service
In a server environment with multiple processors, the IRQ Balance Service is useful and should be left enabled. However, if a machine
has only one processor, the service should be disabled.
The goal of the service is to optimize the balance between power savings and performance through distribution of hardware interrupts
across multiple processors.
SINGLE CPU SYSTEMS
For systems with only a single CPU, this service is not useful and should be turned OFF.
MULTIPLE CPU SYSTEMS
For systems with multiple CPUs, this service is useful and should be turned ON.
This module detects how many CPUs are present and enforces the correct behavior.
Operating Systems            Service Names
Fedora 10, 11, 12, and 13    irqbalance
Red Hat Enterprise Linux 4   irqbalance
Red Hat Enterprise Linux 5   irqbalance
Red Hat Enterprise Linux 6   irqbalance
SUSE 10 and 11               irq_balancer
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.3 - Interrupt Distribution on Multiprocessor Systems (irqbalance)
NVD CCE
• CCE-4123-6
Disable Kudzu
Kudzu is Red Hat’s hardware configuration daemon. The daemon allows anyone with console access to reconfigure the system’s
hardware without authentication.
The use of any system configuration tool that does not require prior authentication is strongly discouraged.
Operating Systems            Package   Service Names
Fedora 10, 11, 12, and 13    kudzu     kudzu
Red Hat Enterprise Linux 4   kudzu     kudzu
Red Hat Enterprise Linux 5   kudzu     kudzu
Red Hat Enterprise Linux 6   No related packages or services were found on the distribution CD, Extra Packages
                             for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6)
                             subscription channel. This module looks for the same packages and services as it does
                             for Red Hat Enterprise Linux 5. If you have identified specific packages and services,
                             please contact the customer support team at [email protected].
Solaris 10                   Operating System Not Applicable
SUSE 10 and 11               Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NIST FISMA (SP 800-53)
• AC-19 - Access Control for Portable and Mobile Systems
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.6 - Kudzu Hardware Probing Utility (kudzu)
NVD CCE
• CCE-4211-9
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Power Management
Disables the power management service. If the system is not a laptop, it is recommended to disable the service.
Operating Systems            Package    Service Names
Fedora 10, 11, 12, and 13    apmd       apmd
Red Hat Enterprise Linux 4   apmd       apmd
Red Hat Enterprise Linux 5   apmd       apmd
Red Hat Enterprise Linux 6   No related packages or services were found on the distribution CD, Extra Packages
                             for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6)
                             subscription channel. This module looks for the same packages and services as it does for
                             Red Hat Enterprise Linux 5. If you have identified specific packages and services, please
                             contact the customer support team at [email protected].
SUSE 10 and 11               sysvinit   powerd (UPS monitoring daemon)
Solaris 10                   SUNWpmu    svc:/system/power:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.15.1 - Advanced Power Management Subsystem (apmd)
NVD CCE
• CCE-4289-5
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable SMART Disk Monitoring Support
Disable SMART disk monitoring support (smartd). SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of
hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. Leave this service running if the
system’s hard drives are SMART-capable. Otherwise, disable it.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.11 - SMART Disk Monitoring Support (smartd)
NVD CCE
• CCE-3455-3
Disable USB and PCMCIA Devices
Disables USB and PCMCIA ports on the system. USB and PCMCIA ports are used to attach PCMCIA cards, USB drives, and
memory devices.
Operating Systems                         Configuration Files                       Setting
Red Hat Enterprise Linux 4                If the “pcmcia-cs” package is installed.  Disable the “pcmcia” service.
Fedora 10, 11, 12, and 13                 /boot/grub/grub.conf                      Set either the nousb or nousbstorage
Red Hat Enterprise Linux 5                                                          option for the default kernel. This is
Red Hat Enterprise Linux 6                                                          performed using the grubby(8) utility.
Red Hat Enterprise Linux 5.2+ (zSeries)   GRUB is not used on IBM zSeries platforms. Instead the zSeries Initial Program
                                          Loader (z/IPL) is used. Currently, the Security Blanket development team knows of
                                          no way of passing the nousb or nousbstorage option to the default kernel with z/IPL.
Solaris 10                                /etc/system                               exclude: scsa2usb
                                                                                    exclude: pcmcia
SUSE 10 and 11                            /etc/modprobe.conf                        remove usb-storage /sbin/modprobe -r usb-storage
On Solaris, this module prevents the USBA (Solaris USB Architecture) compliant nexus driver from loading in the global zone; the
PCMCIA nexus driver is likewise prevented from loading. For more information, see pcmcia(7D) [http://docs.sun.com/app/docs/
doc/816-5177/pcmcia-7d?a=view] or scsa2usb(7D) [http://docs.sun.com/app/docs/doc/816-5177/scsa2usb-7d?a=view].
Module Options
• Disable USB device support.
Whether all USB devices should be disabled, or only USB storage, in the grub.conf file. Note that on more recent Linux versions option 2
(USB storage only) may have no effect, because the USB subsystem may be built into the kernel instead of being loaded on demand.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.7 - Disable PCMCIA and USB
DISA Red Hat 5 STIG (v1R4)
• GEN008460 - The system must have USB disabled unless needed.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NIST FISMA (SP 800-53)
• AC-20 - Personally Owned Information Systems
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.2.2.1 - Disable Modprobe Loading of USB Storage Driver
NVD CCE
• CCE-4187-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Security Blanket® Modules Guide
Export Controlled - See Sheet 1
148
Chapter 16. User Session Management
Lock Account after Three Failed Login Attempts
Accounts are often compromised through the use of brute force account name and password guessing attempts. These attempts can be
partially prevented by implementing account locking on your system. When an attacker attempts to force open an account, the account
becomes locked after three failed login attempts.
Enabling account locking for user accounts introduces the potential for a denial of service on user accounts. A locked account stays
locked until the administrator resets the account.
Operating Systems            Configuration Files
Fedora 10                    /etc/pam.d/system-auth
Red Hat Enterprise Linux 4   /etc/pam.d/system-auth
Red Hat Enterprise Linux 5   /etc/pam.d/system-auth
Fedora 11, 12, and 13        /etc/pam.d/system-auth and /etc/pam.d/password-auth
Red Hat Enterprise Linux 6   /etc/pam.d/system-auth and /etc/pam.d/password-auth
SUSE 10 and 11               /etc/pam.d/login
Setting (all Linux systems above): Ensure auth and account lines use the pam_tally(8) or pam_tally2(8) library as appropriate
(varies by system) to enforce a limit of 3 failed logins before locking the account.

Operating Systems            Configuration Files          Setting
Solaris 10                   /etc/default/login           RETRIES=3
                             /etc/security/policy.conf    LOCK_AFTER_RETRIES=YES
Manually Resetting Accounts After Excessive Failed Login Attempts
Linux administrators can reset locked accounts by issuing the pam_tally or pam_tally2 command as illustrated below:
linux# pam_tally --user username --reset=0
Solaris administrators can unlock accounts by issuing the following command:
solaris# passwd -u username
By default, the root account is exempt from lockout. Account lockout can be disabled for other accounts with the following Solaris
command:
solaris# usermod -K lock_after_retries=no username
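A scan-style check for the Linux setting above, as an added example (not Security Blanket's own code): it verifies that a PAM configuration file carries an auth entry for pam_tally.so or pam_tally2.so with a deny= value at or below the limit, and an account entry for the same module so that a successful login resets the counter. The two PAM fragments are constructed for the demonstration and are not copied from any distribution.

```shell
#!/bin/sh
# Added example, not Security Blanket's own code: check that a PAM file
# enforces a failed-login lockout with pam_tally or pam_tally2.
#
# pam_lockout_ok FILE [LIMIT]
# Exits 0 when FILE has an "auth" line naming pam_tally.so or pam_tally2.so
# with deny=N where 1 <= N <= LIMIT (default 3), and an "account" line for
# the same module family. Exits 1 otherwise. The module may be given with a
# full path, and the control field may be a bracketed list, so the module
# name is located by scanning the fields rather than by position.
pam_lockout_ok() {
    file=$1; limit=${2:-3}
    awk -v limit="$limit" '
        $1 == "auth" || $1 == "account" {
            mod = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /pam_tally2?\.so$/) mod = i
            if (!mod) next
            if ($1 == "account") acct = 1
            if ($1 == "auth") {
                # Options follow the module name; look for deny=N.
                for (i = mod + 1; i <= NF; i++)
                    if ($i ~ /^deny=[0-9]+$/) {
                        n = substr($i, 6) + 0
                        if (n >= 1 && n <= limit) auth = 1
                    }
            }
        }
        END { exit !(auth && acct) }' "$file"
}

# Print a human-readable verdict for one file.
report_lockout() {
    if pam_lockout_ok "$1" "${2:-3}"; then
        echo "pass: $1 locks accounts after at most ${2:-3} failed logins"
    else
        echo "FAIL: $1 does not enforce a ${2:-3}-attempt lockout with pam_tally/pam_tally2"
    fi
}

# Constructed sample: a system-auth style fragment that meets the rule.
GOOD=${TMPDIR:-/tmp}/sb-pam-good.$$
cat > "$GOOD" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF

# Constructed sample: the tally line is commented out, so no lockout applies.
BAD=${TMPDIR:-/tmp}/sb-pam-bad.$$
cat > "$BAD" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
#auth       required      pam_tally2.so deny=3 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
EOF

report_lockout "$GOOD" 3
report_lockout "$BAD" 3
rm -f "$GOOD" "$BAD"
```

Requiring the account line as well as the auth line matters in practice: with pam_tally2 the counter is only reset on a successful login by the account entry, so a file with the auth line alone locks users out after three cumulative failures over the account's lifetime rather than three consecutive ones.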
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.2.a(16)(c) - Session Control - Limit retry on logon as technically feasible (PL2)
• 4.B.3.a(20)(c)
DHS Linux Configuration Guidance (2010.8)
• 3.1 - Password Settings
DISA Red Hat 5 STIG (v1R4)
• GEN000460 - The system must disable accounts after three consecutive unsuccessful login attempts.
DISA UNIX STIG (v5 R1.30)
• GEN000460 - Three Failed Login Attempts
DoD JAFAN 6/3 (Oct 2004)
• 4.B.2.a(17)(c)
• 4.B.3.a(20)(c)
DoD NISPOM (Feb 2006)
• 8.609a2 - Successive Logon Attempts
NIST FISMA (SP 800-53)
• AC-7 - Unsuccessful Login Attempts
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.3.2 - Set Lockouts for Failed Password Attempts
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.5.13 - Limit repeated access attempts by locking out the user ID after not more than six attempts.
Set CDE Screen Saver
Configures timeout and activation values for the screen saver program for all Solaris Common Desktop Environment (CDE) users.
It is recommended to set the timeout parameter to no more than 10 minutes.
Operating Systems            Package    Configuration Files              Settings
Fedora 10, 11, 12, and 13    Operating System Not Applicable
Red Hat Enterprise Linux 4   Operating System Not Applicable
Red Hat Enterprise Linux 5   Operating System Not Applicable
Red Hat Enterprise Linux 6   Operating System Not Applicable
SUSE 10 and 11               Operating System Not Applicable
Solaris 10                   SUNWdtwm   /usr/dt/config/*/sys.resources   dtsession*saverTimeout: and
                                                                         dtsession*lockTimeout:
Module Options
• Number of minutes a graphical CDE session can be idle before a password protected screen saver is activated.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DISA UNIX STIG (v5 R1.30)
• GEN000500 - Inactivity
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DoD NISPOM (Feb 2006)
• 8.609b2 - User Inactivity
NIST FISMA (SP 800-53)
• AC-11 - Session Lock
PCI DSS (v2.0)
• 8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
Set Delay after Failed Login
Controls login delay between login prompts after a failed login. The recommended parameter is at least four seconds.
Recent DISA STIGs and other technical documents indicate that the FAIL_DELAY (Linux) and SLEEPTIME (Solaris) settings have
been deprecated. This module is provided to avoid false positives reported by third-party scanners.
Operating Systems            Configuration Files   Setting
Fedora 10, 11, 12, and 13    /etc/login.defs       FAIL_DELAY
Red Hat Enterprise Linux 4   /etc/login.defs       FAIL_DELAY
Red Hat Enterprise Linux 5   /etc/login.defs       FAIL_DELAY
Red Hat Enterprise Linux 6   /etc/login.defs       FAIL_DELAY
SUSE 10 and 11               /etc/login.defs       FAIL_DELAY
Solaris 10                   /etc/default/login    SLEEPTIME
Module Options
• The number of seconds the system will wait after a failed login before redisplaying the login prompt.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN000480 - The delay between login prompts following a failed login attempt must be at least 4 seconds.
DISA UNIX STIG (v5 R1.30)
• GEN000480 - Login Delay
DoD NISPOM (Feb 2006)
• 8.609a2 - Successive Logon Attempts
NIST FISMA (SP 800-53)
• AC-7 - Unsuccessful Login Attempts
Set Mandatory Screen Saver
Configures mandatory timeout and activation values for the screen saver program for all users of the GNOME desktop.
It is recommended to set the timeout parameter to no more than 15 minutes.
Commands used to retrieve the current screen saver settings:
gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--get /apps/gnome-screensaver/idle_activation_enabled
gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--get /apps/gnome-screensaver/lock_enabled
gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--get /apps/gnome-screensaver/mode
gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--get /apps/gnome-screensaver/idle_delay
Commands used to set the screen saver:
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool --set /apps/gnome-screensaver/idle_activation_enabled true
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool --set /apps/gnome-screensaver/lock_enabled true
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string --set /apps/gnome-screensaver/mode blank-only
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int --set /apps/gnome-screensaver/idle_delay 15
The 15 applied to the idle_delay parameter will be replaced with the option value provided to the profile.
Module Options
• Number of minutes a graphical GNOME session can be idle before a password protected screen saver is activated.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DISA Red Hat 5 STIG (v1R4)
• GEN000500 - Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and
the system must require users to re-authenticate to unlock the environment.
• GEN000500-2 - The graphical desktop environment must set the idle timeout to no more than 15 minutes.
• GEN000500-3 - Graphical desktop environments provided by the system must have automatic lock enabled.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000257 - The graphical desktop environment must set the idle timeout to no more than 15 minutes.
• RHEL-06-000258 - The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must
require user to re-authenticate to unlock the environment.
• RHEL-06-000259 - The graphical desktop environment must have automatic lock enabled.
• RHEL-06-000260 - The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
DISA UNIX STIG (v5 R1.30)
• GEN000500 - Inactivity
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DoD NISPOM (Feb 2006)
• 8.609b2 - User Inactivity
NIST FISMA (SP 800-53)
• AC-11 - Session Lock
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.5.6.1 - Configure GUI Screen Locking
NVD CCE
• CCE-14023-6
• CCE-14604-3
• CCE-14735-5
• CCE-3315-9
• CCE-3910-7
PCI DSS (v2.0)
• 8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
Set Shell Timeout Period
Sets shell session timeout. Any shell session that is idle for longer than the specified time is disconnected.
The timeout value is specified in seconds and the recommended time is 900 seconds (or 15 minutes).
For accounts that require the running of long batch jobs with no terminal output, override this by setting TMOUT=0 for Bourne/bash/
Korn shells and autologout for csh/tcsh shells. An example of this situation is a database account running large batch
jobs. A better method is to make the scripts more verbose so that output activity is more visible.
Important
Previous versions of this module created the /etc/profile.d/sb-timeout.sh and /etc/profile.d/sbtimeout.csh files as the remediation. The new names for the remediation files are /etc/profile.d/tmout.sh and
/etc/profile.d/autologout.csh, to better match the compliancy guidelines, several of which specify these files
by name.
Module Options
• Number of seconds a shell can be idle before the system automatically terminates the session.
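The remediation files this module writes, and a scan that reads the resulting TMOUT back, as an added shell example (not the module's own code). It assumes the file contents the cited guidelines call for (a TMOUT=<seconds> assignment for sh/bash/ksh in tmout.sh and set autologout=<minutes> for csh/tcsh in autologout.csh); the directory argument, the function names and the scratch files are the example's own so it can be run outside /etc/profile.d.

```shell
#!/bin/sh
# Added example: write the shell-timeout remediation files and scan them back.
# Assumed contents: tmout.sh sets TMOUT=<seconds> (sh/bash/ksh) and
# autologout.csh sets autologout=<minutes> (csh/tcsh). $1 is the target
# directory so the example can be run against a scratch directory instead of
# /etc/profile.d.

sb_write_shell_timeout() {
  dir=$1; secs=$2
  mins=$(( (secs + 59) / 60 ))          # csh autologout is in minutes; round up
  # TMOUT is deliberately NOT made readonly here: a batch account that sets
  # TMOUT=0 in its own profile (the override described above) would otherwise
  # get "TMOUT: readonly variable" and keep the limit. If that override is not
  # needed, add "readonly TMOUT" so interactive users cannot switch it off.
  printf 'TMOUT=%s\nexport TMOUT\n' "$secs" > "$dir/tmout.sh"
  printf 'set autologout=%s\n' "$mins" > "$dir/autologout.csh"
  chmod 0644 "$dir/tmout.sh" "$dir/autologout.csh"
}

# Scan: PASS if $1 leaves TMOUT set to a value between 1 and $2 seconds.
# The last assignment in the file wins, as it does when the shell sources it.
# An unreadable file, TMOUT=0 (disabled) or a value above the limit is FAIL.
sb_check_shell_timeout() {
  file=$1; limit=$2
  [ -r "$file" ] || { echo FAIL; return 0; }
  val=$(awk -F= '/^[[:space:]]*(export[[:space:]]+)?TMOUT=/ { v = $2; gsub(/[^0-9]/, "", v) }
                 END { print v }' "$file")
  if [ -n "$val" ] && [ "$val" -gt 0 ] && [ "$val" -le "$limit" ]; then
    echo PASS
  else
    echo FAIL
  fi
}

# Demonstration against a scratch directory (constructed, not /etc/profile.d).
demo=$(mktemp -d)
sb_write_shell_timeout "$demo" 900
echo "tmout.sh:       $(sb_check_shell_timeout "$demo/tmout.sh" 900)"
printf 'TMOUT=0\n' > "$demo/batch-override.sh"
echo "batch override: $(sb_check_shell_timeout "$demo/batch-override.sh" 900)"
rm -rf "$demo"
```

The scan deliberately treats TMOUT=0 as a failure even though the text above allows it for batch accounts: a per-account override belongs in that account's own profile, not in the system-wide file this module manages.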
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
• 4.B.3.a(20)(b)
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
• 4.B.3.a(20)(b)
DoD NISPOM (Feb 2006)
• 8.609b2 - User Inactivity
NIST FISMA (SP 800-53)
• AC-12 - Session Termination
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.5.5 - Implement Inactivity Time-out for Login Shells
NVD CCE
• CCE-3689-7
• CCE-3707-7
PCI DSS (v2.0)
• 8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
Set X Screen Saver Application Defaults
Configures the default timeout and activation values for the X screen saver program.
It is recommended to set the timeout parameter to no more than 10 minutes.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Configuration File: /usr/share/X11/app-defaults/XScreenSaver
Setting:
    *lock: true
    *lockTimeout: 0:00:00
    *timeout: 0:MM:00

Operating Systems: Solaris 10
Configuration File: /usr/openwin/lib/app-defaults/XScreenSaver
Setting: the same three resources as above

MM is the idle time in minutes taken from the module option.
The Solaris variant of this module also checks that the SUNWxwsvr package is installed; otherwise, it reports not applicable.
Module Options
• Number of minutes a graphical X Windows session can be idle before a password protected screen saver is activated.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DISA UNIX STIG (v5 R1.30)
• GEN000500 - Inactivity
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(5) - Screen Lock
• 4.B.1.a(5)(a) - Screen Lock - Maximum Idle Time will be 15 minutes
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
DoD NISPOM (Feb 2006)
• 8.609b2 - User Inactivity
NIST FISMA (SP 800-53)
• AC-11 - Session Lock
PCI DSS (v2.0)
• 8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
Chapter 17. Remote Access Services
Configure Xinetd Logging
Verifies that the indicated logging settings are present in the /etc/xinetd.conf file and, optionally, in every file in the
/etc/xinetd.d directory.
Module Options
• Required line for log_type
• Required line for log_on_success
• Required line for log_on_failure
• Add to all /etc/xinetd.d/* files if missing?
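What the three "required line" options and the "add to all /etc/xinetd.d/* files" option amount to, as an added shell example that is not the product's code. It assumes the xinetd.conf(5) layout (a "defaults" or "service <name>" keyword followed by a { ... } block of "key = value" or "key += value" lines); the function names and the sample configuration are the example's own.

```shell
#!/bin/sh
# Added example: ensure a required "key = value" line in an xinetd
# configuration block, and the matching scan. Function names are the example's
# own; the file format is xinetd.conf(5): "defaults" or "service <name>"
# followed by a { ... } block of "key = value" / "key += value" lines.

# Ensure the whole line $2 (e.g. "log_type = SYSLOG authpriv info") is present
# in every defaults/service block of file $1. The first word of $2 is the key:
# an existing "key = ..." or "key += ..." line in a block is replaced in place,
# duplicates are dropped, and a block without the key gets the line before its
# closing brace. A file with no block at all gets a new defaults block.
sb_xinetd_require() {
  file=$1; line=$2
  key=${line%% *}
  tmp=$(mktemp)
  awk -v k="$key" -v line="$line" '
    $1 == "defaults" || $1 == "service" { in_blk = 1; seen = 0; any = 1 }
    in_blk && $1 == k && ($2 == "=" || $2 == "+=") {
      if (!seen) { print "\t" line; seen = 1 }
      next
    }
    in_blk && $1 == "}" { if (!seen) print "\t" line; in_blk = 0; seen = 1 }
    { print }
    END { if (!any) print "defaults\n{\n\t" line "\n}" }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"      # keep the original inode, owner and mode
  rm -f "$tmp"
}

# Scan: PASS if $1 contains line $2 once leading, trailing and internal
# whitespace is normalised, FAIL otherwise.
sb_xinetd_check() {
  if awk '{ $1 = $1; print }' "$1" | grep -Fxq -- "$2"; then echo PASS; else echo FAIL; fi
}

# The "add to all /etc/xinetd.d/* files if missing" option: apply the same line
# to every regular file in directory $1.
sb_xinetd_require_all() {
  dir=$1; line=$2
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    sb_xinetd_require "$f" "$line"
  done
}

# Demonstration on a constructed xinetd.conf (not the live /etc/xinetd.conf).
demo=$(mktemp)
printf 'defaults\n{\n\tinstances = 60\n\tlog_type = FILE /var/log/xinetd.log\n}\nincludedir /etc/xinetd.d\n' > "$demo"
sb_xinetd_require "$demo" "log_type = SYSLOG authpriv info"
sb_xinetd_require "$demo" "log_on_success = PID HOST EXIT"
sb_xinetd_require "$demo" "log_on_failure = HOST"
cat "$demo"
rm -f "$demo"
```

Replacing an existing log_type line rather than appending a second one matters: xinetd takes the last value of a plain "=" assignment, so a stray "log_type = FILE ..." left below the required line would silently win.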
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003800 - Inetd or xinetd logging/tracing must be enabled.
DISA UNIX STIG (v5 R1.30)
• GEN003800 - inetd Logging
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Finger
Disables the Finger service. If left enabled, this service can be used by remote systems to obtain information about users.
This service is not part of the base operating system installation and is rarely used.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003860 - The system must not have the finger service active.
DISA UNIX STIG (v5 R1.30)
• GEN003860 - The finger Service Is Enabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Graphical Login
Disables the graphical login manager by changing the system's default run-level from 5 to 3 in /etc/inittab. When the machine
is rebooted, a text login is provided instead of a graphical login.
On Linux systems, this module replaces the id:5:initdefault: line with id:3:initdefault: in the /etc/inittab file.
On Solaris systems, this module disables the svc:/application/graphical-login/cde-login:default service.
If you plan on using the Security Blanket graphical interface, you can still start a graphical session from the text login with the startx command.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005260 - X Window System connections not required must be disabled.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000290 - X Windows must not be enabled unless required.
DISA UNIX STIG (v5 R1.30)
• GEN005260 - X Window System Not Required and Not Disabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.6.1.1 - Disable X Windows at System Boot
NVD CCE
• CCE-4462-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable ISDN
Disables the ISDN service. If your system does not connect to an Integrated Services Digital Network (ISDN), it is recommended that
you disable the service.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6
Package: isdn4k-utils
Service Name: isdn

Operating Systems: SUSE 10 and 11
Package: capi4linux
Service Name: isdn

Operating Systems: Solaris 10
Not part of the standard Solaris operating system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.4 - ISDN Support (isdn)
NVD CCE
• CCE-14825-4
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Login Prompts on Serial Ports
Disables the login prompt on the system serial devices to make it more difficult for unauthorized users to attach modems, terminals,
and other remote access devices to these ports.
On Solaris systems, this action may safely be performed even if console access to the system is provided via the serial ports, because
the login prompt on the console device is provided through a different mechanism.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Scan Method: Does every /dev/ttyS[0-4] serial device file have a corresponding /etc/nologin.ttyS[0-4] file? If not, the scan fails.
Apply Method: Create empty /etc/nologin.ttyS[0-4] files.

Operating Systems: Solaris 10
Scan Method: Execute /usr/sbin/pmadm -L -p zsmon to see whether any service tags do not have the disable flag (x) set.
Apply Method: Use the /usr/sbin/pmadm -d -p zsmon -s tty? command to disable each service tag.
WARNING: Linux Systems
It is strongly recommended that you maintain a network login to the system before applying this module for the first time. If
you must use a serial terminal for console access, then do not use this module.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Remote Exec (rexec)
Disables rexec, which is one of the r-commands (rexec, rlogin, rsh) that use unencrypted protocols and are subject to network sniffing
and hijacking. Additionally, they have a number of well known weaknesses in their authentication scheme.
It is recommended to always disable rexec. SSH was designed to be a drop-in replacement for these protocols.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003840 - The rexec daemon must not be running.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000216 - The rexecd service must not be running.
DISA UNIX STIG (v5 R1.30)
• GEN003840 - The rexec Service Is Enabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
• 2.3 - Encrypt all non-console administrative access
• 8.4 - Render all passwords unreadable during transmission and storage on all system components.
Disable Remote Login (rlogin)
Disables rlogin, which is one of the r-commands (rexec, rlogin, rsh) that use unencrypted protocols and are subject to network sniffing
and hijacking. Additionally, they have a number of well known weaknesses in their authentication scheme.
It is recommended to always disable rlogin. SSH was designed to be a drop-in replacement for these protocols.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003830 - The rlogind service must not be running.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000218 - The rlogind service must not be running.
DISA UNIX STIG (v5 R1.30)
• GEN003820 - Remote Login or Shell Is Enabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
• 2.3 - Encrypt all non-console administrative access
• 8.4 - Render all passwords unreadable during transmission and storage on all system components.
Disable Remote Shell (rsh)
Disables rsh, which is one of the r-commands (rexec, rlogin, rsh) that use unencrypted protocols and are subject to network sniffing
and hijacking. Additionally, they have a number of well known weaknesses in their authentication scheme.
It is recommended to always disable rsh. SSH was designed to be a drop-in replacement for these protocols.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003820 - The rsh daemon must not be running.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000214 - The rshd service must not be running.
DISA UNIX STIG (v5 R1.30)
• GEN003820 - Remote Login or Shell Is Enabled
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
• 2.3 - Encrypt all non-console administrative access
• 8.4 - Render all passwords unreadable during transmission and storage on all system components.
Disable Rhosts Support
Disables support for .rhosts files. Some login services (such as rlogin or rsh) can optionally use .rhosts files for authentication.
It is recommended to apply this module because .rhosts authentication is weak.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Configuration Files: /etc/pam.d/*
Setting: Remove lines with pam_rhosts

Operating Systems: Solaris 10
Configuration File: /etc/pam.conf
Setting: Remove lines with pam_rhosts_auth
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002100 - The .rhosts file must not be supported in PAM.
DISA UNIX STIG (v5 R1.30)
• GEN002100 - The .rhosts Supported in PAM
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.2.3.2 - Remove .rhosts Support from PAM Configuration Files
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Disable Telnet
Disables Telnet, which uses an unencrypted network protocol that allows passwords to be stolen by network eavesdroppers or the
session to be hijacked by outsiders.
It is recommended to always disable Telnet service. SSH provides the same functionality in a secure manner and it is a better choice.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Package: telnet-server
Service Name: telnet

Operating Systems: Solaris 10
Package: SUNWtnetr
Service Name: svc:/network/telnet:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN003850 - The telnet daemon must not be running.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000211 - The telnet daemon must not be running.
DISA UNIX STIG (v5 R1.30)
• GEN004800 - Unencrypted FTP or Telnet
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NIST FISMA (SP 800-53)
• AC-17 - Remote Access
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
• 2.3 - Encrypt all non-console administrative access
• 8.4 - Render all passwords unreadable during transmission and storage on all system components.
Remove rsh Authorization Files
The /etc/hosts.equiv file and the .rhosts file in each user's home directory can bypass the system's authentication mechanism,
allowing a user to log in from a "trusted" machine without a password. This module deletes those files.
The entire rsh/rlogin/rexec set of services should not be used, and many guidelines recommend removing these packages if at
all possible. This module reduces the risk of these services if they must be used at all.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000019 - There must be no .rhosts or hosts.equiv files on the system.
Restrict Remote X Clients
Restricts remote X clients. An X server listens on TCP port 6000 plus its display number (6000 for display :0) for connections from
remote clients. The X authentication protocol is relatively weak, and an attacker who gains unauthorized access to the local X server
can compromise the system. Adding the "-nolisten tcp" argument to the server command line disables the TCP listener.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Configuration File (or service) and Setting:
  /etc/X11/xdm/Xservers - the /usr/X11R6/bin/X and /usr/bin/X entries must have the -nolisten tcp argument.
  /etc/X11/gdm/gdm.conf - DisallowTCP=True
  /etc/gdm/gdm.conf - DisallowTCP=True

Operating Systems: Solaris 10
Configuration File (or service) and Setting:
  /etc/X11/xinit/xserverrc - exec X entries have the -nolisten tcp argument.
  svc:/application/x11/x11-server - service property tcp_listen is set to false.
  /etc/X11/gdm/gdm.conf - DisallowTCP=True is set under the [security] section and Enable=False is set in the [xdmcp] section.
If none of the configuration files exist, this module reports a pass.
If neither the SUNWgnome-display-mgr-root nor the SUNWxwplt package is installed, the module is not applicable. This module sets the
tcp_listen property using the svccfg(1M) utility as follows:
svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = false
If remote clients need access to the local X server, forward the X connection through SSH (X11 forwarding), which is the preferred
and more secure method.
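The scan side of this module for the Linux files, as an added shell example (not the product's code). It reads gdm.conf section by section, so a DisallowTCP line that sits outside [security] is not credited, and it checks every uncommented X server launch line for -nolisten tcp. The function names, the treatment of a missing file as a pass (matching the module's stated behaviour) and the sample files are the example's own.

```shell
#!/bin/sh
# Added example: section-aware gdm.conf check and Xservers/xserverrc check
# for the "-nolisten tcp" / DisallowTCP settings. Standalone shell, not the
# product's code; function names are the example's own.

# Value of key $3 in INI section $2 of file $1 (first hit), empty if absent.
# "#" and ";" lines are comments; whitespace around key and value is ignored.
sb_ini_get() {
  awk -v s="$2" -v k="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/   { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec); next }
    sec == s && index($0, "=") {
      key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
      if (key == k) {
        val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
        print val; exit
      }
    }' "$1"
}

# gdm.conf: DisallowTCP=True under [security] and Enable=False under [xdmcp].
# gdm accepts true/True/1 and false/False/0, so compare case-insensitively.
sb_check_gdm() {
  disallow=$(sb_ini_get "$1" security DisallowTCP | tr 'A-Z' 'a-z')
  xdmcp=$(sb_ini_get "$1" xdmcp Enable | tr 'A-Z' 'a-z')
  case "$disallow/$xdmcp" in
    true/false|true/0|1/false|1/0) echo PASS ;;
    *) echo FAIL ;;
  esac
}

# Xservers / xserverrc: every uncommented line that starts the X server binary
# (a path ending in /bin/X... or an "exec X" line) must carry "-nolisten tcp".
# A missing file is PASS, matching the module's "no config file" behaviour.
sb_check_xservers() {
  [ -r "$1" ] || { echo PASS; return 0; }
  awk '
    /^[[:space:]]*#/ { next }
    (/\/bin\/X/ || /(^|[[:space:]])exec[[:space:]]+X/) && !/-nolisten[[:space:]]+tcp/ { bad = 1 }
    END { print (bad ? "FAIL" : "PASS") }' "$1"
}

# Demonstration on constructed files (not the live /etc/X11 configuration).
g=$(mktemp); x=$(mktemp)
printf '[daemon]\nDisallowTCP=true\n[security]\nAllowRoot=false\n[xdmcp]\nEnable=false\n' > "$g"
printf ':0 local /usr/bin/X :0 vt7\n' > "$x"
echo "gdm.conf (DisallowTCP in wrong section): $(sb_check_gdm "$g")"
echo "Xservers (no -nolisten tcp):             $(sb_check_xservers "$x")"
rm -f "$g" "$x"
```

The wrong-section case is the one a plain grep for DisallowTCP gets wrong, and it is also the case a third-party scanner is most likely to disagree with you about.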
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.12.1 - Disable the Listener under X11
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.6.1.3.2 - Disable X Window System Listening
NVD CCE
• CCE-4074-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
SSH Disable GSSAPI Authentication
Configures the secure shell client to not accept GSSAPI authentication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/ssh_config
Setting: GSSAPIAuthentication no
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 5 STIG (v1R4)
• GEN005525 - The SSH client must not permit GSSAPI authentication unless needed.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSH Parameters
Configures the secure shell (SSH) client to use only protocol version 2 on outbound connections by default. Version 1 of the SSH
protocol has known weaknesses and vulnerabilities.
The default SSH behavior is for the client and server to negotiate a protocol version 2 connection before falling back to a version 1
connection. This module limits the negotiation to protocol version 2 only.
Tip
Some older network devices only support version 1, for example an old router with legacy firmware. If you cannot upgrade
the device but must connect to it, you can force protocol version 1 for that one connection with the "-1" option on the ssh
command line. See the ssh(1) manual page for more details.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 4.5.1 - Limit SSH Protocol Use to Version 2
DISA Red Hat 5 STIG (v1R4)
• GEN005501 - The SSH client must be configured to only use the SSHv2 protocol.
DISA UNIX STIG (v5 R1.30)
• GEN005500 - SSH Version 1 Compatibility
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSH Restrict Ciphers
Configures the secure shell client to use only FIPS 140-2 ciphers. These are ciphers whose names start with '3des' or 'aes' and that
are not Cipher-Block Chaining (CBC) based ciphers.
For all operating systems, the /etc/ssh/ssh_config file is examined. If present, the value of the 'Ciphers' setting is
examined. If the setting does not exist, it is created with the default values found in the Linux and Solaris ssh_config manual pages.
Each cipher name is compared to the restrictions in the options. It is retained only if it passes all of the restrictions. An
empty restriction is ignored.
As an example, suppose the only acceptable ciphers are those that start with '3des' or 'aes' and do not end with 'cbc'. This example is
taken from the RHEL5 STIG line items GEN005510 (start with '3des' or 'aes') and GEN005511 (not ending with 'cbc'). The options
would be as follows (the leading '!' marks the negated restriction):
• Cipher must (not) start with: 3des aes
• Cipher must (not) contain:
• Cipher must (not) end with: !cbc
For Linux, the default allowed cipher is 'aes128-ctr'.
Module Options
• Cipher must (not) start with
Acceptable ciphers must start with one of the following entries. A leading '!' indicates that the cipher must not start with that text.
• Cipher must (not) contain
Acceptable ciphers must contain one of the following entries. A leading '!' indicates that the cipher must not contain that text.
• Cipher must (not) end with
Acceptable ciphers must end with one of the following entries. A leading '!' indicates that the cipher must not end with that text.
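The filter the three options describe, carried through to a rewritten Ciphers line, as an added shell example that is not the product's code. The restriction semantics (space-separated entries, a leading '!' negating an entry, an empty list ignored, a cipher kept only when it passes all three lists) follow the module description above; the fallback list used when ssh_config has no Ciphers line is an assumption taken from the OpenSSH 5.x ssh_config(5) default, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: the cipher filter this module describes, as standalone shell
# (not the product's code). Restriction lists are space separated; a leading
# "!" negates an entry; an empty list is ignored. A cipher passes a list when
# it matches at least one positive entry (if any) and no negated entry.
# SB_DEFAULT_CIPHERS is an assumption for the "setting does not exist" case:
# it is the Ciphers default from the OpenSSH 5.x ssh_config(5) manual page.
SB_DEFAULT_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'

# Does cipher $1 match text $2 in mode $3 (start|contain|end)?
sb_match() {
  case $3 in
    start)   case $1 in "$2"*)  return 0 ;; esac ;;
    contain) case $1 in *"$2"*) return 0 ;; esac ;;
    end)     case $1 in *"$2")  return 0 ;; esac ;;
  esac
  return 1
}

# Does cipher $1 pass restriction list $2 in mode $3?
sb_cipher_ok() {
  [ -n "$2" ] || return 0                   # empty restriction: ignored
  have_pos=0; pos_hit=0
  for r in $2; do
    case $r in
      "!"*) sb_match "$1" "${r#!}" "$3" && return 1 ;;   # forbidden text
      *)    have_pos=1; sb_match "$1" "$r" "$3" && pos_hit=1 ;;
    esac
  done
  [ "$have_pos" -eq 0 ] || [ "$pos_hit" -eq 1 ]
}

# Filter comma-separated list $1 through start/contain/end lists $2 $3 $4.
sb_filter_ciphers() {
  list=$1; start=$2; contain=$3; end=$4; out=''
  old_ifs=$IFS; IFS=,; set -- $list; IFS=$old_ifs
  for c in "$@"; do
    if sb_cipher_ok "$c" "$start" start && sb_cipher_ok "$c" "$contain" contain \
       && sb_cipher_ok "$c" "$end" end; then
      out="${out:+$out,}$c"
    fi
  done
  printf '%s\n' "$out"
}

# Apply to an ssh_config file: take the first Ciphers line (or the default list
# when there is none), filter it, drop every old Ciphers line and write the new
# one before the first "Host" block. Refuses to write an empty list, which
# would leave the client unable to connect at all. Prints the new list.
sb_restrict_ciphers_file() {
  file=$1; start=$2; contain=$3; end=$4
  current=$(awk 'tolower($1) == "ciphers" { print $2; exit }' "$file")
  [ -n "$current" ] || current=$SB_DEFAULT_CIPHERS
  new=$(sb_filter_ciphers "$current" "$start" "$contain" "$end")
  if [ -z "$new" ]; then
    echo "no cipher survives the restrictions; $file left unchanged" >&2
    return 1
  fi
  tmp=$(mktemp)
  awk -v line="Ciphers $new" '
    tolower($1) == "host" && !placed { print line; placed = 1 }
    tolower($1) == "ciphers" { next }
    { print }
    END { if (!placed) print line }' "$file" > "$tmp"
  cat "$tmp" > "$file"; rm -f "$tmp"
  printf '%s\n' "$new"
}

# The STIG example from the text: keep 3des*/aes*, drop *cbc.
echo "$(sb_filter_ciphers "$SB_DEFAULT_CIPHERS" '3des aes' '' '!cbc')"
```

Note the empty-result guard: with OpenSSH, an empty Ciphers value is a configuration error, and a restriction set that excludes everything the peer offers just moves the failure to connect time.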
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.5.2 - Disable Root Login Via SSH
DISA Red Hat 5 STIG (v1R4)
• GEN005510 - The SSH client must be configured to only use FIPS 140-2 approved ciphers.
• GEN005511 - The SSH client must be configured to not use Cipher-Block Chaining (CBC)-based ciphers.
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NVD CCE
• CCE-4387-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSH Restrict HMAC
Configures the secure shell client to use only Message Authentication Codes (MACs) that are FIPS 140-2 approved cryptographic
hash algorithms. At the current time, this list consists solely of 'hmac-sha1'.
For all operating systems, the /etc/ssh/ssh_config file will be examined. If present, the values for the 'MACs' settings will be
examined. All entries except 'hmac-sha1' will be removed. If the setting does not exist, it will be created with the value of 'hmac-sha1'.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.5.2 - Disable Root Login Via SSH
DISA Red Hat 5 STIG (v1R4)
• GEN005512 - The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2
approved cryptographic hash algorithms.
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NVD CCE
• CCE-4387-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Disable Empty Passwords
Configures the secure shell daemon to not allow logins for accounts with empty password strings.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: PermitEmptyPasswords no
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 4.5.8 - Disallow Empty Passwords under SSH
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000239 - The SSH daemon must not allow authentication using an empty password.
DoD NISPOM (Feb 2006)
• 8.303b - Authentication at Login
• 8.607e - Identification and Authentication 5 Requirements
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.3.1 - Passwords shall be a minimum of six characters
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• IA-2 - User Identification and Authentication
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.7 - Disable Empty Passwords
NVD CCE
• CCE-3660-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
• 8.2 - Password Authentication
SSHD Disable GSSAPI Authentication
Configures the secure shell daemon to not accept GSSAPI authentication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: GSSAPIAuthentication no
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 5 STIG (v1R4)
• GEN005524 - The SSH daemon must not permit GSSAPI authentication unless needed.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Disable Host-based Authentication
Configures the secure shell daemon to not accept host-based authentication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: HostbasedAuthentication no
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000236 - The SSH daemon must not allow host-based authentication.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.5 - Disable Host-Based Authentication
NVD CCE
• CCE-4370-3
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Disable Kerberos Authentication
Configures the secure shell daemon to not accept Kerberos authentication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: KerberosAuthentication no
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 5 STIG (v1R4)
• GEN005526 - The SSH daemon must not permit Kerberos authentication unless needed.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Disable Rhosts Authentication
Configures the secure shell daemon to not accept rhost-based authentication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: RhostsAuthentication no
The RhostsAuthentication is a deprecated option, but this module is provided to avoid false positives from third-party
scanners. Applying this module may result in a warning message similar to the following during system boot:
Starting sshd: /etc/ssh/sshd_config line 121: Deprecated option RhostsAuthentication
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 4.5.7 - Force Secure Shell to ignore rhosts
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.4 - Disable .rhosts Files
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Disable Rhosts RSA Authentication
Configures the secure shell daemon to not accept rhost-based authentication in concert with RSA authentication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: RhostsRSAAuthentication no
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 5 STIG (v1R4)
• GEN005538 - The SSH daemon must not allow rhosts RSA authentication.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Disable Root Login
Configures the secure shell (SSH) daemon to refuse remote connections to the server made by logging directly into the root account.
You should always prevent individuals from directly accessing the root account. It is more secure to have individuals log into their
normal account and then use the su(1) command to access the root account. When this technique is used on a system with auditing
enabled, a more detailed audit trail is provided.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: PermitRootLogin no
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.5.2 - Disable Root Login Via SSH
DISA Red Hat 5 STIG (v1R4)
• GEN001020 - The root account must not be used for direct log in.
• GEN001120 - The system must not permit root logins using remote access programs such as ssh.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000237 - The system must not permit root logins using remote access programs such as ssh.
DISA UNIX STIG (v5 R1.30)
• GEN001020 - Direct Root Login
• GEN001120 - Encrypting Root Access
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.6 - Disable root Login via SSH
NVD CCE
• CCE-4387-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Enable Banner
Configures the secure shell daemon to display a banner from the file /etc/issue.net .
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6
Configuration File: /etc/ssh/sshd_config
Setting: Banner /etc/issue.net
Operating Systems: SUSE 10 and 11; Solaris 10
Configuration File: /etc/ssh/sshd_config
Setting: Banner /etc/issue
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DHS Linux Configuration Guidance (2010.8)
• 4.5.3 - Display Secure Shell Warning Banner
DISA Red Hat 5 STIG (v1R4)
• GEN000400 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
• GEN005550 - The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000240 - The SSH daemon must be configured with the Department of Defense (DoD) login banner.
DISA UNIX STIG (v5 R1.30)
• GEN000400 - Logon Warning Banner Display
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DoD NISPOM (Feb 2006)
• 8.609a1 - User Notification
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.6 - Appropriate Use Banner
NIST FISMA (SP 800-53)
• AC-8 - System Use Notification
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.8 - Enable a Warning Banner
NVD CCE
• CCE-4431-3
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
SSHD Enable Ignore Rhosts
Configures the secure shell daemon to not accept rhosts files for login authentication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: IgnoreRhosts yes
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000234 - The SSH daemon must ignore .rhosts files.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.4 - Disable .rhosts Files
NVD CCE
• CCE-4475-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Enable X11 Forwarding
Configures the secure shell daemon to allow X11 sessions to be tunneled over the connection.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: X11Forwarding yes
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 4.5.5 - Allow X11 Forwarding under SSH
NIST FISMA (SP 800-53)
• SC-9 - Transmission Confidentiality
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
SSHD Logging Level
Configures the secure shell (SSH) daemon's logging level.
Acceptable logging levels are 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', and 'DEBUG3'.
Most guidelines recommend the logging level be set to 'VERBOSE'.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: LogLevel level
Module Options
• Logging level
Log level for the secure shell daemon (sshd).
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R5.1.2 - Generate logs of sufficient detail to create historical audit trails of individual user account access
SSHD Maximum Authentication Attempts
Set Secure Shell Server’s maximum authentication attempts permitted per connection.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: MaxAuthTries number
Module Options
• Maximum number of authentication attempts permitted per connection.
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.6 - Force Secure Shell Account Lockout
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
SSHD Permit User Environment
Configures the secure shell (SSH) daemon to prevent the user from altering the default environment settings.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: PermitUserEnvironment no
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000241 - The SSH daemon must not permit user environment settings.
SSHD Print Last Log
Configures the secure shell daemon to print out information about the user's last login.
For all operating systems, the /etc/ssh/sshd_config file will be examined. If present, the values for the 'PrintLastLog' settings
will be examined. If the entry is not 'yes', it will be set to 'yes'. If the setting does not exist, it will be created with the value of 'yes'.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.5.2 - Disable Root Login Via SSH
DISA Red Hat 5 STIG (v1R4)
• GEN000452 - The system must display the date and time of the last successful account login upon login.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000507 - The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NVD CCE
• CCE-4387-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Protocol
Configures the secure shell daemon to not accept protocol 1 as an acceptable means of communication.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; Solaris 10; SUSE 10 and 11
Configuration File: /etc/ssh/sshd_config
Setting: Protocol 2
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 4.5.1 - Limit SSH Protocol Use to Version 2
DISA Red Hat 5 STIG (v1R4)
• GEN005500 - The SSH daemon must be configured to only use the SSHv2 protocol.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000227 - The SSH daemon must be configured to use only the SSHv2 protocol.
DISA UNIX STIG (v5 R1.30)
• GEN005500 - SSH Version 1 Compatibility
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.1 - Ensure Only Protocol 2 Connections Allowed
NVD CCE
• CCE-4325-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Restrict Ciphers
Configures the secure shell daemon to use only FIPS 140-2 ciphers. These include ciphers that start with '3des' or 'aes', and are not
Cipher-Block Chaining (CBC) based ciphers.
For all operating systems, the /etc/ssh/sshd_config file will be examined. If present, the values for the 'Ciphers' settings will
be examined. If the setting does not exist, it will be created with the default values as found in Linux and Solaris 'sshd_config' pages.
Each cipher name will be compared to the restrictions in the options. It will be retained only if it passes all of the restrictions. An
empty restriction will be ignored.
As an example, suppose the only acceptable ciphers are those that start with '3des', 'aes', and do not end with 'cbc'. This example is
taken from the RHEL5 STIG line items GEN005505 (start with '3des' or 'aes') and GEN005506 (not ending with 'cbc'). The options
would be as follows:
• Cipher must (not) start with: 3des aes
• Cipher must (not) contain:
• Cipher must (not) end with: cbc
For Linux, the default allowed ciphers will be 'aes128-ctr', 'aes192-ctr', and 'aes256-ctr'.
For Solaris, the default allowed cipher will be 'aes128-ctr'.
Module Options
• Cipher must (not) start with
Acceptable ciphers must start with one of the following entries. A leading '!' indicates that the cipher must not start with that text.
• Cipher must (not) contain
Acceptable ciphers must contain one of the following entries. A leading '!' indicates that the cipher must not contain that text.
• Cipher must (not) end with
Acceptable ciphers must end with one of the following entries. A leading '!' indicates that the cipher must not end with that text.
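The cipher filtering described above, and the allow-list behaviour of the Restrict HMAC module that follows, as an added Python example (not Security Blanket's own code). The sshd_config fragments are constructed samples; the restriction semantics follow the module options: a leading '!' negates an entry and an empty group is ignored.

```python
"""Filter an sshd_config Ciphers/MACs list with start/contain/end restrictions."""
from typing import Callable, List, Optional, Sequence

# Constructed sample sshd_config fragments (not taken from a real host).
LINUX_SAMPLE = """\
# constructed sample: Linux sshd_config
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour,blowfish-cbc
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96
"""
SOLARIS_SAMPLE = """\
# constructed sample: Solaris 10 sshd_config (no MACs line)
Ciphers aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
"""


def list_directive(config_text: str, keyword: str) -> Optional[List[str]]:
    """Values of the first active (uncommented) `keyword` line, split on commas.

    Returns None when the directive is absent, which the module treats as
    'create it with the platform default list'.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return [v.strip() for v in parts[1].split(",") if v.strip()]
    return None


def _passes_group(name: str, rules: Sequence[str],
                  test: Callable[[str, str], bool]) -> bool:
    """One restriction group (start with / contain / end with).

    The name fails if it matches any negated ('!') rule, and must match at
    least one positive rule when positive rules exist. An empty group is ignored.
    """
    positives = [r for r in rules if not r.startswith("!")]
    negatives = [r[1:] for r in rules if r.startswith("!")]
    if any(test(name, neg) for neg in negatives):
        return False
    return not positives or any(test(name, pos) for pos in positives)


def filter_algorithms(names: Sequence[str],
                      start_with: Sequence[str] = (),
                      contain: Sequence[str] = (),
                      end_with: Sequence[str] = ()) -> List[str]:
    """Keep only the names that pass all three restriction groups, in order."""
    return [
        n for n in names
        if _passes_group(n, start_with, str.startswith)
        and _passes_group(n, contain, lambda s, sub: sub in s)
        and _passes_group(n, end_with, str.endswith)
    ]


def restricted_ciphers(config_text: str) -> List[str]:
    """GEN005505/GEN005506 as options: start with 3des or aes, not ending in cbc."""
    current = list_directive(config_text, "Ciphers")
    if current is None:
        return []  # the module would seed the platform default list first
    return filter_algorithms(current, start_with=("3des", "aes"), end_with=("!cbc",))


def restricted_macs(config_text: str,
                    allowed: Sequence[str] = ("hmac-sha1",)) -> List[str]:
    """Restrict HMAC keeps an explicit allow-list; a missing or emptied MACs line
    becomes the allow-list itself so sshd is never left with no MAC at all."""
    current = list_directive(config_text, "MACs")
    return [m for m in (current or []) if m in allowed] or list(allowed)


def render_directive(keyword: str, values: Sequence[str]) -> str:
    """Format the corrected line the way sshd_config expects it."""
    return f"{keyword} {','.join(values)}"
```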
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.5.2 - Disable Root Login Via SSH
DISA Red Hat 5 STIG (v1R4)
• GEN005505 - The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
• GEN005506 - The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000243 - The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NVD CCE
• CCE-4387-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Restrict HMAC
Configures the secure shell daemon to use only Message Authentication Codes (MACs) that are FIPS 140-2 approved cryptographic
hash algorithms. At the current time, this list consists solely of 'hmac-sha1'.
For all operating systems, the /etc/ssh/sshd_config file will be examined. If present, the values for the 'MACs' settings will
be examined. All entries except 'hmac-sha1' will be removed. If the setting does not exist, it will be created with the value of 'hmac-sha1'.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.5.2 - Disable Root Login Via SSH
DISA Red Hat 5 STIG (v1R4)
• GEN005507 - The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NVD CCE
• CCE-4387-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Restrict Users and Groups
Configures the secure shell daemon to allow login only by approved users/groups.
For all operating systems, the /etc/ssh/sshd_config file will be examined. The settings for the 'AllowUsers' and
'AllowGroups' will be compared to the corresponding values in the profile, and set accordingly.
Note
If the profile does not have a setting (i.e., it is empty), then that setting will not be affected.
Important
No cross-check is made at this time to see if the users/groups specified actually exist on the system. It is possible to prevent
any ssh login if these fields are not set correctly.
Module Options
• Users allowed by sshd
• Groups allowed by sshd
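The cross-check that the Important note above says the module does not perform, as an added Python example (not Security Blanket's own code): it verifies that every AllowUsers/AllowGroups entry resolves against passwd(5)/group(5) and predicts which accounts could still log in, since sshd requires a login to satisfy both directives when both are set. The account databases are constructed samples.

```python
"""Cross-check sshd AllowUsers/AllowGroups against passwd(5) and group(5) data."""
from typing import Dict, List, Set, Tuple

# Constructed sample passwd(5) and group(5) contents (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc:x:1003:1010::/var/lib/svc:/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
sshusers:x:1010:alice,bob
"""


def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> primary gid (kept as a string)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = fields[3]
    return users


def parse_group(text: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Map group name -> (gid, supplementary members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            members = {m for m in fields[3].split(",") if m}
            groups[fields[0]] = (fields[2], members)
    return groups


def groups_of(user: str, users: Dict[str, str],
              groups: Dict[str, Tuple[str, Set[str]]]) -> Set[str]:
    """All groups a user belongs to: primary group plus supplementary ones."""
    result = {g for g, (_, members) in groups.items() if user in members}
    primary_gid = users.get(user)
    result.update(g for g, (gid, _) in groups.items() if gid == primary_gid)
    return result


def _is_pattern(entry: str) -> bool:
    return any(ch in entry for ch in "*?")


def check_allow_lists(allow_users: List[str], allow_groups: List[str],
                      passwd_text: str, group_text: str) -> Dict[str, List[str]]:
    """Report unresolvable entries and the accounts that remain able to log in.

    AllowUsers entries may be 'user@host'; only the user part is checked.
    Wildcard entries are reported as unverifiable and are not expanded, so the
    effective-user list is conservative (it may omit pattern-matched accounts).
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    missing_users, missing_groups, patterns = [], [], []
    named_users: List[str] = []
    for entry in allow_users:
        name = entry.split("@", 1)[0]
        if _is_pattern(name):
            patterns.append(entry)
        elif name in users:
            named_users.append(name)
        else:
            missing_users.append(entry)
    for entry in allow_groups:
        if _is_pattern(entry):
            patterns.append(entry)
        elif entry not in groups:
            missing_groups.append(entry)

    # sshd applies AllowUsers and then AllowGroups; a login must pass every
    # directive that is set, so an AllowUsers entry outside AllowGroups is denied.
    candidates = named_users if allow_users else sorted(users)
    if allow_groups:
        wanted = set(allow_groups)
        candidates = [u for u in candidates if groups_of(u, users, groups) & wanted]
    return {
        "missing_users": missing_users,
        "missing_groups": missing_groups,
        "unverifiable_patterns": patterns,
        "effective_users": sorted(set(candidates)),
    }


def safe_to_apply(report: Dict[str, List[str]]) -> bool:
    """Refuse a profile that names unknown accounts or would lock everyone out."""
    return (not report["missing_users"] and not report["missing_groups"]
            and bool(report["effective_users"]))
```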
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-8 - Controlled Use of Administrative Privileges
DHS Linux Configuration Guidance (2010.8)
• 4.5.2 - Disable Root Login Via SSH
DISA Red Hat 5 STIG (v1R4)
• GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups.
DoD NISPOM (Feb 2006)
• 8.303a - Unique Identification
NVD CCE
• CCE-4387-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Set Compression
Configures the secure shell daemon to restrict the use of compression. If compression is enabled prior to authentication, there is the
chance that any vulnerabilities in the compression algorithms in use could result in compromising the system.
For all operating systems, the /etc/ssh/sshd_config file will be examined. If present, the values for the 'Compression' settings
will be examined. If the setting does not match the value in the profile, it will be corrected.
Module Options
• Compression setting for secure shell daemon (sshd)
Should compression be disabled, delayed (i.e., enabled after authentication), or enabled.
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 5 STIG (v1R4)
• GEN005539 - The SSH daemon must not allow compression or must only allow compression after successful authentication.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Set Idle Timeout Interval for User Logins
Set Secure Shell Server's idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
The timeout value is specified in seconds and the recommended time is 15 minutes (or 900 seconds).
The following lines will be set in /etc/ssh/sshd_config:
ClientAliveInterval 900
ClientAliveCountMax 0
Module Options
• Number of seconds a shell can be idle before the system automatically terminates the session.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-11 - Account Monitoring and Control
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
• 4.B.3.a(20)(b)
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000230 - The SSH daemon must set a timeout interval on idle sessions.
• RHEL-06-000231 - The SSH daemon must set a timeout count on idle sessions.
DISA UNIX STIG (v5 R1.30)
• GEN000500 - Inactivity
DoD JAFAN 6/3 (Oct 2004)
• 4.B.2.a(16)(b) - Session Control - Station or session time-outs (PL2)
• 4.B.3.a(17)(a) - Session Control - Station or session time-outs (PL3)
• 4.B.3.a(20)(b)
DoD NISPOM (Feb 2006)
• 8.609b2 - User Inactivity
NIST FISMA (SP 800-53)
• AC-12 - Session Termination
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.5.2.3 - Set Idle Timeout Interval for User Logins
NVD CCE
• CCE-14061-6
PCI DSS (v2.0)
• 8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
SSHD Strict Mode Checking
Configures the secure shell daemon to use strict mode checking of the home directory configuration files. This setting ensures that the
sshd-related files and directories in the user's home directory are not world writable.
For all operating systems, the /etc/ssh/sshd_config file will be examined. If present, the values for the 'StrictModes' settings
will be examined. If the setting is not 'yes', then it will be corrected.
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 5 STIG (v1R4)
• GEN005536 - The SSH daemon must perform strict mode checking of home directory configuration files.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
SSHD Use Privilege Separation
Configures the secure shell daemon to use privilege separation, splitting its work across multiple processes to mitigate potential privilege
escalation vulnerabilities.
For all operating systems, the /etc/ssh/sshd_config file will be examined. If present, the value for the
'UsePrivilegeSeparation' setting will be examined. If the value is not 'yes', it will be corrected.
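The examine-and-correct step shared by the Print Last Log, Set Compression, Idle Timeout, Strict Mode Checking and Use Privilege Separation modules above (correct a wrong value in place, create the directive if absent), as an added Python example that is not Security Blanket's own code. The sshd_config text is a constructed sample; the example adds two caveats a real sshd needs: sshd uses the first occurrence of a keyword, and anything after a Match line applies only to that block.

```python
"""Idempotently enforce a global sshd_config directive."""
import re
from typing import Optional

# Constructed sample sshd_config (not from a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
#PrintLastLog yes
PrintLastLog no
StrictModes yes
ClientAliveInterval 0
Match User backup
    X11Forwarding no
"""

_MATCH_RE = re.compile(r"^\s*match\b", re.IGNORECASE)


def _keyword_of(line: str) -> Optional[str]:
    """Lower-cased keyword of an active directive line, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split(None, 1)[0].lower()


def effective_setting(text: str, keyword: str) -> Optional[str]:
    """Global value sshd would use: the first active occurrence before any Match block."""
    for line in text.splitlines():
        if _MATCH_RE.match(line):
            break
        if _keyword_of(line) == keyword.lower():
            parts = line.strip().split(None, 1)
            return parts[1].strip() if len(parts) == 2 else ""
    return None


def enforce_directive(text: str, keyword: str, value: str) -> str:
    """Return config text in which the global `keyword` is exactly `value`.

    The first global occurrence is rewritten in place, later global duplicates
    are commented out (sshd would ignore them anyway), and a missing directive
    is inserted before the first Match block so that it stays global.
    """
    out = []
    in_match = False
    seen = False
    for line in text.splitlines():
        if _MATCH_RE.match(line):
            in_match = True
        if not in_match and _keyword_of(line) == keyword.lower():
            if seen:
                line = "#" + line.strip() + "   # superseded duplicate"
            else:
                seen = True
                line = f"{keyword} {value}"
        out.append(line)
    if not seen:
        insert_at = next((i for i, l in enumerate(out) if _MATCH_RE.match(l)), len(out))
        out.insert(insert_at, f"{keyword} {value}")
    return "\n".join(out) + "\n"


def apply_idle_timeout(text: str, seconds: int = 900) -> str:
    """The Idle Timeout module: ClientAliveInterval <seconds> and ClientAliveCountMax 0."""
    text = enforce_directive(text, "ClientAliveInterval", str(seconds))
    return enforce_directive(text, "ClientAliveCountMax", "0")
```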
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 4.5.4 - Use Secure Shell RSA Authentication
DISA Red Hat 5 STIG (v1R4)
• GEN005537 - The SSH daemon must use privilege separation.
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Chapter 18. Security Services
Disable GSS Daemon
Disables Generic Security Service (GSS) daemon.
On Linux systems, rpc.gssd(8) provides a means of using the GSS-API generic security API to provide security for protocols
using RPC (in particular, NFS).
On Solaris systems, gssd(1M) is the user mode daemon that operates between the kernel RPC and the GSS-API to generate and
validate GSS-API security tokens.
Many services use the GSS-API; therefore, it is recommended to review required services before applying this module.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6
Package: nfs-utils
Service Name: rpcgssd
Operating System: Solaris 10
Package: SUNWgssc
Service Name: svc:/network/rpc/gss:default
Operating Systems: SUSE 10 and 11
On SUSE systems, rpc.gssd(8) is integrated into the NFS server and client services. It is controlled in the /etc/sysconfig/nfs file but is not started alone; therefore, this module is not applicable on SUSE systems.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-3535-2
• CCE-4588-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable RPC Keyserv
Disables the Solaris RPC encryption key storage service. keyserv(1M) is a daemon that is used for storing the private
encryption keys of each user logged into the system. These encryption keys are used for accessing secure network services such as
secure NFS and NIS+.
If there is a need for the secure RPC mechanism, do not apply this module. Secured NFS should not be confused with Kerberized NFS
which does not require the keyserv(1M) daemon.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; SUSE 10 and 11
Operating System Not Applicable
Operating System: Solaris 10
Package: SUNWcsr
Service Name: svc:/network/rpc/keyserv:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4596-3
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Smart Card Support
Disable the pcscd service which provides support for smart cards and smart card readers.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6; SUSE 10 and 11
Package: pcsc-lite
Service Name: pcscd
Operating System: Solaris 10
Operating System Not Applicable
Compliancy
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.10 - Smart Card Support (pcscd)
NVD CCE
• CCE-4100-4
Chapter 19. Security-Enhanced Linux (SELinux)
Security-Enhanced Linux (SELinux) is an enhancement to the standard Linux kernel that provides fine-grained security by employing
Mandatory Access Control (MAC) rules. Security Blanket now supports Red Hat Enterprise Linux 4, 5, and 6 enforcing the default
Targeted SELinux policy – as well as Fedora 10 and later.
The aim of the targeted policy is to provide additional security to some of the more commonly used daemons such as httpd, dhcpd,
mailman, named, portmap, nscd, ntpd, portmap, mysqld, postgres, squid, syslogd, winbind, and ypbind by employing MAC rules.
Disable MCS Translation Service
Disable the SELinux Translation Service daemon. Category labelling is unlikely to be used except in sites with special requirements.
Therefore, it should be disabled in order to reduce the amount of potentially vulnerable code running on the system.
The mcstrans service provides the category label translation information defined in /etc/selinux/targeted/setrans.conf
to client processes which request this information.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6
Package: mcstrans
Service Name: mcstrans
Operating Systems: SUSE 10 and 11; Solaris 10
Operating System Not Applicable
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 10 - SELinux (Security Enhanced Linux)
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.4.3.2 - Disable MCS Translation Service (mcstrans) if Possible
NVD CCE
• CCE-3668-1
Disable Restorecon
Disables the SELinux Restorecon daemon. This daemon monitors a list of files which are frequently created or modified on running
systems, and whose SELinux contexts are not set correctly. The restorecond program is fairly simple, so it brings low risk, but, in
its default configuration, does not add much value to a system. An automated program such as restorecond may be used to monitor
problematic files for context problems, or system administrators may be trained to check file contexts of newly-created files.
The restorecond daemon looks for creation events related to files listed in /etc/selinux/restorecond.conf, and sets the
contexts of those files when they are discovered. However, system administrators can check the file contexts of newly-created files using
the ls -lZ command, and repair contexts manually using the restorecon command.
Operating Systems: Fedora 10, 11, 12, and 13
Package: policycoreutils
Service Name: restorecond
Operating System: Red Hat Enterprise Linux 4
Operating System Not Applicable
Operating Systems: Red Hat Enterprise Linux 5; Red Hat Enterprise Linux 6
Package: policycoreutils
Service Name: restorecond
Operating Systems: SUSE 10 and 11; Solaris 10
Operating System Not Applicable
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 10 - SELinux (Security Enhanced Linux)
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.4.3.3 - Disable Restorecon Service
NVD CCE
• CCE-4129-3
Disable SETroubleshoot
Disabling the SETroubleshoot (setroubleshoot) service prevents desktop users from being notified of SELinux details. On Red Hat
systems, the SETroubleshoot service reports denials in a user-friendly fashion but SELinux errors may provide important information
about intrusion attempts in progress, or may give information about SELinux configuration problems which are preventing correct
system operation.
Red Hat Enterprise Linux 5, Fedora 10, and compatible systems
setroubleshoot is a service which has complex functionality. It runs a daemon and uses IPC to distribute information which
may be sensitive, or even to allow users to modify SELinux settings, and which does not yet implement real authentication
mechanisms. It is strongly recommended to disable setroubleshoot and use the kernel audit functionality to monitor
SELinux’s behavior.
In addition, since setroubleshoot automatically runs client-side code whenever a denial occurs, regardless of whether the
setroubleshootd daemon is running, it is recommended that the program be removed entirely unless it is needed.
Red Hat Enterprise Linux 6, Fedora 11+, and compatible systems
On these systems, setroubleshoot is not a service, but instead an audit plugin (sedispatch) monitors the audit log and invokes
setroubleshoot and sealert when messages are seen. For these systems, the sedispatch plugin will be disabled.
Operating Systems | Package | Service Names | Plugin Name
Fedora 10 | setroubleshoot | setroubleshoot | Not Applicable
Red Hat Enterprise Linux 5 | setroubleshoot | setroubleshoot | Not Applicable
Red Hat Enterprise Linux 6 | setroubleshoot, setroubleshootserver | Not Applicable | /etc/audisp/plugins.d/sedispatch.conf
Fedora 10, 11, 12, 13 | setroubleshoot, setroubleshootserver | Not Applicable | /etc/audisp/plugins.d/sedispatch.conf
Red Hat Enterprise Linux 4 | Operating System Not Applicable
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
DHS Linux Configuration Guidance (2010.8)
• 10 - SELinux (Security Enhanced Linux)
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.4.3.1 - Disable and Remove SETroubleshoot if Possible
NVD CCE
• CCE-4254-9
Ensure SELinux is Properly Enabled
This scan-only module ensures that Security-Enhanced Linux (SELinux) is enabled and enforcing an acceptable policy (e.g., targeted,
strict, or mls).
This module first ensures the system is SELinux capable. If it is, but is not enabled, this module will report a failure. If it is enabled,
/etc/selinux/config must contain SELINUX=enforcing, and SELINUXTYPE must be set to targeted, strict, or mls. If
SELINUX or SELINUXTYPE are not set correctly, the module will report a failure.
In addition to the configuration file, the system must currently be enforcing the appropriate policy (see sestatus(8) for more
information). If it is not, this module will report a failure.
Note
This is a scan-only module which means if it reports a failure, the system administrator must manually configure SELinux
properly.
Module Options
• Required SELinux mode
Specify what mode SELinux should execute in after the next reboot.
• Required SELinux Policy
Specify the policy SELinux should be in after the next reboot.
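As an added example that is not part of the Security Blanket product, the following POSIX shell script reproduces the scan logic described above: it parses an /etc/selinux/config-style file for SELINUX and SELINUXTYPE, applies the two module options, and compares the result with the running mode and policy supplied by the caller. The function names, the constructed sample file and the temporary directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Security Blanket product code: a scan-only check that
# follows the "Ensure SELinux is Properly Enabled" module described above.
# It reads an /etc/selinux/config-style file and compares it, and optionally
# the running state, against the module's two options. Exit 0 = pass, 1 = fail.

# Policies the module accepts (from the module description).
ACCEPTABLE_POLICIES="targeted strict mls"

# config_value FILE KEY: value of the last uncommented KEY=... line in FILE,
# with quotes, trailing comments and whitespace removed, lowercased.
config_value() {
    grep "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
        | sed "s/^[[:space:]]*$2=//; s/#.*//; s/[\"'[:space:]]//g" \
        | tr 'A-Z' 'a-z'
}

# selinux_scan CFG [REQ_MODE] [REQ_POLICY] [RUN_MODE] [RUN_POLICY]
#   CFG         /etc/selinux/config (or a copy of it)
#   REQ_MODE    module option "Required SELinux mode" (default: enforcing)
#   REQ_POLICY  module option "Required SELinux Policy" (empty: any acceptable)
#   RUN_MODE    current mode as printed by getenforce; empty skips the check
#   RUN_POLICY  current policy as reported by sestatus; empty skips the check
selinux_scan() {
    cfg=$1
    req_mode=$(printf '%s' "${2:-enforcing}" | tr 'A-Z' 'a-z')
    req_policy=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    run_mode=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    run_policy=$(printf '%s' "$5" | tr 'A-Z' 'a-z')
    rc=0

    # No readable config file: treat the system as not SELinux capable.
    if [ ! -r "$cfg" ]; then
        echo "FAIL: $cfg is not readable; SELinux is not installed or enabled"
        return 1
    fi
    mode=$(config_value "$cfg" SELINUX)
    policy=$(config_value "$cfg" SELINUXTYPE)

    if [ "$mode" != "$req_mode" ]; then
        echo "FAIL: SELINUX=${mode:-<unset>} in $cfg (required: $req_mode)"
        rc=1
    fi
    case " $ACCEPTABLE_POLICIES " in
        *" $policy "*) ;;
        *) echo "FAIL: SELINUXTYPE=${policy:-<unset>} is not one of: $ACCEPTABLE_POLICIES"
           rc=1 ;;
    esac
    if [ -n "$req_policy" ] && [ "$policy" != "$req_policy" ]; then
        echo "FAIL: SELINUXTYPE=$policy in $cfg (required: $req_policy)"
        rc=1
    fi
    # The file only takes effect at the next boot, so the running state is
    # checked separately, as the module does via sestatus(8).
    if [ -n "$run_mode" ] && [ "$run_mode" != "$req_mode" ]; then
        echo "FAIL: SELinux is currently $run_mode (required: $req_mode)"
        rc=1
    fi
    if [ -n "$run_policy" ] && [ "$run_policy" != "$policy" ]; then
        echo "FAIL: running policy $run_policy differs from configured $policy"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: SELINUX=$mode SELINUXTYPE=$policy"
    return "$rc"
}

# write_sample_config FILE MODE POLICY: constructed config in the stock layout,
# used only so that the example runs on a host without SELinux.
write_sample_config() {
    printf '# This file controls the state of SELinux on the system.\n' > "$1"
    printf 'SELINUX=%s\n# SELINUXTYPE= can take one of these values:\n' "$2" >> "$1"
    printf 'SELINUXTYPE=%s\n' "$3" >> "$1"
}

# Demo on constructed files. On a real host run instead:
#   selinux_scan /etc/selinux/config enforcing targeted "$(getenforce)"
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/config" enforcing targeted
selinux_scan "$demo_dir/config" enforcing targeted Enforcing targeted
write_sample_config "$demo_dir/config" permissive targeted
selinux_scan "$demo_dir/config" enforcing "" Permissive || echo "(expected failure)"
rm -rf "$demo_dir"
```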
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00800 - The system must use a Linux Security Module configured to limit the privileges of system services.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.4.2 - Enable SELinux
• 2.4.2.1 - Ensure SELinux is Properly Enabled
NVD CCE
• CCE-3624-4
• CCE-3977-6
• CCE-3999-0
Chapter 20. System Services
Daemon Umask
Configures system services to create files that only the user can modify and group members can read. Setting the system’s default
umask to 027 restricts newly created file and directory access to their respective owners and groups. This setting reduces the
likelihood of other services or users overwriting or reading data owned by another process.
If a particular daemon needs a less restrictive umask, consider editing that daemon’s startup script so that it sets the
required umask itself.
Operating Systems | Configuration File | Setting
Fedora 10, 11, 12, and 13 | /etc/init.d/functions | umask 027
Red Hat Enterprise Linux 4 | /etc/init.d/functions | umask 027
Red Hat Enterprise Linux 5 | /etc/init.d/functions | umask 027
Red Hat Enterprise Linux 6 | /etc/init.d/functions | umask 027
SUSE 10 and 11 | /etc/rc.status | umask 027
Solaris 10 | /etc/default/init | CMASK=027
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 7.6.2 - Set umask for Daemons
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.4.1 - Set Daemon umask
NVD CCE
• CCE-4220-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Disable Autofs Daemon
Disables the autofs daemon. The autofs daemon facilitates automated mounting of filesystems.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | autofs | autofs
Red Hat Enterprise Linux 4 | autofs | autofs
Red Hat Enterprise Linux 5 | autofs | autofs
Red Hat Enterprise Linux 6 | autofs | autofs
SUSE 10 and 11 | autofs | autofs
Solaris 10 | Not part of the Solaris operating system.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN008440 - Automated file system mounting tools must not be enabled unless needed.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000526 - Automated file system mounting tools must not be enabled unless needed.
Disable Boot Caching
Disables the readahead_early and readahead_later services on Red Hat systems. These services provide one-time caching of files
belonging to some boot services, with the goal of allowing the system to boot faster.
According to the NSA Guide to the Secure Configuration of RHEL5, the “...readahead services do not substantially increase a system’s
risk exposure, but they also do not provide great benefit. Unless the system is running a specialized application for which the file
caching substantially improves system boot time, this guide recommends disabling the services.”
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | No check | readahead_early, readahead_later
Red Hat Enterprise Linux 4 | No check | readahead_early, readahead_later
Red Hat Enterprise Linux 5 | No check | readahead_early, readahead_later
Red Hat Enterprise Linux 6 | No related packages or services were found on the distribution CD, Extra Packages for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6) subscription channel. This module looks for the same packages and services as it does for Red Hat Enterprise Linux 5. If you have identified specific packages and services, please contact the customer support team at [email protected].
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.12 - Boot Caching (readahead early/readahead later)
NVD CCE
• CCE-4302-6
• CCE-4421-4
Disable CDE Calendar Manager Server
Disables network access to the Solaris CDE Calendar Manager.
If you are not using the Solaris Common Desktop Environment (CDE), or do not require other users to connect remotely to your
calendar, it is recommended to apply this module.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | Operating System Not Applicable
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | SUNWdtdmn | svc:/network/rpc/cde-calendar-manager
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4327-3
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Console Mouse Support
Disables the GPM service. The GPM (General Purpose Mouse) is a mouse server for the console and xterm.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | gpm | gpm
Red Hat Enterprise Linux 4 | gpm | gpm
Red Hat Enterprise Linux 5 | gpm | gpm
Red Hat Enterprise Linux 6 | gpm | gpm
SUSE 10 and 11 | gpm | gpm
Solaris 10 | Not part of the standard Solaris operating system.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.2 - Console Mouse Service (gpm)
NVD CCE
• CCE-4229-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Firstboot Service
Firstboot is a daemon specific to the Red Hat installation process. It handles “one-time” configuration following successful installation
of the operating system. As such, there is no reason for this service to remain enabled.
Operating Systems | Service Names
Fedora 10, 11, 12, and 13 | firstboot
Red Hat Enterprise Linux 4 | firstboot
Red Hat Enterprise Linux 5 | firstboot
Red Hat Enterprise Linux 6 | firstboot
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.1 - Installation Helper Service (firstboot)
NVD CCE
• CCE-3412-4
Disable Interactive Boot
Disables the ability to select which set of system services will be enabled interactively during Linux system boot.
Operating Systems | Configuration File | Setting
Fedora 10, 11, 12, and 13 | /etc/sysconfig/init | PROMPT="no"
Red Hat Enterprise Linux 4 | /etc/sysconfig/init | PROMPT="no"
Red Hat Enterprise Linux 5 | /etc/sysconfig/init | PROMPT="no"
Red Hat Enterprise Linux 6 | /etc/sysconfig/init | PROMPT="no"
SUSE 10 and 11 | /etc/sysconfig/boot | PROMPT_FOR_CONFIRM="no"
Solaris 10 | Operating System Not Applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000070 - The system must not permit interactive boot.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.5.4 - Disable Interactive Boot
NVD CCE
• CCE-4245-7
Disable Portmap Daemon
Disables the Portmap daemon that is used to convert RPC program numbers into DARPA protocol port numbers. RPC is an
unencrypted protocol that may carry authentication information.
By default, Red Hat provides support for applications built using the Generic Security Service (GSS) API; however, applications
delivered with Red Hat do not require GSS. If you are running applications built using GSS, then you must leave the portmap daemon
enabled because both the gss daemon and server-side rpcsec_gss daemon (rpcsvcgssd) require it.
Important
Before disabling the portmap daemon, ensure that dependent services such as NFS or NIS are not needed. If you do not know
which services require this daemon, use the rpcinfo(8) command to list all RPC registered programs.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | rpcbind | rpcbind
Red Hat Enterprise Linux 4 | portmap | portmap
Red Hat Enterprise Linux 5 | portmap | portmap
Red Hat Enterprise Linux 6 | rpcbind | rpcbind
SUSE 10 | portmap | portmap
SUSE 11 | rpcbind | rpcbind
Solaris 10 | - | svc:/network/rpc/bind:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
DISA Red Hat 5 STIG (v1R4)
• GEN003810 - The portmap or rpcbind service must not be running unless needed.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.13.1.3 - Disable RPC Portmapper if Possible
NVD CCE
• CCE-3950-3
• CCE-4550-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Prelinking
This module disables prelinking by modifying /etc/sysconfig/prelink so that the operating system no longer periodically
prelinks system binaries, and it calls /usr/sbin/prelink -ua to revert any prelinking that has already been done. When an undo
is performed, /etc/sysconfig/prelink is restored, and the next time the /etc/cron.daily/prelink job runs, all
prelinks are recalculated.
This module examines the /etc/sysconfig/prelink file to ensure that the following line is present:
PRELINKING=no
Compliancy
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.4.5.1 - Disable Prelink
• 2.2.4.5.2 - Undo Existing Prelinking
Disable Remote Syslog
Configures the syslog daemon to not accept messages from other systems.
Operating Systems | Configuration File or Property | Setting
Fedora 10, 11, 12, and 13 | /etc/init.d/syslog | SYSLOGD_OPTIONS does not contain “-r”
Red Hat Enterprise Linux 4 | /etc/init.d/syslog | SYSLOGD_OPTIONS does not contain “-r”
Red Hat Enterprise Linux 5 | /etc/init.d/syslog | SYSLOGD_OPTIONS does not contain “-r”
Red Hat Enterprise Linux 6 | /etc/init.d/rsyslog | SYSLOGD_OPTIONS does not contain “-r”
SUSE 10 and 11 | /etc/sysconfig/syslog | SYSLOGD_PARAMS does not contain “-r”
Solaris 10 | svcprop -p config/log_from_remote system-log | false
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
DISA Red Hat 5 STIG (v1R4)
• GEN005480 - The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined
procedures.
DISA UNIX STIG (v5 R1.30)
• GEN005480 - Syslog Accepts Remote Messages
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable atd Service
Disables the at daemon (atd), which queues jobs for later execution. Many of the periodic or delayed execution features of the at
daemon can be provided through the cron daemon instead, so disable the at daemon if possible.
On Solaris systems, jobs scheduled with the at(1) command are ultimately executed via the cron daemon. Therefore, this module is
not applicable to Solaris systems.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | at | atd
Red Hat Enterprise Linux 4 | at | atd
Red Hat Enterprise Linux 5 | at | atd
Red Hat Enterprise Linux 6 | at | atd
SUSE 10 and 11 | at | atd
Solaris 10 | Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000262 - The atd service must be disabled.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.4.3 - Disable at if Possible
NVD CCE
• CCE-14466-7
Restrict the CDE Subprocess Control Service
This Solaris-only module adds the CDE Subprocess Control Service (dtspcd) daemon's port (tcp/6112) to the privileged port list. This
prevents users from opening the service. When this module is applied, it adds port tcp/6112 to the running kernel as follows:
/usr/sbin/ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
It also adds tcp_extra_priv_ports_add=6112 to /etc/default/ndd.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Chapter 21. System Management Services
Disable Abrtd
The abrtd daemon is used to generate information about processes that have crashed, and can expose sensitive information about the
system. It is recommended that this service be disabled or removed.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | abrt | abrtd
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000261 - The Automatic Bug Reporting Tool (abrtd) service must not be running.
Disable Java Web Console
Disables the Solaris Java Web Console (smcwebserver(1M)).
If there is no need to use web-based management applications, it is recommended to apply this module.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | Operating System Not Applicable
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | SUNWmconr | svc:/system/webconsole:console
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4393-5
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Netconsole
Unless there is a need to debug kernel panics, it is recommended that this service be disabled.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | initscripts | netconsole
Red Hat Enterprise Linux 4 | initscripts | netconsole
Red Hat Enterprise Linux 5 | initscripts | netconsole
Red Hat Enterprise Linux 6 | initscripts | netconsole
SUSE 10 and 11 | initscripts | netconsole
Solaris 10 | Operating System Not Applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000289 - The netconsole service must be disabled unless required.
Disable Ntpdate
The ntpdate daemon is used to set the system time when a machine reboots. This functionality is already provided by the ntpd
service, so ntpdate should not be used.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | ntpdate | ntpdate
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | ntpdate | ntpdate
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000265 - The ntpdate service must not be running.
Disable Oddjobd
The oddjob daemon provides some additional ability to execute actions via the D-Bus interface, but it is recommended that the service
be disabled unless required.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | oddjob | oddjobd
Red Hat Enterprise Linux 5 | oddjob | oddjobd
Red Hat Enterprise Linux 6 | oddjob | oddjobd
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000266 - The oddjobd service must not be running.
Disable Qpidd
The qpidd service listens for Advanced Message Queuing Protocol (AMQP) traffic. It is recommended that the service be
disabled unless required.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | rhnsd | rhnsd
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000267 - The qpidd service must not be running.
Disable Rdisc
The rdisc daemon is used with the ICMP Router Discovery Protocol (IRDP) to assist with network discovery and setup. Since most
systems typically use static addresses or DHCP, it is recommended that the service be disabled.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | iputils | rdisc
Red Hat Enterprise Linux 4 | iputils | rdisc
Red Hat Enterprise Linux 5 | iputils | rdisc
Red Hat Enterprise Linux 6 | iputils | rdisc
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000268 - The rdisc service must not be running.
Disable Rhnsd
The rhnsd daemon polls the Red Hat Network web site for scheduled actions. Unless it is necessary to schedule updates remotely
through the RHN website, it is recommended that the service be disabled.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | rhnsd | rhnsd
Red Hat Enterprise Linux 5 | rhnsd | rhnsd
Red Hat Enterprise Linux 6 | rhnsd | rhnsd
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | Operating System Not Applicable
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000009 - The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.1.2.2 - Disable the rhnsd Daemon
NVD CCE
• CCE-3416-5
Disable SNMP
Disables SNMP, which is a protocol used for network management.
If you must use SNMP to monitor your system, ensure that the default public and private community strings are changed in
snmpd.conf(5).
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | net-snmp | snmpd
Red Hat Enterprise Linux 4 | net-snmp | snmpd
Red Hat Enterprise Linux 5 | net-snmp | snmpd
Red Hat Enterprise Linux 6 | net-snmp | snmpd
SUSE 10 and 11 | net-snmp | snmpd
Solaris 10 | No check | svc:/application/management/sma:default, svc:/application/management/seaport:default, svc:/application/management/snmpdx:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
• 6.7.1 - Deactivate SNMP
DISA Red Hat 5 STIG (v1R4)
• GEN005380 - If the system is a Network Management System (NMS) server, it must only run the NMS and any software required
by the NMS.
DISA UNIX STIG (v5 R1.30)
• GEN005380 - Dedicated Hardware for SNMP
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.20.1 - Disable SNMP Server if Possible
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable SNMP if Default Public String Exists
Disables the SNMP agent if the default community 'public' has not been changed.
If you must use SNMP to monitor your system, ensure that the default public and private community strings are changed in
snmpd.conf(5).
See Disable SNMP for a list of the specific services being disabled.
Note: Manual action may be required
This module only disables the agent. It does not remove the default community strings from the configuration file. Therefore,
other scanners such as DISA’s SRR may report it as a problem. You must manually edit the configuration file and set your
own strings.
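As an added example, not the product's own code, the following POSIX shell check implements the scan side of this module: it finds rocommunity, rwcommunity and com2sec directives in an snmpd.conf(5)-style file that still use the stock 'public' or 'private' strings, which is the condition under which the module would disable the agent. The function names and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Security Blanket product code: the scan half of the
# "Disable SNMP if Default Public String Exists" module, applied to an
# snmpd.conf(5)-style file.

# snmpd_default_communities FILE
# Prints each active directive in FILE that uses the community string
# "public" or "private". Returns 0 if any was found, 1 if the file is clean
# (or unreadable, which is reported on stderr).
snmpd_default_communities() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    # Comments are stripped first so a commented-out default is not reported.
    found=$(sed 's/#.*//' "$cfg" | awk '
        # rocommunity / rwcommunity (and the IPv6 forms) take the community
        # string as their first argument
        $1 ~ /^r[ow]community6?$/ && ($2 == "public" || $2 == "private") { print }
        # com2sec maps a source to a community, as in the stock Red Hat file:
        #   com2sec notConfigUser default public
        ($1 == "com2sec" || $1 == "com2sec6") && ($4 == "public" || $4 == "private") { print }
    ')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
    return 0
}

# snmpd_scan FILE: verdict in the spirit of the module's scan phase.
# Returns 0 (pass), 1 (default strings present) or 2 (file unreadable).
snmpd_scan() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    if out=$(snmpd_default_communities "$1"); then
        echo "FAIL: default community string(s) still configured in $1:"
        echo "$out" | sed 's/^/  /'
        return 1
    fi
    echo "PASS: no default community strings in $1"
    return 0
}

# Demo on constructed files. On a real host run: snmpd_scan /etc/snmp/snmpd.conf
demo_dir=$(mktemp -d)
# constructed: the community lines of a stock Red Hat snmpd.conf
printf 'com2sec notConfigUser  default       public\n' > "$demo_dir/stock.conf"
printf 'group   notConfigGroup v1           notConfigUser\n' >> "$demo_dir/stock.conf"
# constructed: the same file after the site changed its strings
printf 'com2sec monUser default Ex4mpl3CommStr\n' > "$demo_dir/changed.conf"
printf '# rocommunity public  (removed by the site)\n' >> "$demo_dir/changed.conf"
snmpd_scan "$demo_dir/stock.conf" || echo "(expected failure)"
snmpd_scan "$demo_dir/changed.conf"
rm -rf "$demo_dir"
```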
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.7.2 - Verify SNMP Configuration
DISA Red Hat 5 STIG (v1R4)
• GEN005300 - SNMP communities, users, and passphrases must be changed from the default.
DISA UNIX STIG (v5 R1.30)
• GEN005300 - Changed SNMP Community Strings
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R4.4 - Review of controls for default accounts, passwords, and network management community strings
PCI DSS (v2.0)
• 2.1 - Do not use vendor-supplied defaults for system passwords and other security parameters
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable Solaris Volume Manager
Disables the Solaris Volume Manager (SVM) services. This module disables the SVM initialization, multipath upgrade, and monitor
services.
WARNING: Solaris Mounted Filesystems on SVM Metadevices
During the scanning phase, this module will use the metastat(1M) utility to see if there are any metadevice state databases
present. If so, the module will log a warning message.
When applying this module, it will look for mounted filesystems using SVM metadevices (/dev/md/*) in the
mnttab(4) file. If it finds any, log entries will be made and the module will NOT DISABLE SVM services. This prevents
accidental shutdown of vital services required by mounted filesystems.
Operating Systems | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | Operating System Not Applicable
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 (Global zone only) | svc:/system/metainit:default, svc:/system/device/mpxio-upgrade:default, svc:/system/mdmonitor:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-4269-3
• CCE-4411-5
• CCE-4499-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Solaris Volume Manager GUI
Disables the Solaris Volume Manager (SVM) graphical user interface (GUI). Specifically, this module disables the SVM multi-node
communications (mdcomm), remote metaset (meta), remote mediator (metamed), and remote multihost disk (metamh) services.
These services are not required to use filesystems residing on metadevices. Most tasks can be completed by using the command line
utilities; therefore, it is recommended that you apply this module.
Operating Systems | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | Operating System Not Applicable
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 (Global zone only) | svc:/network/rpc/mdcomm:default, svc:/network/rpc/meta:default, svc:/network/rpc/metamed:default, svc:/network/rpc/metamh:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-3650-9
• CCE-4305-9
• CCE-4477-6
• CCE-4571-6
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable WBEM
Disables the Solaris Web-Based Enterprise Management (WBEM) services.
If there is no need to use web-based management applications or the Sun Management Console (SMC), it is recommended to apply
this module.
Operating Systems | Packages | Service Names
Fedora 10, 11, 12, and 13 | Operating System Not Applicable
Red Hat Enterprise Linux 4 | Operating System Not Applicable
Red Hat Enterprise Linux 5 | Operating System Not Applicable
Red Hat Enterprise Linux 6 | Operating System Not Applicable
SUSE 10 and 11 | Operating System Not Applicable
Solaris 10 | SUNWwbcor | svc:/application/management/wbem
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NVD CCE
• CCE-3662-4
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Disable Webmin
Webmin allows remote administration over HTTP. Webmin, and other tools like it, can be dangerous as they have a history of bad
authentication or session management.
Webmin is part of Solaris by default, but is disabled. However, it is not part of Red Hat Enterprise Linux by default. It is highly
recommended to apply this module.
Operating Systems | Package | Service Names
Fedora 10, 11, 12, and 13 | webmin | webmin
Red Hat Enterprise Linux 4 | webmin | webmin
Red Hat Enterprise Linux 5 | webmin | webmin
Red Hat Enterprise Linux 6 | No related packages or services were found on the distribution CD, Extra Packages for Enterprise Linux (EPEL) repository, or the Red Hat Enterprise Linux Server (v. 6) subscription channel. This module looks for the same packages and services as it does for Red Hat Enterprise Linux 5. If you have identified specific packages and services, please contact the customer support team at [email protected].
SUSE 10 and 11 | webmin | webmin
Solaris 10 | SUNWwebminu | svc:/application/management/webmin:default
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 6.2 - Configuring Stand Alone Services
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.2 - Enable only ports and services needed for operations
NERC Cyber Security - Systems Security Management (CIP-007-3)
• CIP-007-3-R2.2 - Disable ports and services not needed for operations
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.1.3 - Guidance for Unfamiliar Services
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.2 - Disable all unnecessary and insecure services
Enable Crond
The cron daemon (crond) is responsible for executing scheduled commands, and is used by many system routines to perform routine
maintenance. It is recommended that this service always be on.
Operating Systems            Package        Service Names
Fedora 10, 11, 12, and 13    cronie         crond
Red Hat Enterprise Linux 4   vixie-cron     crond
Red Hat Enterprise Linux 5   vixie-cron     crond
Red Hat Enterprise Linux 6   cronie         crond
SUSE 10 and 11               cron           crond
Solaris 10                   SUNWcsr        svc:/system/cron:default
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000224 - The cron service must be running.
Enable Ip6tables
The ip6tables service loads the host-based firewall rules for IPv6 and ICMPv6 into the kernel at boot. This module will check for
the iptables-ipv6 package and turn the ip6tables service on (if not already on). Enabling the service only loads the rules already
saved in /etc/sysconfig/ip6tables; refer to the ip6tables man pages for information on how to configure the firewall.
Note
SUSE and openSUSE wrap ip6tables in a different startup mechanism (SuSEfirewall2) rather than an ip6tables service. Please
refer to the OS documentation for further assistance.
Operating Systems                     Package          Service Names
Fedora 10, 11, 12, and 13             iptables-ipv6    ip6tables
Red Hat Enterprise Linux 4, 5, and 6  iptables-ipv6    ip6tables
SUSE 10 and 11                        See OS documentation.
Solaris 10                            See OS documentation.
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000103 - The system must employ a local IPv6 firewall.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.5.1 - Inspect and Activate Default Rules
Enable Iptables
The iptables service loads the host-based firewall rules for IPv4 and ICMP into the kernel at boot. This module will check for the
iptables package and turn the iptables service on (if not already on). Enabling the service only loads the rules already saved in
/etc/sysconfig/iptables; refer to the iptables man pages for information on how to configure the firewall.
Note
SUSE and openSUSE wrap iptables in a different startup mechanism (SuSEfirewall2) rather than an iptables service. Please refer
to the OS documentation for further assistance.
Operating Systems                     Package          Service Names
Fedora 10, 11, 12, and 13             iptables         iptables
Red Hat Enterprise Linux 4, 5, and 6  iptables         iptables
SUSE 10 and 11                        See OS documentation.
Solaris 10                            Not applicable.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN008520 - The system must employ a local firewall.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000113 - The system must employ a local IPv4 firewall.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.5.5.1 - Inspect and Activate Default Rules
Enable Postfix
The postfix daemon is responsible for local mail delivery, and is essential to many maintenance and notification activities. It is
recommended that this service always be on.
Operating Systems            Package        Service Names
Fedora 10, 11, 12, and 13    postfix        postfix
Red Hat Enterprise Linux 4   Not applicable
Red Hat Enterprise Linux 5   postfix        postfix
Red Hat Enterprise Linux 6   postfix        postfix
SUSE 10 and 11               postfix        postfix
Solaris 10                   Not applicable
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000287 - The postfix service must be enabled for mail delivery.
Ensure YUM Repositories use gpgcheck
The yum package manager used by most Red Hat derived Linux distributions can require that every package in a repository carry
a valid GPG signature before it is installed. This provides an additional measure of security: packages cannot be installed unless
they are signed with a key the system has been told to trust. The setting is gpgcheck=1, which can be given globally in the [main]
section of /etc/yum.conf and per repository in the files under /etc/yum.repos.d; a repository's own setting overrides the global
one, so every repository definition must be checked, not just yum.conf.
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000013 - The system package management tool must cryptographically verify the authenticity of system software
packages during installation.
• RHEL-06-000015 - The system package management tool must cryptographically verify the authenticity of all software packages
during installation.
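An added example of the check this module performs, written in Python against constructed yum.conf and .repo contents. It is not Security Blanket code; the repository names, URLs and the [main] contents are made up for the illustration, and the inheritance rule it applies (a repository without its own gpgcheck line takes the [main] value, which yum treats as 0 when absent) is yum's documented behaviour.

```python
"""Audit yum configuration for repositories whose packages are not GPG-verified."""
import configparser

# Constructed sample input (not taken from any real host): the [main] section of
# /etc/yum.conf and the contents of two files under /etc/yum.repos.d/.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=1
installonly_limit=3
"""

SAMPLE_REPO_FILES = {
    "/etc/yum.repos.d/base.repo": """\
[base]
name=Base
baseurl=http://mirror.example.invalid/base
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[updates]
name=Updates
baseurl=http://mirror.example.invalid/updates
enabled=1
gpgcheck=0
""",
    "/etc/yum.repos.d/internal.repo": """\
[internal]
name=Internal build output
baseurl=http://build.example.invalid/repo
enabled=1
# no gpgcheck line at all: yum falls back to the [main] value
""",
}


def _parse(text):
    # interpolation=None: yum variables such as $basearch are not configparser syntax
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def main_gpgcheck_default(yum_conf_text):
    """Global default from [main]; yum treats an absent gpgcheck as 0 (off)."""
    cp = _parse(yum_conf_text)
    return cp.getboolean("main", "gpgcheck", fallback=False)


def find_unverified_repos(yum_conf_text, repo_files):
    """Return (file, repo id, reason, repo enabled?) for every repository that would
    let yum install unsigned packages: explicit gpgcheck=0, or no gpgcheck line while
    [main] does not turn it on.  Disabled repositories are still reported, because
    `yum --enablerepo` can switch them on at install time."""
    default = main_gpgcheck_default(yum_conf_text)
    findings = []
    for path, text in repo_files.items():
        cp = _parse(text)
        for repo in cp.sections():
            if cp.has_option(repo, "gpgcheck"):
                if cp.getboolean(repo, "gpgcheck"):
                    continue
                reason = "gpgcheck=0"
            elif default:
                continue
            else:
                reason = "gpgcheck not set and [main] default is 0"
            findings.append((path, repo, reason, cp.getboolean(repo, "enabled", fallback=True)))
    return findings


if __name__ == "__main__":
    for path, repo, reason, enabled in find_unverified_repos(SAMPLE_YUM_CONF, SAMPLE_REPO_FILES):
        print("%s [%s]: %s (enabled=%s)" % (path, repo, reason, enabled))
```

A repository that fails this check is fixed by setting gpgcheck=1 in its section and importing the vendor key with rpm --import. Note that `yum --nogpgcheck` still bypasses the check for a single invocation, so the setting is only as strong as the restriction on who may run yum as root.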
Screen Package Installed
The screen package provides a 'screen lock' capability to any tty device, analogous to a graphical screen lock. Please refer to the
screen man page for more information on usage and configuration.
Note
This module is a scan-only module, and will only check to see if the screen package is installed.
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000071 - The system must allow locking of the console screen in text mode.
Chapter 22. Directory and File Permissions
Access.conf File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00400 - The /etc/access.conf file must be owned by root.
• GEN000000-LNX00420 - The /etc/access.conf file must have a privileged group owner.
• GEN000000-LNX00440 - The /etc/access.conf file must have mode 0640 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN000000-LNX00400 - The /etc/security/access.conf file must be owned by root.
• GEN000000-LNX00420 - The /etc/security/access.conf file must have a privileged group owner.
• GEN000000-LNX00440 - The /etc/security/access.conf file must have mode 0640 or less permissive.
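The Access.conf module above, and every other module in this chapter that takes the same Allowed User Names, Allowed Group Names and Maximum allowed permissions options, applies one policy shape. The following is an added example, not the product's code: a Python check that expands the '<SYSTEM;>' marker, applies the rwx-only and read-implies-search rules from the option descriptions, and reports what exceeds the policy. The privileged account lists (the product derives them from the local account database) and the fixture files are assumptions made for the illustration.

```python
"""Check a path against the owner / group / maximum-DAC policy shared by the
permission modules in this chapter."""
import grp
import os
import pwd
import stat
import tempfile

SYSTEM_MARKER = "<SYSTEM;>"  # expanded to the local privileged accounts, as the option text says


def expand_marker(names, privileged):
    """Insert the privileged list where the marker appears, keeping order and dropping duplicates."""
    out = []
    for name in names:
        for item in (privileged if name == SYSTEM_MARKER else (name,)):
            if item not in out:
                out.append(item)
    return out


def effective_max(max_perms, is_dir):
    """Only rwx bits count, and a directory class that may read may also search (x)."""
    m = max_perms & 0o777
    if is_dir:
        for r_bit, x_bit in ((0o400, 0o100), (0o040, 0o010), (0o004, 0o001)):
            if m & r_bit:
                m |= x_bit
    return m


def excess_bits(mode, max_perms, is_dir):
    """rwx bits set on the object that the policy does not allow (0 means compliant);
    SUID/SGID/sticky bits are deliberately not looked at here."""
    return stat.S_IMODE(mode) & 0o777 & ~effective_max(max_perms, is_dir)


def _names(uid, gid):
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return user, group


def check_path(path, allowed_users=(), allowed_groups=(), max_perms=None,
               privileged_users=("root",), privileged_groups=("root",)):
    """Return human-readable violations; an empty list means the path complies.
    An empty name list or max_perms=None disables that part of the check, as the
    module options describe.  privileged_users/privileged_groups are assumed
    inputs standing in for the product's own list of local privileged accounts."""
    st = os.lstat(path)
    is_dir = stat.S_ISDIR(st.st_mode)
    user, group = _names(st.st_uid, st.st_gid)
    users = expand_marker(list(allowed_users), list(privileged_users))
    groups = expand_marker(list(allowed_groups), list(privileged_groups))
    problems = []
    if users and user not in users:
        problems.append("%s: owner %s not in %s" % (path, user, users))
    if groups and group not in groups:
        problems.append("%s: group %s not in %s" % (path, group, groups))
    if max_perms is not None:
        extra = excess_bits(st.st_mode, max_perms, is_dir)
        if extra:
            problems.append("%s: mode %04o exceeds %04o by %04o"
                            % (path, stat.S_IMODE(st.st_mode) & 0o777, max_perms, extra))
    return problems


def demo():
    """Constructed fixture: a 0644 file checked against 0640 (one violation) and a
    0755 directory checked against 0644 (compliant, because read implies search)."""
    base = tempfile.mkdtemp()
    conf = os.path.join(base, "access.conf")
    open(conf, "w").close()
    os.chmod(conf, 0o644)
    spool = os.path.join(base, "spool")
    os.mkdir(spool)
    os.chmod(spool, 0o755)
    me, my_group = _names(os.getuid(), os.getgid())
    return (check_path(conf, ["bin", SYSTEM_MARKER], [my_group], 0o640, privileged_users=("root", me)),
            check_path(spool, [me], [], 0o644))


if __name__ == "__main__":
    for problems in demo():
        print(problems or ["ok"])
```

The module's "no extra permissions are enforced" wording corresponds to excess_bits only ever reporting bits to remove: a compliant object is one whose rwx bits are a subset of the (directory-adjusted) maximum, and nothing is ever added.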
At Directory Permissions
Restricts the ownership and group ownership of the at spool directory (the directory in which queued at jobs are kept), as well
as the maximum allowed Discretionary Access Controls (DAC) values on it, so that only the indicated users/groups can read or
modify the queued jobs.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003400 - The "at" directory must have mode 0755 or less permissive.
• GEN003420 - The at directory must be owned by root, bin, sys, daemon, or cron.
• GEN003430 - The "at" directory must be group-owned by root, bin, sys, or cron.
DISA UNIX STIG (v5 R1.30)
• GEN003400 - The at Directory Permissions
• GEN003420 - The at Directory Ownership
• GEN003430 - The "at" directory must be group-owned by root, bin, sys, or cron.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
At/Cron Access File Permissions
Restricts the users who are allowed to edit/view the 'access' (.allow and .deny) files for the at and crontab utilities. These files can be
restricted by setting the permitted owner/group settings as well as the maximum allowed Discretionary Access Controls (DAC) values.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002980 - The cron.allow file must have mode 0600 or less permissive.
• GEN003200 - The cron.deny file must have mode 0600 or less permissive.
• GEN003240 - The cron.allow file must be owned by root, bin, or sys.
• GEN003250 - The cron.allow file must be group-owned by root, bin, sys, or cron.
• GEN003252 - The at.deny file must have mode 0600 or less permissive.
• GEN003260 - The cron.deny file must be owned by root, bin, or sys.
• GEN003270 - The cron.deny file must be group-owned by root, bin, sys, or cron.
• GEN003340 - The at.allow file must have mode 0600 or less permissive.
• GEN003460 - The at.allow file must be owned by root, bin, or sys.
• GEN003470 - The at.allow file must be group-owned by root, bin, sys, or cron.
• GEN003480 - The at.deny file must be owned by root, bin, or sys.
• GEN003490 - The at.deny file must be group-owned by root, bin, sys, or cron.
DISA UNIX STIG (v5 R1.30)
• GEN002960 - Cron Utility Accessibility
• GEN002980 - The cron.allow Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.4.2 - Restrict Permissions on Files Used by cron
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Audit Tools Perms
Restricts the use of the audit tool commands by ensuring the indicated files are owned by the correct user/group, with permissions no
greater than the supplied DACs values.
If it is impractical to limit the use of these commands to root, consider setting the group owner to "wheel" and setting the group
execute bit. This will allow system administrators to use the commands.
Important
SUID/SGID bits are not considered here. If a command should be SUID/SGID, then the bits must be set manually (if not
already set) and the command added to /var/lib/security-blanket/files/suid_whitelist.custom or
/var/lib/security-blanket/files/sgid_whitelist.custom as appropriate.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN002715 - System audit tool executables must be owned by root.
• GEN002716 - System audit tool executables must be group-owned by root, bin, sys, or system.
• GEN002717 - System audit tool executables must have mode 0750 or less permissive.
Boot Loader Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 7.4 - Reset Permissions on grub Boot Loader
• 7.5 - Reset Permissions on lilo Boot Loader
DISA Red Hat 5 STIG (v1R4)
• GEN008720 - The system's boot loader configuration file(s) must have mode 0600 or less permissive.
• GEN008760 - The system's boot loader configuration files must be owned by root.
• GEN008780 - The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000065 - The system boot loader configuration file(s) must be owned by root.
• RHEL-06-000066 - The system boot loader configuration file(s) must be group-owned by root.
• RHEL-06-000067 - The system boot loader configuration file(s) must have mode 0600 or less permissive.
DISA UNIX STIG (v5 R1.30)
• LNX00160 - grub.conf Permissions
• LNX00220 - /etc/lilo.conf Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.5.2 - Set Boot Loader Password
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Configure Permissions on /usr/bin/ldd
Restricts the use of the ldd command by ensuring it is owned by the correct user/group, with permissions no greater than the
supplied DAC values. ldd is restricted because it may discover a program's dependencies by running that program under the
dynamic loader; used on an untrusted or maliciously crafted binary, it can therefore execute that binary's code with the caller's
privileges, which is the concern behind GEN007960 below.
If it is impractical to limit the use of this command to root, consider setting the group owner to "wheel" and setting the group
execute bit. This will allow system administrators to use the command.
Important
SUID/SGID bits are not considered here. If a command should be SUID/SGID, then the bits must be set manually (if not
already set) and the command added to /var/lib/security-blanket/files/suid_whitelist.custom or
/var/lib/security-blanket/files/sgid_whitelist.custom as appropriate.
Module Options
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN007960 - The 'ldd' command must be disabled unless it protects against the execution of untrusted files.
DISA UNIX STIG (v5 R1.30)
• GEN001180 - Network Services Daemon Permissions
• GEN001200 - System Command Permissions
• GEN001220 - System Files, Programs, and Directories Ownership
• GEN001240 - System Files, Programs, and Directories Group Ownership
• GEN005100 - TFTP SUID/SGID Bit
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Consult the RPM Database for file/directory Setting
Uses the information in the system RPM database (RPM's verify function) to check the attributes recorded for every file and
directory of every installed package, such as ownership, permissions, and the digest of the file contents (MD5 on older releases;
newer RPM versions record SHA-256). The module detects places where the on-disk settings differ from the database and can
call upon RPM to restore certain of them (ownership, group ownership, and permissions). Other attributes, such as changed file
contents, can only be restored by re-installing the associated package, which is beyond the scope of this module. The module
can also be told to leave certain discrepancies alone, for example places where Security Blanket has made other changes to the
system, or where specific RPMs or files/directories are required to differ from what was installed.
Exemptions.
RPM has the concept of 'configuration' files, which are expected to change from what was originally installed. By default this
module exempts such files from the digest check. If a configuration file is missing, however, that is still flagged as a potential
problem. Specific RPMs can be entered to ignore, for example an RPM whose recorded defaults are wrong, or one whose files are
modified after installation. Specific files or directories can also be entered to ignore. Note that a directory entered here is not
treated recursively: only the directory itself, not its contents, is ignored.
Important
This module uses RPM to detect places where the RPM database does not agree with what is actually on disk. However,
rather than simply asking RPM to resolve every difference, each inconsistency is evaluated to decide whether a change should
be made. This allows system administrators to accommodate instances where specific RPMs, files, or directories need settings
that differ from what was installed. In addition, other Security Blanket modules may change installed files and directories (for
example, Remove Unowned Files sets unowned files to root:root ownership and permissions of 000), and asking RPM to restore
the packaged settings would undo those changes. Whenever this module is told not to take action, a message to that effect is
logged.
To mitigate those potential issues, the behavior of this module can be fine tuned using the options provided below.
Please make changes to these options carefully, as the changes can directly impact the security posture of your system.
Module Options
• Should files owned by root/root with permissions of 000 be left alone?
If Security Blanket needs to neutralize a file or entry (for example, when an unowned file is found), the ownership is set to
root:root and the permissions to 000. Unless told to let those changes persist, this module would undo every one of them.
• List of RPM packages to ignore
• List of specific files/dirs to ignore (dirs are treated non-recursively)
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000278 - The system package management tool must verify permissions on all files and directories associated with the
audit package.
• RHEL-06-000279 - The system package management tool must verify ownership on all files and directories associated with the
audit package.
• RHEL-06-000280 - The system package management tool must verify group-ownership on all files and directories associated with
the audit package.
• RHEL-06-000281 - The system package management tool must verify contents of all files associated with the audit package.
• RHEL-06-000516 - The system package management tool must verify ownership on all files and directories associated with
packages.
• RHEL-06-000517 - The system package management tool must verify group-ownership on all files and directories associated with
packages.
• RHEL-06-000518 - The system package management tool must verify permissions on all files and directories associated with
packages.
• RHEL-06-000519 - The system package management tool must verify contents of all files associated with packages.
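An added example, not Security Blanket code: a Python triage of `rpm -Va` output that implements the exemptions this module describes (config files exempt from the digest check but not from the missing-file check, package and path ignore lists with non-recursive directories, and the root:root/000 rule). The verify lines, the package ownership table standing in for `rpm -qf`, and the on-disk state standing in for os.stat() are constructed for the illustration.

```python
"""Triage `rpm -Va` output with the exemptions the module above describes."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path package action reason")

# Constructed sample in `rpm -Va` format: attribute flags (S size, M mode, 5 digest,
# D device, L link, U user, G group, T mtime, P capabilities), an optional file-type
# letter (c = config file), then the path.  Not output from a real host.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
missing     /etc/cron.d/nightly
.M.......    /var/log/audit
....U....    /usr/sbin/auditctl
S.5....T.    /usr/bin/vim
.M...UG..    /var/lib/legacyapp/data.db
.......T.    /usr/share/doc/README
.M.......    /opt/thirdparty/bin/tool
"""

# Stand-in for `rpm -qf <path>` (constructed): the package owning each path.
OWNER_PKG = {
    "/etc/ssh/sshd_config": "openssh-server",
    "/etc/cron.d/nightly": "nightly-jobs",
    "/var/log/audit": "audit",
    "/usr/sbin/auditctl": "audit",
    "/usr/bin/vim": "vim-enhanced",
    "/var/lib/legacyapp/data.db": "legacyapp",
    "/usr/share/doc/README": "docs",
    "/opt/thirdparty/bin/tool": "thirdparty",
}

# Stand-in for os.stat() (constructed): what is on disk now, used for the root:root/000 rule.
ON_DISK = {"/var/lib/legacyapp/data.db": ("root", "root", 0o000)}

LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")


def parse_rpm_va(text):
    """Yield (flags, file_type, path) for each verify line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2) or "", m.group(3)


def triage(text, ignore_pkgs=(), ignore_paths=(), leave_root_000=True):
    """Map each discrepancy to one action:
    skip      - covered by an ignore list or the root:root/000 rule (logged, not changed)
    report    - file missing; config files are not exempt from this
    reinstall - content differs on a non-config file; rpm cannot repair this in place
    rpm --setperms/--setugids <pkg> - mode or owner/group differs; rpm can restore it
    log       - only a timestamp or config-file content changed"""
    out = []
    for flags, ftype, path in parse_rpm_va(text):
        pkg = OWNER_PKG.get(path, "(unowned)")
        if pkg in ignore_pkgs:
            out.append(Finding(path, pkg, "skip", "package on ignore list"))
        elif path in ignore_paths:  # a listed directory matches itself only, never its contents
            out.append(Finding(path, pkg, "skip", "path on ignore list"))
        elif flags == "missing":
            out.append(Finding(path, pkg, "report", "file missing"))
        elif leave_root_000 and ON_DISK.get(path) == ("root", "root", 0o000):
            out.append(Finding(path, pkg, "skip", "root:root mode 000, left as another module set it"))
        else:
            content = set(flags) & set("S5DL")
            if ftype == "c":
                content = set()  # config files are expected to differ from the packaged copy
            if content:
                out.append(Finding(path, pkg, "reinstall", "content differs (%s)" % "".join(sorted(content))))
            if "M" in flags:
                out.append(Finding(path, pkg, "rpm --setperms " + pkg, "mode differs"))
            if "U" in flags or "G" in flags:
                out.append(Finding(path, pkg, "rpm --setugids " + pkg, "owner/group differs"))
            if not content and not set(flags) & set("MUG"):
                out.append(Finding(path, pkg, "log", "timestamp or config content only"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_RPM_VA, ignore_pkgs=("thirdparty",), ignore_paths=("/usr/share/doc",)):
        print("%-24s %-28s %s" % (f.action, f.path, f.reason))
```

The actions map onto RPM's own repair options: `rpm --setperms <pkg>` and `rpm --setugids <pkg>` restore modes and ownership from the database for every file of the package, while a content difference on a non-config file needs the package reinstalled. Note that a digest or size mismatch on a non-config binary such as the vim example is exactly the signature a tampered executable would leave, so "reinstall" findings deserve a look before they are simply repaired.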
Correct Uneven File Permissions
Ensures files and directories do not have uneven file permissions, that is, the group must not hold any permission bit that the
owner lacks. If the permissions are uneven, this module sets the permissions to 0755. Note that 0755 can be more permissive than
the original mode (for example, a 0604 file gains group read and execute for everyone), so review the affected files after the
module runs rather than relying on the reset alone.
This module does not check files inside user home directories.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001140 - System files and directories must not have uneven access permissions.
DISA UNIX STIG (v5 R1.30)
• GEN001140 - Uneven File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
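An added example, not the module's code: a Python scan for uneven modes that also computes the least-privilege alternative to the flat 0755 reset, run over a constructed directory tree. The group-vs-owner rule is the one the module text states; the other-vs-group half is taken from the STIG's definition of uneven permissions (GEN001140) and is an addition here, as is the home-directory skip list, which is passed in rather than discovered.

```python
"""Detect and repair 'uneven' permissions, where group or other holds a bit that the
more privileged class does not."""
import os
import stat
import tempfile


def even_mode(mode):
    """Return the closest mode with no uneven bits: group may hold only bits the owner
    holds, and other only bits the (corrected) group holds.  Special bits are kept."""
    m = stat.S_IMODE(mode)
    owner, group, other = (m >> 6) & 7, (m >> 3) & 7, m & 7
    group &= owner
    other &= group
    return (m & ~0o777) | (owner << 6) | (group << 3) | other


def uneven_bits(mode):
    """The bits that make a mode uneven; 0 means the mode is even."""
    return stat.S_IMODE(mode) ^ even_mode(mode)


def scan(root, skip=()):
    """Walk root without descending into the directories listed in skip (home
    directories, for this module) and return (path, current mode, the module's 0755,
    minimal even mode) for every uneven file or directory."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on Linux
            if uneven_bits(st.st_mode):
                hits.append((p, stat.S_IMODE(st.st_mode), 0o755, even_mode(st.st_mode)))
    return hits


def demo():
    """Constructed fixture: one uneven file (0646), one even file (0640), and an
    uneven file under a directory that is skipped as if it were a home directory."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "home", "alice"))
    for rel, mode in (("etc.conf", 0o646), ("ok.conf", 0o640), ("home/alice/.bashrc", 0o477)):
        p = os.path.join(base, rel)
        open(p, "w").close()
        os.chmod(p, mode)
    return scan(base, skip=(os.path.join(base, "home"),))


if __name__ == "__main__":
    for path, cur, reset, minimal in demo():
        print("%s: %04o -> module sets %04o, minimal fix %04o" % (path, cur, reset, minimal))
```

For the 0646 fixture file the minimal fix is 0644 (drop the stray other-write bit), whereas the module's reset to 0755 would also add execute for every class; the minimal mode is the one to apply by hand when the 0755 reset is inappropriate.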
Crontab Dir Perms
Restricts the crontab directories to be directly accessible only to indicated users/groups with a maximum allowed DAC setting.
Module Options
• Location of user crontab directory
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003100 - Cron and crontab directories must have mode 0755 or less permissive.
• GEN003120 - Cron and crontab directories must be owned by root or bin.
• GEN003140 - Cron and crontab directories must be group-owned by root, sys, bin or cron.
DISA UNIX STIG (v5 R1.30)
• GEN003100 - Cron and Crontab Directories Permissions
• GEN003120 - Cron and Crontab Directories Ownership
• GEN003140 - Cron and Crontab Directories Group Ownership
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Crontab Perms
Restricts the crontab files to be directly accessible only to indicated users/groups with a maximum allowed DAC setting.
Module Options
• Location of crontab spool directories and configuration file
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Allow users ownership (w/primary group) of personal crontab file?
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003040 - Crontabs must be owned by root or the crontab creator.
• GEN003050 - Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
• GEN003080 - Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or
less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003050 - Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
• GEN003080 - Crontab files Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.4.2 - Restrict Permissions on Files Used by cron
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Crontab Script Perms
Restricts the scripts in the crontab directories to be directly accessible only to indicated users/groups with a maximum allowed DAC
setting.
Module Options
• Location of system crontab script directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (e.g., 0640; the most permissive value is 777 or 0777).
Only the read/write/execute bits are considered. If a directory is allowed read permission for user, group, or other, the
corresponding execute (search) permission is also allowed so that the directory can be traversed. The module only caps
permissions; it never adds any. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003040 - Crontabs must be owned by root or the crontab creator.
• GEN003050 - Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
• GEN003080-2 - Files in cron script directories must have mode 0700 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003050 - Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
• GEN003080 - Crontab files Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.4.2 - Restrict Permissions on Files Used by cron
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
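The option semantics shared by every module in this chapter (the '<SYSTEM;>' marker, the octal maximum with only the rwx bits considered, and the read-implies-execute rule for directories) as an added Python example; this is not Security Blanket code, and it assumes that "local privileged accounts" means UID-0 users and GID-0 groups, which the guide does not define. The sample entries are constructed, not real system data.

```python
"""Added example: evaluate a file-permission module's options the way the option text describes them."""
import glob
import grp
import os
import pwd
import stat
from dataclasses import dataclass

RWX_MASK = 0o777  # only the read/write/execute bits are considered

# Assumption (not stated in the guide): "local privileged accounts" means UID-0 users
# and GID-0 groups from the local account databases.
def local_privileged_users():
    return sorted({p.pw_name for p in pwd.getpwall() if p.pw_uid == 0})

def local_privileged_groups():
    return sorted({g.gr_name for g in grp.getgrall() if g.gr_gid == 0})

def expand_system(names, privileged):
    """Replace '<SYSTEM;>' with the privileged list at that position, dropping duplicates."""
    out = []
    for name in names:
        for cand in (privileged if name == "<SYSTEM;>" else [name]):
            if cand not in out:
                out.append(cand)
    return out

def effective_max(max_perms, is_dir):
    """Mode actually tolerated: on a directory a class that may read may also execute
    (traverse). Files never get anything beyond max_perms."""
    allowed = max_perms & RWX_MASK
    if is_dir:
        for r_bit, x_bit in ((stat.S_IRUSR, stat.S_IXUSR), (stat.S_IRGRP, stat.S_IXGRP),
                             (stat.S_IROTH, stat.S_IXOTH)):
            if allowed & r_bit:
                allowed |= x_bit
    return allowed

@dataclass
class Entry:
    path: str
    mode: int    # full st_mode (file-type bits plus permission bits)
    owner: str
    group: str

def check_entry(entry, users, groups, max_perms):
    """Findings for one entry (empty list == compliant). An empty user or group list
    disables that check; max_perms=None disables the permission check."""
    findings = []
    if users and entry.owner not in users:
        findings.append(f"{entry.path}: owner {entry.owner!r} not in allowed users")
    if groups and entry.group not in groups:
        findings.append(f"{entry.path}: group {entry.group!r} not in allowed groups")
    if max_perms is not None:
        allowed = effective_max(max_perms, stat.S_ISDIR(entry.mode))
        actual = stat.S_IMODE(entry.mode) & RWX_MASK
        extra = actual & ~allowed
        if extra:
            findings.append(f"{entry.path}: mode {actual:04o} exceeds {allowed:04o} "
                            f"(extra bits {extra:04o})")
    return findings

def entry_from_path(path):
    st = os.lstat(path)  # symlinks are examined, not followed
    try:
        owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # unmapped UID/GID: report the numeric ids instead
        owner, group = str(st.st_uid), str(st.st_gid)
    return Entry(path, st.st_mode, owner, group)

def audit(patterns, users, groups, max_perms, recursive=False, expand=False):
    """Apply the options to the 'List of files/directories'; missing names are skipped."""
    users = expand_system(users, local_privileged_users())
    groups = expand_system(groups, local_privileged_groups())
    findings = []
    for pat in patterns:
        for p in (glob.glob(pat) if expand else [pat]):
            if not os.path.lexists(p):
                continue
            paths = [p]
            if recursive and os.path.isdir(p) and not os.path.islink(p):
                for root, dirs, files in os.walk(p):
                    paths.extend(os.path.join(root, n) for n in dirs + files)
            for path in paths:
                findings.extend(check_entry(entry_from_path(path), users, groups, max_perms))
    return findings

# Constructed sample (not real system data): a cron script directory checked at 0700.
SAMPLE = [
    Entry("/etc/cron.daily", stat.S_IFDIR | 0o755, "root", "root"),
    Entry("/etc/cron.daily/logrotate", stat.S_IFREG | 0o700, "root", "root"),
    Entry("/etc/cron.daily/backup.sh", stat.S_IFREG | 0o700, "backup", "cron"),
    Entry("/etc/cron.daily/tmpwatch", stat.S_IFREG | 0o744, "root", "root"),
]

def sample_findings():
    users = expand_system(["<SYSTEM;>"], ["root"])           # privileged list stubbed
    groups = expand_system(["<SYSTEM;>", "cron"], ["root"])  # for the offline sample
    return [f for e in SAMPLE for f in check_entry(e, users, groups, 0o700)]
```

Running `audit(["/etc/cron.d", "/etc/cron.*"], ["<SYSTEM;>"], ["<SYSTEM;>"], 0o700, recursive=True, expand=True)` on a live host reproduces the Crontab Script Perms check; the directory itself passes at 0700 while a 0755 directory is reported with the extra bits.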
FTP Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN004920 - The ftpusers file must be owned by root.
• GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system.
• GEN004940 - The ftpusers file must have mode 0640 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN004920 - The ftpusers File Ownership
• GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system.
• GEN004940 - The ftpusers File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Global Initialization File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001720 - All global initialization files must have mode 0644 or less permissive.
• GEN001740 - All global initialization files must be owned by root.
• GEN001760 - All global initialization files must be group-owned by root, sys, bin, other, system, or the system default.
DISA UNIX STIG (v5 R1.30)
• GEN001720 - Global Initialization Files Permissions
• GEN001740 - Global Initialization Files Ownership
• GEN001760 - Global Initialization Files Group Ownership
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Hosts File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001366 - The /etc/hosts file must be owned by root.
• GEN001367 - The /etc/hosts file must be group-owned by root, bin, or sys.
• GEN001368 - The /etc/hosts file must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001366 - The /etc/hosts file must be owned by root.
• GEN001367 - The /etc/hosts file must be group-owned by root, bin, sys, or system.
• GEN001368 - The /etc/hosts file must have mode 0644 or less permissive.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Inetd/Xinetd Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003720 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
• GEN003730 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
• GEN003740 - The inetd.conf and xinetd.conf files must have mode 0640 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003720 - inetd.conf Ownership
• GEN003730 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
• GEN003740 - inetd.conf Permissions
• GEN003750 - The xinetd.d directory must have mode 0755 or less permissive.
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
InterNetNews Config File Perms
Restricts access to the InterNetNews (INN) configuration files.
INN service is not part of the base operating system installation. If INN is running, it is highly recommended to use this module to
ensure the file permissions are set to the default, restrictive access modes.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN006260 - The /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive.
• GEN006280 - The /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive.
• GEN006300 - The /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive.
• GEN006320 - The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
• GEN006340 - Files in /etc/news must be owned by root or news.
• GEN006360 - The files in /etc/news must be group-owned by root or news.
DISA UNIX STIG (v5 R1.30)
• GEN006260 - /etc/news/hosts.nntp Permissions
• GEN006280 - /etc/news/hosts.nntp.nolimit Permissions
• GEN006300 - /etc/news/nnrp.access Permissions
• GEN006320 - /etc/news/passwd.nntp Permissions
• GEN006340 - /etc/news Files Ownership
• GEN006360 - /etc/news Files Group Ownership
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
Kernel Core Dump Directory Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003520 - The kernel core dump data directory must be owned by root.
• GEN003521 - The kernel core dump data directory must be group-owned by root, bin, sys, or system.
• GEN003522 - The kernel core dump data directory must have mode 0700 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003520 - Core Dump Directory Ownership and Permissions
• GEN003521 - The kernel core dump data directory must be group-owned by root, bin, sys, or system.
• GEN003522 - The kernel core dump data directory must have mode 0700 or less permissive.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
LDAP Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN008060 - If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must
have mode 0644 or less permissive.
• GEN008080 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be
owned by root.
• GEN008100 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be
group-owned by root, bin, sys, or system.
DISA UNIX STIG (v5 R1.30)
• GEN008060 - If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must
have mode 0644 or less permissive.
• GEN008080 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be
owned by root.
• GEN008100 - If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be
group-owned by root, bin, sys, or system.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Mail Agent Aliases Files Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Allowed Group Names
Overrides the allowed groupname for filename 'aliases.db', as required by sendmail. This is normally the 'smmsp' group.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN004360 - The alias file must be owned by root.
• GEN004370 - The aliases file must be group-owned by root, sys, bin, or system.
• GEN004380 - The alias file must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN004360 - aliases Ownership
• GEN004380 - aliases Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Management Information Base (MIB) File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005340 - Management Information Base (MIB) files must have mode 0640 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN005340 - MIB File Permissions
• GEN005360 - snmpd.conf and .mib Ownership
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
NFS Export Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005740 - The Network File System (NFS) export configuration file must be owned by root.
• GEN005750 - The Network File System (NFS) export configuration file must be group-owned by root, bin, sys, or system.
• GEN005760 - The Network File System (NFS) export configuration file must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN005740 - Export Configuration File Ownership
• GEN005750 - The NFS export configuration file must be group-owned by root, bin, sys, or system.
• GEN005760 - Export Configuration File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
NIS/NIS+/YP Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001320 - NIS/NIS+/yp files must be owned by root, sys, or bin.
• GEN001340 - NIS/NIS+/yp files must be group-owned by root, sys, or bin.
• GEN001360 - The NIS/NIS+/yp command files must have mode 0755 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001320 - NIS/NIS+/yp File Ownership
• GEN001340 - NIS/NIS+/yp File Group Ownership
• GEN001360 - NIS/NIS+/yp File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
NTP Perms
Restricts the indicated NTP setup files to be directly accessible only to specific users/groups with a maximum allowed DAC setting.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN000250 - The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
• GEN000251 - The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
• GEN000252 - The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
Name Service Switch Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001371 - The /etc/nsswitch.conf file must be owned by root.
• GEN001372 - The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
• GEN001373 - The /etc/nsswitch.conf file must have mode 0644 or less permissive.
Security Blanket® Modules Guide
Export Controlled - See Sheet 1
239
Directory and File Permissions
DISA UNIX STIG (v5 R1.30)
• GEN001371 - The /etc/nsswitch.conf file must be owned by root.
• GEN001372 - The /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system.
• GEN001373 - The /etc/nsswitch.conf file must have mode 0644 or less permissive.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Password Perms
Secures password files with permissions that protect them from being directly modified by unauthorized users.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001378 - The /etc/passwd file must be owned by root.
• GEN001379 - The /etc/passwd file must be group-owned by root, bin, or sys.
• GEN001380 - The /etc/passwd file must have mode 0644 or less permissive.
• GEN001391 - The /etc/group file must be owned by root.
• GEN001392 - The /etc/group file must be group-owned by root, bin, or sys.
• GEN001393 - The /etc/group file must have mode 0644 or less permissive.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000039 - The /etc/passwd file must be owned by root.
• RHEL-06-000040 - The /etc/passwd file must be group-owned by root.
• RHEL-06-000041 - The /etc/passwd file must have mode 0644 or less permissive.
• RHEL-06-000042 - The /etc/group file must be owned by root.
• RHEL-06-000043 - The /etc/group file must be group-owned by root.
• RHEL-06-000044 - The /etc/group file must have mode 0644 or less permissive.
DoD NISPOM (Feb 2006)
• 8.303d - Access to Authentication Data
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.3.1 - Verify Permissions on passwd, shadow, group and gshadow Files
NVD CCE
• CCE-3276-3
• CCE-3495-9
• CCE-3566-7
• CCE-3883-6
• CCE-3918-0
• CCE-3958-6
• CCE-3967-7
• CCE-3988-3
• CCE-4130-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.4 - Render all passwords unreadable during transmission and storage on all system components.
Printer Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003920 - The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
• GEN003930 - The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
• GEN003940 - The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003920 - hosts.lpd Ownership
• GEN003930 - The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
• GEN003940 - hosts.lpd Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Resolver Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001362 - The /etc/resolv.conf file must be owned by root.
• GEN001363 - The /etc/resolv.conf file must be group-owned by root, bin, or sys.
• GEN001364 - The /etc/resolv.conf file must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001362 - The /etc/resolv.conf file must be owned by root.
• GEN001363 - The /etc/resolv.conf file must be group-owned by root, bin, sys, or system.
• GEN001364 - The /etc/resolv.conf file must have mode 0644 or less permissive.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Restrict Use of Compiler Tools
Restricts the use of compiler tools such as gcc and g++ to the superuser (root).
It is recommended that production systems do not have compilers installed. This module restricts the use of such compilers to only the
superuser. Applying this module should not affect the ability to install RPM packages which require a compiler.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Restrict Use of Traceroute and Ping
Restricts the use of the indicated commands by ensuring the commands are owned by the correct user/group, with permissions no
greater than the supplied DACs values.
If it is impractical to limit the use of these commands to root, consider setting the group owner to "wheel" and setting the group
execute bit. This will allow system administrators to use the commands.
Important
SUID/SGID bits are not considered here. If a command should be SUID/SGID, then the bits must be set manually (if not
already set) and the command added to /var/lib/security-blanket/files/suid_whitelist.custom or
/var/lib/security-blanket/files/sgid_whitelist.custom as appropriate.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
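The owner, group and "Maximum allowed permissions" checks described in the Module Options above (the same options recur in the other file-permission modules in this chapter), worked through as an added example rather than Security Blanket's own code. The privileged-account lists substituted for '<SYSTEM;>', the sample file entries and their modes are constructed.

```python
import stat
from dataclasses import dataclass

SYSTEM_TOKEN = "<SYSTEM;>"

# Constructed stand-ins for "all local privileged accounts"; a real
# implementation would derive these from /etc/passwd and /etc/group.
SYSTEM_USERS = ["root", "bin", "daemon"]
SYSTEM_GROUPS = ["root", "bin", "sys", "daemon"]


@dataclass
class Entry:
    """One file system object as the module would see it (constructed, not read from disk)."""
    path: str
    owner: str
    group: str
    mode: int  # full st_mode, including file type and set-ID/sticky bits


def expand_names(names, system_names):
    """Expand '<SYSTEM;>' at its position in the list and drop duplicate names, keeping order."""
    out = []
    for name in names:
        for item in (system_names if name == SYSTEM_TOKEN else [name]):
            if item not in out:
                out.append(item)
    return out


def allowed_mask(max_perms, is_dir):
    """Turn the octal 'Maximum allowed permissions' option into an rwx mask.

    Returns None when the option is empty (no permission check at all).
    Only the rwx bits count; set-ID and sticky bits are masked out.  For a
    directory, a class that is allowed to read is also allowed to execute
    (directory traversal), exactly as the option text describes.
    """
    if not max_perms:
        return None
    mask = int(max_perms, 8) & 0o777
    if is_dir:
        for read_bit, exec_bit in ((0o400, 0o100), (0o040, 0o010), (0o004, 0o001)):
            if mask & read_bit:
                mask |= exec_bit
    return mask


def check_entry(entry, allowed_users, allowed_groups, max_perms,
                system_users=SYSTEM_USERS, system_groups=SYSTEM_GROUPS):
    """Return a list of findings for one entry (an empty list means compliant)."""
    findings = []
    users = expand_names(allowed_users, system_users)
    groups = expand_names(allowed_groups, system_groups)
    if users and entry.owner not in users:        # empty list: owner is not checked
        findings.append(f"{entry.path}: owner '{entry.owner}' not in {users}")
    if groups and entry.group not in groups:      # empty list: group is not checked
        findings.append(f"{entry.path}: group '{entry.group}' not in {groups}")
    mask = allowed_mask(max_perms, stat.S_ISDIR(entry.mode))
    if mask is not None:
        # Bits present on the object but absent from the allowed set.
        excess = (entry.mode & 0o777) & ~mask
        if excess:
            findings.append(f"{entry.path}: mode {entry.mode & 0o777:04o} exceeds "
                            f"{mask:04o} (extra bits {excess:04o})")
    return findings


# Constructed sample set: a compliant nsswitch.conf, an ntp.conf that is
# group-owned by 'ntp' and group-writable, a directory whose execute bits are
# tolerated under a 0644 maximum, and a SUID traceroute at 0755.
SAMPLE = [
    Entry("/etc/nsswitch.conf", "root", "root", stat.S_IFREG | 0o644),
    Entry("/etc/ntp.conf", "root", "ntp", stat.S_IFREG | 0o664),
    Entry("/etc/snmp", "root", "root", stat.S_IFDIR | 0o755),
    Entry("/bin/traceroute", "root", "root", stat.S_IFREG | stat.S_ISUID | 0o755),
]


def audit(entries=SAMPLE, allowed_users=("root",), allowed_groups=(SYSTEM_TOKEN,),
          max_perms="0644"):
    """Run check_entry over a set of entries and map each path to its findings."""
    return {e.path: check_entry(e, list(allowed_users), list(allowed_groups), max_perms)
            for e in entries}


if __name__ == "__main__":
    for path, findings in audit().items():
        print(path, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Because the SUID bit is outside the rwx mask, the traceroute entry is flagged only for its rwx excess; with the STIG's 0700 maximum the extra bits reported are 0055.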
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003960 - The traceroute command owner must be root.
• GEN003980 - The traceroute command must be group-owned by sys, bin, root, or system.
• GEN004000 - The traceroute file must have mode 0700 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003960 - The traceroute Command Ownership
• GEN003980 - The traceroute Command Group Ownership
• GEN004000 - The traceroute Command Permissions
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
Restrict Write Access on Man Pages
Set permissions on manual pages in /usr/share/man, /usr/share/info, and /usr/share/infopage to allow only root
to modify them.
It is recommended to let this module restrict write access to the manual pages. This module sets the permissions to the operating
system defaults and should have no impact on normal operations.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001280 - Manual page files must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001280 - Manual Page File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
SNMP Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005320 - The snmpd.conf file must have mode 0600 or less permissive.
• GEN005360 - The snmpd.conf file must be owned by root.
• GEN005365 - The snmpd.conf file must be group-owned by root, bin, sys, or system.
DISA UNIX STIG (v5 R1.30)
• GEN005320 - snmpd.conf Permissions
• GEN005360 - snmpd.conf and .mib Ownership
• GEN005365 - The snmpd.conf file must be group-owned by root, sys, bin, or system.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Samba Configuration File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN006100 - The /etc/smb.conf file must be owned by root.
• GEN006120 - The /etc/smb.conf file must be group-owned by root, bin, sys, or system.
• GEN006140 - The /etc/smb.conf file must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN006100 - smb.conf Ownership
• GEN006120 - smb.conf Group Ownership
• GEN006140 - smb.conf Permissions
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Samba Password File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN006160 - The /etc/smbpasswd file must be owned by root.
• GEN006180 - The smbpasswd file must be group-owned by root.
• GEN006200 - The smbpasswd file must have mode 0600 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN006160 - smbpasswd Ownership
• GEN006180 - smbpasswd Group Ownership
• GEN006200 - smbpasswd Permissions
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Secure Audio Devices
Restricts access to the audio device (/dev/audio*) files.
It is recommended to apply this module. The file permissions set by this module are operating system defaults; therefore, it should not
impact normal operations.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002320 - Audio devices must have mode 0660 or less permissive.
• GEN002340 - Audio devices must be owned by root.
• GEN002360 - Audio devices must be group-owned by root, sys, bin, or system.
DISA UNIX STIG (v5 R1.30)
• GEN002320 - Audio Device Permissions
• GEN002340 - Audio Device Ownership
• GEN002360 - Audio Device Group Ownership
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
Secure SUID/SGID Executables
Searches for unauthorized set-ID programs and removes their set-ID permissions. Set-UID and set-GID programs can be
compromised and used to violate system integrity.
Administrators can edit the files in the /var/lib/security-blanket/files/ directory to add additional set-ID programs
to the list of authorized set-ID files. Any set-ID file on the system that does not appear in one of these files is considered to be
unauthorized.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.2 - Verify File System Permissions
• 8.5 - Verify SUID/SGID Files Are Appropriate
DISA Red Hat 5 STIG (v1R4)
• GEN002380 - The owner, group-owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
• GEN002400 - The system must be checked weekly for unauthorized setuid files as well as unauthorized modification to authorized
setuid files.
• GEN002440 - The owner, group-owner, mode, ACL and location of files with the setgid bit set must be documented using site-defined procedures.
• GEN002460 - The system must be checked weekly for unauthorized setgid files as well as unauthorized modification to authorized
setgid files.
DISA UNIX STIG (v5 R1.30)
• GEN000140 - Create and Maintain System Baseline
• GEN001620 - Run Control Scripts SGID/SUID
• GEN001920 - Local Initialization Files SGID/SUID
• GEN002160 - Shells SUID
• GEN002180 - Shells SGID
• GEN002380 - SUID Files Baseline
• GEN002400 - System Baseline for SUID Files Checking
• GEN002440 - SGID Files Baseline
• GEN002460 - System Baseline for SGID Files Checking
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.3.4 - Find Unauthorized SUID/SGID System Executables
NVD CCE
• CCE-14340-4
• CCE-14970-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Secure Shell Binaries
Sets file permissions on shell binaries assigned to user accounts to only allow root to write to them. This prevents unauthorized
modifications to shell binaries such as /bin/bash or /bin/ksh.
If a shell binary has the SUID or SGID bit turned on, the authorized whitelists are consulted: /var/lib/security-blanket/files/sgid_whitelist
and /var/lib/security-blanket/files/suid_whitelist. If the shell binary in question is not listed in the respective whitelist,
its SUID or SGID bit is turned off.
It is recommended to apply this module, which restricts write access to the shell binaries to avoid possible Trojan Horses.
This module sets the permissions to the operating system defaults and should have no impact on normal operations.
The list of approved system shell files is taken from the /etc/shells file.
Module Options
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002200 - All shell files must be owned by root or bin.
• GEN002210 - All shell files must be group-owned by root, bin, sys, or system.
• GEN002220 - All shell files must have mode 0755 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN002160 - Shells SUID
• GEN002180 - Shells SGID
• GEN002200 - Shells Ownership
• GEN002220 - Shells Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
Secure Unowned Files
Removes unowned status on files. Normally, file system objects should have named user and group ownership. Unowned files may be
left behind by deleted applications or accounts; they may also come from an import of data from another system or from an intruder.
Removing unowned status on files is recommended. If this breaks a third-party application, you can undo the operation. Also, review
the files owned by 'nobody' for potential removal.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.3 - Verify Unowned Files Do Not Exist
DISA Red Hat 5 STIG (v1R4)
• GEN001160 - All files and directories must have a valid owner.
DISA UNIX STIG (v5 R1.30)
• GEN001160 - Unowned Files
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.3.5 - Find and Repair Unowned Files
NVD CCE
• CCE-3573-3
• CCE-4223-4
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Secure World Writable Devices
Removes world writable permission on devices. Normally, any user on the system can read/write data in world writable devices. This
could lead to a malicious user altering data on an attached media/storage device.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.4 - Verify World Writable Files Are Limited
DISA Red Hat 5 STIG (v1R4)
• GEN002280 - Device files and directories must only be writable by users with a system account or as configured by the vendor.
• GEN002480 - Public directories must be the only world-writable directories and world-writable files must be located only in public
directories.
DISA UNIX STIG (v5 R1.30)
• GEN001640 - Run Control Scripts World Writable Programs or Scripts
• GEN001940 - Local Initialization Files World Writable Programs or Scripts
• GEN002480 - World Writable Files and Directories
• GEN003000 - Cron Executes World Writable Programs
• GEN003020 - Cron Executes Programs in World Writable Directories
• GEN003360 - At Executes World Writable Programs
• GEN003380 - At Executes Programs in World Writable Directories
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.3.3 - Find Unauthorized World-Writable Files
NVD CCE
• CCE-14794-2
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Secure World Writable Directories
Secures world writable directories by setting the “sticky” bit, which restricts file removal to the file's owner. Without the
“sticky” bit, any user can remove any file in such a directory. This setting is common practice for most shared directories such as /tmp
and /var/tmp.
Enabling the “sticky” bit on world writable directories is recommended. If this breaks a third-party application, you can undo the
operation.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.4 - Verify World Writable Files Are Limited
DISA Red Hat 5 STIG (v1R4)
• GEN002480 - Public directories must be the only world-writable directories and world-writable files must be located only in public
directories.
• GEN002500 - The sticky bit must be set on all public directories.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000336 - The sticky bit must be set on all public directories.
DISA UNIX STIG (v5 R1.30)
• GEN002480 - World Writable Files and Directories
• GEN002500 - Sticky Bit on Public Directories
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.3.2 - Verify that All World-Writable Directories Have Sticky Bits Set
NVD CCE
• CCE-3399-3
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Secure World Writable Files
Removes world writable permission on files. Normally, any user on the system can alter data in world writable files. If the file is a
program, world writable permission could lead to a larger compromise of the system’s integrity.
Removing world writable permission on files is recommended. If this breaks a third-party application, you can undo the operation.
However, the third-party application vendor should be encouraged to provide a better solution.
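The two world-writable checks just described, as an added scan-and-fix example (not Security Blanket code): it walks a tree, reports world-writable directories that lack the sticky bit and world-writable regular files, and then applies the same fixes the modules apply. The sample tree is constructed in a temporary directory; a real audit would point scan() at / and run as root so every directory is readable.

```python
"""Scan-only reproduction of the two world-writable checks described above,
plus the remediation each module performs when applied."""
import os
import stat
import tempfile
from typing import Optional

DIR_MISSING_STICKY = "dir-missing-sticky"
WORLD_WRITABLE_FILE = "world-writable-file"


def classify(st: os.stat_result) -> Optional[str]:
    """Return the finding for one inode, or None if it passes.

    A world-writable directory without the sticky bit lets any user remove
    any entry in it, whoever owns that entry; with the sticky bit only the
    entry's owner (plus the directory owner and root) may remove it. A
    world-writable regular file lets any user change its contents.
    """
    mode = st.st_mode
    if not mode & stat.S_IWOTH:
        return None
    if stat.S_ISDIR(mode):
        return None if mode & stat.S_ISVTX else DIR_MISSING_STICKY
    if stat.S_ISREG(mode):
        return WORLD_WRITABLE_FILE
    return None  # symlinks, devices, sockets: outside these two modules


def scan(root: str) -> dict:
    """Walk root without following symlinks; paths are reported relative to root."""
    findings = {DIR_MISSING_STICKY: [], WORLD_WRITABLE_FILE: []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            kind = classify(os.lstat(path))
            if kind:
                findings[kind].append(os.path.relpath(path, root))
    for paths in findings.values():
        paths.sort()
    return findings


def remediate(root: str, findings: dict) -> int:
    """Apply the modules' fixes: set the sticky bit on the directories, clear
    the world-write bit on the files. Returns the number of inodes changed."""
    changed = 0
    for rel in findings[DIR_MISSING_STICKY]:
        path = os.path.join(root, rel)
        os.chmod(path, (os.lstat(path).st_mode & 0o7777) | stat.S_ISVTX)
        changed += 1
    for rel in findings[WORLD_WRITABLE_FILE]:
        path = os.path.join(root, rel)
        os.chmod(path, os.lstat(path).st_mode & 0o7777 & ~stat.S_IWOTH)
        changed += 1
    return changed


def build_sample_tree() -> str:
    """Constructed sample: two shared directories and two files under a
    private temporary root (mkdtemp creates it mode 0700, so the root itself
    never appears in the findings)."""
    root = tempfile.mkdtemp(prefix="ww-scan-")
    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o777)    # world-writable, no sticky bit
    os.mkdir(os.path.join(root, "scratch"))
    os.chmod(os.path.join(root, "scratch"), 0o1777)  # like /tmp: sticky bit set, passes
    for name, mode in (("notes.txt", 0o666), ("readme", 0o644)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, name), mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    before = scan(sample)
    print("before:", before)
    print("fixed :", remediate(sample, before))
    print("after :", scan(sample))
```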
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.4 - Verify World Writable Files Are Limited
DISA Red Hat 5 STIG (v1R4)
• GEN002480 - Public directories must be the only world-writable directories and world-writable files must be located only in public
directories.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000282 - There must be no world-writable files on the system.
DISA UNIX STIG (v5 R1.30)
• GEN001640 - Run Control Scripts World Writable Programs or Scripts
• GEN001940 - Local Initialization Files World Writable Programs or Scripts
• GEN002480 - World Writable Files and Directories
• GEN003000 - Cron Executes World Writable Programs
• GEN003020 - Cron Executes Programs in World Writable Directories
• GEN003360 - At Executes World Writable Programs
• GEN003380 - At Executes Programs in World Writable Directories
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.3.3 - Find Unauthorized World-Writable Files
NVD CCE
• CCE-14794-2
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Services File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
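The option semantics above (the same "Module Options" text is repeated for the other permission modules in this chapter), implemented as an added example that is not Security Blanket code: the '<SYSTEM;>' placeholder is spliced into the allowed-name lists with duplicates removed, the maximum permitted mode is parsed from octal, and a directory class that is allowed read is also allowed execute. The privileged account and group lists and the file metadata are constructed stand-ins; a real scan would read them from /etc/passwd, /etc/group and os.lstat().

```python
"""Ownership and DAC checks following the "Module Options" rules above."""
import stat
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_TOKEN = "<SYSTEM;>"
# Constructed stand-ins for "all local privileged accounts/groups" (the
# duplicate "root" shows the de-duplication the option text describes).
PRIVILEGED_USERS = ["root", "bin", "daemon", "root"]
PRIVILEGED_GROUPS = ["root", "bin", "sys"]


def expand_names(names: List[str], privileged: List[str]) -> List[str]:
    """Splice the privileged list in where '<SYSTEM;>' appears and drop
    duplicate names while keeping the original order."""
    result: List[str] = []
    for name in names:
        for candidate in (privileged if name == SYSTEM_TOKEN else [name]):
            if candidate not in result:
                result.append(candidate)
    return result


def parse_max_perms(text: str) -> Optional[int]:
    """'644' and '0644' both mean 0o644; an empty option disables the check."""
    text = text.strip()
    return int(text, 8) if text else None


def effective_max(max_perms: int, is_dir: bool) -> int:
    """Only the rwx bits count (setuid/setgid/sticky are ignored). For a
    directory, any class allowed read is also allowed execute so that the
    directory can be traversed."""
    allowed = max_perms & 0o777
    if is_dir:
        for read_bit, exec_bit in ((stat.S_IRUSR, stat.S_IXUSR),
                                   (stat.S_IRGRP, stat.S_IXGRP),
                                   (stat.S_IROTH, stat.S_IXOTH)):
            if allowed & read_bit:
                allowed |= exec_bit
    return allowed


@dataclass(frozen=True)
class Entry:
    """Constructed stand-in for one os.lstat() result plus resolved names."""
    path: str
    owner: str
    group: str
    mode: int  # full st_mode, including the file-type bits


def check_entry(entry: Entry, allowed_users: List[str],
                allowed_groups: List[str], max_perms: Optional[int]) -> List[str]:
    """Return the violations for one entry; an empty list means compliant.
    An empty name list or a None max_perms skips that check, as the options
    state. Only excess bits are reported: no permission is required to be set."""
    problems: List[str] = []
    users = expand_names(allowed_users, PRIVILEGED_USERS)
    groups = expand_names(allowed_groups, PRIVILEGED_GROUPS)
    if users and entry.owner not in users:
        problems.append(f"{entry.path}: owner '{entry.owner}' not in {users}")
    if groups and entry.group not in groups:
        problems.append(f"{entry.path}: group '{entry.group}' not in {groups}")
    if max_perms is not None:
        allowed = effective_max(max_perms, stat.S_ISDIR(entry.mode))
        excess = entry.mode & 0o777 & ~allowed
        if excess:
            problems.append(f"{entry.path}: mode {entry.mode & 0o777:04o} exceeds "
                            f"{allowed:04o} (extra bits {excess:04o})")
    return problems


# Constructed sample entries modelled on the services-file rules listed under
# Compliancy (owner root or bin; group root, bin, sys or system; mode 0644).
SAMPLE_ENTRIES = [
    Entry("/etc/services", "root", "root", stat.S_IFREG | 0o644),        # compliant
    Entry("/etc/services.bak", "root", "users", stat.S_IFREG | 0o664),   # group + mode
    Entry("/etc/skel", "root", "root", stat.S_IFDIR | 0o755),            # dir: read => exec
    Entry("/etc/skel/.bashrc", "nobody", "root", stat.S_IFREG | 0o644),  # owner
]


def run_sample() -> dict:
    """Apply module-style option values to the constructed entries."""
    max_perms = parse_max_perms("0644")
    return {e.path: check_entry(e, [SYSTEM_TOKEN], [SYSTEM_TOKEN, "system"], max_perms)
            for e in SAMPLE_ENTRIES}


if __name__ == "__main__":
    for path, problems in run_sample().items():
        print(path, "OK" if not problems else problems)
```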
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003760 - The services file must be owned by root or bin.
• GEN003770 - The services file must be group-owned by root, bin, sys, or system.
• GEN003780 - The services file must have mode 0644 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003760 - The Services File Ownership
• GEN003770 - The services file must be group-owned by root, bin, sys, or system.
• GEN003780 - The Services File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Shadow Perms
Secures shadow files with permissions that protect them from being directly modified by unauthorized users.
Important
Note that the /etc/shadow file on SUSE/openSUSE systems should be owned by the “shadow” user. This requirement
will be enforced.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX001431 - The /etc/gshadow file must be owned by root.
• GEN000000-LNX001432 - The /etc/gshadow file must be group-owned by root.
• GEN000000-LNX001433 - The /etc/gshadow file must have mode 0400.
• GEN001400 - The /etc/shadow (or equivalent) file must be owned by root.
• GEN001410 - The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
• GEN001420 - The /etc/shadow (or equivalent) file must have mode 0400.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000033 - The /etc/shadow file must be owned by root.
• RHEL-06-000034 - The /etc/shadow file must be group-owned by root.
• RHEL-06-000035 - The /etc/shadow file must have mode 0000.
• RHEL-06-000036 - The /etc/gshadow file must be owned by root.
• RHEL-06-000037 - The /etc/gshadow file must be group-owned by root.
• RHEL-06-000038 - The /etc/gshadow file must have mode 0000.
DoD NISPOM (Feb 2006)
• 8.303d - Access to Authentication Data
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• IA-5 - Authenticator Management
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.3.1 - Verify Permissions on passwd, shadow, group and gshadow Files
NVD CCE
• CCE-3276-3
• CCE-3495-9
• CCE-3566-7
• CCE-3883-6
• CCE-3918-0
• CCE-3958-6
• CCE-3967-7
• CCE-3988-3
• CCE-4130-1
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 8.4 - Render all passwords unreadable during transmission and storage on all system components.
Skeleton File Permissions
Restricts the ownership and group ownership of the files and/or directories below, as well as what maximum set of Discretionary
Access Controls (DACs) are allowed. The list of files/directories may have options for looking recursively or performing wildcard
expansion on names.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001800 - All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
• GEN001820 - All skeleton files and directories (typically in /etc/skel) must be owned by root or bin.
• GEN001830 - All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
DISA UNIX STIG (v5 R1.30)
• GEN001800 - Default/Skeleton Dot Files Permissions
• GEN001820 - Default/Skeleton Dot Files Ownership
• GEN001830 - All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Sysctl.conf Permissions
Secures configuration file permissions so that non-privileged users cannot modify sysctl.conf(5). Parameters for the kernel are stored
in this file. This file should be owned by the root user, belong to the root group, and be readable and writable only by the root user.
This module is highly recommended because setting the access permissions to anything less restrictive invites modifications or allows
individuals to gather information that could potentially be used to find a security weakness.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00480 - The /etc/sysctl.conf file must be owned by root.
• GEN000000-LNX00500 - The /etc/sysctl.conf file must be group-owned by root.
• GEN000000-LNX00520 - The /etc/sysctl.conf file must have mode 0600 or less permissive.
DISA UNIX STIG (v5 R1.30)
• LNX00480 - /etc/sysctl.conf Ownership
• LNX00500 - /etc/sysctl.conf Group Ownership
• LNX00520 - /etc/sysctl.conf Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
System Command File Permissions
Controls access to key system commands. System command files should be owned by a system account (both UID/GID) and protected
from unauthorized modification. Note that for SUSE based systems the 'shadow' group is added to the allowed groupnames to prevent
inadvertent changes to the /etc/shadow and /usr/bin/passwd commands.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001180 - All network services daemon files must have mode 0755 or less permissive.
• GEN001200 - All system command files must have mode 0755 or less permissive.
• GEN001220 - All system files, programs, and directories must be owned by a system account.
• GEN001240 - System files, programs, and directories must be group-owned by a system group.
• GEN005100 - The TFTP daemon must have mode 0755 or less permissive.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000047 - All system command files must have mode 0755 or less permissive.
• RHEL-06-000048 - All system command files must be owned by root.
DISA UNIX STIG (v5 R1.30)
• GEN001180 - Network Services Daemon Permissions
• GEN001200 - System Command Permissions
• GEN001220 - System Files, Programs, and Directories Ownership
• GEN001240 - System Files, Programs, and Directories Group Ownership
• GEN005100 - TFTP SUID/SGID Bit
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
System Configuration File Permissions
Controls access to key system configuration files and directories.
It is recommended to apply this module. In most cases, the permissions set by this module are operating system defaults; therefore,
applying this module should not impact normal operations.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00620 - The /etc/securetty file must be group-owned by root, sys, or bin.
• GEN000000-LNX00640 - The /etc/securetty file must be owned by root.
• GEN000000-LNX00660 - The /etc/securetty file must have mode 0640 or less permissive.
• GEN003750 - The xinetd.d directory must have mode 0755 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN003280 - At Utility Accessibility
• GEN003340 - at.allow and at.deny Permissions
• LNX00400 - Access File Ownership
• LNX00420 - Access File Group Ownership
• LNX00440 - Access File Permissions
• LNX00620 - /etc/securetty Group Ownership
• LNX00640 - /etc/securetty Ownership
• LNX00660 - /etc/securetty Permissions
• SOL00060 - audit_user Ownership
• SOL00080 - audit_user Group Ownership
• SOL00100 - audit_user Permissions
• SOL00240 - /usr/asset/userlist Ownership
• SOL00260 - /usr/asset/userlist Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
NVD CCE
• CCE-3923-0
• CCE-4144-2
• CCE-4197-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
System Device Directory Ownership
Controls access to key system device directories. System device directories under /dev should be owned by root and group root. This
module ensures that these subdirectories have root set as the owner and group.
It is recommended to apply this module. In most cases, the permissions set by this module are operating system defaults; therefore,
applying this module should not impact normal operations.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002280 - Device files and directories must only be writable by users with a system account or as configured by the vendor.
DISA UNIX STIG (v5 R1.30)
• GEN002280 - Device Files Directories Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
System Library File Permissions
Controls access to key system commands. System command files should be owned by a system account (both UID/GID) and protected
from unauthorized modification.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001300 - Library files must have mode 0755 or less permissive.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000045 - Library files must have mode 0755 or less permissive.
• RHEL-06-000046 - Library files must be owned by root.
DISA UNIX STIG (v5 R1.30)
• GEN001300 - Library File Permissions
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
System Log File Permissions
Controls system log files in /var/log so they have file permissions that prevent world read access, and in some cases, even group
access. Proper file ownership is also established.
This module sets most of the log file permissions to their defaults. It should have no impact on normal system operations.
Note: Operating system reboots may reset some permissions
This module sets the recommended file permissions on /var/log/wtmp. However, when the operating system boots, the
permissions are reset. After a system has been rebooted and Security Blanket is run, this module will report a failure again,
but will reset the permissions if an apply was chosen.
Linux customers who use the DISA SRR Scripts Version 5, Release 1.22 or earlier will receive a false positive on
GEN002680 and GEN002700. This is because the SRR scripts do not check both /var/log/audit.d and /var/log/audit/audit.log.
The Security Blanket team has opened ticket CSD-AR001410371 with DISA.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• CC-6 - Maintenance, Monitoring, and Analysis of Audit Logs
CIA DCID 6/3 (May 2000)
• 4.B.1.b(2)(b) - Auditing - Protect contents of audit trails against unauthorized access
• 4.B.2.a(4)(b) - Auditing - Protect contents of audit trails against unauthorized access (PL2)
• 4.B.4.a(6)(b)
DHS Linux Configuration Guidance (2010.8)
• 5 - Audit Trail
DISA Red Hat 5 STIG (v1R4)
• GEN001260 - System log files must have mode 0640 or less permissive.
• GEN002680 - System audit logs must be owned by root.
• GEN002690 - System audit logs must be group-owned by root, bin, sys, or system.
• GEN002700 - System audit logs must have mode 0640 or less permissive.
• GEN003180 - The cronlog file must have mode 0600 or less permissive.
• GEN004480 - The SMTP service log file must be owned by root.
• GEN004500 - The SMTP service log file must have mode 0644 or less permissive.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000133 - All rsyslog-generated log files must be owned by root.
• RHEL-06-000134 - All rsyslog-generated log files must be group-owned by root.
• RHEL-06-000135 - All rsyslog-generated log files must have mode 0600 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN001260 - System Log File Permissions
• GEN002680 - Audit Logs Accessibility
• GEN002700 - Audit Logs Permissions
• GEN003180 - Cronlog Permissions
• GEN004480 - Critical Sendmail Log File Ownership
• GEN004500 - Critical Sendmail Log File Permissions
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.b(2)(b) - Auditing - Protect contents of audit trails against unauthorized access
• 4.B.2.a(4)(b) - Auditing - Protect contents of audit trails against unauthorized access (PL2)
• 4.B.4.a(6)(b)
DoD NISPOM (Feb 2006)
• 8.602a2 - Audit Trail Protection
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
• AU-9 - Protection of Audit Information
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.6.1.1.2 - Confirm Existence and Permissions of System Log Files
NVD CCE
• CCE-3701-0
• CCE-4233-3
• CCE-4366-1
PCI DSS (v2.0)
• 10.5.1 - Limit viewing of audit trails
• 10.5.2 - Protect audit trail files from unauthorized modifications
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
System Logging Configuration File Permissions
This module prevents non-root users from editing the files controlling how the system logger is configured, preventing unauthorized
access/modification.
Module Options
• List of files/directories
List of files/directories to process. May have wild card expansion (using shell globbing rules) available if the module supports it.
If empty, no file checks will be done.
• Search recursively?
• Expand wildcards (shell globbing)?
Allow for wildcard expansion using shell globbing rules.
• Allowed User Names
List of user names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged accounts will be inserted at
this position, with duplicate names removed.
• Allowed Group Names
List of group names (ignored if empty). If '<SYSTEM;>' is in the list, then the list of all local privileged group accounts will be
inserted at this position, with duplicate names removed.
• Maximum allowed permissions
Maximum permitted Discretionary Access Controls (DACs) in octal format (i.e., max perms is 777 or 0777). Note that only the
read/write/execute bits are considered. Note also that if a directory has read permissions for user/group/other allowed, then
execute permissions for user/group/other are also allowed to allow for directory traversal. No extra permissions are enforced,
just allowed. If empty, no permissions checks will be done.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive.
• GEN005400 - The /etc/syslog.conf file must be owned by root.
• GEN005420 - The /etc/syslog.conf file must be group-owned by root, bin, sys, or system.
DISA UNIX STIG (v5 R1.30)
• GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive.
• GEN005400 - /etc/syslog.conf Accessibility
• GEN005420 - /etc/syslog.conf Group Ownership
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
System Run Control Script Permissions
Restricts access to the system run control scripts. System run control scripts are responsible for starting and stopping services as the
machine boots or shuts down.
It is highly recommended to apply this module to restrict access to the system run control scripts. This module sets the permissions to
the operating system defaults and should not impact normal operations.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001580 - All run control scripts must have mode 0755 or less permissive.
• GEN001660 - All system start-up files must be owned by root.
• GEN001680 - All system start-up files must be group-owned by root, sys, bin, other, or system.
DISA UNIX STIG (v5 R1.30)
• GEN001580 - Run Control Scripts Permissions
• GEN001660 - Run Control Scripts Ownership
• GEN001680 - Run Control Scripts Group Ownership
DoD NISPOM (Feb 2006)
• 8.606b1 - Access 2 Requirements
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Verify Required Software Cryptographic Certs are Installed
Verify that all required software cryptographic signatures are present on the system. These signatures are used to verify that only
packages from reputable sources are installed on the system.
The list of installed certificates is determined using the rpm -qa --queryformat="%{SUMMARY}\n" gpg-pubkey*
command. Note that if extra certificates are found, this is not an immediate indication of a problem. However, the system
administrator should verify that the additional certificates are from trusted sites.
Module Options
• Required certificate lines
A line of required certificate values (one per line)
• Should any certificates found other than the above be shown?
Display any additional certificates found on the system that are not in the required list. This may help detect an attempt to
install malicious software.
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000008 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
Chapter 23. File Systems
Bind Mount /var/tmp to /tmp
Requires /tmp be mounted to /var/tmp with restrictive options.
This module examines /etc/fstab, checking that the /tmp directory is mounted as /var/tmp using restrictive options. The
desired mount line in /etc/fstab looks like the following:
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
If this line is not found exactly as above, or if /tmp or /var/tmp are explicitly mounted in any other fashion, warning messages are
displayed. This module is scan-only, so any changes must be performed manually.
Compliancy
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.1.4 - Bind-mount /var/tmp to /tmp
Check for Separate /home File System
The /home file system must be its own separate partition or logical volume.
This module checks the list of currently mounted file systems to ensure /home is a dedicated, separate file system. Since this is a
scan-only module, this module will report that a manual action is required during an apply if it is not a dedicated, separate file system.
This module is not applicable to Oracle Solaris.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN003620 - A separate file system must be used for user home directories (such as /home or an equivalent).
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000007 - The system must use a separate file system for user home directories.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.1.1.1.5 - Create Separate Partition or Logical Volume for /home
NVD CCE
• CCE-14559-9
Check for Separate /tmp File System
The /tmp file system must be its own separate partition or logical volume.
This module checks the list of currently mounted file systems to ensure /tmp is a dedicated, separate file system. Since this is a
scan-only module, this module will report that a manual action is required during an apply if it is not a dedicated, separate file system.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN003624 - The system must use a separate file system for /tmp (or equivalent).
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000001 - The system must use a separate file system for /tmp.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.1.1.1.1 - Create Separate Partition or Logical Volume for /tmp
NVD CCE
• CCE-14161-4
Check for Separate /var File System
The /var file system must be its own separate partition or logical volume.
This module checks the list of currently mounted file systems to ensure /var is a dedicated, separate file system. Since this is a
scan-only module, this module will report that a manual action is required during an apply if it is not a dedicated, separate file system.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN003621 - The system must use a separate file system for /var.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000002 - The system must use a separate file system for /var.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.1.1.1.2 - Create Separate Partition or Logical Volume for /var
NVD CCE
• CCE-14777-7
Check for Separate /var/log File System
The /var/log file system must be its own separate partition or logical volume.
This module checks the list of currently mounted file systems to ensure /var/log is a dedicated, separate file system. Since this is a
scan-only module, this module will report that a manual action is required during an apply if it is not a dedicated, separate file system.
This module is not applicable to Oracle Solaris.
Compliancy
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000003 - The system must use a separate file system for /var/log.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.1.1.1.3 - Create Separate Partition or Logical Volume for /var/log
NVD CCE
• CCE-14011-1
Check for Separate /var/log/audit File System
The /var/log/audit file system must be its own separate partition or logical volume.
This module checks the list of currently mounted file systems to ensure /var/log/audit is a dedicated, separate file system. Since
this is a scan-only module, this module will report that a manual action is required during an apply if it is not a dedicated, separate file
system.
This module is not applicable to Oracle Solaris.
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN003623 - The system must use a separate file system for the system audit data path.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000004 - The system must use a separate file system for the system audit data path.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.1.1.1.4 - Create Separate Partition or Logical Volume for /var/log/audit
NVD CCE
• CCE-14171-3
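The three scan-only checks above share one test: is the path itself a mount point? The following added example (not Security Blanket code) reads mount entries in /proc/mounts format and reports each required path the way the modules describe, without remediating anything. The mount list is constructed for the demonstration, and scan_live_system() is an assumed helper that runs the same check on the host it is executed on.

```python
"""Scan-only check that required directories are dedicated mount points.

Added example, not part of the Security Blanket product. It reproduces the
logic of the three modules above over a mount list in /proc/mounts format:
report "pass" or "manual action required" for each path, never remediate.
The mount list below is constructed; scan_live_system() is an assumed helper
that runs the same check against the host it is executed on.
"""
import os
import re

# Constructed /proc/mounts snapshot: /var is its own file system,
# /var/log and /var/log/audit are plain directories inside it.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,relatime,nosuid 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

REQUIRED_SEPARATE = ("/var", "/var/log", "/var/log/audit")
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def parse_mounts(text):
    """Set of mount points in a /proc/mounts-style listing.

    The kernel writes space, tab, newline and backslash in a mount point as
    \\ooo octal escapes; they are decoded so comparisons use the real path.
    """
    points = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        points.add(_OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), fields[1]))
    return points


def is_separate_filesystem(mount_points, path):
    """True when `path` itself is a mount point, i.e. a dedicated file system."""
    return os.path.normpath(path) in mount_points


def scan(mounts_text, required=REQUIRED_SEPARATE):
    """Scan-only result for every required path: 'pass' or 'manual action required'."""
    points = parse_mounts(mounts_text)
    return {path: ("pass" if is_separate_filesystem(points, path) else "manual action required")
            for path in required}


def scan_live_system():
    """Assumed helper: run the same check on this host's /proc/mounts (Linux only)."""
    with open("/proc/mounts") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    for path, status in scan(SAMPLE_MOUNTS).items():
        print(f"{path:<16} {status}")
```

A bind mount also appears in /proc/mounts as a mount point, so a bind of a directory on the same file system would pass this check; compare the device column against the parent entry if that matters at your site. The parser is written for the Linux /proc/mounts format; the Solaris mount list (/etc/mnttab) has a different layout.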
Disable GNOME Automounting
Prevents the GNOME desktop environment from automatically mounting devices and removable media (such as DVDs, CDs, and
USB flash drives) when they are inserted into the system.
Commands used to retrieve the current automount settings:
gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--get /desktop/gnome/volume_manager/automount_media
gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--get /desktop/gnome/volume_manager/automount_drives
Commands used to disable automounting:
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool --set /desktop/gnome/volume_manager/automount_media false
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool --set /desktop/gnome/volume_manager/automount_drives false
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.2.4 - Disable GNOME Automounting if Possible
NVD CCE
• CCE-4231-7
Disable Mounting of Uncommon Filesystem Types
Prevents the kernel from loading modules for uncommon file system types. When the kernel does not load the associated module, the
system will not support the file system type and will not be able to mount that type.
This module examines all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and looks for the line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder, then it is updated to match the provided line. If no matching line is found, then it is added to either /etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
Compliancy
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types
NVD CCE
• CCE-14089-7
• CCE-14093-9
• CCE-14118-4
• CCE-14457-6
• CCE-14853-6
• CCE-14871-8
• CCE-15087-0
Use NODEV Option for Non-Root Partitions
Places the nodev option on non-root partitions, which prevents users from mounting unauthorized devices on partitions that should
not contain devices. There should be no need to mount devices on any partition other than /dev.
Important
If you are using programs that run in chroot jails, this module may break the application because jails sometimes require devices to be created under the chroot directory.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 7.2 - File System Controls
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.1.1 - Add nodev Option to Non-Root Local Partitions
NVD CCE
• CCE-4249-9
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Use NOSUID and NODEV for Removable Media
Places the nodev and nosuid options on removable media partitions, which prevents users from bringing set-UID programs into the
system via CD-ROMs and floppy disks.
On Linux systems, this module modifies the /etc/fstab file. However, the modified entries in the file are managed entries which
are rewritten at system boot time (see the fstab-sync(8) manual page). As a result, this module will report a failure after each reboot.
On Solaris systems, this module modifies the /etc/rmmount.conf and /etc/vfstab files.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 7.2 - File System Controls
DISA Red Hat 5 STIG (v1R4)
• GEN002420 - Removable media, remote file systems, and any file system not containing approved setuid files must be mounted
with the "nosuid" option.
• GEN002430 - Removable media, remote file systems, and any file system not containing approved device files must be mounted
with the "nodev" option.
DISA UNIX STIG (v5 R1.30)
• GEN002420 - File Systems Mounted With nosuid
• SOL00020 - /etc/rmmount.conf Configuration
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.1.1 - Add nodev Option to Non-Root Local Partitions
NVD CCE
• CCE-3522-0
• CCE-4042-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Use NOSUID on User Filesystems
Places the nosuid option on user filesystems, which prevents users from bringing set-UID programs into the system.
On Linux systems, this module modifies the /etc/fstab file. However, the modified entries in the file are managed entries which
are rewritten at system boot time (see the fstab-sync(8) manual page). As a result, this module will report a failure after each reboot.
Operating Systems | Configuration Files | Filesystem Entries
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | /etc/fstab | /boot, /home, /usr/home
Solaris 10 | /etc/vfstab | /export/home
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 7.2 - File System Controls
DISA Red Hat 5 STIG (v1R4)
• GEN002420 - Removable media, remote file systems, and any file system not containing approved setuid files must be mounted
with the "nosuid" option.
• GEN005900 - The "nosuid" option must be enabled on all Network File System (NFS) client mounts.
DISA UNIX STIG (v5 R1.30)
• GEN002420 - File Systems Mounted With nosuid
NVD CCE
• CCE-4042-8
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
User Mountable Media
Restricts the use of removable media drives. User-mountable media is a security risk. Allowing users to mount and access data from
removable media drives makes it easier for malicious programs and data to be imported onto the network or for data to be removed
from the server.
Operating Systems | Configuration Files | Setting or Service Name
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 6 | Check /etc/security/console.perms if it exists. Otherwise, check /etc/security/console.perms.d/50default.perms | The third column of each line beginning with <console> must only be one of the following: sound, fb, kbd, joystick, v4l, mainboard, gpm, or scanner.
Solaris 10 | No modifications | svc:/system/filesystem/volfs:default
| | svc:/network/rpc/smserver:default
SUSE 10 and 11; Red Hat Enterprise Linux 4; Red Hat Enterprise Linux 5 | /etc/fstab | Ensure no filesystem is mounted with the 'user' option.
On Red Hat-based systems, see console.perms(5). On SUSE systems, see mount(8). On Solaris systems, this module is only applicable to global zones (see vold(1M), volfs(7FS), and rpc.smserverd(1M) for more information).
Note: Disabling USB storage devices
This module does not prevent the use of USB storage devices. To disable these devices, see Disable USB and PCMCIA
Devices.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
NVD CCE
• CCE-4240-8
• CCE-4354-7
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
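The four fstab-based modules above (nodev on non-root partitions, nodev and nosuid on removable media, nosuid on user file systems, and the 'user' option check in User Mountable Media) all come down to inspecting and rewriting the options column of fstab(5). The following added example is not Security Blanket's own code; it implements those policies over an in-memory fstab. The fstab content and the set of removable mount points are constructed; besides 'user', which the text names, it also treats 'users' and 'owner' as user-mountable, since mount(8) documents all three.

```python
"""Enforce mount options in an fstab(5) file.

Added example, not Security Blanket's own code. It implements the checks the
modules above describe: adding nodev to non-root partitions, nodev and nosuid
to removable media, nosuid to user file systems, and flagging entries that an
unprivileged user may mount. The fstab content and the removable mount point
are constructed for the demonstration.
"""
import re

# Constructed sample /etc/fstab for the demonstration.
SAMPLE_FSTAB = """\
# <device>            <mount>      <type>  <options>          <dump> <pass>
/dev/mapper/vg-root   /            ext4    defaults           1 1
/dev/mapper/vg-home   /home        ext4    defaults           1 2
/dev/sda1             /boot        ext4    defaults,nosuid    1 2
/dev/cdrom            /media/cdrom iso9660 noauto,ro,user     0 0
tmpfs                 /dev/shm     tmpfs   defaults           0 0
"""

# Mount options that let a non-root user run mount(8) on the entry (mount(8)).
USER_MOUNT_OPTIONS = {"user", "users", "owner"}
# The options field is the fourth whitespace-separated column.
_OPTIONS_FIELD = re.compile(r"^(\s*\S+\s+\S+\s+\S+\s+)(\S+)")


def parse_entry(line):
    """(device, mount_point, fstype, [options]) for a data line, None for blank or comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 4:
        return None
    return fields[0], fields[1], fields[2], fields[3].split(",")


def add_options(fstab_text, mount_points, required):
    """Add each option in `required` to the listed mount points; returns (new_text, changed_mounts)."""
    out, changed = [], []
    for line in fstab_text.splitlines():
        entry = parse_entry(line)
        if entry and entry[1] in mount_points:
            opts = entry[3]
            missing = [o for o in required if o not in opts]
            if missing:
                new_opts = ",".join(opts + missing)
                # Rewrite only the options column so the rest of the line is untouched.
                line = _OPTIONS_FIELD.sub(lambda m: m.group(1) + new_opts, line, count=1)
                changed.append(entry[1])
        out.append(line)
    return "\n".join(out) + "\n", changed


def user_mountable(fstab_text):
    """Mount points whose options allow non-root users to mount them."""
    return [e[1] for e in map(parse_entry, fstab_text.splitlines())
            if e and USER_MOUNT_OPTIONS.intersection(e[3])]


def harden(fstab_text, removable=("/media/cdrom",), user_filesystems=("/boot", "/home", "/usr/home")):
    """Apply the three policies in turn and report what changed and what is still user-mountable."""
    # Non-root partitions: every entry mounted under / except / itself (swap entries have no path).
    non_root = {e[1] for e in map(parse_entry, fstab_text.splitlines())
                if e and e[1].startswith("/") and e[1] != "/"}
    text, nodev = add_options(fstab_text, non_root, ["nodev"])
    text, media = add_options(text, set(removable), ["nodev", "nosuid"])
    text, nosuid = add_options(text, set(user_filesystems), ["nosuid"])
    return text, {"nodev": nodev, "removable": media, "nosuid": nosuid,
                  "user_mountable": user_mountable(text)}


if __name__ == "__main__":
    new_fstab, report = harden(SAMPLE_FSTAB)
    print(new_fstab)
    print(report)
```

The report's user_mountable list is left for a human decision rather than stripped automatically, because removing 'user' from a CD-ROM entry changes who may mount it at all. As the module text notes, on systems where fstab-sync rewrites managed entries at boot, changes to those entries will not survive a reboot.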
Chapter 24. General
Correct Global Init Script PATH Variables
Removes single periods or double colons from PATH environment variables set in global initialization files such as /etc/profile.
By default, global initialization scripts are not configured with '::' or ':.:'. However, if this module finds a PATH variable set to something like this:
PATH=/bin::/usr/bin:.:/sbin
then it will remove the :: and :.: from the environment variable.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001840 - All global initialization files' executable search paths must contain only absolute paths.
DISA UNIX STIG (v5 R1.30)
• GEN001840 - Global Initialization Files PATH Variable
Correct System RC Script PATH Variables
Removes single periods or double colons from PATH environment variables set in system run control scripts such as /etc/
init.d/*.
By default, system run control scripts are not configured with '::' or ':.:'. However, if this module finds a PATH variable set to something like this:
PATH=/bin::/usr/bin:.:/sbin
then it will remove the :: and :.: from the environment variable.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN001600 - Run control scripts' executable search paths must contain only absolute paths.
DISA UNIX STIG (v5 R1.30)
• GEN001600 - Run Control Scripts PATH Variable
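Both PATH modules above apply the same rewrite to different sets of files. The following added example (not the Security Blanket implementation) shows that rewrite over script text. The module text describes stripping '::' and ':.:'; this version generalizes slightly and also drops a leading or trailing ':' and a bare '.', which the shell treats the same way (an empty component means the current directory), and it reports any other relative component without removing it. The sample script lines are constructed.

```python
"""Remove relative entries from PATH assignments in shell init scripts.

Added example, not the Security Blanket module itself. It rewrites every
PATH= assignment in a script so that '' (from '::' or a leading or trailing
':') and '.' components are removed, leaving absolute paths and $VAR
references in place. Other relative components are only reported.
"""
import re

# A PATH assignment at the start of a line, optionally preceded by `export`,
# with an optional single- or double-quoted value and anything after it kept.
_ASSIGN = re.compile(
    r'^(?P<prefix>\s*(?:export\s+)?PATH=)(?P<quote>["\']?)'
    r'(?P<value>[^"\'\s;]*)(?P=quote)(?P<rest>.*)$'
)


def clean_path_value(value):
    """Drop '' and '.' components; keep order and $VAR references untouched."""
    return ":".join(c for c in value.split(":") if c not in ("", "."))


def relative_components(value):
    """Components that are neither absolute nor variable references (reported, not removed)."""
    return [c for c in value.split(":") if c and not c.startswith(("/", "$"))]


def clean_script(text):
    """Rewrite PATH= assignments in `text`; returns (new_text, number_of_changed_lines)."""
    out, changed = [], 0
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            new_value = clean_path_value(m.group("value"))
            if new_value != m.group("value"):
                line = (m.group("prefix") + m.group("quote") + new_value
                        + m.group("quote") + m.group("rest"))
                changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    # Constructed /etc/profile fragment with the pattern from the module text.
    sample = 'PATH=/bin::/usr/bin:.:/sbin; export PATH\nexport PATH="/usr/local/bin:$PATH:."\n'
    new_text, n = clean_script(sample)
    print(new_text, f"({n} line(s) changed)")
```

Lines that build on an existing value, such as PATH=$PATH:/opt/bin, are left alone: removing $PATH would break the script, and whether $PATH itself is clean is decided when the global files that set it are processed.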
Create Login Banner
Displays a warning banner during login which may assist in prosecuting unauthorized system use.
It is recommended to customize the warning banner to meet site-specific needs.
Module Options
• Login banner text for motd(5) and issue(5).
Required text for login banner
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DHS Linux Configuration Guidance (2010.8)
• 4.1 - Login Warning Banner
DISA Red Hat 5 STIG (v1R4)
• GEN000400 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login
prompts.
• GEN000402 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical
desktop environment login prompts.
• GEN000410 - The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
• GEN005550 - The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000073 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console
login prompts.
DISA UNIX STIG (v5 R1.30)
• GEN000400 - Logon Warning Banner Display
• GEN000420 - Logon Warning Banner Content
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DoD NISPOM (Feb 2006)
• 8.609a1 - User Notification
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.6 - Appropriate Use Banner
NIST FISMA (SP 800-53)
• AC-8 - System Use Notification
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.7.1 - Modify the System Login Banner
NVD CCE
• CCE-4060-0
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Create Login FTP Banner
Displays a warning banner during login which may assist in prosecuting unauthorized system use.
Module Options
• Login banner text for FTP sessions.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DHS Linux Configuration Guidance (2010.8)
• 4.1 - Login Warning Banner
DISA Red Hat 5 STIG (v1R4)
• GEN000400 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login
prompts.
• GEN000410 - The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000348 - The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
DISA UNIX STIG (v5 R1.30)
• GEN000420 - Logon Warning Banner Content
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DoD NISPOM (Feb 2006)
• 8.609a1 - User Notification
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.6 - Appropriate Use Banner
NIST FISMA (SP 800-53)
• AC-8 - System Use Notification
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.15.3.2 - Create Warning Banners for All FTP Users
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Create Pre-Login GUI Banner
Displays a short text message prior to a user logging on. This banner may be used to show a short system announcement, or to inform
the user that a “Consent to Monitor” agreement must be agreed to before allowing a login to complete.
Note
This module does not address CDE under Solaris; however, it does support the GDM.
It is recommended to customize the warning banner to meet site-specific needs.
Module Options
• Explicit text for pre-login message.
Desired text for the pre-login banner. This message should be short, no more than a sentence or two. Anything longer should be in
either the 'Create Login GUI Banner' or 'Create Pre-Session GUI Banner' module.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DHS Linux Configuration Guidance (2010.8)
• 4.2 - GUI Login Warning Banner
DISA Red Hat 5 STIG (v1R4)
• GEN000400 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login
prompts.
• GEN000402 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical
desktop environment login prompts.
DISA UNIX STIG (v5 R1.30)
• GEN000400 - Logon Warning Banner Display
• GEN000420 - Logon Warning Banner Content
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DoD NISPOM (Feb 2006)
• 8.609a1 - User Notification
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.6 - Appropriate Use Banner
NIST FISMA (SP 800-53)
• AC-8 - System Use Notification
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.7.1 - Modify the System Login Banner
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Create Pre-Session GUI Banner
Displays a warning banner during GUI login which may assist in prosecuting unauthorized system use. The banner is displayed after
the user has authenticated, but must be acknowledged before the user's desktop will appear.
The banner can be an “Informative” or a “Consent” banner. The “Informative” banner displays the banner and waits for the user to
indicate that they have read it before continuing to the desktop.
The “Consent” banner also displays the banner, but will only continue on to the desktop if the user indicates their acceptance of the
text. Should the user decline, they will not proceed to the desktop and will be logged out after a short delay (10 seconds). The user's
choice to consent or decline the banner will be logged using the logger -p authpriv.info (Linux) or logger -p auth.notice command.
The system file where this message is stored, and the exact text of the accept/decline buttons, will depend on the underlying operating
system. Note that if the logging facility is not configured to keep auth/authpriv messages, then no consent records will be kept. See
the Secure Authpriv Logging module for more information. The banner text will appear literally as it exists in the /etc/motd or the
Security Blanket manual text box unless the “reformat” module option is enabled (see below).
It is recommended to customize the banner to meet site-specific needs.
Module Options
• Require Consent to Continue?
Select between using a Consent Banner (with the username and answer logged), or simply use an Informative banner.
• Source for Banner Text.
Select the source of the text, either the 'Message of the Day' file (/etc/motd) or the 'Manual Banner Text' field.
• Manual Banner Text.
Text for the Banner if different from /etc/motd
• Reformat Banner for Display?
Allow reformatting the text into 'paragraphs', with line breaks inserted into appropriate places. All single newlines will be
converted to two spaces. Two newlines will be treated as an explicit paragraph boundary.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CIA DCID 6/3 (May 2000)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DHS Linux Configuration Guidance (2010.8)
• 4.2 - GUI Login Warning Banner
DISA Red Hat 5 STIG (v1R4)
• GEN000400 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login
prompts.
DISA UNIX STIG (v5 R1.30)
• GEN000400 - Logon Warning Banner Display
• GEN000420 - Logon Warning Banner Content
DoD JAFAN 6/3 (Oct 2004)
• 4.B.1.a(6)(a) - Session Control - Login Warning Banners
• 4.B.1.a(6)(b) - Session Control - Login Warning Banners - Consent
DoD NISPOM (Feb 2006)
• 8.609a1 - User Notification
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.6 - Appropriate Use Banner
NIST FISMA (SP 800-53)
• AC-8 - System Use Notification
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.7.1 - Modify the System Login Banner
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable Core Dumps
Disables core dumps. Core dumps can consume considerable amounts of disk space and could contain sensitive data. It is
recommended to disable core dumps if they are not needed.
If you are troubleshooting an application and need core dumps, consider only allowing the user account which is running the
application to perform core dumps by specifying them in limits.conf(5).
Operating Systems | Configuration Files | Settings
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | /etc/security/limits.conf | * soft core 0
| | * hard core 0
Solaris 10 | Examine /etc/coreadm.conf with the coreadm(1M) utility | When applied, the following commands are executed:
| | /usr/bin/coreadm -d process
| | /usr/bin/coreadm -d global-setid
| | /usr/bin/coreadm -d log
| | /usr/bin/coreadm -d proc-setid
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN003500 - Process core dumps must be disabled unless needed.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000308 - Process core dumps must be disabled unless needed.
DISA UNIX STIG (v5 R1.30)
• GEN003500 - Disable Core Dumps
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.4.2 - Disable Core Dumps
NVD CCE
• CCE-4225-9
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
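On the Linux platforms in the table above the control is the pair of wildcard lines in limits.conf(5). The following added example (not part of Security Blanket) checks for them, rewrites or appends them when they are missing or set to another value, and shows the exemption the module text suggests for troubleshooting: one group keeps core dumps while everyone else stays at 0. The limits.conf content and the @dbadmin group are constructed.

```python
"""Core-dump limits in limits.conf(5).

Added example, not part of Security Blanket. It verifies the wildcard
'* soft core 0' / '* hard core 0' lines, repairs them when absent or wrong,
and reports which specific users or groups are exempted. The sample file and
the @dbadmin group are constructed.
"""

# Constructed sample /etc/security/limits.conf.
SAMPLE_LIMITS = """\
# /etc/security/limits.conf
#<domain>      <type>  <item>         <value>
*               soft    core            0
*               hard    core            0
@dbadmin        soft    core            unlimited
@dbadmin        hard    core            unlimited
"""


def parse_line(line):
    """(domain, type, item, value) for a settings line, None for comments and blanks."""
    body = line.split("#", 1)[0].strip()
    fields = body.split()
    return tuple(fields) if len(fields) == 4 else None


def core_limit_status(text):
    """Is the wildcard core limit 0 for both soft and hard, and which other domains are exempt?"""
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    wildcard = {}
    for dom, typ, item, val in rows:
        if dom == "*" and item == "core":
            # type '-' sets both the soft and the hard limit at once
            for t in (("soft", "hard") if typ == "-" else (typ,)):
                wildcard[t] = val
    disabled = wildcard.get("soft") == "0" and wildcard.get("hard") == "0"
    # pam_limits lets a specific user or group entry override the wildcard.
    exempt = sorted({dom for dom, typ, item, val in rows
                     if dom != "*" and item == "core" and val != "0"})
    return {"disabled_for_all": disabled, "exempt": exempt}


def ensure_core_disabled(text):
    """Set '* soft core 0' and '* hard core 0', fixing wrong values in place and appending missing lines."""
    out, seen, changed = [], set(), []
    for line in text.splitlines():
        row = parse_line(line)
        if row and row[0] == "*" and row[2] == "core" and row[1] in ("soft", "hard", "-"):
            seen.update(("soft", "hard") if row[1] == "-" else (row[1],))
            if row[3] != "0":
                line = f"*\t\t{row[1]}\tcore\t0"
                changed.append(row[1])
        out.append(line)
    for typ in ("soft", "hard"):
        if typ not in seen:
            out.append(f"*\t\t{typ}\tcore\t0")
            changed.append(typ)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    print(core_limit_status(SAMPLE_LIMITS))
    print(ensure_core_disabled("# empty policy\n")[0])
```

The exempt list is the part worth reviewing after an apply: each entry names an account that can still write core files, which may contain whatever sensitive data the crashing process held.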
Disable Ctrl-Alt-Del
Disables the Ctrl+Alt+Del reboot key sequence to prevent some accidental system reboots in mixed operating system environments
where Ctrl+Alt+Del is commonly used to initiate a login. The use of Ctrl+Alt+Del is an easy way for an attacker who has physical
access to the system to circumvent security measures of the system.
Disabling the Ctrl+Alt+Del key sequence should have no impact on the usability of your system.
Operating Systems | Configuration Files | Setting
Fedora 10, 11, and 12 | /etc/event.d/control-alt-delete | Comment out the line: exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
Fedora 13 | /etc/init/control-alt-delete.conf | Comment out the line: start on control-alt-delete
Red Hat Enterprise Linux 4 and 5 | /etc/inittab | Comment out the line that starts with: ca::ctrlaltdel:/sbin/shutdown
Red Hat Enterprise Linux 6 | /etc/init/control-alt-delete.conf | Comment out the line: start on control-alt-delete
SUSE 10 and 11 | /etc/inittab | Comment out the line that starts with: ca::ctrlaltdel:/sbin/shutdown
Solaris 10 | Operating System Not Applicable |
Note
Specifically for Red Hat Enterprise Linux 6, if the mandatory gconf setting of /apps/gnome_settings_daemon/keybinding/power is not set to ' ' (empty quotes, which indicates 'disabled'), then it will be explicitly set. Users who are currently logged in will not see this change until they log out and log back in.
This functionality will occur for the other operating systems (as appropriate) in future releases.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 7.8 - Disable Control-Alt-Del
DISA Red Hat 5 STIG (v1R4)
• GEN000000-LNX00580 - The x86 CTRL-ALT-DELETE key sequence must be disabled.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000286 - The x86 Ctrl-Alt-Delete key sequence must be disabled.
DISA UNIX STIG (v5 R1.30)
• LNX00580 - Ctrl-Alt-Delete Sequence
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Disable Kernel Crash Analyzer
Disables the kernel crash dump analyzer (kdump), which uses kexec to boot a secondary kernel following a system crash.
For more information, see the online Red Hat Magazine article “A quick overview of Linux kernel crash dump analysis” [http://magazine.redhat.com/2007/08/15/a-quick-overview-of-linux-kernel-crash-dump-analysis/] by Eugene Teo.
Operating Systems | Package | Service Names
Red Hat Enterprise Linux 5 and 6 | kexec-tools | kdump
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN003510 - Kernel core dumps must be disabled unless needed.
DISA UNIX STIG (v5 R1.30)
• GEN003510 - Kernel core dumps must be disabled unless needed.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.5 - Kdump Kernel Crash Analyzer (kdump)
NVD CCE
• CCE-3425-6
Disable Raw Devices Service
Disables the Raw Devices service, which assigns raw devices to block devices and is commonly used by database systems.
Operating Systems | Package | Service Names
Red Hat Enterprise Linux 5 | initscripts | rawdevices
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.17.1 - Disable the Raw Devices Daemon if Possible
NVD CCE
• CCE-18156-0
Disable SUID Core Dumps
Explicitly prevents any SUID program from writing a core dump file on abnormal termination.
Core dumps can consume considerable amounts of disk space, and may contain sensitive data. It is recommended to disable core
dumps if they are not needed, especially for programs that may contain privileged user information such as from SUID programs.
This module ensures the following line is present in /etc/sysctl.conf on Linux systems:
fs.suid_dumpable = 0
Compliancy
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.4.2.1 - Ensure SUID Core Dumps are Disabled
NVD CCE
• CCE-4247-3
Disable Software RAID Monitor
Disable the Software RAID Monitor (mdmonitor) service. This service is extraneous unless software RAID is in use.
Operating Systems | Package | Service Names
Red Hat Enterprise Linux 5 | mdadm | mdmonitor
SUSE 11 | mdadm | mdadmd
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 3.3.7 - Software RAID Monitor (mdmonitor)
NVD CCE
• CCE-3854-7
Disable Support for Firewire
Prevents the kernel from loading the Firewire (IEEE1394) module.
This module examines all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and looks for the line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder, then it is updated to match the provided line. If no matching line is found, then it is added to either /etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN008500 - The system must have IEEE 1394 (Firewire) disabled unless needed.
Disable Support for USB Storage
Prevents the kernel from loading the USB Storage module.
This module examines all files in /etc/modprobe.d and the /etc/modprobe.conf file (if they exist) and looks for the line(s) that are specified as arguments. If a line is found that matches the first two whitespace-separated fields but not the remainder, then it is updated to match the provided line. If no matching line is found, then it is added to either /etc/modprobe.d/SecurityBlanket_modprobe_settings (if /etc/modprobe.d is a directory) or to /etc/modprobe.conf.
This module is not applicable to Oracle Solaris.
Module Options
• Required lines to disable Firewire kernel module(s)
One or more lines that can disable or otherwise alter how kernel modules are loaded/configured/disabled.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-13 - Limitation and Control of Network Ports, Protocols, and Services
DISA Red Hat 5 STIG (v1R4)
• GEN008480 - The system must have USB Mass Storage disabled unless needed.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000503 - The operating system must enforce requirements for the connection of mobile devices to operating systems.
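Disable Mounting of Uncommon Filesystem Types, Disable Support for Firewire and Disable Support for USB Storage all describe the same matching rule for modprobe configuration: a required line is matched on its first two whitespace-separated fields, the remainder is rewritten if it differs, and an unmatched line is appended to SecurityBlanket_modprobe_settings (or modprobe.conf when /etc/modprobe.d is not a directory). The following added example is not Security Blanket's own code; it implements that rule over an in-memory map of file contents so it can be run offline. The file names are the ones the text gives; the file contents and the required lines are constructed examples of what an administrator might supply.

```python
"""Apply 'required lines' to modprobe configuration.

Added example, not Security Blanket's own code. Implements the matching rule
the three modules above describe over an in-memory {path: content} map. File
names come from the module text; contents and required lines are constructed.
"""
import os

MODPROBE_D = "/etc/modprobe.d"
MODPROBE_CONF = "/etc/modprobe.conf"
SB_FILE = os.path.join(MODPROBE_D, "SecurityBlanket_modprobe_settings")

# Constructed snapshot of the configuration files as they might exist on a host.
SAMPLE_FILES = {
    "/etc/modprobe.d/blacklist.conf": "# local blacklist\nblacklist pcspkr\n",
    "/etc/modprobe.d/usb.conf": "install usb-storage /sbin/modprobe --ignore-install usb-storage\n",
}

# Constructed example of what an administrator might enter in the module option.
SAMPLE_REQUIRED = [
    "install cramfs /bin/true",
    "install usb-storage /bin/true",
]


def _key(line):
    """The first two whitespace-separated fields, e.g. ('install', 'usb-storage')."""
    fields = line.split()
    return tuple(fields[:2]) if len(fields) >= 2 else None


def apply_required_lines(files, required, modprobe_d_is_dir=True):
    """Return (updated_files, changes) after enforcing every line in `required`."""
    files = dict(files)
    changes = []
    # Only modprobe.d/* and modprobe.conf are examined, as the module text says.
    candidates = [p for p in files if p.startswith(MODPROBE_D + "/") or p == MODPROBE_CONF]
    for wanted in required:
        key = _key(wanted)
        if key is None:
            continue
        matched = False
        for path in candidates:
            lines = files[path].splitlines()
            for i, line in enumerate(lines):
                if line.lstrip().startswith("#") or _key(line) != key:
                    continue
                matched = True
                # Same first two fields but a different remainder: rewrite the line.
                if line.split() != wanted.split():
                    lines[i] = wanted
                    files[path] = "\n".join(lines) + "\n"
                    changes.append(f"updated {path}: {wanted}")
        if not matched:
            target = SB_FILE if modprobe_d_is_dir else MODPROBE_CONF
            files[target] = files.get(target, "") + wanted + "\n"
            if target not in candidates:
                candidates.append(target)
            changes.append(f"added to {target}: {wanted}")
    return files, changes


if __name__ == "__main__":
    updated, log = apply_required_lines(SAMPLE_FILES, SAMPLE_REQUIRED)
    for entry in log:
        print(entry)
```

Matching on the first two fields is what makes the rule idempotent and lets it override a distribution's own `install usb-storage ...` line in place rather than adding a conflicting one; modprobe reads every file in /etc/modprobe.d, so a duplicate key in two files would leave the result order-dependent. Running the function a second time over its own output reports no changes.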
Enable ExecShield Kernel Module
The Linux kernel provides a number of features that protect against buffer overflows and randomize the address space. These features include random placement of the stack and other memory regions, prevention of execution in memory that should only hold data, and special handling of text buffers. These features should be on by default; however, this module also ensures the settings are explicitly present in /etc/sysctl.conf.
Please refer to your kernel documentation for more information on these features, and look in the /proc/sys/kernel pseudo-directory for additional settings that can be altered.
Module Options
• Required settings for /etc/sysctl.conf, one per line: <param> = <value>
Compliancy
DISA Red Hat 5 STIG (v1R4)
• GEN003540 - The system must implement non-executable program stacks.
• GEN008420 - The system must use available memory address randomization techniques.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000078 - The system must implement virtual address space randomization.
• RHEL-06-000079 - The system must limit the ability of processes to have simultaneous write and execute access to memory.
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.2.4.3 - Enable ExecShield
NVD CCE
• CCE-4146-7
• CCE-4168-1
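Disable SUID Core Dumps and Enable ExecShield Kernel Module both reduce to the same operation: make sure a given `param = value` line is present in sysctl.conf(5), correcting it when it carries another value. The following added example (not the Security Blanket implementation) does that for a small required set. fs.suid_dumpable = 0 is taken from the module text; the ExecShield and address-space randomization parameters and their values are assumptions for a RHEL 5 era kernel, not quoted from the page. The sysctl.conf content is constructed.

```python
"""Ensure 'param = value' settings in sysctl.conf(5).

Added example, not Security Blanket's implementation. fs.suid_dumpable = 0 is
from the module text; kernel.exec-shield and kernel.randomize_va_space and
their values are assumed hardening settings for a RHEL 5 era kernel. The
sample file is constructed.
"""
import re

REQUIRED = {
    "fs.suid_dumpable": "0",           # Disable SUID Core Dumps (from the module text)
    "kernel.exec-shield": "1",         # assumed ExecShield setting
    "kernel.randomize_va_space": "2",  # assumed address-space randomization setting
}

# Constructed sample /etc/sysctl.conf; comments are whole lines, as sysctl.conf(5) expects.
SAMPLE_SYSCTL = """\
# Kernel sysctl configuration file
net.ipv4.ip_forward = 0
kernel.exec-shield=0
fs.suid_dumpable = 1
"""

# 'key = value' with optional spaces around '='; keys may contain '.', '-' or '/'.
_LINE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(\S+)")


def current_settings(text):
    """Map parameter -> value for the effective lines (a later duplicate wins, as sysctl applies them)."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def ensure_settings(text, required=REQUIRED):
    """Rewrite wrong lines in place and append missing ones; returns (new_text, changes)."""
    out, changes, seen = [], [], set()
    for line in text.splitlines():
        m = None if line.lstrip().startswith(("#", ";")) else _LINE.match(line)
        if m and m.group(1) in required:
            key = m.group(1)
            seen.add(key)
            if m.group(2) != required[key]:
                line = f"{key} = {required[key]}"
                changes.append(f"set {key}")
        out.append(line)
    for key, val in required.items():
        if key not in seen:
            out.append(f"{key} = {val}")
            changes.append(f"add {key}")
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    new_text, log = ensure_settings(SAMPLE_SYSCTL)
    print(new_text)
    print(log)
```

The file only takes effect at boot or after `sysctl -p`; a scan that wants the running value should read /proc/sys (for example /proc/sys/fs/suid_dumpable) rather than the file, and a good check compares both.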
Enable Stack Protection
Enables the stack to be marked as nonexecutable, which helps make buffer-overflow attacks more difficult. This module is not
applicable to Linux-based systems.
A Solaris system running a 64-bit kernel makes the stacks of all 64-bit applications nonexecutable by default. Setting this parameter is
necessary to make 32-bit applications nonexecutable on systems running 64-bit or 32-bit kernels.
This parameter exists on all systems running the Solaris 2.6, 7, 8, 9, or 10 releases, but it is only effective on 64-bit SPARC and
AMD64 architectures.
Operating Systems | Configuration Files | Setting
Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11 | | Linux kernels must support the NX feature. Red Hat Enterprise Linux 4 and SUSE 9.1 and later do support this feature. (See the Check Kernel for XD/NX Support and Enable ExecShield Kernel Module modules for more information.)
Solaris 10 (SPARC Global zone only) | /etc/system | set noexec_user_stack = 1
| | set noexec_user_stack_log = 1
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA UNIX STIG (v5 R1.30)
• GEN003540 - Disable Executable Stack
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Exec Shell Startups in /etc/profile.d
Most Linux distributions have a directory named /etc/profile.d that holds various environment “setup” files, which ensure at a system level that applications are set up correctly. Most shells fall into one of two syntax flavors (Bourne shell or C shell); therefore you will find files with the *.sh and *.csh suffixes. When a shell starts up (if it is a “login” shell), the appropriate flavor files in /etc/profile.d are executed.
Solaris does not do this by default, so this module will append the requisite set of lines (if not there already) to the /etc/profile
and /etc/csh.login files to execute all files in /etc/profile.d, and will create /etc/profile.d directory if it does not
already exist. This module is required by any other module that might create a file in the /etc/profile.d directory.
All supported Linux platforms already have this directory, as well as the required lines in /etc/profile and /etc/csh.login;
therefore this module will return "OS Not Applicable" when run on a Linux platform.
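The behaviour described above, as an added example that is not Security Blanket's own code: the hook text, the marker comment and the PROFILE_D override are this example's own choices, since the guide does not quote the exact lines the module appends.

```shell
#!/bin/sh
# Added example, not Security Blanket's own code. Gives a Solaris-style
# /etc/profile and /etc/csh.login the /etc/profile.d hook that Linux ships
# by default, appending it only when it is not already present and creating
# the directory if needed. The marker comment and the exact hook text are
# this example's own choice; the guide does not quote the lines the module
# appends. PROFILE_D can be overridden (the test points it at a temp dir).

PROFILE_D="${PROFILE_D:-/etc/profile.d}"
MARKER="# profile.d startup hook (added by hardening script)"

# Bourne-shell hook: source every readable *.sh in the directory. The
# directory path is baked in when the hook is generated; $i stays literal.
sh_hook() {
    cat <<EOF
$MARKER
if [ -d "$PROFILE_D" ]; then
    for i in "$PROFILE_D"/*.sh; do
        [ -r "\$i" ] && . "\$i"
    done
    unset i
fi
EOF
}

# C-shell hook: the same idea for *.csh files, in csh syntax.
csh_hook() {
    cat <<EOF
$MARKER
if ( -d $PROFILE_D ) then
    set nonomatch
    foreach i ( $PROFILE_D/*.csh )
        if ( -r "\$i" ) source "\$i"
    end
    unset i nonomatch
endif
EOF
}

# ensure_hook FLAVOR FILE: append the sh or csh hook to FILE unless the
# marker is already there. Returns 0 when it appended, 1 when FILE already
# had the hook (so running the script twice is a no-op), 2 on a bad FLAVOR.
ensure_hook() {
    flavor="$1"
    file="$2"
    if [ -f "$file" ] && grep -q -F "$MARKER" "$file"; then
        return 1
    fi
    mkdir -p "$PROFILE_D"
    case "$flavor" in
        sh)  sh_hook  >> "$file" ;;
        csh) csh_hook >> "$file" ;;
        *)   echo "unknown shell flavor: $flavor" >&2; return 2 ;;
    esac
}

# Touch the real system files only when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then
    ensure_hook sh  /etc/profile   || true
    ensure_hook csh /etc/csh.login || true
fi
```

Run with --apply as root to modify /etc/profile and /etc/csh.login; without arguments the script only defines the functions.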
Compliancy
N/A
GRUB Boot Single Image
Examines the GRand Unified Bootloader (GRUB) config file (usually /boot/grub/grub.conf or /boot/grub/menu.lst)
to see if there is only a single bootable definition. If not, the default boot definition is retained and all other boot definitions are
removed.
If the immutable bit is set in the extended attributes on the configuration file, it is removed while making any changes and then
restored.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6
Configuration Files: /boot/grub/grub.conf

Operating Systems: SUSE 10 and 11; Solaris 10 (x86 only)
Configuration Files: /boot/grub/menu.lst

Operating Systems: Red Hat Enterprise Linux 5.2+ (zSeries)
Configuration Files: GRUB is not used on IBM zSeries platforms. Instead the zSeries Initial Program Loader (z/IPL) is used.
Compliancy
DISA UNIX STIG (v5 R1.30)
• LNX00280 - Capable of Dual Boot
Password Protect GRUB
Sets the specified password on the GRand Unified Bootloader (GRUB). This ensures that the kernel parameters cannot be changed
during boot time unless you have the correct password.
Important
This module has been retired, and is now a scan-only module. It has been replaced by the “Require GRUB Password”
module. Please modify any profiles accordingly. Any GRUB password settings should be made manually by a system
administrator.
To maintain system integrity, ensure that the kernel argument string is not changed at boot time. By configuring a GRUB password,
the administrator controls the initial boot process.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6
Configuration Files: /boot/grub/grub.conf
Setting: password --md5 $1$md5hash

Operating Systems: SUSE 10 and 11; Solaris 10 (x86 only)
Configuration Files: /boot/grub/menu.lst
Setting: password --md5 $1$md5hash

Operating Systems: Red Hat Enterprise Linux 5.2+ (zSeries)
Configuration Files: GRUB is not used on IBM zSeries platforms. Instead the zSeries Initial Program Loader (z/IPL) is used.
Module Options
• GRUB password.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Remove Telnet Service Banner
Removes the telnet service banner. On Solaris systems, the standard warning banner is displayed and then the telnet service banner is
displayed, which often contains the operating system version.
It is strongly recommended to disable the Telnet service.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Setting: Not applicable to Linux systems because only the standard warning banner is displayed.

Operating Systems: Solaris 10
Configuration Files: /etc/default/telnetd
Setting: BANNER=""
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA UNIX STIG (v5 R1.30)
• GEN000400 - Logon Warning Banner Display
NERC Cyber Security - Electronic Security Perimeters (CIP-005-3)
• CIP-005-3-R2.6 - Appropriate Use Banner
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Require GRUB Password
Requires that a password setting be present for the GRand Unified Bootloader (GRUB). This ensures that the kernel parameters cannot
be changed during boot time unless you have the correct password. The permissions on the GRUB configuration file will also be
checked to limit access to root only.
To maintain system integrity, ensure that the kernel argument string is not changed at boot time. By configuring a GRUB password,
the administrator controls the initial boot process.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6
Configuration Files: /boot/grub/grub.conf
Setting: password --md5 password-hash

Operating Systems: SUSE 10 and 11; Solaris 10 (x86 only)
Configuration Files: /boot/grub/menu.lst
Setting: password --md5 password-hash

Operating Systems: Red Hat Enterprise Linux 5.2+ (zSeries)
Configuration Files: GRUB is not used on IBM zSeries platforms. Instead the zSeries Initial Program Loader (z/IPL) is used.
Important
This is a scan-only module, so the system administrator is required to set the GRUB password manually. Consult the
operating system documentation for instructions on how to do this correctly. This module will also not make any changes to
the permissions on the configuration file itself. The “System Configuration File Permissions” module (if in the same profile
as this module) will correct any ownership or permission issues.
Setting the GRUB password:
1. Select a password and then generate a hash from it by running:
   # /usr/sbin/grub-md5-crypt
2. Insert the following line into the configuration file (shown in the above table) immediately after the header comments. Use the
   output from grub-md5-crypt as the value of password-hash:
   password --md5 password-hash
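An added example, not Security Blanket's own code, that scans a legacy GRUB configuration for both the “GRUB Boot Single Image” checks (count of bootable stanzas, keep only the default one) and the “Require GRUB Password” checks (a password --md5 line in the global section, root-only file permissions), and performs step 2 of the procedure above. It assumes GNU stat for the permission lookup; the sample configuration and the hash used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Security Blanket's own code. Scan-style checks for a
# legacy GRUB configuration (grub.conf or menu.lst) covering two modules in
# this guide: "GRUB Boot Single Image" (count the bootable "title" stanzas
# and keep only the one selected by default=N) and "Require GRUB Password"
# (a "password --md5 <hash>" line in the global section, and a file that is
# root-owned with no group/other access). Every function takes the file
# path as $1 and writes rewritten configs to stdout, so the caller decides
# whether to replace the file (clearing and restoring the immutable bit
# with chattr -i / chattr +i where it is set, as the module does).
# The test's sample file and its "$1$PLACEHOLDER$..." hash are constructed;
# the hash is not real grub-md5-crypt output.

# Number of bootable "title" stanzas (0 when none).
grub_stanza_count() {
    grep -c '^[[:space:]]*title' "$1" || true
}

# Stanza index chosen by "default=N" or "default N"; 0 when not set.
grub_default() {
    n=$(sed -n 's/^[[:space:]]*default[[:space:]]*=*[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${n:-0}"
}

# Succeeds only when "password --md5 <hash>" appears before the first
# "title", i.e. in the global section where GRUB enforces it for the menu.
grub_has_md5_password() {
    awk '/^[[:space:]]*title/ { exit 1 }
         /^[[:space:]]*password[[:space:]]+--md5[[:space:]]+[^[:space:]]+/ { found = 1; exit }
         END { exit found ? 0 : 1 }' "$1"
}

# Print the config with only the default stanza kept. default is reset to
# 0 because the kept stanza is now the only one; an out-of-range default
# falls back to the first stanza.
grub_single_image() {
    keep=$(grub_default "$1")
    count=$(grub_stanza_count "$1")
    [ "$keep" -lt "$count" ] || keep=0
    awk -v keep="$keep" '
        /^[[:space:]]*title/ { n++ }
        n == 0 && /^[[:space:]]*default[[:space:]]*=*[[:space:]]*[0-9]/ { print "default=0"; next }
        n == 0 || n == keep + 1 { print }' "$1"
}

# Step 2 of the guide's procedure: print the config with "password --md5
# HASH" inserted immediately after the leading header comments.
grub_insert_md5_password() {
    awk -v hash="$2" '
        !done && !/^[[:space:]]*#/ && !/^[[:space:]]*$/ { print "password --md5 " hash; done = 1 }
        { print }' "$1"
}

# Ownership/mode findings from a numeric uid and an octal mode as printed
# by GNU "stat -c %u" and "stat -c %a". Prints one finding per line and
# nothing when the file is root-owned with no group or other bits.
grub_perm_findings() {
    [ "$1" -eq 0 ] || echo "not owned by root (uid $1)"
    case "$2" in
        0|*00) ;;
        *) echo "group/other access permitted (mode $2)" ;;
    esac
}

# Report for one file; returns 0 only when all three checks pass.
grub_scan() {
    rc=0
    count=$(grub_stanza_count "$1")
    [ "$count" -le 1 ] || { echo "$1: $count bootable stanzas, default index $(grub_default "$1")"; rc=1; }
    grub_has_md5_password "$1" || { echo "$1: no 'password --md5' line in the global section"; rc=1; }
    findings=$(grub_perm_findings "$(stat -c %u "$1")" "$(stat -c %a "$1")")
    [ -z "$findings" ] || { printf '%s\n' "$findings" | sed "s|^|$1: |"; rc=1; }
    return $rc
}

[ "$#" -eq 0 ] || grub_scan "$1"
```

Invoke as `sh grubcheck.sh /boot/grub/grub.conf` (or menu.lst) for a report; the rewrite functions never touch the file themselves.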
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DHS Linux Configuration Guidance (2010.8)
• 8.6 - configure Boot Process
DISA Red Hat 5 STIG (v1R4)
• GEN008700 - The system boot loader must require authentication.
• GEN008710 - The system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000068 - The system boot loader must require authentication.
DISA UNIX STIG (v5 R1.30)
• LNX00140 - GRUB Boot Loader Encrypted Password
DoD NISPOM (Feb 2006)
• 8.613a1 - Access to Protection Functions
NSA Guide to the Secure Configuration of RHEL5 (Rev. 4.2 / Aug 2011)
• 2.3.5.2 - Set Boot Loader Password
NVD CCE
• CCE-3818-2
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Restrict At and Cron
Restricts the use of the at(1) and crontab(1) commands to a list of specified users.
Only the root user should use the at(1) and crontab(1) commands.
Operating Systems: Fedora 10, 11, 12, and 13; Red Hat Enterprise Linux 4, 5, and 6; SUSE 10 and 11
Configuration Files and Settings:
    /etc/at.deny - Remove this file if it exists.
    /etc/cron.deny - Remove this file if it exists.
    /etc/cron.allow - If it does not exist, create it with just 'root' listed.

Operating Systems: Solaris 10
Configuration Files and Settings:
    /etc/cron.d/at.deny - Remove this file if it exists.
    /etc/cron.d/cron.deny - Remove this file if it exists.
    /etc/cron.d/cron.allow - If it does not exist, create it with just 'root' listed.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002960 - Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
• GEN002980 - The cron.allow file must have mode 0600 or less permissive.
• GEN003200 - The cron.deny file must have mode 0600 or less permissive.
• GEN003240 - The cron.allow file must be owned by root, bin, or sys.
• GEN003250 - The cron.allow file must be group-owned by root, bin, sys, or cron.
• GEN003252 - The at.deny file must have mode 0600 or less permissive.
• GEN003260 - The cron.deny file must be owned by root, bin, or sys.
• GEN003270 - The cron.deny file must be group-owned by root, bin, sys, or cron.
• GEN003280 - Access to the "at" utility must be controlled via the at.allow and/or at.deny file(s).
• GEN003300 - The at.deny file must not be empty if it exists.
• GEN003320 - Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the
at.deny file if the at.allow file does not exist.
• GEN003340 - The at.allow file must have mode 0600 or less permissive.
DISA UNIX STIG (v5 R1.30)
• GEN002960 - Cron Utility Accessibility
• GEN002980 - The cron.allow Permissions
• GEN003060 - Default System Accounts and Cron
• GEN003200 - cron.deny Permissions
• GEN003240 - cron.allow Ownership
• GEN003260 - cron.deny Ownership
• GEN003300 - The at.deny File
• GEN003320 - Default System Accounts and At
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
Secure Netrc Files
Restricts .netrc file permissions to owner read and write access, which prevents others from gaining access to this information. The
.netrc files are used for remote login without interaction. This is achieved through storing an unencrypted password in the file. If
used, these files should be protected from all other users.
The use of .netrc files is strongly discouraged. If this breaks a third-party application, undo the operation and encourage the
third-party vendor to provide a better solution.
Compliancy
CAG 20 Critical Security Controls (v2.3)
• CC-3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
DISA Red Hat 5 STIG (v1R4)
• GEN002000 - There must be no .netrc files on the system.
• GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
DISA Red Hat 6 STIG (v1R2)
• RHEL-06-000347 - There must be no .netrc files on the system.
DISA UNIX STIG (v5 R1.30)
• GEN002000 - The .netrc File Exists
• GEN002060 - Access Control Files Accessibility
NIST FISMA (SP 800-53)
• AC-3 - Access Enforcement
PCI DSS (v2.0)
• 2.2 - Configuration standards for system components consistent with industry-accepted system hardening standards
• 2.2.3 - Configure system security parameters to prevent misuse
Appendix A. Cross Reference to Guidelines
CAG 20 Critical Security Controls v2.3
Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG)
“This consensus document of 20 crucial controls is designed to begin the process of establishing that prioritized baseline of
information security measures and controls. The consensus effort that has produced this document has identified 20 specific technical
security controls that are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected
in the near future. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort
has also identified a second set of five controls that are essential but that do not appear to be able to be monitored continuously or
automatically with current technology and practices. Each of the 20 control areas includes multiple individual subcontrols, each
specifying actions an organization can take to help improve its defenses.”
20 Total number of line items in guideline
5 Items at least partially addressed by Security Blanket
15 Items not addressed by Security Blanket
Table A.1. Guideline name/description for CAG 20 Critical Security Controls v2.3
Line Item  Description
CC-3       Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CC-6       Maintenance, Monitoring, and Analysis of Audit Logs
CC-8       Controlled Use of Administrative Privileges
CC-11      Account Monitoring and Control
CC-13      Limitation and Control of Network Ports, Protocols, and Services
Table A.2. Module to line item breakdown for CAG 20 Critical Security Controls v2.3
Each module below is marked against one or more of CC-3, CC-6, CC-8, CC-11 and CC-13; the per-control marks are not recoverable from
this copy, so only the Security Blanket Module column is given.
Security Blanket Module
ARP Cleanup Interval
ARP IRE_CACHE Cleanup Interval
Adjust Maximum Pending Connections
At Directory Permissions
At/Cron Access File Permissions
Audit Rules
Audit Rules (Solaris)
Block System Accounts
Boot Loader Configuration File Permissions
Configure Permissions on /usr/bin/ldd
Configure Sendmail Options
Configure System to Log 'martian' Network Packets
Configure Xinetd Logging
Correct Global Init Script PATH Variables
Correct System RC Script PATH Variables
Correct Uneven File Permissions
Create Login Banner
Create Login FTP Banner
Create Pre-Login GUI Banner
Create Pre-Session GUI Banner
Create ftpusers File
Cron Logging
Crontab Dir Perms
Crontab Perms
Crontab Script Perms
Daemon Umask
Default umask
Deny NFS Client Access Without UID or GID
Disable ACPI Daemon
Disable Accepting ICMP Redirects
Disable Accepting Secure Redirects
Disable Apache
Disable Avahi Daemon
Disable Bluetooth
Disable Bluetooth Kernel Modules
Disable Boot Caching
Disable CDE Calendar Manager Server
Disable CDE ToolTalk Database Server
Disable CPU Throttling
Disable CUPS Printer Browsing
Disable Console Mouse Support
Disable Core Dumps
Disable Ctrl-Alt-Del
Disable DNS
Disable Dhcpd
Disable FTP (gssftp)
Disable FTP (vsftpd)
Disable File Sharing Networks
Disable Finger
Disable Firefox if Older than 3.0
Disable Firstboot Service
Disable Fspd
Disable GNOME Automounting
Disable GSS Daemon
Disable Gated
Disable Graphical Login
Disable HAL Daemon
Disable HP Printing and Imaging
Disable IA32 Microcode Utility
Disable IP Forwarding
Disable IRDA Service
Disable IRQ Balance Service
Disable ISDN
Disable Inetd
Disable Innd
Disable Instant Messenger Client (Yahoo!)
Disable Instant Messenger Client (gaim)
Disable Java Web Console
Disable Kerberos TGT Expiration Warning
Disable Kernel Crash Analyzer
Disable Kudzu
Disable LDAP Client Cache Manager
Disable Login Prompts on Serial Ports
Disable Mail (Cyrus Mail Server)
Disable Mail (Dovecot Mail Server)
Disable MySQL
Disable NFS Client
Disable NFS Server
Disable NIS Client
Disable NIS Server
Disable NetFS
Disable Network Analysis Tools
Disable PAM Console Library
Disable Portmap Daemon
Disable Postgresql
Disable Power Management
Disable Printer Configuration Daemon
Disable Printer Daemon
Disable RPC Keyserv
Disable Raw Devices Service
Disable Remote Exec (rexec)
Disable Remote Login (rlogin)
Disable Remote Shell (rsh)
Disable Remote Syslog
Disable Rhnsd
Disable Rhosts Support
Disable Routed
Disable SMART Disk Monitoring Support
Disable SMB
Disable SNMP
Disable SNMP if Default Public String Exists
Disable Sending ICMP Redirects
Disable Sendmail
Disable Sendmail Help
Disable Sendmail if Older than 8.13.8
Disable Software RAID Monitor
Disable Solaris Volume Manager
Disable Solaris Volume Manager GUI
Disable Source Routing
Disable Squid
Disable Squid if Older than 2.4STABLE6
Disable Support for DCCP
Disable Support for Firewire
Disable Support for RDS
Disable Support for SCTP
Disable Support for TIPC
Disable Support for USB Storage
Disable TFTP
Disable Telnet
Disable Tux
Disable USB and PCMCIA Devices
Disable UUCP
Disable WBEM
Disable Webmin
Disable XFS
Disable atd Service
Disable rpc.ugidd
Enable Reverse Path Source Validation
Enable Stack Protection
Enable Strong TCP Sequence Number Generation
Enable TCP Syncookies
Enable the Audit Subsystem
Enable Vsftpd Additional Logging
Expired Password Invalidation
FTP Configuration File Permissions
Global Initialization File Permissions
Home Directory Contents
Home Directory Ownership
Home Directory Permissions
Hosts File Permissions
Ignore ICMP ECHO and TIMESTAMP Requests
Inetd/Xinetd Configuration File Permissions
InterNetNews Config File Perms
Kernel Core Dump Directory Permissions
LDAP Configuration File Permissions
Limit Access To Root From Su
Limit Password Reuse
Limit Term Write Access to Owner
Lock Invalid Accounts
Lock Non-Root Accounts with UID 0
Lock Account after Three Failed Login Attempts
Log Critical Sendmail Messages
Mail Agent Aliases Files Permissions
Management Information Base (MIB) File Permissions
Maximum Time Between Password Changes
Minimum Delay Between Password Changes
MySQL - Disable Command History
NFS Export Configuration File Permissions
NIS/NIS+/YP Configuration File Permissions
Name Service Switch Configuration File Permissions
No Empty Passwords
No Plus Entries in Password Files
PHP - Disallow HTTP File Uploads
PHP - Enhance Session Management
PHP - Set Error Logging
Password Expiration Warning
Password Perms
Password Policy Consecutive Characters
Password Policy Different Characters
Password Policy Length Minimum
Password Policy Lowercase Minimum
Password Policy Numeric Minimum
Password Policy Special Characters
Password Policy Uppercase Minimum
Password Protect GRUB
Printer Configuration File Permissions
Remove Games User Account
Remove Gopher User Account
Remove Halt User Account
Remove Insecure_Locks Option for NFS Server
Remove News User Account
Remove SMB Guest Authentication
Remove Shutdown User Account
Remove Sync User Account
Remove Telnet Service Banner
Remove ftp Account
Require GRUB Password
Resolver Configuration File Permissions
Restrict At and Cron
Restrict Remote X Clients
Restrict Use of Compiler Tools
Restrict Use of Traceroute and Ping
Restrict Write Access on Man Pages
Restrict the CDE Subprocess Control Service
Restrict use of Mesg Command
Root Console Only Logins
Root Home Directory Permissions
Root Path
Root Shell must be on / filesystem
SMB Configuration
SNMP Configuration File Permissions
SSH Parameters
SSH Restrict Ciphers
SSH Restrict HMAC
SSHD Disable Empty Passwords
SSHD Disable Host-based Authentication
SSHD Disable Rhosts Authentication
SSHD Disable Root Login
SSHD Enable Banner
SSHD Enable Ignore Rhosts
SSHD Enable X11 Forwarding
SSHD Logging Level
SSHD Print Last Log
SSHD Protocol
SSHD Restrict Ciphers
SSHD Restrict HMAC
SSHD Restrict Users and Groups
SSHD Set Idle Timeout Interval for User Logins
Secure Audio Devices
Secure Authpriv Logging
Secure Netrc Files
Secure Option for NFS Server
Secure SUID/SGID Executables
Secure Shell Binaries
Secure Unowned Files
Secure World Writable Devices
Secure World Writable Directories
Secure World Writable Files
Services File Permissions
Set CDE Screen Saver
Set FTP Umask (gssftp)
Set Mandatory Screen Saver
Set Password Aging on Active Accounts
Set TFTP Startup Directory
Set X Screen Saver Application Defaults
Set Delay after Failed Login
Set Shell Timeout Period
Shadow Perms
Single User Mode Password
Skeleton File Permissions
Sync Shells File
Sysctl.conf Permissions
System Accounting
System Command File Permissions
System Configuration File Permissions
System Device Directory Ownership
System Library File Permissions
System Log File Permissions
System Logging Configuration File Permissions
System Run Control Script Permissions
Use NODEV Option for Non-Root Partitions
Use NOSUID and NODEV for Removable Media
Use NOSUID on User Filesystems
User Dot File Perms
User Mountable Media
CIA DCID 6/3 May 2000
DCID 6/3 is the Certification and Accreditation (C&A) process used by U.S. federal agencies working on intelligence projects
(e.g., the CIA). Specifically, information technology projects that require anyone working on them have a Top Secret, Sensitive
Compartmentalized Information (SCI) clearance use the DCID 6/3 process. DCID stands for Director of Central Intelligence Directive
and 6/3 refers to the process described in section 6, part 3 of the compendious Director of Central Intelligence Directives. The C&A
process that the Intelligence Community (IC) used before DCID 6/3 came along was called DCID 1/16.
The DCID 6/3 model is based on C&A performed on information systems that are characterized by Protection Levels (PL), and DCID
6/3 defines five different protection levels. DCID 6/3 deals only with classified information and its PL model helps ensure that only
properly cleared people have access to classified information. Although the DCID 6/3 model was designed for classified information
and intelligence work, it is publicly available for review, and any agency or private organization can adopt the methodology, and
customize it according to their own unique requirements. The DCID Standards Manual, which defines the DCID 6/3 C&A process,
can be found on the Federation of American Scientists Web site.
The DCID 6/3 C&A process must also comply with the DCID 6/3 Policy Manual. The DCID 6/3 Policy Manual can be found on the
Web.
Many of the requirements for IC C&A are based on physical security, since classified information must always be physically secured.
Aside from physical security, the IC puts a lot of emphasis on encryption. The emphasis in these two areas is what really sets apart
DCID C&A from the other C&A methodologies.
26 Total number of line items in guideline
26 Items at least partially addressed by Security Blanket
0 Items not addressed by Security Blanket
Table A.3. CIA DCID 6/3 May 2000
Item  Title (each item is followed by the Security Blanket Modules that address it)

4.B.1.a(2)  Identification and Authentication - Unique Users
    Lock Non-Root Accounts with UID 0
    No Empty Passwords
4.B.1.a(5)  Screen Lock
    Set CDE Screen Saver
    Set Mandatory Screen Saver
    Set X Screen Saver Application Defaults
    Set Shell Timeout Period
4.B.1.a(5)(a)  Screen Lock - Maximum Idle Time will be 15 minutes
    Set CDE Screen Saver
    Set Mandatory Screen Saver
    Set X Screen Saver Application Defaults
    Set Shell Timeout Period
4.B.1.a(6)(a)  Session Control - Login Warning Banners
    Create Login Banner
    Create Login FTP Banner
    Create Pre-Login GUI Banner
    Create Pre-Session GUI Banner
    SSHD Enable Banner
4.B.1.a(6)(b)  Session Control - Login Warning Banners - Consent
    Create Login Banner
    Create Login FTP Banner
    Create Pre-Login GUI Banner
    Create Pre-Session GUI Banner
    SSHD Enable Banner
4.B.1.b(2)(a)  Auditing - Date and time entity performed system action
    Audit Rules
    Audit Rules (Solaris)
    Enable the Audit Subsystem
4.B.1.b(2)(b)  Auditing - Protect contents of audit trails against unauthorized access
    System Log File Permissions
4.B.1.b(2)(d)(1)  Auditing - Record Successful and unsuccessful logons and logoffs
    Audit Rules
    Audit Rules (Solaris)
4.B.1.b(2)(d)(2)  Auditing - Record accesses to security-relevant objects
    Audit Rules
    Audit Rules (Solaris)
4.B.1.b(2)(d)(3)  Auditing - Record activities at the system console
    Audit Rules
    Audit Rules (Solaris)
4.B.1.b(3)(e)  Identification and Authentication - Aging of static authenticators
    Maximum Time Between Password Changes
    Set Password Aging on Active Accounts
4.B.2.a(4)(a)  Auditing - Date and time entity performed system action (PL2)
    Enable the Audit Subsystem
4.B.2.a(4)(b)  Auditing - Protect contents of audit trails against unauthorized access (PL2)
    System Log File Permissions
4.B.2.a(4)(d)(1)  Auditing - Record Successful and unsuccessful logons and logoffs (PL2)
    Audit Rules
    Audit Rules (Solaris)
4.B.2.a(4)(d)(2)  Auditing - Record accesses to security-relevant objects (PL2)
    Audit Rules
    Audit Rules (Solaris)
4.B.2.a(4)(d)(3)  Auditing - Record activities at the system console (PL2)
    Audit Rules
    Audit Rules (Solaris)
4.B.2.a(16)(b)  Session Control - Station or session time-outs (PL2)
    Enable the Audit Subsystem
    SSHD Set Idle Timeout Interval for User Logins
    Set CDE Screen Saver
    Set Mandatory Screen Saver
    Set X Screen Saver Application Defaults
    Set Shell Timeout Period
4.B.2.a(16)(c)  Session Control - Limit retry on logon as technically feasible (PL2)
    Lock Account after Three Failed Login Attempts
4.B.2.b(5)(a)  System Assurance - Control access to the security support structure (PL2)
    Enable the Audit Subsystem
4.B.3.a(7)  Auditing - Record changes to the mechanism's list of user formal access permissions (PL3)
    Audit Rules
    Audit Rules (Solaris)
4.B.3.a(9)(e)  Identification and Authentication - Aging of static authenticators
    Set Password Aging on Active Accounts
4.B.3.a(9)(f)  Identification and Authentication - Limiting reuse of static authenticators
    Limit Password Reuse
4.B.3.a(17)(a)  Session Control - Station or session time-outs (PL3)
    Enable the Audit Subsystem
    SSHD Set Idle Timeout Interval for User Logins
    Set CDE Screen Saver
    Set Mandatory Screen Saver
    Set X Screen Saver Application Defaults
    Set Shell Timeout Period
4.B.3.a(20)(b)
    SSHD Set Idle Timeout Interval for User Logins
    Set Shell Timeout Period
4.B.3.a(20)(c)
    Lock Account after Three Failed Login Attempts
4.B.4.a(6)(b)
    System Log File Permissions
DHS Linux Configuration Guidance 2010.8
The United States Department of Homeland Security (DHS) is a Cabinet department of the U.S. federal government with the primary
responsibilities of protecting the territory of the U.S. from terrorist attacks and responding to natural disasters.
The Linux Configuration Guidance document is distributed to DHS system administrators to provide them with a clear, concise set of
procedures that will define a minimum baseline of security for every system installed. This document is intended for use with systems
supporting remote system, enterprise client, and enterprise server environments, as well as with high-security implementations of
these environments.
90 Total number of line items in guideline
42 Items at least partially addressed by Security Blanket
48 Items not addressed by Security Blanket
Table A.4. DHS Linux Configuration Guidance 2010.8
Item  Title (each item is followed by the Security Blanket Modules that address it)

3.1  Password Settings
    Block System Accounts
    Lock Account after Three Failed Login Attempts
    Maximum Time Between Password Changes
    Minimum Delay Between Password Changes
    Password Expiration Warning
    Password Policy Consecutive Characters
    Password Policy Different Characters
    Password Policy Length Minimum
    Remove Games User Account
    Remove Gopher User Account
    Remove Halt User Account
    Remove News User Account
    Remove Shutdown User Account
    Remove Sync User Account
    Remove ftp Account
    Set Password Aging on Active Accounts
4.1  Login Warning Banner
    Create Login Banner
    Create Login FTP Banner
4.2  GUI Login Warning Banner
    Create Pre-Login GUI Banner
    Create Pre-Session GUI Banner
4.3  Restrict Substitute User (su) Access
    Limit Access To Root From Su
4.4  Restrict Root Login to the Console
    Root Console Only Logins
4.5.1  Limit SSH Protocol Use to Version 2
    SSH Parameters
    SSHD Protocol
4.5.2  Disable Root Login Via SSH
    SSH Restrict Ciphers
    SSH Restrict HMAC
    SSHD Disable Root Login
    SSHD Print Last Log
    SSHD Restrict Ciphers
    SSHD Restrict HMAC
    SSHD Restrict Users and Groups
4.5.3  Display Secure Shell Warning Banner
    SSHD Enable Banner
4.5.4  Use Secure Shell RSA Authentication
    SSH Disable GSSAPI Authentication
    SSHD Disable GSSAPI Authentication
    SSHD Disable Host-based Authentication
    SSHD Disable Kerberos Authentication
    SSHD Disable Rhosts RSA Authentication
    SSHD Enable Ignore Rhosts
    SSHD Set Compression
    SSHD Strict Mode Checking
    SSHD Use Privilege Separation
4.5.5  Allow X11 Forwarding under SSH
    SSHD Enable X11 Forwarding
4.5.6  Force Secure Shell Account Lockout
    SSHD Maximum Authentication Attempts
4.5.7  Force Secure Shell to ignore rhosts
    SSHD Disable Rhosts Authentication
4.5.8  Disallow Empty Passwords under SSH
    SSHD Disable Empty Passwords
5  Audit Trail
    Audit Log Rotation
    Audit Rules
    Audit Rules (Solaris)
    Enable the Audit Subsystem
    Enable Vsftpd Additional Logging
    Secure Authpriv Logging
    System Log File Permissions
6.1  Kernel TCP Stack Tuning
    Adjust Maximum Pending Connections
    Disable Accepting ICMP Redirects
    Disable Accepting Secure Redirects
    Disable Broadcast Packet Forwarding
    Disable IP Forwarding
    Disable Sending ICMP Redirects
    Disable Source Routing
    Enable Reverse Path Source Validation
    Enable TCP Syncookies
    Ignore ICMP ECHO and TIMESTAMP Requests
    Configure System to Log 'martian' Network Packets
6.2  Configuring Stand Alone Services
    Disable Apache
    Disable Bluetooth
    Disable Console Mouse Support
    Disable DNS
    Disable FTP (gssftp)
    Disable FTP (vsftpd)
    Disable ISDN
    Disable Innd
    Disable Kudzu
    Disable MySQL
    Disable NFS Client
    Disable NFS Server
    Disable NIS Client
    Disable NIS Server
    Disable NetFS
    Disable Portmap Daemon
    Disable Postgresql
    Disable Power Management
    Disable Printer Configuration Daemon
    Disable Printer Daemon
    Disable SMB
    Disable SNMP
    Disable Sendmail
    Disable Squid
    Disable TFTP
    Disable Telnet
    Disable Tux
    Disable UUCP
    Disable Webmin
6.7.1  Deactivate SNMP
    Disable SNMP
6.7.2  Verify SNMP Configuration
    Disable SNMP if Default Public String Exists
6.9.1  Disable NFS When Not Required
    Disable NFS Server
6.9.2  Restrict NFS to Privileged Ports
    Remove Insecure_Locks Option for NFS Server
    Secure Option for NFS Server
6.11.1  Disable NIS When Not Required
    Disable NIS Client
6.12.1  Disable the Listener under X11
    Restrict Remote X Clients
6.14.2  Ensure IPv6 Module Does Not Load
    Disable IPv6 Kernel Module
7.2  File System Controls
    Use NODEV Option for Non-Root Partitions
    Use NOSUID and NODEV for Removable Media
    Use NOSUID on User Filesystems
7.4  Reset Permissions on grub Boot Loader
    Boot Loader Configuration File Permissions
7.5  Reset Permissions on lilo Boot Loader
    Boot Loader Configuration File Permissions
7.6.1  Set umask for Users
    Default umask
7.6.2  Set umask for Daemons
    Daemon Umask
7.7  Single User Mode Password
    Single User Mode Password
7.8  Disable Control-Alt-Del
    Disable Ctrl-Alt-Del
8.2  Verify File System Permissions
    Secure SUID/SGID Executables
8.3  Verify Unowned Files Do Not Exist
    Secure Unowned Files
8.4  Verify World Writable Files Are Limited
    Secure World Writable Devices
    Secure World Writable Directories
    Secure World Writable Files
8.5  Verify SUID/SGID Files Are Appropriate
    Secure SUID/SGID Executables
8.6  configure Boot Process
    Require GRUB Password
8.7  Disable PCMCIA and USB
    Disable USB and PCMCIA Devices
8.9.1  Ensure Sendmail is Deactivated
    Disable Sendmail
8.9.4  Change Sendmail Greeting
    Configure Sendmail Options
8.9.5  Disable expand and verify Commands
    Configure Sendmail Options
8.9.6  Enhance Sendmail Logging
    Configure Sendmail Options
8.9.7  Ignore Bogus SMTP Connections
    Configure Sendmail Options
10  SELinux (Security Enhanced Linux)
    Disable MCS Translation Service
    Disable Restorecon
    Disable SETroubleshoot
DISA Mozilla Firefox STIG v4 R2
Security Blanket can address the following items. It should be noted that many of these items are taken from various STIGs; however, there is no industry-standard profile delivered with Security Blanket for them, because these items do not cover a guideline in its entirety and a dedicated Security Blanket profile is therefore not warranted.
14 Total number of line items in guideline
14 Items at least partially addressed by Security Blanket
0 Items not addressed by Security Blanket
Table A.5. DISA Mozilla Firefox STIG v4 R2
Item | Title | Security Blanket Modules
DTBF003 | Installed version of Firefox unsupported | Disable Firefox if Older than 3.0
DTBF010 | Disable SSLv2 | Firefox - Encryption
DTBF030 | Enable TLS v1.0 | Firefox - Encryption
DTBF050 | Verification | Firefox - Encryption
DTBF105 | Shell Protocol | Firefox - Network
DTBF130 | Switching from secure to insecure | Firefox - Privacy
DTBF140 | Autofill forms | Firefox - Privacy
DTBF160 | Password Store | Firefox - Privacy
DTBF170 | Cookies | Firefox - Privacy
DTBF180 | Pop-up windows | Firefox - Dynamic Content
DTBF181 | Javascript move or resize windows | Firefox - JavaScript
DTBF182 | Javascript raise or lower windows | Firefox - JavaScript
DTBF183 | Javascript Context Menus | Firefox - JavaScript
DTBF184 | Javascript hiding or changing status bar | Firefox - JavaScript
DISA Red Hat 5 STIG v1R4
The Security Technical Implementation Guides (STIGs) are the configuration standards for U.S. Department of Defense (DoD)
Information Assurance (IA) and IA-enabled devices/systems. The guides are maintained and published by the Defense Information
Systems Agency’s (DISA) Field Security Office (FSO). Approximately every ninety days the FSO publishes updates to its checklists.
Purchasing yearly service from Raytheon Trusted Computer Solutions entitles you to regular updates of Security Blanket.
570 Total number of line items in guideline
373 Items at least partially addressed by Security Blanket
197 Items not addressed by Security Blanket
Table A.6. DISA Red Hat 5 STIG v1R4
Item | Title | Security Blanket Modules
GEN000000LNX00320 | The system must not have special privilege accounts, such as shutdown and halt. | Remove Halt User Account; Remove Shutdown User Account
GEN000000LNX00400 | The /etc/access.conf file must be owned by root. | Access.conf File Permissions
GEN000000LNX00420 | The /etc/access.conf file must have a privileged group owner. | Access.conf File Permissions
GEN000000LNX00440 | The /etc/access.conf file must have mode 0640 or less permissive. | Access.conf File Permissions
GEN000000LNX00480 | The /etc/sysctl.conf file must be owned by root. | Sysctl.conf Permissions
GEN000000LNX00500 | The /etc/sysctl.conf file must be group-owned by root. | Sysctl.conf Permissions
GEN000000LNX00520 | The /etc/sysctl.conf file must have mode 0600 or less permissive. | Sysctl.conf Permissions
GEN000000LNX00560 | The Linux NFS Server must not have the insecure file locking option. | Remove Insecure_Locks Option for NFS Server
GEN000000LNX00580 | The x86 CTRL-ALT-DELETE key sequence must be disabled. | Disable Ctrl-Alt-Del
GEN000000LNX00600 | The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console. | Disable console.perms File; Disable PAM Console Library
GEN000000LNX00620 | The /etc/securetty file must be group-owned by root, sys, or bin. | System Configuration File Permissions
GEN000000LNX00640 | The /etc/securetty file must be owned by root. | System Configuration File Permissions
GEN000000LNX00660 | The /etc/securetty file must have mode 0640 or less permissive. | System Configuration File Permissions
GEN000000LNX00720 | Auditing must be enabled at boot by setting a kernel parameter. | Enable Auditing For All Processes
GEN000000LNX00800 | The system must use a Linux Security Module configured to limit the privileges of system services. | Ensure SELinux is Properly Enabled
GEN000000LNX001431 | The /etc/gshadow file must be owned by root. | Shadow Perms
GEN000000LNX001432 | The /etc/gshadow file must be group-owned by root. | Shadow Perms
GEN000000LNX001433 | The /etc/gshadow file must have mode 0400. | Shadow Perms
GEN000000LNX001476 | The /etc/gshadow file must not contain any group password hashes. | No Hashes Allowed in Passwd/Group Files
GEN000020 | The system must require authentication upon booting into single-user and maintenance modes. | Single User Mode Password
GEN000250 | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. | NTP Perms
GEN000251 | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys. | NTP Perms
GEN000252 | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. | NTP Perms
GEN000290-1 | The system must not have the unnecessary "games" account. | Remove Games User Account
GEN000290-2 | The system must not have the unnecessary "news" account. | Remove News User Account
GEN000290-3 | The system must not have the unnecessary "gopher" account. | Remove Gopher User Account
GEN000290-4 | The system must not have the unnecessary "ftp" account. | Remove ftp Account
GEN000300 | All accounts on the system must have unique user or account names. | Lock Invalid Accounts
GEN000320 | All accounts must be assigned unique User Identification Numbers (UIDs). | Lock Invalid Accounts
GEN000380 | All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file. | Lock Invalid Accounts
GEN000400 | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | Create Login Banner; Create Login FTP Banner; Create Pre-Login GUI Banner; Create Pre-Session GUI Banner; SSHD Enable Banner
GEN000402 | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | Create Login Banner; Create Pre-Login GUI Banner
GEN000410 | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. | Create Login Banner; Create Login FTP Banner
GEN000450 | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. | Maximum Number of Logins per User
GEN000452 | The system must display the date and time of the last successful account login upon login. | SSHD Print Last Log
GEN000460 | The system must disable accounts after three consecutive unsuccessful login attempts. | Lock Account after Three Failed Login Attempts
GEN000480 | The delay between login prompts following a failed login attempt must be at least 4 seconds. | Set Delay after Failed Login
GEN000500 | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to reauthenticate to unlock the environment. | Set Mandatory Screen Saver
GEN000500-2 | The graphical desktop environment must set the idle timeout to no more than 15 minutes. | Set Mandatory Screen Saver
GEN000500-3 | Graphical desktop environments provided by the system must have automatic lock enabled. | Set Mandatory Screen Saver
GEN000540 | Users must not be able to change passwords more than once every 24 hours. | Minimum Delay Between Password Changes; Set Password Aging on Active Accounts
GEN000560 | The system must not have accounts configured with blank or null passwords. | No Empty Passwords
GEN000580 | The system must require passwords contain a minimum of 14 characters. | Password Policy Length Minimum
GEN000600 | The system must require passwords contain at least one uppercase alphabetic character. | Password Policy Uppercase Minimum
GEN000610 | The system must require passwords contain at least one lowercase alphabetic character. | Password Policy Lowercase Minimum
GEN000620 | The system must require passwords contain at least one numeric character. | Password Policy Numeric Minimum
GEN000640 | The system must require passwords contain at least one special character. | Password Policy Special Characters
GEN000680 | The system must require passwords contain no more than three consecutive repeating characters. | Password Policy Consecutive Characters
GEN000700 | User passwords must be changed at least every 60 days. | Maximum Time Between Password Changes; Set Password Aging on Active Accounts
GEN000750 | The system must require at least four characters be changed between the old and new passwords during a password change. | Password Policy Different Characters
GEN000800 | The system must prohibit the reuse of passwords within five iterations. | Limit Password Reuse
GEN000850 | The system must restrict the ability to switch to the root user to members of a defined group. | Limit Access To Root From Su
GEN000880 | The root account must be the only account having a UID of 0. | Lock Non-Root Accounts with UID 0
GEN000900 | The root user's home directory must not be the root directory (/). | Root Home Directory Permissions
GEN000920 | The root account's home directory (other than /) must have mode 0700. | Root Home Directory Permissions
GEN000940 | The root account's executable search path must be the vendor default and must contain only absolute paths. | Root Path
GEN000960 | The root account must not have world-writable directories in its executable search path. | Root Path
GEN000980 | The system must prevent the root account from directly logging in except from the system console. | Root Console Only Logins
GEN001000 | Remote consoles must be disabled or protected from unauthorized access. | Root Console Only Logins
GEN001020 | The root account must not be used for direct log in. | SSHD Disable Root Login
GEN001060 | The system must log successful and unsuccessful access to the root account. | Secure Authpriv Logging
GEN001080 | The root shell must be located in the / file system. | Root Shell must be on / filesystem
GEN001120 | The system must not permit root logins using remote access programs such as ssh. | SSHD Disable Root Login
GEN001140 | System files and directories must not have uneven access permissions. | Correct Uneven File Permissions
GEN001160 | All files and directories must have a valid owner. | Secure Unowned Files
GEN001180 | All network services daemon files must have mode 0755 or less permissive. | System Command File Permissions
GEN001200 | All system command files must have mode 0755 or less permissive. | System Command File Permissions
GEN001220 | All system files, programs, and directories must be owned by a system account. | System Command File Permissions
GEN001240 | System files, programs, and directories must be group-owned by a system group. | System Command File Permissions
GEN001260 | System log files must have mode 0640 or less permissive. | System Log File Permissions
GEN001280 | Manual page files must have mode 0644 or less permissive. | Restrict Write Access on Man Pages
GEN001300 | Library files must have mode 0755 or less permissive. | System Library File Permissions
GEN001320 | NIS/NIS+/yp files must be owned by root, sys, or bin. | NIS/NIS+/YP Configuration File Permissions
GEN001340 | NIS/NIS+/yp files must be group-owned by root, sys, or bin. | NIS/NIS+/YP Configuration File Permissions
GEN001360 | The NIS/NIS+/yp command files must have mode 0755 or less permissive. | NIS/NIS+/YP Configuration File Permissions
GEN001362 | The /etc/resolv.conf file must be owned by root. | Resolver Configuration File Permissions
GEN001363 | The /etc/resolv.conf file must be group-owned by root, bin, or sys. | Resolver Configuration File Permissions
GEN001364 | The /etc/resolv.conf file must have mode 0644 or less permissive. | Resolver Configuration File Permissions
GEN001366 | The /etc/hosts file must be owned by root. | Hosts File Permissions
GEN001367 | The /etc/hosts file must be group-owned by root, bin, or sys. | Hosts File Permissions
GEN001368 | The /etc/hosts file must have mode 0644 or less permissive. | Hosts File Permissions
GEN001371 | The /etc/nsswitch.conf file must be owned by root. | Name Service Switch Configuration File Permissions
GEN001372 | The /etc/nsswitch.conf file must be group-owned by root, bin, or sys. | Name Service Switch Configuration File Permissions
GEN001373 | The /etc/nsswitch.conf file must have mode 0644 or less permissive. | Name Service Switch Configuration File Permissions
GEN001378 | The /etc/passwd file must be owned by root. | Password Perms
GEN001379 | The /etc/passwd file must be group-owned by root, bin, or sys. | Password Perms
GEN001380 | The /etc/passwd file must have mode 0644 or less permissive. | Password Perms
GEN001391 | The /etc/group file must be owned by root. | Password Perms
GEN001392 | The /etc/group file must be group-owned by root, bin, or sys. | Password Perms
GEN001393 | The /etc/group file must have mode 0644 or less permissive. | Password Perms
GEN001400 | The /etc/shadow (or equivalent) file must be owned by root. | Shadow Perms
GEN001410 | The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys. | Shadow Perms
GEN001420 | The /etc/shadow (or equivalent) file must have mode 0400. | Shadow Perms
GEN001440 | All interactive users must be assigned a home directory in the /etc/passwd file. | Lock Invalid Accounts
GEN001460 | All interactive user home directories defined in the /etc/passwd file must exist. | Lock Invalid Accounts
GEN001470 | The /etc/passwd file must not contain password hashes. | No Hashes Allowed in Passwd/Group Files
GEN001475 | The /etc/group file must not contain any group password hashes. | No Hashes Allowed in Passwd/Group Files
GEN001480 | All user home directories must have mode 0750 or less permissive. | Home Directory Permissions
GEN001500 | All interactive user home directories must be owned by their respective users. | Home Directory Ownership
GEN001520 | All interactive user home directories must be group-owned by the home directory owner's primary group. | Home Directory Ownership
GEN001540 | All files and directories contained in interactive user home directories must be owned by the home directory's owner. | Home Directory Contents
GEN001550 | All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. | Home Directory Contents
GEN001560 | All files and directories contained in user home directories must have mode 0750 or less permissive. | Home Directory Contents
GEN001580 | All run control scripts must have mode 0755 or less permissive. | System Run Control Script Permissions
GEN001600 | Run control scripts' executable search paths must contain only absolute paths. | Correct System RC Script PATH Variables
GEN001660 | All system start-up files must be owned by root. | System Run Control Script Permissions
GEN001680 | All system start-up files must be group-owned by root, sys, bin, other, or system. | System Run Control Script Permissions
GEN001720 | All global initialization files must have mode 0644 or less permissive. | Global Initialization File Permissions
GEN001740 | All global initialization files must be owned by root. | Global Initialization File Permissions
GEN001760 | All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. | Global Initialization File Permissions
GEN001780 | Global initialization files must contain the "mesg -n" or "mesg n" commands. | Limit Term Write Access to Owner
GEN001800 | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive. | Skeleton File Permissions
GEN001820 | All skeleton files and directories (typically in /etc/skel) must be owned by root or bin. | Skeleton File Permissions
GEN001830 | All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other. | Skeleton File Permissions
GEN001840 | All global initialization files' executable search paths must contain only absolute paths. | Correct Global Init Script PATH Variables
GEN001860 | All local initialization files must be owned by the home directory's user or root. | Home Directory Contents; User Dot File Perms
GEN001870 | Local initialization files must be group-owned by the user's primary group or root. | User Dot File Perms
GEN001880 | All local initialization files must have mode 0740 or less permissive. | User Dot File Perms
GEN001980 | The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups. | No Plus Entries in Password Files
GEN002000 | There must be no .netrc files on the system. | Secure Netrc Files
GEN002040 | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system. | Remove rsh Authorization Files
GEN002060 | All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. | Secure Netrc Files
GEN002100 | The .rhosts file must not be supported in PAM. | Disable Rhosts Support
GEN002120 | The /etc/shells (or equivalent) file must exist. | Allowed Shells in /etc/shells
GEN002140 | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins. | Sync Shells File
GEN002200 | All shell files must be owned by root or bin. | Secure Shell Binaries
GEN002210 | All shell files must be group-owned by root, bin, sys, or system. | Secure Shell Binaries
GEN002220 | All shell files must have mode 0755 or less permissive. | Secure Shell Binaries
GEN002280 | Device files and directories must only be writable by users with a system account or as configured by the vendor. | Secure World Writable Devices; System Device Directory Ownership
GEN002320 | Audio devices must have mode 0660 or less permissive. | Secure Audio Devices
GEN002340 | Audio devices must be owned by root. | Secure Audio Devices
GEN002360 | Audio devices must be group-owned by root, sys, bin, or system. | Secure Audio Devices
GEN002380 | The owner, group-owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures. | Secure SUID/SGID Executables
GEN002400 | The system must be checked weekly for unauthorized setuid files as well as unauthorized modification to authorized setuid files. | Secure SUID/SGID Executables
GEN002420 | Removable media, remote file systems, and any file system not containing approved setuid files must be mounted with the "nosuid" option. | Use NOSUID and NODEV for Removable Media; Use NOSUID on User Filesystems
GEN002430 | Removable media, remote file systems, and any file system not containing approved device files must be mounted with the "nodev" option. | Use NOSUID and NODEV for Removable Media
GEN002440 | The owner, group-owner, mode, ACL and location of files with the setgid bit set must be documented using site-defined procedures. | Secure SUID/SGID Executables
GEN002460 | The system must be checked weekly for unauthorized setgid files as well as unauthorized modification to authorized setgid files. | Secure SUID/SGID Executables
GEN002480 | Public directories must be the only world-writable directories and world-writable files must be located only in public directories. | Secure World Writable Devices; Secure World Writable Directories; Secure World Writable Files
GEN002500 | The sticky bit must be set on all public directories. | Secure World Writable Directories
GEN002560 | The system and user default umask must be 077. | Default umask
GEN002640 | Default system accounts must be disabled or removed. | Block System Accounts
GEN002660 | Auditing must be implemented. | Enable the Audit Subsystem
GEN002680 | System audit logs must be owned by root. | System Log File Permissions
GEN002690 | System audit logs must be group-owned by root, bin, sys, or system. | System Log File Permissions
GEN002700 | System audit logs must have mode 0640 or less permissive. | System Log File Permissions
GEN002715 | System audit tool executables must be owned by root. | Audit Tools Perms
GEN002716 | System audit tool executables must be group-owned by root, bin, sys, or system. | Audit Tools Perms
GEN002717 | System audit tool executables must have mode 0750 or less permissive. | Audit Tools Perms
GEN002719 | The audit system must alert the SA in the event of an audit processing failure. | Configure /etc/audit/auditd.conf Settings
GEN002720 | The audit system must be configured to audit failed attempts to access files and programs. | Audit Rules
GEN002720-2 | The audit system must be configured to audit failed attempts to access files and programs. | Audit Rules
GEN002720-3 | The audit system must be configured to audit failed attempts to access files and programs. | Audit Rules
GEN002720-4 | The audit system must be configured to audit failed attempts to access files and programs. | Audit Rules
GEN002720-5 | The audit system must be configured to audit failed attempts to access files and programs. | Audit Rules
GEN002730 | The audit system must alert the SA when the audit storage volume approaches its capacity. | Configure /etc/audit/auditd.conf Settings
GEN002740 | The audit system must be configured to audit files and programs deleted by the user. | Audit Rules
GEN002740-2 | The audit system must be configured to audit file deletions. | Audit Rules
GEN002750 | The audit system must be configured to audit account creation. | Audit Rules
GEN002751 | The audit system must be configured to audit account modification. | Audit Rules
GEN002752 | The audit system must be configured to audit account disabling. | Audit Rules
GEN002753 | The audit system must be configured to audit account termination. | Audit Rules
GEN002760-2 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-3 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-4 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-5 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-6 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-7 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-8 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-9 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002760-10 | The audit system must be configured to audit all administrative, privileged, and security actions. | Audit Rules
GEN002820 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-2 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-3 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-4 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-5 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-6 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-7 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-8 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-9 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-10 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-11 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-12 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002820-13 | The audit system must be configured to audit all discretionary access control permission modifications. | Audit Rules
GEN002825 | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | Audit Rules
GEN002825-2 | The audit system must be configured to audit the loading and unloading of dynamic kernel modules - delete_module. | Audit Rules
GEN002825-3 | The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/insmod. | Audit Rules
GEN002825-4 | The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/modprobe. | Audit Rules
GEN002825-5 | The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/rmmod. | Audit Rules
GEN002860 | Audit logs must be rotated daily. | Audit Log Rotation
GEN002960 | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s). | Restrict At and Cron
GEN002980 | The cron.allow file must have mode 0600 or less permissive. | At/Cron Access File Permissions; Restrict At and Cron
GEN003040 | Crontabs must be owned by root or the crontab creator. | Crontab Perms; Crontab Script Perms
GEN003050 | Crontab files must be group-owned by root, cron, or the crontab creator's primary group. | Crontab Perms; Crontab Script Perms
GEN003080 | Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive. | Crontab Perms
GEN003080-2 | Files in cron script directories must have mode 0700 or less permissive. | Crontab Script Perms
GEN003100 | Cron and crontab directories must have mode 0755 or less permissive. | Crontab Dir Perms
GEN003120 | Cron and crontab directories must be owned by root or bin. | Crontab Dir Perms
GEN003140 | Cron and crontab directories must be group-owned by root, sys, bin or cron. | Crontab Dir Perms
GEN003160 | Cron logging must be implemented. | Cron Logging
GEN003180 | The cronlog file must have mode 0600 or less permissive. | System Log File Permissions
GEN003200 | The cron.deny file must have mode 0600 or less permissive. | At/Cron Access File Permissions; Restrict At and Cron
GEN003240 | The cron.allow file must be owned by root, bin, or sys. | At/Cron Access File Permissions; Restrict At and Cron
GEN003250 | The cron.allow file must be group-owned by root, bin, sys, or cron. | At/Cron Access File Permissions; Restrict At and Cron
GEN003252 | The at.deny file must have mode 0600 or less permissive. | At/Cron Access File Permissions; Restrict At and Cron
GEN003260 | The cron.deny file must be owned by root, bin, or sys. | At/Cron Access File Permissions; Restrict At and Cron
GEN003270 | The cron.deny file must be group-owned by root, bin, sys, or cron. | At/Cron Access File Permissions; Restrict At and Cron
GEN003280 | Access to the "at" utility must be controlled via the at.allow and/or at.deny file(s). | Restrict At and Cron
GEN003300 | The at.deny file must not be empty if it exists. | Restrict At and Cron
GEN003320 | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist. | Restrict At and Cron
GEN003340 | The at.allow file must have mode 0600 or less permissive. | At/Cron Access File Permissions; Restrict At and Cron
GEN003400 | The "at" directory must have mode 0755 or less permissive. | At Directory Permissions
GEN003420 | The at directory must be owned by root, bin, sys, daemon, or cron. | At Directory Permissions
GEN003430 | The "at" directory must be group-owned by root, bin, sys, or cron. | At Directory Permissions
GEN003460 | The at.allow file must be owned by root, bin, or sys. | At/Cron Access File Permissions
GEN003470 | The at.allow file must be group-owned by root, bin, sys, or cron. | At/Cron Access File Permissions
GEN003480 | The at.deny file must be owned by root, bin, or sys. | At/Cron Access File Permissions
GEN003490 | The at.deny file must be group-owned by root, bin, sys, or cron. | At/Cron Access File Permissions
GEN003500 | Process core dumps must be disabled unless needed. | Disable Core Dumps
GEN003510 | Kernel core dumps must be disabled unless needed. | Disable Kernel Crash Analyzer
GEN003520 | The kernel core dump data directory must be owned by root. | Kernel Core Dump Directory Permissions
GEN003521 | The kernel core dump data directory must be group-owned by root, bin, sys, or system. | Kernel Core Dump Directory Permissions
GEN003522 | The kernel core dump data directory must have mode 0700 or less permissive. | Kernel Core Dump Directory Permissions
GEN003540 | The system must implement non-executable program stacks. | Enable ExecShield Kernel Module
GEN003600 | The system must not forward IPv4 source-routed packets. | Disable Source Routing
GEN003601 | TCP backlog queue sizes must be set appropriately. | Adjust Maximum Pending Connections
GEN003603 | The system must not respond to Internet Control Message Protocol v4 (ICMPv4) echoes sent to a broadcast address. | Ignore ICMP ECHO and TIMESTAMP Requests
GEN003604 | The system must not respond to Internet Control Message Protocol (ICMP) timestamp requests sent to a broadcast address. | Ignore ICMP ECHO and TIMESTAMP Requests
GEN003607 | The system must not accept source-routed IPv4 packets. | Disable Source Routing
GEN003608 | Proxy Address Resolution Protocol (Proxy ARP) must not be enabled on the system. | Disable Proxy Address Resolution Protocol (Proxy ARP)
GEN003609 | The system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Disable Accepting ICMP Redirects
GEN003610 | The system must not send IPv4 Internet Control Message Protocol (ICMP) redirects. | Disable Sending ICMP Redirects
GEN003611 | The system must log martian packets. | Configure System to Log 'martian' Network Packets
GEN003612 | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. | Enable TCP Syncookies
GEN003620 | A separate file system must be used for user home directories (such as /home or an equivalent). | Check for Separate /home File System
GEN003621 | The system must use a separate file system for /var. | Check for Separate /var File System
GEN003623 | The system must use a separate file system for the system audit data path. | Check for Separate /var/log/audit File System
GEN003624 | The system must use a separate file system for /tmp (or equivalent). | Check for Separate /tmp File System
GEN003660 | The system must log informational authentication data. | Secure Authpriv Logging
GEN003700 | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled. | Disable Inetd
GEN003720 | The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin. | Inetd/Xinetd Configuration File Permissions
GEN003730 | The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system. | Inetd/Xinetd Configuration File Permissions
GEN003740 | The inetd.conf and xinetd.conf files must have mode 0640 or less permissive. | Inetd/Xinetd Configuration File Permissions
GEN003750 | The xinetd.d directory must have mode 0755 or less permissive. | System Configuration File Permissions
GEN003760 | The services file must be owned by root or bin. | Services File Permissions
GEN003770 | The services file must be group-owned by root, bin, sys, or system. | Services File Permissions
GEN003780 | The services file must have mode 0644 or less permissive. | Services File Permissions
GEN003800 | Inetd or xinetd logging/tracing must be enabled. | Configure Xinetd Logging
GEN003810 | The portmap or rpcbind service must not be running unless needed. | Disable Portmap Daemon
GEN003820 | The rsh daemon must not be running. | Disable Remote Shell (rsh)
GEN003830 | The rlogind service must not be running. | Disable Remote Login (rlogin)
GEN003840 | The rexec daemon must not be running. | Disable Remote Exec (rexec)
GEN003850 | The telnet daemon must not be running. | Disable Telnet
GEN003860 | The system must not have the finger service active. | Disable Finger
GEN003865 | Network analysis tools must not be installed. | Disable Network Analysis Tools
GEN003920 | The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp. | Printer Configuration File Permissions
GEN003930 | The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system. | Printer Configuration File Permissions
GEN003940
The hosts.lpd (or equivalent) must have mode 0644 or
Printer Configuration File Permissions
less permissive.
GEN003960
The traceroute command owner must be root.
GEN003980
The traceroute command must be group-owned by sys,
Restrict Use of Traceroute and Ping
bin, root, or system.
Security Blanket® Modules Guide
Restrict Use of Traceroute and Ping
Export Controlled - See Sheet 1
318
Cross Reference to Guidelines
Item
Title
Security Blanket Modules
GEN004000 | The traceroute file must have mode 0700 or less permissive. | Restrict Use of Traceroute and Ping
GEN004360 | The alias file must be owned by root. | Mail Agent Aliases Files Permissions
GEN004370 | The aliases file must be group-owned by root, sys, bin, or system. | Mail Agent Aliases Files Permissions
GEN004380 | The alias file must have mode 0644 or less permissive. | Mail Agent Aliases Files Permissions
GEN004440 | Sendmail logging must not be set to less than nine in the sendmail.cf file. | Configure Sendmail Options
GEN004460 | The system syslog service must log informational and more severe SMTP service messages. | Log Critical Sendmail Messages
GEN004480 | The SMTP service log file must be owned by root. | System Log File Permissions
GEN004500 | The SMTP service log file must have mode 0644 or less permissive. | System Log File Permissions
GEN004540 | The SMTP service HELP command must not be enabled. | Disable Sendmail Help
GEN004560 | The SMTP service's SMTP greeting must not provide version information. | Configure Sendmail Options
GEN004580 | The system must not use .forward files. | Configure Sendmail Options
GEN004600 | The SMTP service must be an up-to-date version. | Disable Sendmail if Older than 8.13.8
GEN004620 | The sendmail server must have the debug feature disabled. | Configure Sendmail Options
GEN004660 | The SMTP service must not have the EXPN feature active. | Configure Sendmail Options
GEN004680 | The SMTP service must not have the Verify (VRFY) feature active. | Configure Sendmail Options
GEN004800 | Unencrypted FTP must not be used on the system. | Disable FTP (vsftpd)
GEN004820 | Anonymous FTP must not be active on the system unless authorized. | Remove ftp Account
GEN004880 | The ftpusers file must exist. | Create ftpusers File
GEN004900 | The ftpusers file must contain account names not allowed to use FTP. | Create ftpusers File
GEN004920 | The ftpusers file must be owned by root. | FTP Configuration File Permissions
GEN004930 | The ftpusers file must be group-owned by root, bin, sys, or system. | FTP Configuration File Permissions
GEN004940 | The ftpusers file must have mode 0640 or less permissive. | FTP Configuration File Permissions
GEN004980 | The FTP daemon must be configured for logging or verbose mode. | Enable Vsftpd Additional Logging
GEN005040 | All FTP users must have a default umask of 077. | Set FTP Umask (gssftp)
GEN005080 | The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system. | Set TFTP Startup Directory
GEN005100 | The TFTP daemon must have mode 0755 or less permissive. | System Command File Permissions
GEN005180 | All .Xauthority files must have mode 0600 or less permissive. | Home Directory Contents
GEN005260 | X Window System connections not required must be disabled. | Disable Graphical Login
GEN005280 | The system must not have the UUCP service active. | Disable UUCP
GEN005300 | SNMP communities, users, and passphrases must be changed from the default. | Disable SNMP if Default Public String Exists
GEN005320 | The snmpd.conf file must have mode 0600 or less permissive. | SNMP Configuration File Permissions
GEN005340 | Management Information Base (MIB) files must have mode 0640 or less permissive. | Management Information Base (MIB) File Permissions
GEN005360 | The snmpd.conf file must be owned by root. | SNMP Configuration File Permissions
GEN005365 | The snmpd.conf file must be group-owned by root, bin, sys, or system. | SNMP Configuration File Permissions
GEN005380 | If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS. | Disable SNMP
GEN005390 | The /etc/syslog.conf file must have mode 0640 or less permissive. | System Logging Configuration File Permissions
GEN005400 | The /etc/syslog.conf file must be owned by root. | System Logging Configuration File Permissions
GEN005420 | The /etc/syslog.conf file must be group-owned by root, bin, sys, or system. | System Logging Configuration File Permissions
GEN005480 | The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. | Disable Remote Syslog
GEN005500 | The SSH daemon must be configured to only use the SSHv2 protocol. | SSHD Protocol
GEN005501 | The SSH client must be configured to only use the SSHv2 protocol. | SSH Parameters
GEN005505 | The SSH daemon must be configured to only use FIPS 140-2 approved ciphers. | SSHD Restrict Ciphers
GEN005506 | The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers. | SSHD Restrict Ciphers
GEN005507 | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | SSHD Restrict HMAC
GEN005510 | The SSH client must be configured to only use FIPS 140-2 approved ciphers. | SSH Restrict Ciphers
GEN005511 | The SSH client must be configured to not use Cipher-Block Chaining (CBC)-based ciphers. | SSH Restrict Ciphers
GEN005512 | The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | SSH Restrict HMAC
GEN005521 | The SSH daemon must restrict login ability to specific users and/or groups. | SSHD Restrict Users and Groups
GEN005524 | The SSH daemon must not permit GSSAPI authentication unless needed. | SSHD Disable GSSAPI Authentication
GEN005525 | The SSH client must not permit GSSAPI authentication unless needed. | SSH Disable GSSAPI Authentication
GEN005526 | The SSH daemon must not permit Kerberos authentication unless needed. | SSHD Disable Kerberos Authentication
GEN005536 | The SSH daemon must perform strict mode checking of home directory configuration files. | SSHD Strict Mode Checking
GEN005537 | The SSH daemon must use privilege separation. | SSHD Use Privilege Separation
GEN005538 | The SSH daemon must not allow rhosts RSA authentication. | SSHD Disable Rhosts RSA Authentication
GEN005539 | The SSH daemon must not allow compression or must only allow compression after successful authentication. | SSHD Set Compression
GEN005540 | The SSH daemon must be configured for IP filtering. | Enable TCP Wrappers
GEN005550 | The SSH daemon must be configured with the Department of Defense (DoD) logon banner. | Create Login Banner; SSHD Enable Banner
GEN005600 | IP forwarding for IPv4 must not be enabled, unless the system is a router. | Disable IP Forwarding
GEN005610 | The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router. | Disable IP Forwarding
GEN005740 | The Network File System (NFS) export configuration file must be owned by root. | NFS Export Configuration File Permissions
GEN005750 | The Network File System (NFS) export configuration file must be group-owned by root, bin, sys, or system. | NFS Export Configuration File Permissions
GEN005760 | The Network File System (NFS) export configuration file must have mode 0644 or less permissive. | NFS Export Configuration File Permissions
GEN005820 | The Network File System (NFS) anonymous UID and GID must be configured to values without permissions. | Deny NFS Client Access Without UID or GID
GEN005900 | The "nosuid" option must be enabled on all Network File System (NFS) client mounts. | Use NOSUID on User Filesystems
GEN006000 | The system must not have a public Instant Messaging (IM) client installed. | Disable Instant Messenger Client (Yahoo!); Disable Instant Messenger Client (gaim)
GEN006040 | The system must not have any peer-to-peer file-sharing application installed. | Disable File Sharing Networks
GEN006060 | The system must not run Samba unless needed. | Disable SMB
GEN006100 | The /etc/smb.conf file must be owned by root. | Samba Configuration File Permissions
GEN006120 | The /etc/smb.conf file must be group-owned by root, bin, sys, or system. | Samba Configuration File Permissions
GEN006140 | The /etc/smb.conf file must have mode 0644 or less permissive. | Samba Configuration File Permissions
GEN006160 | The /etc/smbpasswd file must be owned by root. | Samba Password File Permissions
GEN006180 | The smbpasswd file must be group-owned by root. | Samba Password File Permissions
GEN006200 | The smbpasswd file must have mode 0600 or less permissive. | Samba Password File Permissions
GEN006220 | The smb.conf file must use the "hosts" option to restrict access to Samba. | SMB Configuration
GEN006225 | Samba must be configured to use an authentication mechanism other than "share." | SMB Configuration
GEN006230 | Samba must be configured to use encrypted passwords. | SMB Configuration
GEN006235 | Samba must be configured to not allow guest access to shares. | Remove SMB Guest Authentication; SMB Configuration
GEN006240 | The system must not run an Internet Network News (INN) server. | Disable Innd
GEN006260 | The /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive. | InterNetNews Config File Perms
GEN006280 | The /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive. | InterNetNews Config File Perms
GEN006300 | The /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive. | InterNetNews Config File Perms
GEN006320 | The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive. | InterNetNews Config File Perms
GEN006340 | Files in /etc/news must be owned by root or news. | InterNetNews Config File Perms
GEN006360 | The files in /etc/news must be group-owned by root or news. | InterNetNews Config File Perms
GEN006400 | The Network Information System (NIS) protocol must not be used. | Disable NIS Client; Disable NIS Server
GEN006600 | Accounts must be locked upon 35 days of inactivity. | Lock Expired Account after Inactivity; Set Password Aging on Active Accounts
GEN006620 | The system's access control program must be configured to grant or deny system access to specific hosts. | Enable TCP Wrappers
GEN007020 | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. | Disable Support for SCTP
GEN007080 | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. | Disable Support for DCCP
GEN007480 | The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required. | Disable Support for RDS
GEN007540 | The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled. | Disable Support for TIPC
GEN007660 | The Bluetooth protocol handler must be disabled or not installed. | Disable Bluetooth Kernel Modules
GEN007700 | The IPv6 protocol handler must not be bound to the network stack unless needed. | Disable IPv6 Kernel Module
GEN007850 | The DHCP client must not send dynamic DNS updates. | Prohibit DHCP Client Dynamic DNS Updates
GEN007860 | The system must ignore IPv6 ICMP redirect messages. | Disable Accepting ICMP Redirects
GEN007920 | The system must not forward IPv6 source-routed packets. | Disable IP Forwarding
GEN007960 | The 'ldd' command must be disabled unless it protects against the execution of untrusted files. | Configure Permissions on /usr/bin/ldd
GEN008020 | If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA. | Configure /etc/ldap.conf Settings
GEN008040 | If the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked. | Configure /etc/ldap.conf Settings
GEN008060 | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive. | LDAP Configuration File Permissions
GEN008080 | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root. | LDAP Configuration File Permissions
GEN008100 | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system. | LDAP Configuration File Permissions
GEN008420 | The system must use available memory address randomization techniques. | Enable ExecShield Kernel Module
GEN008440 | Automated file system mounting tools must not be enabled unless needed. | Disable Autofs Daemon
GEN008460 | The system must have USB disabled unless needed. | Disable USB and PCMCIA Devices
GEN008480 | The system must have USB Mass Storage disabled unless needed. | Disable Support for USB Storage
GEN008500 | The system must have IEEE 1394 (Firewire) disabled unless needed. | Disable Support for Firewire
GEN008520 | The system must employ a local firewall. | Enable Iptables
GEN008700 | The system boot loader must require authentication. | Require GRUB Password
GEN008710 | The system boot loader must protect passwords using an MD5 or stronger cryptographic hash. | Require GRUB Password
GEN008720 | The system's boot loader configuration file(s) must have mode 0600 or less permissive. | Boot Loader Configuration File Permissions
GEN008760 | The system's boot loader configuration files must be owned by root. | Boot Loader Configuration File Permissions
GEN008780 | The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system. | Boot Loader Configuration File Permissions
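The kernel network items in the table above (GEN003600 and GEN003607 source routing, GEN003603/GEN003604 broadcast ICMP, GEN003609/GEN003610 ICMP redirects, GEN003611 martian logging, GEN003612 syncookies, GEN005600/GEN005610 IP forwarding, GEN007860 IPv6 redirects) all come down to sysctl keys, and the same keys back the RHEL-06-000080 through RHEL-06-000099 items in Table A.7. The checker below is an added example written for this guide's cross-reference; it is not Security Blanket code, and the key list and expected values are the editor's reading of those items. It parses sysctl.conf the way sysctl -p applies it (last assignment wins, so a permissive duplicate below a hardened line undoes it), treats an unset key as a finding because the kernel default for keys such as accept_redirects is the permissive value, and distinguishes the "all" and "default" variants, which the RHEL STIG lists as separate items.

```python
"""Audit kernel network settings for the sysctl-based items above:
GEN003600/GEN003607 (source routing), GEN003603/GEN003604 (broadcast
ICMP), GEN003609/GEN003610 (ICMP redirects), GEN003611 (martians),
GEN003612 (syncookies), GEN005600/GEN005610 (IP forwarding) and
GEN007860 (IPv6 redirects).  Added example, not Security Blanket code;
the key list is the editor's reading of those items."""

# Both the "all" and "default" variants are required: "all" applies to
# interfaces that already exist, "default" to interfaces created later, so
# a host that sets only one of them is only half hardened.
REQUIRED = {
    "net.ipv4.ip_forward": "0",
    "net.ipv6.conf.all.forwarding": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv6.conf.default.accept_redirects": "0",
}


def parse_sysctl(text):
    """Parse sysctl.conf syntax the way sysctl -p does: whole-line '#' or
    ';' comments, 'key = value', a leading '-' meaning "ignore errors for
    this key", slash or dot separators, and the LAST assignment of a key
    winning because the file is applied top to bottom."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lstrip("-").replace("/", ".")] = value
    return settings


def check_sysctl(settings):
    """Return (key, expected, actual) for each required key that is wrong
    or unset.  actual is None when the file never sets the key; the kernel
    default then applies, and for accept_redirects and friends that default
    is the permissive value, so "not mentioned" is a real finding."""
    return [(key, expected, settings.get(key))
            for key, expected in REQUIRED.items()
            if settings.get(key) != expected]


def hardened_fragment():
    """Emit a sysctl.conf fragment that satisfies every key in REQUIRED."""
    return "".join(f"{key} = {value}\n" for key, value in REQUIRED.items())


def read_running(keys):
    """Read live values from /proc/sys (Linux only).  A compliant file proves
    nothing until 'sysctl -p' has run and nothing has overridden it since, so
    compare the running kernel too.  Keys absent from the kernel (the IPv6
    keys when the ipv6 module is disabled) are omitted rather than failed."""
    running = {}
    for key in keys:
        try:
            with open("/proc/sys/" + key.replace(".", "/")) as fh:
                running[key] = fh.read().strip()
        except OSError:
            pass
    return running


# Constructed sample: /etc/sysctl.conf after a partial hardening pass.
WEAK_SYSCTL_CONF = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
# a later duplicate silently overrides the hardened value above
net.ipv4.conf.all.accept_redirects = 1
-net.ipv4.conf.all.send_redirects = 0
"""

if __name__ == "__main__":
    for key, expected, actual in check_sysctl(parse_sysctl(WEAK_SYSCTL_CONF)):
        print(f"FAIL {key}: want {expected}, file has {actual}")
```

Run against the constructed file it reports 14 findings, including accept_redirects re-enabled by the duplicate line; run against the output of hardened_fragment() it reports none. Checking the file alone is not sufficient: compare read_running(REQUIRED) as well, because a drop-in applied later or a manual sysctl -w can leave the running kernel out of step with the file.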
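The SSH daemon items above (GEN005500 through GEN005550) and the RHEL-06-000227 through RHEL-06-000243 items in Table A.7 are all settings in sshd_config. The checker below is an added example for this cross-reference, not Security Blanket code; the FIPS cipher and MAC lists, the 900-second idle limit and the choice to treat an unset keyword as a finding are the editor's assumptions. It follows the two sshd parsing rules that hardening scripts most often get wrong: the first value of a keyword wins, so a hardened line appended below an existing permissive one is silently ignored, and everything after the first Match line is conditional rather than global.

```python
"""Evaluate an sshd_config against the SSH daemon items above (GEN005500
through GEN005550) and RHEL-06-000227 through RHEL-06-000243 in Table A.7.
Added example, not Security Blanket code.  The cipher and MAC lists and
the 900-second idle limit are assumptions."""
import re

FIPS_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}   # assumed, non-CBC
FIPS_MACS = {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"}  # assumed

# keyword -> acceptable values.  Unset counts as a finding even where a
# daemon default happens to comply, because defaults vary between builds.
EXPECT = {
    "protocol": {"2"},                      # GEN005500, RHEL-06-000227
    "gssapiauthentication": {"no"},         # GEN005524
    "kerberosauthentication": {"no"},       # GEN005526
    "strictmodes": {"yes"},                 # GEN005536
    "useprivilegeseparation": {"yes"},      # GEN005537
    "rhostsrsaauthentication": {"no"},      # GEN005538
    "compression": {"delayed", "no"},       # GEN005539
    "permitrootlogin": {"no"},              # RHEL-06-000237
    "permitemptypasswords": {"no"},         # RHEL-06-000239
    "permituserenvironment": {"no"},        # RHEL-06-000241
    "ignorerhosts": {"yes"},                # RHEL-06-000234
    "hostbasedauthentication": {"no"},      # RHEL-06-000236
    "clientalivecountmax": {"0"},           # RHEL-06-000231
}

def parse_sshd_config(text):
    """Effective global settings: keywords are case-insensitive, the FIRST
    value of each keyword wins, and parsing stops at the first Match line
    because everything below it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s+|\s*=\s*)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def check_sshd(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECT.items():
        val = s.get(key)
        if val is None or val.lower() not in allowed:
            findings.append(f"{key}: expected {sorted(allowed)}, got {val!r}")
    for name, approved in (("ciphers", FIPS_CIPHERS), ("macs", FIPS_MACS)):
        configured = set(s.get(name, "").lower().split(",")) - {""}
        if not configured:
            findings.append(f"{name}: not restricted, daemon default list applies")
        for algo in sorted(configured - approved):
            findings.append(f"{name}: {algo} is not in the approved list")
    interval = s.get("clientaliveinterval", "")
    if not (interval.isdigit() and 0 < int(interval) <= 900):
        findings.append(f"clientaliveinterval: expected 1-900 seconds, got {interval!r}")
    if s.get("banner", "none").lower() == "none":
        findings.append("banner: no logon banner configured")
    if not s.keys() & {"allowusers", "allowgroups"}:
        findings.append("allowusers/allowgroups: logins not restricted to specific users or groups")
    return findings

def hardened_config():
    """Emit an sshd_config that satisfies every check above."""
    lines = [f"{key} {sorted(values)[0]}" for key, values in EXPECT.items()]
    lines += ["Ciphers " + ",".join(sorted(FIPS_CIPHERS)),
              "MACs " + ",".join(sorted(FIPS_MACS)),
              "ClientAliveInterval 900", "Banner /etc/issue", "AllowGroups sshusers"]
    return "\n".join(lines) + "\n"

# Constructed sample: stock sshd_config with hardening lines appended at the end.
WEAK_SSHD_CONFIG = """\
Protocol 2,1
GSSAPIAuthentication yes
PermitRootLogin yes
Banner none
Ciphers aes256-cbc,aes128-ctr
MACs hmac-md5,hmac-sha1
ClientAliveInterval 0
ClientAliveCountMax 0
UsePrivilegeSeparation yes
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
KerberosAuthentication no
RhostsRSAAuthentication no
Compression delayed
AllowGroups sshusers
# appended later: ignored, because each keyword is already set above
Protocol 2
GSSAPIAuthentication no
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""
```

On the constructed file the checker reports seven findings (protocol 2,1, GSSAPI and root login still permitted despite the appended lines, a CBC cipher, an MD5 MAC, no idle timeout and no banner); hardened_config() passes cleanly. Because the first value wins, a remediation script must edit the existing line in place or comment it out rather than append.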
DISA Red Hat 6 STIG v1R2
The Security Technical Implementation Guides (STIGs) are the configuration standards for U.S. Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems. The guides are maintained and published by the Defense Information Systems Agency's (DISA) Field Security Office (FSO). Approximately every ninety days the FSO publishes updates to its checklists. Purchasing yearly service from Raytheon Trusted Computer Solutions entitles you to regular updates of Security Blanket.
255 Total number of line items in guideline
183 Items at least partially addressed by Security Blanket
72 Items not addressed by Security Blanket
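Most of the audit items in Table A.7 (RHEL-06-000165 through RHEL-06-000202, all mapped to the Audit Rules module) are satisfied by auditctl syscall rules and file watches. The coverage checker below is an added example for this cross-reference, not Security Blanket code; the required syscall and watch lists are the editor's reading of those items, and an x86_64 host is assumed, which is why every syscall has to appear under both the b32 and b64 ABIs. The failed-access (RHEL-06-000197) and setuid-program (RHEL-06-000198) rules need exit-code and per-binary filters and are not covered.

```python
"""Check an audit.rules file for the Audit Rules items in Table A.7
(RHEL-06-000165 through RHEL-06-000202).  Added example, not Security
Blanket code; the required syscalls and watches are the editor's reading
of those items and an x86_64 host (both b32 and b64 ABIs) is assumed."""
import shlex

TIME = {"adjtimex", "settimeofday", "clock_settime"}             # 000165-000171
DAC = {"chmod", "fchmod", "fchmodat", "chown", "fchown", "fchownat", "lchown",
       "setxattr", "lsetxattr", "fsetxattr", "removexattr", "lremovexattr",
       "fremovexattr"}                                            # 000184-000196
OTHER = {"mount", "unlink", "unlinkat", "rename", "renameat",     # 000199-000200
         "init_module", "delete_module"}                          # 000202
REQUIRED_SYSCALLS = {
    "b64": TIME | DAC | OTHER,
    "b32": TIME | {"stime"} | DAC | OTHER,  # stime exists only on the 32-bit ABI
}
# Files whose writes and attribute changes (-p wa) must be watched.
REQUIRED_WATCHES = {
    "/etc/localtime",                                             # 000173
    "/etc/group", "/etc/passwd", "/etc/gshadow", "/etc/shadow",
    "/etc/security/opasswd",                                      # 000174-000177
    "/etc/issue", "/etc/issue.net", "/etc/hosts", "/etc/sysconfig/network",  # 000182
    "/etc/selinux",                                               # 000183
    "/etc/sudoers",                                               # 000201
}


def parse_audit_rules(text):
    """Return ({arch: syscalls}, {path: perms}).  Accepts '-S a -S b' and
    '-S a,b', '-F arch=b32|b64', and '-w PATH [-p PERMS]'; control lines
    (-D, -b, -f) are skipped.  A syscall rule without -F arch applies to
    the native ABI, assumed here to be b64."""
    syscalls, watches = {"b32": set(), "b64": set()}, {}
    for raw in text.splitlines():
        args = shlex.split(raw.split("#", 1)[0])
        if len(args) < 2:
            continue
        if args[0] == "-w":
            perms = args[args.index("-p") + 1] if "-p" in args else "rwxa"
            watches[args[1].rstrip("/")] = perms
        elif args[0] == "-a" and {"always", "exit"} <= set(args[1].split(",")):
            arch, names = "b64", set()
            for flag, val in zip(args, args[1:]):
                if flag == "-S":
                    names.update(val.split(","))
                elif flag == "-F" and val.startswith("arch="):
                    arch = val[5:]
            syscalls.setdefault(arch, set()).update(names)
    return syscalls, watches


def check_audit(text):
    """Return findings for required syscalls and watches that are missing."""
    syscalls, watches = parse_audit_rules(text)
    findings = []
    for arch, required in REQUIRED_SYSCALLS.items():
        for name in sorted(required - syscalls.get(arch, set())):
            findings.append(f"{arch}: syscall {name} not audited")
    for path in sorted(REQUIRED_WATCHES):
        if not {"w", "a"} <= set(watches.get(path, "")):
            findings.append(f"watch: {path} lacks -p wa")
    return findings


def generate_rules():
    """Emit rules satisfying every check.  They audit all users; the STIG
    text additionally filters most syscall rules on auid>=500."""
    lines = [f"-a always,exit -F arch={arch} -S {','.join(sorted(names))} -k stig"
             for arch, names in REQUIRED_SYSCALLS.items()]
    lines += [f"-w {path} -p wa -k stig" for path in sorted(REQUIRED_WATCHES)]
    return "\n".join(lines) + "\n"


# Constructed sample: a partially populated /etc/audit/audit.rules.
WEAK_RULES = """\
-D
-b 320
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-w /etc/localtime -p wa -k time
-w /etc/passwd -p wa -k accounts
-w /etc/shadow -p wa -k accounts
-w /etc/sudoers -p r -k actions
-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
"""
```

The constructed file looks reasonable at a glance but yields 44 findings: the DAC and mount rules exist only for b64, so a 32-bit binary on the same host evades them; /etc/sudoers is watched for reads rather than writes; and the group, gshadow, opasswd and network configuration watches are absent. generate_rules() produces a file that passes, and parsing it back confirms stime is emitted only for b32.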
Table A.7. DISA Red Hat 6 STIG v1R2
Item | Title | Security Blanket Modules
RHEL-06-000001 | The system must use a separate file system for /tmp. | Check for Separate /tmp File System
RHEL-06-000002 | The system must use a separate file system for /var. | Check for Separate /var File System
RHEL-06-000003 | The system must use a separate file system for /var/log. | Check for Separate /var/log File System
RHEL-06-000004 | The system must use a separate file system for the system audit data path. | Check for Separate /var/log/audit File System
RHEL-06-000005 | The audit system must alert designated staff members when the audit storage volume approaches capacity. | Configure /etc/audit/auditd.conf Settings
RHEL-06-000007 | The system must use a separate file system for user home directories. | Check for Separate /home File System
RHEL-06-000008 | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. | Verify Required Software Cryptographic Certs are Installed
RHEL-06-000009 | The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. | Disable Rhnsd
RHEL-06-000013 | The system package management tool must cryptographically verify the authenticity of system software packages during installation. | Ensure YUM Repositories use gpgcheck
RHEL-06-000015 | The system package management tool must cryptographically verify the authenticity of all software packages during installation. | Ensure YUM Repositories use gpgcheck
RHEL-06-000019 | There must be no .rhosts or hosts.equiv files on the system. | Remove rsh Authorization Files
RHEL-06-000027 | The system must prevent the root account from logging in from virtual consoles. | Root Console Only Logins
RHEL-06-000028 | The system must prevent the root account from logging in from serial consoles. | Root Console Only Logins
RHEL-06-000029 | Default system accounts, other than root, must be locked. | Block System Accounts
RHEL-06-000030 | The system must not have accounts configured with blank or null passwords. | No Empty Passwords
RHEL-06-000031 | The /etc/passwd file must not contain password hashes. | No Hashes Allowed in Passwd/Group Files
RHEL-06-000032 | The root account must be the only account having a UID of 0. | Lock Non-Root Accounts with UID 0
RHEL-06-000033 | The /etc/shadow file must be owned by root. | Shadow Perms
RHEL-06-000034 | The /etc/shadow file must be group-owned by root. | Shadow Perms
RHEL-06-000035 | The /etc/shadow file must have mode 0000. | Shadow Perms
RHEL-06-000036 | The /etc/gshadow file must be owned by root. | Shadow Perms
RHEL-06-000037 | The /etc/gshadow file must be group-owned by root. | Shadow Perms
RHEL-06-000038 | The /etc/gshadow file must have mode 0000. | Shadow Perms
RHEL-06-000039 | The /etc/passwd file must be owned by root. | Password Perms
RHEL-06-000040 | The /etc/passwd file must be group-owned by root. | Password Perms
RHEL-06-000041 | The /etc/passwd file must have mode 0644 or less permissive. | Password Perms
RHEL-06-000042 | The /etc/group file must be owned by root. | Password Perms
RHEL-06-000043 | The /etc/group file must be group-owned by root. | Password Perms
RHEL-06-000044 | The /etc/group file must have mode 0644 or less permissive. | Password Perms
RHEL-06-000045 | Library files must have mode 0755 or less permissive. | System Library File Permissions
RHEL-06-000046 | Library files must be owned by root. | System Library File Permissions
RHEL-06-000047 | All system command files must have mode 0755 or less permissive. | System Command File Permissions
RHEL-06-000048 | All system command files must be owned by root. | System Command File Permissions
RHEL-06-000050 | The system must require passwords to contain a minimum of 14 characters. | Password Policy Length Minimum
RHEL-06-000051 | Users must not be able to change passwords more than once every 24 hours. | Minimum Delay Between Password Changes; Set Password Aging on Active Accounts
RHEL-06-000053 | User passwords must be changed at least every 60 days. | Maximum Time Between Password Changes; Set Password Aging on Active Accounts
RHEL-06-000054 | Users must be warned 7 days in advance of password expiration. | Password Expiration Warning; Set Password Aging on Active Accounts
RHEL-06-000056 | The system must require passwords to contain at least one numeric character. | Password Policy Numeric Minimum
RHEL-06-000057 | The system must require passwords to contain at least one uppercase alphabetic character. | Password Policy Uppercase Minimum
RHEL-06-000058 | The system must require passwords to contain at least one special character. | Password Policy Special Characters
RHEL-06-000059 | The system must require passwords to contain at least one lowercase alphabetic character. | Password Policy Lowercase Minimum
RHEL-06-000060 | The system must require at least four characters be changed between the old and new passwords during a password change. | Password Policy Different Characters
RHEL-06-000065 | The system boot loader configuration file(s) must be owned by root. | Boot Loader Configuration File Permissions
RHEL-06-000066 | The system boot loader configuration file(s) must be group-owned by root. | Boot Loader Configuration File Permissions
RHEL-06-000067 | The system boot loader configuration file(s) must have mode 0600 or less permissive. | Boot Loader Configuration File Permissions
RHEL-06-000068 | The system boot loader must require authentication. | Require GRUB Password
RHEL-06-000069 | The system must require authentication upon booting into single-user and maintenance modes. | Single User Mode Password
RHEL-06-000070 | The system must not permit interactive boot. | Disable Interactive Boot
RHEL-06-000071 | The system must allow locking of the console screen in text mode. | Screen Package Installed
RHEL-06-000073 | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | Create Login Banner
RHEL-06-000078 | The system must implement virtual address space randomization. | Enable ExecShield Kernel Module
RHEL-06-000079 | The system must limit the ability of processes to have simultaneous write and execute access to memory. | Enable ExecShield Kernel Module
RHEL-06-000080 | The system must not send ICMPv4 redirects by default. | Disable Sending ICMP Redirects
RHEL-06-000081 | The system must not send ICMPv4 redirects from any interface. | Disable Sending ICMP Redirects
RHEL-06-000082 | IP forwarding for IPv4 must not be enabled, unless the system is a router. | Disable IP Forwarding
RHEL-06-000083 | The system must not accept IPv4 source-routed packets on any interface. | Disable Source Routing
RHEL-06-000084 | The system must not accept ICMPv4 redirect packets on any interface. | Disable Accepting ICMP Redirects
RHEL-06-000086 | The system must not accept ICMPv4 secure redirect packets on any interface. | Disable Accepting Secure Redirects
RHEL-06-000088 | The system must log Martian packets. | Configure System to Log 'martian' Network Packets
RHEL-06-000089 | The system must not accept IPv4 source-routed packets by default. | Disable Source Routing
RHEL-06-000090 | The system must not accept ICMPv4 secure redirect packets by default. | Disable Accepting Secure Redirects
RHEL-06-000091 | The system must ignore IPv4 ICMP redirect messages. | Disable Accepting ICMP Redirects
RHEL-06-000092 | The system must not respond to ICMPv4 sent to a broadcast address. | Ignore ICMP ECHO and TIMESTAMP Requests
RHEL-06-000093 | The system must ignore ICMPv4 bogus error responses. | Ignore Bogus ICMP4 Error Responses
RHEL-06-000095 | The system must be configured to use TCP syncookies. | Enable TCP Syncookies
RHEL-06-000096 | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. | Enable Reverse Path Source Validation
RHEL-06-000097 | The system must use a reverse-path filter for IPv4 network traffic when possible by default. | Enable Reverse Path Source Validation
RHEL-06-000098 | The IPv6 protocol handler must not be bound to the network stack unless needed. | Disable IPv6 Kernel Module
RHEL-06-000099 | The system must ignore ICMPv6 redirects by default. | Disable Accepting ICMP Redirects
RHEL-06-000103 | The system must employ a local IPv6 firewall. | Enable Ip6tables
RHEL-06-000113 | The system must employ a local IPv4 firewall. | Enable Iptables
RHEL-06-000124 | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. | Disable Support for DCCP
RHEL-06-000125 | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. | Disable Support for SCTP
RHEL-06-000126 | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. | Disable Support for RDS
RHEL-06-000127 | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. | Disable Support for TIPC
RHEL-06-000133 | All rsyslog-generated log files must be owned by root. | System Log File Permissions
RHEL-06-000134 | All rsyslog-generated log files must be group-owned by root. | System Log File Permissions
RHEL-06-000135 | All rsyslog-generated log files must have mode 0600 or less permissive. | System Log File Permissions
RHEL-06-000145 | The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. | Enable the Audit Subsystem
RHEL-06-000148 | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Enable the Audit Subsystem
RHEL-06-000154 | The operating system must produce audit records containing sufficient information to establish what type of events occurred. | Enable the Audit Subsystem
RHEL-06-000159 | The system must retain enough rotated audit logs to cover the required log retention period. | Configure /etc/audit/auditd.conf Settings
RHEL-06-000160 | The system must set a maximum audit log file size. | Configure /etc/audit/auditd.conf Settings
RHEL-06-000161 | The system must rotate audit log files that reach the maximum file size. | Configure /etc/audit/auditd.conf Settings
RHEL-06-000165 | The audit system must be configured to audit all attempts to alter system time through adjtimex. | Audit Rules
RHEL-06-000167 | The audit system must be configured to audit all attempts to alter system time through settimeofday. | Audit Rules
RHEL-06-000169 | The audit system must be configured to audit all attempts to alter system time through stime. | Audit Rules
RHEL-06-000171 | The audit system must be configured to audit all attempts to alter system time through clock_settime. | Audit Rules
RHEL-06-000173 | The audit system must be configured to audit all attempts to alter system time through /etc/localtime. | Audit Rules
RHEL-06-000174 | The operating system must automatically audit account creation. | Audit Rules
RHEL-06-000175 | The operating system must automatically audit account modification. | Audit Rules
RHEL-06-000176 | The operating system must automatically audit account disabling actions. | Audit Rules
RHEL-06-000177 | The operating system must automatically audit account termination. | Audit Rules
RHEL-06-000182 | The audit system must be configured to audit modifications to the system's network configuration. | Audit Rules
RHEL-06-000183 | The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux). | Audit Rules
RHEL-06-000184 | The audit system must be configured to audit all discretionary access control permission modifications using chmod. | Audit Rules
RHEL-06-000185 | The audit system must be configured to audit all discretionary access control permission modifications using chown. | Audit Rules
RHEL-06-000186 | The audit system must be configured to audit all discretionary access control permission modifications using fchmod. | Audit Rules
RHEL-06-000187 | The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. | Audit Rules
RHEL-06-000188 | The audit system must be configured to audit all discretionary access control permission modifications using fchown. | Audit Rules
RHEL-06-000189 | The audit system must be configured to audit all discretionary access control permission modifications using fchownat. | Audit Rules
RHEL-06-000190 | The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. | Audit Rules
RHEL-06-000191 | The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. | Audit Rules
RHEL-06-000192 | The audit system must be configured to audit all discretionary access control permission modifications using lchown. | Audit Rules
RHEL-06-000193 | The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. | Audit Rules
RHEL-06-000194 | The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. | Audit Rules
RHEL-06-000195 | The audit system must be configured to audit all discretionary access control permission modifications using removexattr. | Audit Rules
RHEL-06-000196 | The audit system must be configured to audit all discretionary access control permission modifications using setxattr. | Audit Rules
RHEL-06-000197 | The audit system must be configured to audit failed attempts to access files and programs. | Audit Rules
RHEL-06-000198 | The audit system must be configured to audit all use of setuid programs. | Audit Rules
RHEL-06-000199 | The audit system must be configured to audit successful file system mounts. | Audit Rules
RHEL-06-000200 | The audit system must be configured to audit user deletions of files and programs. | Audit Rules
RHEL-06-000201 | The audit system must be configured to audit changes to the /etc/sudoers file. | Audit Rules
RHEL-06-000202 | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | Audit Rules
RHEL-06-000203 | The xinetd service must be disabled if no network services utilizing it are enabled. | Disable Inetd
RHEL-06-000211 | The telnet daemon must not be running. | Disable Telnet
RHEL-06-000214
The rshd service must not be running.
Disable Remote Shell (rsh)
RHEL-06-000216
The rexecd service must not be running.
Disable Remote Exec (rexec)
RHEL-06-000218
The rlogind service must not be running.
Disable Remote Login (rlogin)
RHEL-06-000221
The ypbind service must not be running.
Disable NIS Client
RHEL-06-000223
The TFTP service must not be running.
Disable TFTP
RHEL-06-000224
The cron service must be running.
Enable Crond
RHEL-06-000227
The SSH daemon must be configured to use only the
SSHv2 protocol.
SSHD Protocol
RHEL-06-000230
The SSH daemon must set a timeout interval on idle
sessions.
SSHD Set Idle Timeout Interval for User Logins
RHEL-06-000231
The SSH daemon must set a timeout count on idle
sessions.
SSHD Set Idle Timeout Interval for User Logins
RHEL-06-000234
The SSH daemon must ignore .rhosts files.
SSHD Enable Ignore Rhosts
RHEL-06-000236
The SSH daemon must not allow host-based
authentication.
SSHD Disable Host-based Authentication
RHEL-06-000237
The system must not permit root logins using remote
access programs such as ssh.
SSHD Disable Root Login
RHEL-06-000239
The SSH daemon must not allow authentication using
an empty password.
SSHD Disable Empty Passwords
RHEL-06-000240
The SSH daemon must be configured with the
Department of Defense (DoD) login banner.
SSHD Enable Banner
RHEL-06-000241
The SSH daemon must not permit user environment
settings.
SSHD Permit User Environment
RHEL-06-000243
The SSH daemon must be configured to use only FIPS
140-2 approved ciphers.
SSHD Restrict Ciphers
RHEL-06-000246
The avahi service must be disabled.
Disable Avahi Daemon
RHEL-06-000257
The graphical desktop environment must set the idle
timeout to no more than 15 minutes.
Set Mandatory Screen Saver
RHEL-06-000258
The graphical desktop environment must
automatically lock after 15 minutes of inactivity and
the system must require user to re-authenticate to
unlock the environment.
Set Mandatory Screen Saver
RHEL-06-000259
The graphical desktop environment must have
automatic lock enabled.
Set Mandatory Screen Saver
RHEL-06-000260
The system must display a publicly-viewable pattern
during a graphical desktop environment session lock.
Set Mandatory Screen Saver
RHEL-06-000261
The Automatic Bug Reporting Tool (abrtd) service
must not be running.
Disable Abrtd
RHEL-06-000262
The atd service must be disabled.
Disable atd Service
RHEL-06-000265
The ntpdate service must not be running.
Disable Ntpdate
RHEL-06-000266
The oddjobd service must not be running.
Disable Oddjobd
RHEL-06-000267
The qpidd service must not be running.
Disable Qpidd
RHEL-06-000268
The rdisc service must not be running.
Disable Rdisc
RHEL-06-000272
The system must use SMB client signing for
connecting to samba servers using smbclient.
SMB Configuration
RHEL-06-000274
The system must prohibit the reuse of passwords
within twenty-four iterations.
Limit Password Reuse
RHEL-06-000278
The system package management tool must verify
permissions on all files and directories associated with
the audit package.
Consult the RPM Database for file/directory Setting
RHEL-06-000279
The system package management tool must verify
ownership on all files and directories associated with
the audit package.
Consult the RPM Database for file/directory Setting
RHEL-06-000280
The system package management tool must verify
group-ownership on all files and directories associated
with the audit package.
Consult the RPM Database for file/directory Setting
RHEL-06-000281
The system package management tool must verify
contents of all files associated with the audit package.
Consult the RPM Database for file/directory Setting
RHEL-06-000282
There must be no world-writable files on the system.
Secure World Writable Files
RHEL-06-000286
The x86 Ctrl-Alt-Delete key sequence must be
disabled.
Disable Ctrl-Alt-Del
RHEL-06-000287
The postfix service must be enabled for mail delivery.
Enable Postfix
RHEL-06-000289
The netconsole service must be disabled unless
required.
Disable Netconsole
RHEL-06-000290
X Windows must not be enabled unless required.
Disable Graphical Login
RHEL-06-000294
All GIDs referenced in /etc/passwd must be defined
in /etc/group.
Lock Invalid Accounts
RHEL-06-000296
All accounts on the system must have unique user or
account names.
Lock Invalid Accounts
RHEL-06-000299
The system must require passwords to contain no
more than three consecutive repeating characters.
Password Policy Consecutive Characters
RHEL-06-000308
Process core dumps must be disabled unless needed.
Disable Core Dumps
RHEL-06-000309
The NFS server must not have the insecure file
locking option enabled.
Secure Option for NFS Server
RHEL-06-000311
The audit system must provide a warning when
allocated audit record storage volume reaches a
documented percentage of maximum audit record
storage capacity.
Configure /etc/audit/auditd.conf Settings
RHEL-06-000313
The audit system must identify staff members to
receive notifications of audit log storage volume
capacity issues.
Configure /etc/audit/auditd.conf Settings
RHEL-06-000315
The Bluetooth kernel module must be disabled.
Disable Bluetooth Kernel Modules
RHEL-06-000319
The system must limit users to 10 simultaneous
system logins, or a site-defined number, in accordance
with operational requirements.
Maximum Number of Logins per User
RHEL-06-000331
The Bluetooth service must be disabled.
Disable Bluetooth
RHEL-06-000334
Accounts must be locked upon 35 days of inactivity.
Lock Expired Account after Inactivity
Set Password Aging on Active Accounts
RHEL-06-000336
The sticky bit must be set on all public directories.
Secure World Writable Directories
RHEL-06-000338
The TFTP daemon must operate in secure mode which
provides access only to a single directory on the host
file system.
Set TFTP Startup Directory
RHEL-06-000342
The system default umask for the bash shell must be
077.
Default umask
RHEL-06-000343
The system default umask for the csh shell must be
077.
Default umask
RHEL-06-000344
The system default umask in /etc/profile must be 077.
Default umask
RHEL-06-000345
The system default umask in /etc/login.defs must be
077.
Default umask
RHEL-06-000347
There must be no .netrc files on the system.
Secure Netrc Files
RHEL-06-000348
The FTPS/FTP service on the system must be
configured with the Department of Defense (DoD)
login banner.
Create Login FTP Banner
RHEL-06-000503
The operating system must enforce requirements for
the connection of mobile devices to operating systems.
Disable Support for USB Storage
RHEL-06-000507
The operating system, upon successful logon, must
display to the user the date and time of the last logon
or access via ssh.
SSHD Print Last Log
RHEL-06-000510
The audit system must take appropriate action when
the audit storage volume is full.
Configure /etc/audit/auditd.conf Settings
RHEL-06-000511
The audit system must take appropriate action when
there are disk errors on the audit storage volume.
Configure /etc/audit/auditd.conf Settings
RHEL-06-000516
The system package management tool must verify
ownership on all files and directories associated with
packages.
Consult the RPM Database for file/directory Setting
RHEL-06-000517
The system package management tool must verify
group-ownership on all files and directories associated Consult the RPM Database for file/directory Setting
with packages.
RHEL-06-000518
The system package management tool must verify
permissions on all files and directories associated with Consult the RPM Database for file/directory Setting
packages.
RHEL-06-000519
The system package management tool must verify
contents of all files associated with packages.
Consult the RPM Database for file/directory Setting
RHEL-06-000525
Auditing must be enabled at boot by setting a kernel
parameter.
Enable Auditing For All Processes
RHEL-06-000526
Automated file system mounting tools must not be
enabled unless needed.
Disable Autofs Daemon
DISA UNIX STIG v5 R1.30
The Security Technical Implementation Guides (STIGs) are the configuration standards for U.S. Department of Defense (DoD)
Information Assurance (IA) and IA-enabled devices/systems. The guides are maintained and published by the Defense Information
Systems Agency’s (DISA) Field Security Office (FSO). Approximately every ninety days the FSO publishes updates to its checklists.
Purchasing yearly service from Raytheon Trusted Computer Solutions entitles you to regular updates of Security Blanket.
Note that the SRRs have been deprecated by DISA.
709 Total number of line items in guideline
275 Items at least partially addressed by Security Blanket
434 Items not addressed by Security Blanket
Table A.8. DISA UNIX STIG v5 R1.30
Item
Title
Security Blanket Modules
GEN000000LNX00400
The /etc/security/access.conf file must be owned by
root.
Access.conf File Permissions
GEN000000LNX00420
The /etc/security/access.conf file must have a
privileged group owner.
Access.conf File Permissions
GEN000000LNX00440
The /etc/security/access.conf file must have mode
0640 or less permissive.
Access.conf File Permissions
GEN000020
Single User Mode Password
Single User Mode Password
GEN000040
Single User Mode Password Incompatibility
Documentation
Single User Mode Password
GEN000060
Single User Mode Password Incompatibility Location
Single User Mode Password
GEN000140
Create and Maintain System Baseline
Secure SUID/SGID Executables
GEN000300
Unique Account Name
Lock Invalid Accounts
GEN000320
Unique UID
Lock Invalid Accounts
GEN000380
Groups Referenced in /etc/passwd
Lock Invalid Accounts
GEN000400
Logon Warning Banner Display
Create Login Banner
Create Pre-Login GUI Banner
Create Pre-Session GUI Banner
Remove Telnet Service Banner
SSHD Enable Banner
GEN000420
Logon Warning Banner Content
Create Login Banner
Create Login FTP Banner
Create Pre-Login GUI Banner
Create Pre-Session GUI Banner
GEN000460
Three Failed Login Attempts
Lock Account after Three Failed Login Attempts
GEN000480
Login Delay
Set Delay after Failed Login
GEN000500
Inactivity
SSHD Set Idle Timeout Interval for User Logins
Set CDE Screen Saver
Set Mandatory Screen Saver
Set X Screen Saver Application Defaults
GEN000540
Password Change 24 Hours
Minimum Delay Between Password Changes
Set Password Aging on Active Accounts
GEN000560
Password Protect Enabled Accounts
No Empty Passwords
GEN000580
Password Length
Password Policy Consecutive Characters
Password Policy Different Characters
Password Policy Length Minimum
GEN000600
Password Character Mix (Mixed case)
Password Policy Lowercase Minimum
Password Policy Uppercase Minimum
GEN000620
Password Character Mix (Digits)
Password Policy Numeric Minimum
GEN000640
Password Character Mix (Special)
Password Policy Special Characters
GEN000700
Password Change Every 60 Days
Maximum Time Between Password Changes
Set Password Aging on Active Accounts
GEN000760
Inactive Accounts are not locked
Expired Password Invalidation
GEN000800
Password Reuse
Limit Password Reuse
GEN000820
Global Password Configuration Files
Maximum Time Between Password Changes
Minimum Delay Between Password Changes
GEN000880
Root's UID
Lock Non-Root Accounts with UID 0
GEN000900
Root's Home Directory
Root Home Directory Permissions
GEN000920
Root's Home Directory Permissions
Root Home Directory Permissions
GEN000940
Root's Search Path
Root Path
GEN000960
Root's Search Path
Root Path
GEN000980
Root Console Access
Root Console Only Logins
GEN001000
Remote Consoles
Root Console Only Logins
GEN001020
Direct Root Login
SSHD Disable Root Login
GEN001060
Log Root Access Attempts
Secure Authpriv Logging
GEN001080
Root Shell
Root Shell must be on / filesystem
GEN001120
Encrypting Root Access
SSHD Disable Root Login
GEN001140
Uneven File Permissions
Correct Uneven File Permissions
GEN001160
Unowned Files
Secure Unowned Files
GEN001180
Network Services Daemon Permissions
Configure Permissions on /usr/bin/ldd
System Command File Permissions
GEN001200
System Command Permissions
Configure Permissions on /usr/bin/ldd
System Command File Permissions
GEN001220
System Files, Programs, and Directories Ownership
Configure Permissions on /usr/bin/ldd
System Command File Permissions
GEN001240
System Files, Programs, and Directories Group
Ownership
Configure Permissions on /usr/bin/ldd
System Command File Permissions
GEN001260
System Log File Permissions
System Log File Permissions
GEN001280
Manual Page File Permissions
Restrict Write Access on Man Pages
GEN001300
Library File Permissions
System Library File Permissions
GEN001320
NIS/NIS+/yp File Ownership
NIS/NIS+/YP Configuration File Permissions
GEN001340
NIS/NIS+/yp File Group Ownership
NIS/NIS+/YP Configuration File Permissions
GEN001360
NIS/NIS+/yp File Permissions
NIS/NIS+/YP Configuration File Permissions
GEN001362
The /etc/resolv.conf file must be owned by root.
Resolver Configuration File Permissions
GEN001363
The /etc/resolv.conf file must be group-owned by root,
bin, sys, or system.
Resolver Configuration File Permissions
GEN001364
The /etc/resolv.conf file must have mode 0644 or less
permissive.
Resolver Configuration File Permissions
GEN001366
The /etc/hosts file must be owned by root.
Hosts File Permissions
GEN001367
The /etc/hosts file must be group-owned by root, bin,
sys, or system.
Hosts File Permissions
GEN001368
The /etc/hosts file must have mode 0644 or less
permissive.
Hosts File Permissions
GEN001371
The /etc/nsswitch.conf file must be owned by root.
Name Service Switch Configuration File Permissions
GEN001372
The /etc/nsswitch.conf file must be group-owned by
root, bin, sys, or system.
Name Service Switch Configuration File Permissions
GEN001373
The /etc/nsswitch.conf file must have mode 0644 or
less permissive.
Name Service Switch Configuration File Permissions
GEN001440
Assign Home Directories
Lock Invalid Accounts
GEN001460
Assigned Home Directories Exist
Lock Invalid Accounts
GEN001470
The /etc/passwd file must not contain password
hashes.
No Hashes Allowed in Passwd/Group Files
GEN001475
The /etc/group file must not contain any group
password hashes.
No Hashes Allowed in Passwd/Group Files
GEN001480
Home Directories Permissions
Home Directory Permissions
GEN001500
Home Directories Ownership
Home Directory Ownership
GEN001520
Home Directories Group Ownership
Home Directory Ownership
GEN001540
Home Directories File Ownership
Home Directory Contents
GEN001560
Home Directories File Permissions
Home Directory Contents
GEN001580
Run Control Scripts Permissions
System Run Control Script Permissions
GEN001600
Run Control Scripts PATH Variable
Correct System RC Script PATH Variables
GEN001620
Run Control Scripts SGID/SUID
Secure SUID/SGID Executables
GEN001640
Run Control Scripts World Writable Programs or
Scripts
Secure World Writable Devices
Secure World Writable Files
GEN001660
Run Control Scripts Ownership
System Run Control Script Permissions
GEN001680
Run Control Scripts Group Ownership
System Run Control Script Permissions
GEN001720
Global Initialization Files Permissions
Global Initialization File Permissions
GEN001740
Global Initialization Files Ownership
Global Initialization File Permissions
GEN001760
Global Initialization Files Group Ownership
Global Initialization File Permissions
GEN001780
Global Initialization Files do not Contain mesg -n
Limit Term Write Access to Owner
GEN001800
Default/Skeleton Dot Files Permissions
Skeleton File Permissions
GEN001820
Default/Skeleton Dot Files Ownership
Skeleton File Permissions
GEN001830
All skeleton files (typically in /etc/skel) must be
group-owned by root, bin, sys, system, or other.
Skeleton File Permissions
GEN001840
Global Initialization Files PATH Variable
Correct Global Init Script PATH Variables
GEN001860
Local Initialization Files Ownership
Home Directory Contents
GEN001880
Local Initialization Files Permissions
User Dot File Perms
GEN001920
Local Initialization Files SGID/SUID
Secure SUID/SGID Executables
GEN001940
Local Initialization Files World Writable Programs or
Scripts
Secure World Writable Devices
Secure World Writable Files
GEN001960
Local Initialization Files mesg -y
Restrict use of Mesg Command
GEN001980
Plus (+) in Access Control Files
No Plus Entries in Password Files
GEN002000
The .netrc File Exists
Secure Netrc Files
GEN002060
Access Control Files Accessibility
Secure Netrc Files
GEN002100
The .rhosts Supported in PAM
Disable Rhosts Support
GEN002120
The /etc/shells File Does Not Exist
Sync Shells File
GEN002140
The /etc/shells Contents
Sync Shells File
GEN002160
Shells SUID
Secure SUID/SGID Executables
Secure Shell Binaries
GEN002180
Shells SGID
Secure SUID/SGID Executables
Secure Shell Binaries
GEN002200
Shells Ownership
Secure Shell Binaries
GEN002220
Shells Permissions
Secure Shell Binaries
GEN002280
Device Files Directories Permissions
System Device Directory Ownership
GEN002320
Audio Device Permissions
Secure Audio Devices
GEN002340
Audio Device Ownership
Secure Audio Devices
GEN002360
Audio Device Group Ownership
Secure Audio Devices
GEN002380
SUID Files Baseline
Secure SUID/SGID Executables
GEN002400
System Baseline for SUID Files Checking
Secure SUID/SGID Executables
GEN002420
File Systems Mounted With nosuid
Use NOSUID and NODEV for Removable Media
Use NOSUID on User Filesystems
GEN002440
SGID Files Baseline
Secure SUID/SGID Executables
GEN002460
System Baseline for SGID Files Checking
Secure SUID/SGID Executables
GEN002480
World Writable Files and Directories
Secure World Writable Devices
Secure World Writable Directories
Secure World Writable Files
GEN002500
Sticky Bit on Public Directories
Secure World Writable Directories
GEN002560
Default umask
Default umask
GEN002640
Disabled Default System Accounts
Block System Accounts
GEN002660
Configure and Implement Auditing
Enable the Audit Subsystem
GEN002680
Audit Logs Accessibility
System Log File Permissions
GEN002700
Audit Logs Permissions
System Log File Permissions
GEN002720
Audit Failed File and Program Access Attempts
Audit Rules
Audit Rules (Solaris)
GEN002740
Audit File and Program Deletion
Audit Rules
Audit Rules (Solaris)
GEN002760
Audit Administrative, Privileged, and Security Actions
Audit Rules
Audit Rules (Solaris)
GEN002800
Audit Login, Logout, and Session Initiation
Audit Rules
Audit Rules (Solaris)
GEN002820
Audit Discretionary Access Control Permission
Modifications
Audit Rules
Audit Rules (Solaris)
GEN002860
Audit Logs Rotation
Audit Log Rotation
GEN002960
Cron Utility Accessibility
At/Cron Access File Permissions
Restrict At and Cron
GEN002980
The cron.allow Permissions
At/Cron Access File Permissions
Restrict At and Cron
GEN003000
Cron Executes World Writable Programs
Secure World Writable Devices
Secure World Writable Files
GEN003020
Cron Executes Programs in World Writable
Directories
Secure World Writable Devices
Secure World Writable Files
GEN003050
Crontab files must be group-owned by root, cron, or
the crontab creator's primary group.
Crontab Perms
Crontab Script Perms
GEN003060
Default System Accounts and Cron
Restrict At and Cron
GEN003080
Crontab files Permissions
Crontab Perms
Crontab Script Perms
GEN003100
Cron and Crontab Directories Permissions
Crontab Dir Perms
GEN003120
Cron and Crontab Directories Ownership
Crontab Dir Perms
GEN003140
Cron and Crontab Directories Group Ownership
Crontab Dir Perms
GEN003160
Cron Logging
Cron Logging
GEN003180
Cronlog Permissions
System Log File Permissions
GEN003200
cron.deny Permissions
Restrict At and Cron
GEN003240
cron.allow Ownership
Restrict At and Cron
GEN003260
cron.deny Ownership
Restrict At and Cron
GEN003280
At Utility Accessibility
System Configuration File Permissions
GEN003300
The at.deny File
Restrict At and Cron
GEN003320
Default System Accounts and At
Restrict At and Cron
GEN003340
at.allow and at.deny Permissions
System Configuration File Permissions
GEN003360
At Executes World Writable Programs
Secure World Writable Devices
Secure World Writable Files
GEN003380
At Executes Programs in World Writable Directories
Secure World Writable Devices
Secure World Writable Files
GEN003400
The at Directory Permissions
At Directory Permissions
GEN003420
The at Directory Ownership
At Directory Permissions
GEN003430
The "at" directory must be group-owned by root, bin,
sys, or cron.
At Directory Permissions
GEN003500
Disable Core Dumps
Disable Core Dumps
GEN003510
Kernel core dumps must be disabled unless needed.
Disable Kernel Crash Analyzer
GEN003520
Core Dump Directory Ownership and Permissions
Kernel Core Dump Directory Permissions
GEN003521
The kernel core dump data directory must be group-owned by root, bin, sys, or system.
Kernel Core Dump Directory Permissions
GEN003522
The kernel core dump data directory must have mode
0700 or less permissive.
Kernel Core Dump Directory Permissions
GEN003540
Disable Executable Stack
Enable Stack Protection
GEN003600
Network Security Settings
Adjust Maximum Pending Connections
Disable Accepting ICMP Redirects
Disable IP Forwarding
Disable Sending ICMP Redirects
Disable Source Routing
Enable TCP Syncookies
Ignore ICMP ECHO and TIMESTAMP Requests
GEN003608
Proxy ARP must not be enabled on the system.
Disable Proxy Address Resolution Protocol (Proxy
ARP)
GEN003660
Authentication Data Logging
Secure Authpriv Logging
GEN003700
Disable inetd/xinetd
Disable Inetd
GEN003720
inetd.conf Ownership
Inetd/Xinetd Configuration File Permissions
GEN003730
The inetd.conf file, xinetd.conf file, and the xinetd.d
directory must be group-owned by root, bin, sys, or
system.
Inetd/Xinetd Configuration File Permissions
GEN003740
inetd.conf Permissions
Inetd/Xinetd Configuration File Permissions
GEN003750
The xinetd.d directory must have mode 0755 or less
permissive.
Inetd/Xinetd Configuration File Permissions
GEN003760
The Services File Ownership
Services File Permissions
GEN003770
The services file must be group-owned by root, bin,
sys, or system.
Services File Permissions
GEN003780
The Services File Permissions
Services File Permissions
GEN003800
inetd Logging
Configure Xinetd Logging
GEN003820
Remote Login or Shell Is Enabled
Disable Remote Login (rlogin)
Disable Remote Shell (rsh)
GEN003840
The rexec Service Is Enabled
Disable Remote Exec (rexec)
GEN003860
The finger Service Is Enabled
Disable Finger
GEN003865
Network analysis tools enabled.
Disable Network Analysis Tools
GEN003920
hosts.lpd Ownership
Printer Configuration File Permissions
GEN003930
The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
Printer Configuration File Permissions
GEN003940
hosts.lpd Permissions
Printer Configuration File Permissions
GEN003960
The traceroute Command Ownership
Restrict Use of Traceroute and Ping
GEN003980
The traceroute Command Group Ownership
Restrict Use of Traceroute and Ping
GEN004000
The traceroute Command Permissions
Restrict Use of Traceroute and Ping
GEN004040
Browser Software Update Feature
Configure User Firefox Prefs
Firefox - Updating
GEN004100
Browser Allows Active Scripting
Firefox - Java
Firefox - JavaScript
GEN004120
Browser Data Redirection Warning
Firefox - Encryption
GEN004160
Browser Certificate Warning
Firefox - Encryption
GEN004200
Browser SSL Configuration
Firefox - Encryption
GEN004240
Browser Version
Disable Firefox if Older than 3.0
GEN004280
Browser Form Data Warning
Firefox - Privacy
GEN004300
Browser Secure and Non-secure Content Warning
Firefox - Privacy
GEN004320
Browser Leaving Encrypted Site Warning
Firefox - Privacy
GEN004360
aliases Ownership
Mail Agent Aliases Files Permissions
GEN004380
aliases Permissions
Mail Agent Aliases Files Permissions
GEN004440
Sendmail Logging
Configure Sendmail Options
GEN004460
Critical Level Sendmail Messages Logging
Log Critical Sendmail Messages
GEN004480
Critical Sendmail Log File Ownership
System Log File Permissions
GEN004500
Critical Sendmail Log File Permissions
System Log File Permissions
GEN004540
Sendmail Help Command
Disable Sendmail Help
GEN004560
Sendmail Greeting to Mask Version
Configure Sendmail Options
GEN004580
.forward Files
Configure Sendmail Options
GEN004600
Sendmail Version
Disable Sendmail if Older than 8.13.8
GEN004620
Sendmail DEBUG Command
Configure Sendmail Options
GEN004640
Sendmail DECODE Command
Disable Sendmail if Older than 8.13.8
GEN004660
Sendmail EXPN Command
Configure Sendmail Options
GEN004680
Sendmail VRFY Command
Configure Sendmail Options
GEN004700
Sendmail WIZ Command
Disable Sendmail if Older than 8.13.8
GEN004780
FTP or Telnet Userids and Passwords
Create ftpusers File
GEN004800
Unencrypted FTP or Telnet
Disable FTP (vsftpd)
Disable Telnet
GEN004820
Anonymous FTP
Remove ftp Account
GEN004880
The ftpusers File
Create ftpusers File
GEN004900
The ftpusers File Contents
Create ftpusers File
GEN004920
The ftpusers File Ownership
FTP Configuration File Permissions
GEN004930
The ftpusers file must be group-owned by root, bin,
sys, or system.
FTP Configuration File Permissions
GEN004940
The ftpusers File Permissions
FTP Configuration File Permissions
GEN004980
FTP Daemon Logging
Enable Vsftpd Additional Logging
GEN005040
FTP User's umask
Set FTP Umask (gssftp)
GEN005060
FSP Is Enabled
Disable Fspd
GEN005080
TFTP Secure Mode
Set TFTP Startup Directory
GEN005100
TFTP SUID/SGID Bit
Configure Permissions on /usr/bin/ldd
System Command File Permissions
GEN005180
.Xauthority File Permissions
Home Directory Contents
GEN005260
X Window System Not Required and Not Disabled
Disable Graphical Login
GEN005280
Disable UUCP
Disable UUCP
GEN005300
Changed SNMP Community Strings
Disable SNMP if Default Public String Exists
GEN005320
snmpd.conf Permissions
SNMP Configuration File Permissions
GEN005340
MIB File Permissions
Management Information Base (MIB) File
Permissions
GEN005360
snmpd.conf and .mib Ownership
Management Information Base (MIB) File
Permissions
SNMP Configuration File Permissions
GEN005365
The snmpd.conf file must be group-owned by root,
sys, bin, or system.
SNMP Configuration File Permissions
GEN005380
Dedicated Hardware for SNMP
Disable SNMP
GEN005390
The /etc/syslog.conf file must have mode 0640 or less
permissive.
System Logging Configuration File Permissions
GEN005400
/etc/syslog.conf Accessibility
System Logging Configuration File Permissions
GEN005420
/etc/syslog.conf Group Ownership
System Logging Configuration File Permissions
GEN005480
Syslog Accepts Remote Messages
Disable Remote Syslog
GEN005500
SSH Version 1 Compatibility
SSH Parameters
SSHD Protocol
GEN005600
Disable IP Forwarding
Disable IP Forwarding
GEN005640
Squid Web Proxy Authentication Header Vulnerability
Disable Squid if Older than 2.4STABLE6
GEN005660
Squid Web Proxy MSNT Auth Helper Vulnerability
Disable Squid if Older than 2.4STABLE6
GEN005680
Squid Web Proxy Version
Disable Squid if Older than 2.4STABLE6
GEN005740
Export Configuration File Ownership
NFS Export Configuration File Permissions
GEN005750
The NFS export configuration file must be group-owned by root, bin, sys, or system.
NFS Export Configuration File Permissions
GEN005760
Export Configuration File Permissions
NFS Export Configuration File Permissions
GEN005820
Deny NFS Client Access Without Userid
Deny NFS Client Access Without UID or GID
GEN006000
Public Instant Messaging Client is Installed
Disable Instant Messenger Client (Yahoo!)
Disable Instant Messenger Client (gaim)
GEN006040
Peer-to-Peer Application Authorization with DAA
Disable File Sharing Networks
GEN006060
Samba is Enabled
Disable SMB
GEN006100
smb.conf Ownership
Samba Configuration File Permissions
GEN006120
smb.conf Group Ownership
Samba Configuration File Permissions
GEN006140
smb.conf Permissions
Samba Configuration File Permissions
GEN006160
smbpasswd Ownership
Samba Password File Permissions
GEN006180
smbpasswd Group Ownership
Samba Password File Permissions
GEN006200
smbpasswd Permissions
Samba Password File Permissions
GEN006220
smb.conf Configuration
Remove SMB Guest Authentication
SMB Configuration
GEN006240
INN Documentation
Disable Innd
GEN006260
/etc/news/hosts.nntp Permissions
InterNetNews Config File Perms
GEN006280
/etc/news/hosts.nntp.nolimit Permissions
InterNetNews Config File Perms
GEN006300
/etc/news/nnrp.access Permissions
InterNetNews Config File Perms
GEN006320
/etc/news/passwd.nntp Permissions
InterNetNews Config File Perms
GEN006340
/etc/news Files Ownership
InterNetNews Config File Perms
GEN006360
/etc/news Files Group Ownership
InterNetNews Config File Perms
GEN006600
Access Control Program Logging
Log Critical Sendmail Messages
Secure Authpriv Logging
GEN008060
If the system is using LDAP for authentication or
account information, the /etc/ldap.conf (or equivalent)
file must have mode 0644 or less permissive.
LDAP Configuration File Permissions
GEN008080
If the system is using LDAP for authentication or
account information, the /etc/ldap.conf (or equivalent)
file must be owned by root.
LDAP Configuration File Permissions
GEN008100
If the system is using LDAP for authentication or
account information, the /etc/ldap.conf (or equivalent)
file must be group-owned by root, bin, sys, or system.
LDAP Configuration File Permissions
LNX00140
GRUB Boot Loader Encrypted Password
Require GRUB Password
LNX00160
grub.conf Permissions
Boot Loader Configuration File Permissions
LNX00220
/etc/lilo.conf Permissions
Boot Loader Configuration File Permissions
LNX00280
Capable of Dual Boot
GRUB Boot Single Image
LNX00300
The rpc.ugidd Daemon is Enabled
Disable rpc.ugidd
LNX00320
Special Privileged Accounts
Remove Halt User Account
Remove Shutdown User Account
Remove Sync User Account
LNX00340
Unnecessary Accounts
Remove Games User Account
Remove Gopher User Account
Remove News User Account
LNX00400
Access File Ownership
System Configuration File Permissions
LNX00420
Access File Group Ownership
System Configuration File Permissions
LNX00440
Access File Permissions
System Configuration File Permissions
LNX00480
/etc/sysctl.conf Ownership
Sysctl.conf Permissions
LNX00500
/etc/sysctl.conf Group Ownership
Sysctl.conf Permissions
LNX00520
/etc/sysctl.conf Permissions
Sysctl.conf Permissions
LNX00540
The insecure Option
Secure Option for NFS Server
LNX00560
The insecure_locks Option
Remove Insecure_Locks Option for NFS Server
LNX00580
Ctrl-Alt-Delete Sequence
Disable Ctrl-Alt-Del
LNX00600
PAM Configuration
Disable console.perms File
Disable PAM Console Library
LNX00620
/etc/securetty Group Ownership
System Configuration File Permissions
LNX00640
/etc/securetty Ownership
System Configuration File Permissions
LNX00660
/etc/securetty Permissions
System Configuration File Permissions
SOL00020
/etc/rmmount.conf Configuration
Use NOSUID and NODEV for Removable Media
SOL00060
audit_user Ownership
System Configuration File Permissions
SOL00080
audit_user Group Ownership
System Configuration File Permissions
SOL00100
audit_user Permissions
System Configuration File Permissions
SOL00240
/usr/asset/userlist Ownership
System Configuration File Permissions
SOL00260
/usr/asset/userlist Permissions
System Configuration File Permissions
DoD JAFAN 6/3 Oct 2004
The U.S. Joint Air Force-Army-Navy (JAFAN) 6/3 manual establishes the security policy and procedures for storing, processing, and
communicating classified DoD Special Access Program (SAP) information in information systems (ISs). It should also be noted that
the Director of Central Intelligence Directive (DCID) 6/3 was used as the model publication from which the JAFAN 6/3 Manual was
crafted.
27 Total number of line items in guideline
26 Items at least partially addressed by Security Blanket
1 Items not addressed by Security Blanket
Table A.9. DoD JAFAN 6/3 Oct 2004
Item | Title | Security Blanket Modules
4.B.1.a(2) | Identification and Authentication - Unique Users | Lock Non-Root Accounts with UID 0; No Empty Passwords
4.B.1.a(5) | Screen Lock | Set CDE Screen Saver; Set Mandatory Screen Saver; Set X Screen Saver Application Defaults; Set Shell Timeout Period
4.B.1.a(5)(a) | Screen Lock - Maximum Idle Time will be 15 minutes | Set CDE Screen Saver; Set Mandatory Screen Saver;
    Set X Screen Saver Application Defaults; Set Shell Timeout Period
4.B.1.a(6)(a) | Session Control - Login Warning Banners | Create Login Banner; Create Login FTP Banner; Create Pre-Login GUI Banner;
    Create Pre-Session GUI Banner; SSHD Enable Banner
4.B.1.a(6)(b) | Session Control - Login Warning Banners - Consent | Create Login Banner; Create Login FTP Banner;
    Create Pre-Login GUI Banner; Create Pre-Session GUI Banner; SSHD Enable Banner
4.B.1.b(2)(a) | Auditing - Date and time entity performed system action | Audit Rules; Audit Rules (Solaris); Enable the Audit Subsystem
4.B.1.b(2)(b) | Auditing - Protect contents of audit trails against unauthorized access | System Log File Permissions
4.B.1.b(2)(d)(1) | Auditing - Record Successful and unsuccessful logons and logoffs | Audit Rules; Audit Rules (Solaris)
4.B.1.b(2)(d)(2) | Auditing - Record accesses to security-relevant objects | Audit Rules; Audit Rules (Solaris)
4.B.1.b(2)(d)(3) | Auditing - Record activities at the system console | Audit Rules; Audit Rules (Solaris)
4.B.1.b(3)(e) | Identification and Authentication - Aging of static authenticators | Maximum Time Between Password Changes;
    Set Password Aging on Active Accounts
4.B.2.a(4)(a) | Auditing - Date and time entity performed system action (PL2) | Audit Rules (Solaris); Enable the Audit Subsystem
4.B.2.a(4)(b) | Auditing - Protect contents of audit trails against unauthorized access (PL2) | System Log File Permissions
4.B.2.a(4)(d)(1) | Auditing - Record Successful and unsuccessful logons and logoffs (PL2) | Audit Rules; Audit Rules (Solaris)
4.B.2.a(4)(d)(2) | Auditing - Record accesses to security-relevant objects (PL2) | Audit Rules; Audit Rules (Solaris)
4.B.2.a(4)(d)(3) | Auditing - Record activities at the system console (PL2) | Audit Rules; Audit Rules (Solaris)
4.B.2.a(16)(b) | Session Control - Station or session time-outs (PL2) | Enable the Audit Subsystem; SSHD Set Idle Timeout Interval for User Logins;
    Set CDE Screen Saver; Set Mandatory Screen Saver; Set X Screen Saver Application Defaults; Set Shell Timeout Period
4.B.2.a(17)(c) | | Lock Account after Three Failed Login Attempts
4.B.2.b(5)(a) | System Assurance - Control access to the security support structure (PL2) | Enable the Audit Subsystem
4.B.3.a(7) | Auditing - Record changes to the mechanism's list of user formal access permissions (PL3) | Audit Rules; Audit Rules (Solaris)
4.B.3.a(9)(e) | Identification and Authentication - Aging of static authenticators | Set Password Aging on Active Accounts
4.B.3.a(9)(f) | Identification and Authentication - Limiting reuse of static authenticators | Limit Password Reuse
4.B.3.a(17)(a) | Session Control - Station or session time-outs (PL3) | Enable the Audit Subsystem; SSHD Set Idle Timeout Interval for User Logins;
    Set CDE Screen Saver; Set Mandatory Screen Saver; Set X Screen Saver Application Defaults; Set Shell Timeout Period
4.B.3.a(20)(b) | | SSHD Set Idle Timeout Interval for User Logins; Set Shell Timeout Period
4.B.3.a(20)(c) | | Lock Account after Three Failed Login Attempts
4.B.4.a(6)(b) | | System Log File Permissions
DoD NISPOM Feb 2006
The U.S. National Industrial Security Program Operating Manual (NISPOM) provides baseline standards for the protection of
classified information released or disclosed to industry in connection with classified contracts under the NISP. The operating manual
is provided under the authority of DoD Directive 5220.22, "National Industrial Security Program (NISP)", September 27, 2004.
The manual consists of eleven primary chapters; additional information on the current interpretation of NISPOM
requirements can be found in Industrial Security Letters issued by the Defense Security Service (DSS). The following chapters
comprise the manual:
• CHAPTER 1 - General Provisions And Requirements
• CHAPTER 2 - Security Clearances
• CHAPTER 3 - Security Training and Briefings
• CHAPTER 4 - Classification and Marking
• CHAPTER 5 - Safeguarding Classified Information
• CHAPTER 6 - Visits and Meetings
• CHAPTER 7 - Subcontracting
• CHAPTER 8 - Information System Security
• CHAPTER 9 - Special Requirements
• CHAPTER 10 - International Security Requirements
• CHAPTER 11 - Miscellaneous Information
The majority of the NISPOM is policy and procedure oriented; however, Security Blanket can assist with satisfying some of the
requirements in "Chapter 8 - Information System Security".
14 Total number of line items in guideline
13 Items at least partially addressed by Security Blanket
1 Items not addressed by Security Blanket
Table A.10. DoD NISPOM Feb 2006
Item | Title | Security Blanket Modules
8.303a | Unique Identification | Audit Rules; Audit Rules (Solaris); Enable the Audit Subsystem; Lock Invalid Accounts;
    Lock Non-Root Accounts with UID 0; SSH Restrict Ciphers; SSH Restrict HMAC; SSHD Disable Root Login; SSHD Print Last Log;
    SSHD Restrict Ciphers; SSHD Restrict HMAC; SSHD Restrict Users and Groups; Secure Authpriv Logging
8.303b | Authentication at Login | No Empty Passwords; SSHD Disable Empty Passwords
8.303d | Access to Authentication Data | Password Perms; Shadow Perms
8.303i | Protection of Individual Passwords | Expired Password Invalidation; Maximum Time Between Password Changes; No Empty Passwords;
    Password Policy Consecutive Characters; Password Policy Different Characters; Password Policy Length Minimum;
    Password Policy Lowercase Minimum; Password Policy Numeric Minimum; Password Policy Special Characters;
    Password Policy Uppercase Minimum
8.602a1 | Automated Audit Trail Creation | Audit Rules; Audit Rules (Solaris); Cron Logging; Enable the Audit Subsystem;
    Enable Vsftpd Additional Logging; Log Critical Sendmail Messages; Secure Authpriv Logging
8.602a2 | Audit Trail Protection | System Log File Permissions
8.602d1 | Audit 4 Requirements | Audit Rules; Audit Rules (Solaris)
8.606b1 | Access 2 Requirements | At Directory Permissions; At/Cron Access File Permissions; Boot Loader Configuration File Permissions;
    Configure Permissions on /usr/bin/ldd; Correct Uneven File Permissions; Crontab Dir Perms; Crontab Perms; Crontab Script Perms;
    FTP Configuration File Permissions; Global Initialization File Permissions; Home Directory Contents; Home Directory Permissions;
    Hosts File Permissions; InterNetNews Config File Perms; Kernel Core Dump Directory Permissions; LDAP Configuration File Permissions;
    Mail Agent Aliases Files Permissions; Management Information Base (MIB) File Permissions; NFS Export Configuration File Permissions;
    NIS/NIS+/YP Configuration File Permissions; Name Service Switch Configuration File Permissions; Password Perms;
    Printer Configuration File Permissions; Resolver Configuration File Permissions; Restrict Use of Compiler Tools;
    Restrict Write Access on Man Pages; Root Home Directory Permissions; SNMP Configuration File Permissions; Secure Audio Devices;
    Secure SUID/SGID Executables; Secure Shell Binaries; Secure Unowned Files; Secure World Writable Devices;
    Secure World Writable Directories; Secure World Writable Files; Services File Permissions; Shadow Perms; Skeleton File Permissions;
    Sysctl.conf Permissions; System Command File Permissions; System Configuration File Permissions; System Device Directory Ownership;
    System Library File Permissions; System Log File Permissions; System Logging Configuration File Permissions;
    System Run Control Script Permissions; User Dot File Perms
8.607e | Identification and Authentication 5 Requirements | No Empty Passwords; SSHD Disable Empty Passwords
8.609a1 | User Notification | Create Login Banner; Create Login FTP Banner; Create Pre-Login GUI Banner; Create Pre-Session GUI Banner;
    SSHD Enable Banner
8.609a2 | Successive Logon Attempts | Lock Account after Three Failed Login Attempts; Set Delay after Failed Login
8.609b2 | User Inactivity | SSHD Set Idle Timeout Interval for User Logins; Set CDE Screen Saver; Set Mandatory Screen Saver;
    Set X Screen Saver Application Defaults; Set Shell Timeout Period
8.613a1 | Access to Protection Functions | Disable PAM Console Library; Require GRUB Password; Single User Mode Password
NERC Cyber Security - Electronic Security Perimeters CIP-005-3
The U.S. Federal Energy Regulatory Commission (FERC) has mandated Critical Infrastructure Protection (CIP) standards for the
energy industries. The FERC regulates and oversees energy industries in the economic, environmental, and safety interests of the
American public. The FERC is an independent agency that regulates the interstate transmission of natural gas, oil, and electricity.
FERC also regulates natural gas and hydropower projects.
In response to the commission's mandates, the North American Electric Reliability Corporation (NERC) maintains the series of
Critical Infrastructure Protection (CIP) standards. The CIPs consist of nine documents and Security Blanket can assist in satisfying
some of them.
• CIP-001-3 Sabotage Reporting
• CIP-002-3 Critical cyber asset identification
• CIP-003-3 Security management controls
• CIP-004-3 Personnel and training
• CIP-005-3 Electronic security perimeters
• CIP-006-3 Physical security of critical cyber assets
• CIP-007-3 Systems security management
• CIP-008-3 Incident reporting and response planning
• CIP-009-3 Recovery plans for critical cyber assets
Specifically, Security Blanket can assist with CIP-005 and CIP-007. The Security Blanket baselining technology can also assist in
satisfying the CIP-003-3-R6 requirement: "Change Control and Configuration Management". This requirement states:
The Responsible Entity shall establish and document a process of change control and configuration management
for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement support
configuration management activities to identify, control and document all entity or vendor-related changes to
hardware and software components of Critical Cyber Assets pursuant to the change control process.
Once a system has been configured, a periodic system snapshot of the system using Security Blanket can assist in quickly identifying
and documenting changes. Use Security Blanket's baseline comparison feature to identify a system's network, hardware, routing, and
firewall configuration as well as changes in its software inventory.
3 Total number of line items in guideline
3 Items at least partially addressed by Security Blanket
0 Items not addressed by Security Blanket
Table A.11. Guideline name/description for NERC Cyber Security - Electronic Security Perimeters CIP-005-3
Line Item | Description Item
CIP-005-3-R2.2 | Enable only ports and services needed for operations
CIP-005-3-R2.6 | Appropriate Use Banner
CIP-005-3-R4.4 | Review of controls for default accounts, passwords, and network management community strings
Table A.12. Module to line item breakdown for NERC Cyber Security - Electronic Security Perimeters CIP-005-3
Security Blanket Module | R2.2 | R2.6 | R4.4
Block System Accounts | X
Create Login Banner | X
Create Login FTP Banner | X
Create Pre-Login GUI Banner | X
Create Pre-Session GUI Banner | X
Disable Apache | X
Disable Avahi Daemon | X
Disable Bluetooth | X
Disable Bluetooth Kernel Modules | X
Disable Boot Caching | X
Disable CDE Calendar Manager Server | X
Disable CDE ToolTalk Database Server | X
Disable CPU Throttling | X
Disable Console Mouse Support | X
Disable DNS | X
Disable Dhcpd | X
Disable FTP (gssftp) | X
Disable FTP (vsftpd) | X
Disable File Sharing Networks | X
Disable Finger | X
Disable Firstboot Service | X
Disable Fspd | X
Disable GSS Daemon | X
Disable Gated | X
Disable Graphical Login | X
Disable HAL Daemon | X
Disable HP Printing and Imaging | X
Disable IA32 Microcode Utility | X
Disable IRQ Balance Service | X
Disable ISDN | X
Disable Inetd | X
Disable Innd | X
Disable Java Web Console | X
Disable Kerberos TGT Expiration Warning | X
Disable Kudzu | X
Disable LDAP Client Cache Manager | X
Disable Login Prompts on Serial Ports | X
Disable Mail (Cyrus Mail Server) | X
Disable Mail (Dovecot Mail Server) | X
Disable MySQL | X
Disable NFS Client | X
Disable NFS Server | X
Disable NIS Client | X
Disable NIS Server | X
Disable Portmap Daemon | X
Disable Postgresql | X
Disable Power Management | X
Disable Printer Configuration Daemon | X
Disable Printer Daemon | X
Disable RPC Keyserv | X
Disable Remote Exec (rexec) | X
Disable Remote Login (rlogin) | X
Disable Remote Shell (rsh) | X
Disable Remote Syslog | X
Disable Rhnsd | X
Disable Rhosts Support | X
Disable Routed | X
Disable SMART Disk Monitoring Support | X
Disable SMB | X
Disable SNMP | X
Disable SNMP if Default Public String Exists | X
Disable Sendmail | X
Disable Smart Card Support | X
Disable Solaris Volume Manager | X
Disable Solaris Volume Manager GUI | X
Disable Squid | X
Disable TFTP | X
Disable Telnet | X
Disable Tux | X
Disable USB and PCMCIA Devices | X
Disable UUCP | X
Disable WBEM | X
Disable Webmin | X
Disable XFS | X
Disable atd Service | X
Disable rpc.ugidd | X
Remove Telnet Service Banner | X
Restrict the CDE Subprocess Control Service | X
SSHD Enable Banner | X
NERC Cyber Security - Systems Security Management CIP-007-3
The U.S. Federal Energy Regulatory Commission (FERC) has mandated Critical Infrastructure Protection (CIP) standards for the
energy industries. The FERC regulates and oversees energy industries in the economic, environmental, and safety interests of the
American public. The FERC is an independent agency that regulates the interstate transmission of natural gas, oil, and electricity.
FERC also regulates natural gas and hydropower projects.
In response to the commission's mandates, the North American Electric Reliability Corporation (NERC) maintains the series of
Critical Infrastructure Protection (CIP) standards. The CIPs consist of nine documents and Security Blanket can assist in satisfying
some of them.
• CIP-001-3 Sabotage Reporting
• CIP-002-3 Critical cyber asset identification
• CIP-003-3 Security management controls
• CIP-004-3 Personnel and training
• CIP-005-3 Electronic security perimeters
• CIP-006-3 Physical security of critical cyber assets
• CIP-007-3 Systems security management
• CIP-008-3 Incident reporting and response planning
• CIP-009-3 Recovery plans for critical cyber assets
Specifically, Security Blanket can assist with CIP-005 and CIP-007. The Security Blanket baselining technology can also assist in
satisfying the CIP-003-3-R6 requirement: "Change Control and Configuration Management". This requirement states:
The Responsible Entity shall establish and document a process of change control and configuration management
for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement support
configuration management activities to identify, control and document all entity or vendor-related changes to
hardware and software components of Critical Cyber Assets pursuant to the change control process.
Once a system has been configured, a periodic system snapshot of the system using Security Blanket can assist in quickly identifying
and documenting changes. Use Security Blanket's baseline comparison feature to identify a system's network, hardware, routing, and
firewall configuration as well as changes in its software inventory.
6 Total number of line items in guideline
6 Items at least partially addressed by Security Blanket
0 Items not addressed by Security Blanket
Table A.13. Guideline name/description for NERC Cyber Security - Systems Security Management CIP-007-3
Line Item | Description Item
CIP-007-3-R2.2 | Disable ports and services not needed for operations
CIP-007-3-R5.1.2 | Generate logs of sufficient detail to create historical audit trails of individual user account access
CIP-007-3-R5.2.1 | Remove, disable, or rename factory default accounts
CIP-007-3-R5.3.1 | Passwords shall be a minimum of six characters
CIP-007-3-R5.3.2 | Passwords shall consist of a combination of alpha, numeric, and special characters
CIP-007-3-R5.3.3 | Passwords shall be changed at least annually
Table A.14. Module to line item breakdown for NERC Cyber Security - Systems Security Management CIP-007-3
Security Blanket Module | R2.2 | R5.1.2 | R5.2.1 | R5.3.1 | R5.3.2 | R5.3.3
Audit Rules | X
Audit Rules (Solaris) | X
Block System Accounts | X
Cron Logging | X
Disable Apache | X
Disable Avahi Daemon | X
Disable Bluetooth | X
Disable Bluetooth Kernel Modules | X
Disable Boot Caching | X
Disable CDE Calendar Manager Server | X
Disable CDE ToolTalk Database Server | X
Disable CPU Throttling | X
Disable Console Mouse Support | X
Disable DNS | X
Disable Dhcpd | X
Disable FTP (gssftp) | X
Disable FTP (vsftpd) | X
Disable File Sharing Networks | X
Disable Finger | X
Disable Firstboot Service | X
Disable Fspd | X
Disable GSS Daemon | X
Disable Gated | X
Disable Graphical Login | X
Disable HAL Daemon | X
Disable HP Printing and Imaging | X
Disable IA32 Microcode Utility | X
Disable IRQ Balance Service | X
Disable ISDN | X
Disable Inetd | X
Disable Innd | X
Disable Java Web Console | X
Disable Kerberos TGT Expiration Warning | X
Disable Kudzu | X
Disable LDAP Client Cache Manager | X
Disable Login Prompts on Serial Ports | X
Disable Mail (Cyrus Mail Server) | X
Disable Mail (Dovecot Mail Server) | X
Disable MySQL | X
Disable NFS Client | X
Disable NFS Server | X
Disable NIS Client | X
Disable NIS Server | X
Disable Portmap Daemon | X
Disable Postgresql | X
Disable Power Management | X
Disable Printer Configuration Daemon | X
Disable Printer Daemon | X
Disable RPC Keyserv | X
Disable Remote Exec (rexec) | X
Disable Remote Login (rlogin) | X
Disable Remote Shell (rsh) | X
Disable Remote Syslog | X
Disable Rhnsd | X
Disable Rhosts Support | X
Disable Routed | X
Disable SMART Disk Monitoring Support | X
Disable SMB | X
Disable SNMP | X
Disable Sendmail | X
Disable Smart Card Support | X
Disable Solaris Volume Manager | X
Disable Solaris Volume Manager GUI | X
Disable Squid | X
Disable TFTP | X
Disable Telnet | X
Disable Tux | X
Disable USB and PCMCIA Devices | X
Disable UUCP | X
Disable WBEM | X
Disable Webmin | X
Disable XFS | X
Disable atd Service | X
Disable rpc.ugidd | X
Enable the Audit Subsystem | X
Enable Vsftpd Additional Logging | X
Log Critical Sendmail Messages | X
Maximum Time Between Password Changes | X
No Empty Passwords | X
Password Policy Consecutive Characters | X
Password Policy Different Characters | X
Password Policy Length Minimum | X
Password Policy Lowercase Minimum | X
Password Policy Numeric Minimum | X
Password Policy Special Characters | X
Password Policy Uppercase Minimum | X
Remove Games User Account | X
Remove Gopher User Account | X
Remove Halt User Account | X
Remove News User Account | X
Remove Shutdown User Account | X
Remove Sync User Account | X
Remove ftp Account | X
Restrict the CDE Subprocess Control Service | X
SSHD Disable Empty Passwords | X
SSHD Logging Level | X
Secure Authpriv Logging | X
NIST FISMA SP 800-53
NIST Special Publication 800-53 (Rev. 3)
The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a U.S. federal law enacted in
2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The U.S. National Institute of Standards and
Technology (NIST) publishes the recommended security controls for Federal Information Systems and Organizations.
25 Total number of line items in guideline
24 Items at least partially addressed by Security Blanket
1 Items not addressed by Security Blanket
Table A.15. Guideline name/description for NIST FISMA SP 800-53
Line Item | Description Item
AC-2 | Account Management
AC-3 | Access Enforcement
AC-7 | Unsuccessful Login Attempts
AC-8 | System Use Notification
AC-11 | Session Lock
AC-12 | Session Termination
AC-14 | Permitted Actions w/o Identification or Authentication
AC-17 | Remote Access
AC-18 | Wireless Access Restrictions
AC-19 | Access Control for Portable and Mobile Systems
AC-20 | Personally Owned Information Systems
AU-1 | Audit and Accountability Policy and Procedures
AU-2 | Auditable Events
AU-3 | Content of Audit Records
AU-4 | Audit Storage Capacity
AU-8 | Time Stamps
AU-9 | Protection of Audit Information
AU-10 | Non-repudiation
AU-11 | Audit Retention
IA-2 | User Identification and Authentication
IA-5 | Authenticator Management
IA-6 | Authenticator Feedback
SC-5 | Denial of Service Protection
SC-9 | Transmission Confidentiality
Table A.16. Module to line item breakdown for NIST FISMA SP 800-53
Security Blanket Module | AC-2 | AC-3 | AC-7 | AC-8 | AC-11 | AC-12 | AC-14 | AC-17 | AC-18 | AC-19 | AC-20 | AU-1 | AU-2 | AU-3 | AU-4 | AU-8 | AU-9 | AU-10 | AU-11 | IA-2 | IA-5 | IA-6 | SC-5 | SC-9
ARP Cleanup Interval | X
ARP IRE_CACHE Cleanup Interval | X
Adjust Maximum Pending Connections | X
At Directory Permissions | X
At/Cron Access File Permissions | X
Audit Log Rotation | X
Audit Rules | X X X X
Audit Rules (Solaris) | X X X X
Block System Accounts | X
Configure Permissions on /usr/bin/ldd | X
Correct Uneven File Permissions | X X
Create Login FTP Banner | X
Create Pre-Login GUI Banner | X
Create Pre-Session GUI Banner | X X
Cron Logging | X
Crontab Dir Perms | X
Crontab Perms | X
Crontab Script Perms | X
Daemon Umask | X
Default umask | X
Deny NFS Client Access Without UID or GID | X X
Disable Accepting ICMP Redirects | X
Disable Accepting Secure Redirects | X
Disable Bluetooth | X
Disable Bluetooth Input Devices Daemon | X
Disable Bluetooth Kernel Modules | X
Disable FTP (gssftp) | X
Disable FTP (vsftpd) | X X
Disable IP Forwarding | X
Disable IRDA Service | X
Disable Kudzu
Disable PAM Console Library
X
Create Login Banner
Create ftpusers File
X
X
Disable Sending ICMP Redirects | X
Disable Source Routing | X
Disable Telnet | X
Disable USB and PCMCIA Devices | X
Enable Reverse Path Source Validation
Enable Stack Protection
X
X
Enable Strong TCP Sequence Number Generation | X
Enable TCP Syncookies | X
Enable the Audit Subsystem | X
Enable Vsftpd Additional Logging | X X X X
Expired Password Invalidation | X
FTP Configuration File Permissions | X
Global Initialization File Permissions | X
Home Directory Contents | X
Home Directory Ownership | X
Home Directory Permissions | X
Hosts File Permissions | X
Ignore ICMP ECHO and TIMESTAMP Requests | X
InterNetNews Config File Perms | X
Kernel Core Dump Directory Permissions | X
LDAP Configuration File Permissions | X
Limit Access To Root From Su | X X
Limit Term Write Access to Owner | X
Lock Invalid Accounts | X
Lock Non-Root Accounts with UID 0 | X X
Lock Account after Three Failed Login Attempts | X
Log Critical Sendmail Messages | X X X
Configure System to Log 'martian' Network Packets | X
Mail Agent Aliases Files Permissions | X
Management Information Base (MIB) File Permissions | X
Maximum Time Between Password Changes | X
Minimum Delay Between Password Changes | X
NFS Export Configuration File Permissions | X
NIS/NIS+/YP Configuration File Permissions | X
Name Service Switch Configuration File Permissions | X
No Empty Passwords | X
PHP - Set Error Logging | X X
Password Expiration Warning
Password Perms
X
X
X
X
Password Policy Consecutive Characters | X
Password Policy Different Characters | X X
Password Policy Length Minimum | X
Password Policy Lowercase Minimum | X
Password Policy Numeric Minimum | X
Password Policy Special Characters | X
Password Policy Uppercase Minimum | X
Printer Configuration File Permissions | X
Remove Games User Account | X
Remove Gopher User Account | X
Remove Halt User Account | X
Remove Insecure_Locks Option for NFS Server | X
Remove News User Account | X
Remove SMB Guest Authentication | X X
Remove Shutdown User Account | X
Remove Sync User Account | X
Remove ftp Account | X
Resolver Configuration File Permissions | X
Restrict Use of Compiler Tools | X
Restrict Use of Traceroute and Ping | X
Restrict Write Access on Man Pages | X
Restrict use of Mesg Command | X
Root Console Only Logins | X
Root Home Directory Permissions | X
SNMP Configuration File Permissions | X
SSH Disable GSSAPI Authentication | X
SSHD Disable Empty Passwords | X
SSHD Disable GSSAPI Authentication | X
SSHD Disable Hostbased Authentication | X
SSHD Disable Kerberos Authentication | X
SSHD Disable Rhosts Authentication | X
SSHD Disable Rhosts RSA Authentication | X
SSHD Enable Banner
X
X
SSHD Enable X11 Forwarding
SSHD Set Compression
X
X
SSHD Set Idle Timeout Interval for User Logins | X
SSHD Strict Mode Checking | X
SSHD Use Privilege Separation | X
Samba Configuration File Permissions | X X
Samba Password File Permissions | X X
Secure Audio Devices | X
Secure Authpriv Logging | X
Secure Netrc Files | X
Secure SUID/SGID Executables | X
Secure Shell Binaries | X X X
Secure Unowned Files | X X
Secure World Writable Devices | X X
Secure World Writable Directories | X X
Secure World Writable Files | X X
Services File Permissions | X
Set CDE Screen Saver
Set FTP Umask (gssftp)
X
X
Set Mandatory Screen Saver | X
Set Password Aging on Active Accounts | X
Set X Screen Saver Application Defaults | X
Set Delay after Failed Login | X
Set Shell Timeout Period | X
Shadow Perms | X
Skeleton File Permissions | X
Sync Shells File | X
Sysctl.conf Permissions | X
System Command File Permissions | X
System Configuration File Permissions | X
System Device Directory Ownership | X
System Library File Permissions | X
System Log File Permissions | X
System Logging Configuration File Permissions | X
System Run Control Script Permissions | X X X X
User Dot File Perms | X
NSA Guide to the Secure Configuration of RHEL5 Rev. 4.2 / Aug 2011
The National Security Agency/Central Security Service (NSA/CSS) is home to America's codemakers and codebreakers. The Central
Security Service was established in 1972 to promote a full partnership between NSA and the cryptologic elements of the armed forces.
NSA/CSS is unique among the U.S. defense agencies because of its government-wide responsibilities. NSA/CSS provides products
and services to the Department of Defense, the Intelligence Community, government agencies, industry partners, and select allies and
coalition partners.
NSA's Information Assurance Mission focuses on protecting National Security Information and Information Systems, in accordance
with National Security Directive 42. As such, their lines of business include: IA Guidance, Security Engineering, and Integrated
Computer Network Operations. Security Blanket supports many of the items identified in their Guide to the Secure Configuration of
Red Hat Enterprise Linux 5 [1].
187 Total number of line items in guideline
124 Items at least partially addressed by Security Blanket
63 Items not addressed by Security Blanket
Table A.17. NSA Guide to the Secure Configuration of RHEL5 Rev. 4.2 / Aug 2011
Item
Title
Security Blanket Modules
2.1.1.1.1
Create Separate Partition or Logical Volume for /tmp
Check for Separate /tmp File System
2.1.1.1.2
Create Separate Partition or Logical Volume for /var
Check for Separate /var File System
2.1.1.1.3
Create Separate Partition or Logical Volume for /var/
log
Check for Separate /var/log File System
2.1.1.1.4
Create Separate Partition or Logical Volume for /var/
log/audit
Check for Separate /var/log/audit File System
2.1.1.1.5
Create Separate Partition or Logical Volume for /home Check for Separate /home File System
2.1.2.2
Disable the rhnsd Daemon
Disable Rhnsd
2.2.1.1
Add nodev Option to Non-Root Local Partitions
Use NODEV Option for Non-Root Partitions
Use NOSUID and NODEV for Removable Media
2.2.1.4
Bind-mount /var/tmp/to /tmp
Bind Mount /var/tmp to /tmp
Disable Modprobe Loading of USB Storage Driver
Disable USB and PCMCIA Devices
2.2.2.3
Disable the Automounter if Possible
Disable NFS Client
2.2.2.4
Disable GNOME Automounting if Possible
Disable GNOME Automounting
2.2.2.5
Disable Mounting of Uncommon Filesystem Types
Disable Mounting of Uncommon Filesystem Types
2.2.3.1
Verify Permissions on passwd, shadow, group and
gshadow Files
Password Perms
Shadow Perms
2.2.3.2
Verify that All World-Writable Directories Have
Sticky Bits Set
Secure World Writable Directories
2.2.3.3
Find Unauthorized World-Writable Files
Secure World Writable Devices
Secure World Writable Files
2.2.3.4
Find Unauthorized SUID/SGID System Executables
Secure SUID/SGID Executables
2.2.2.2.1
1
http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml
Security Blanket® Modules Guide
Export Controlled - See Sheet 1
359
Cross Reference to Guidelines
Item | Title | Security Blanket Modules
2.2.3.5 | Find and Repair Unowned Files | Secure Unowned Files
2.2.4.1 | Set Daemon umask | Daemon Umask
2.2.4.2 | Disable Core Dumps | Disable Core Dumps
2.2.4.2.1 | Ensure SUID Core Dumps are Disabled | Disable SUID Core Dumps
2.2.4.3 | Enable ExecShield | Enable ExecShield Kernel Module
2.2.4.4 | Enable Execute Disable (XD) or No Execute (NX) Support on 32-bit x86 Systems | Check Kernel for XD/NX Support
2.2.4.5.1 | Disable Prelink | Disable Prelinking
2.2.4.5.2 | Undo Existing Prelinking | Disable Prelinking
2.3.1.1 | Restrict Root Logins to System Console | Root Console Only Logins
2.3.1.2 | Limit su Access to the Root Account | Limit Access To Root From Su
2.3.1.4 | Block Shell and Login Access for Non-Root System Accounts | Block System Accounts
2.3.1.5 | Verify that No Accounts Have Empty Password Fields | No Empty Passwords
2.3.1.6 | Verify that No Non-Root Accounts Have UID 0 | Lock Non-Root Accounts with UID 0
2.3.1.7 | Set Password Expiration Parameters | Maximum Time Between Password Changes; Minimum Delay Between Password Changes; Password Expiration Warning; Set Password Aging on Active Accounts
2.3.1.8 | Remove Legacy '+' Entries from Password Files | No Plus Entries in Password Files
2.3.3.1.1 | Set Password Quality Requirements, if using pam_cracklib | Password Policy Consecutive Characters; Password Policy Different Characters; Password Policy Length Minimum; Password Policy Lowercase Minimum; Password Policy Numeric Minimum; Password Policy Special Characters; Password Policy Uppercase Minimum
2.3.3.2 | Set Lockouts for Failed Password Attempts | Lock Account after Three Failed Login Attempts
2.3.3.6 | Limit Password Reuse | Limit Password Reuse
2.3.4.1 | Ensure that No Dangerous Directories Exist in Root's Path | Root Path
2.3.4.2 | Ensure that User Home Directories are not Group-Writable or World-Readable | Root Path
2.3.4.3 | Ensure that User Dot-Files are not World-writable | User Dot File Perms
2.3.5.2 | Set Boot Loader Password | Boot Loader Configuration File Permissions; Require GRUB Password
2.3.5.3 | Require Authentication for Single-User Mode | Single User Mode Password
2.3.5.4 | Disable Interactive Boot | Disable Interactive Boot
2.3.5.5 | Implement Inactivity Time-out for Login Shells | Set Shell Timeout Period
2.3.5.6.1 | Configure GUI Screen Locking | Set Mandatory Screen Saver
2.3.7.1 | Modify the System Login Banner | Create Login Banner; Create Pre-Login GUI Banner; Create Pre-Session GUI Banner
2.4.2 | Enable SELinux | Ensure SELinux is Properly Enabled
2.4.2.1 | Ensure SELinux is Properly Enabled | Ensure SELinux is Properly Enabled
2.4.3.1 | Disable and Remove SETroubleshoot if Possible | Disable SETroubleshoot
2.4.3.2 | Disable MCS Translation Service (mcstrans) if Possible | Disable MCS Translation Service
2.4.3.3 | Disable Restorecon Service | Disable Restorecon
2.5.3.1.1 | Disable Automatic Loading of IPv6 Kernel Module | Disable IPv6 Kernel Module
2.5.4.1 | How TCP Wrapper Protects Services | Enable TCP Wrappers
2.5.4.4 | Monitor Syslog for Relevant Connections and Failures | Secure Authpriv Logging
2.5.5.1 | Inspect and Activate Default Rules | Enable Ip6tables; Enable Iptables
2.5.7.1 | Disable Support for DCCP | Disable Support for DCCP
2.5.7.2 | Disable Support for SCTP | Disable Support for SCTP
2.5.7.3 | Disable Support for RDS | Disable Support for RDS
2.5.7.4 | Disable Support for TIPC | Disable Support for TIPC
2.6.1.1.2 | Confirm Existence and Permissions of System Log Files | System Log File Permissions
2.6.2.1 | Enable the auditd Service | Enable the Audit Subsystem
2.6.2.3 | Enable Auditing for Processes Which Start Prior to the Audit Daemon | Enable Auditing For All Processes
2.6.2.4 | Configure auditd Rules for Comprehensive Auditing | Audit Rules
3.1.3 | Guidance for Unfamiliar Services | Disable FTP (gssftp); Disable Finger; Disable Fspd; Disable Gated; Disable Inetd; Disable Innd; Disable Mail (Cyrus Mail Server); Disable Remote Exec (rexec); Disable Remote Login (rlogin); Disable Remote Shell (rsh); Disable Routed; Disable Telnet; Disable Tux; Disable UUCP; Disable Webmin; Disable rpc.ugidd
3.2.3.2 | Remove .rhosts Support from PAM Configuration Files | Disable Rhosts Support
3.2.4 | NIS (Disable) | Disable NIS Client
3.2.5 | TFTP Server | Disable TFTP
3.3.1 | Installation Helper Service (firstboot) | Disable Firstboot Service
3.3.2 | Console Mouse Service (gpm) | Disable Console Mouse Support
3.3.3 | Interrupt Distribution on Multiprocessor Systems (irqbalance) | Disable IRQ Balance Service
3.3.4 | ISDN Support (isdn) | Disable ISDN
3.3.5 | Kdump Kernel Crash Analyzer (kdump) | Disable Kernel Crash Analyzer
3.3.6 | Kudzu Hardware Probing Utility (kudzu) | Disable Kudzu
3.3.7 | Software RAID Monitor (mdmonitor) | Disable Software RAID Monitor
3.3.8 | IA32 Microcode Utility (microcode_ctl) | Disable IA32 Microcode Utility
3.3.9.3 | Disable Zeroconf Networking | Disable Zeroconf Networking
3.3.10 | Smart Card Support (pcscd) | Disable Smart Card Support
3.3.11 | SMART Disk Monitoring Support (smartd) | Disable SMART Disk Monitoring Support
3.3.12 | Boot Caching (readahead_early/readahead_later) | Disable Boot Caching
3.3.13.2 | HAL Daemon (haldaemon) | Disable HAL Daemon
3.3.14.1 | Bluetooth Host Controller Interface Daemon (bluetooth) | Disable Bluetooth
3.3.14.2 | Bluetooth Input Devices (hidd) | Disable Bluetooth Input Devices Daemon
3.3.14.3 | Disable Bluetooth Kernel Modules | Disable Bluetooth Kernel Modules
3.3.15.1 | Advanced Power Management Subsystem (apmd) | Disable Power Management
3.3.15.2 | Advanced Configuration and Power Interface (acpid) | Disable ACPI Daemon
3.3.15.3 | CPU Throttling (cpuspeed) | Disable CPU Throttling
3.3.16.1 | Disable the irda Service if Possible | Disable IRDA Service
3.3.17.1 | Disable the Raw Devices Daemon if Possible | Disable Raw Devices Service
3.4.2 | Restrict Permissions on Files Used by cron | At/Cron Access File Permissions; Crontab Perms; Crontab Script Perms
3.4.3 | Disable at if Possible | Disable atd Service
3.5.2.1 | Ensure Only Protocol 2 Connections Allowed | SSHD Protocol
3.5.2.3 | Set Idle Timeout Interval for User Logins | SSHD Set Idle Timeout Interval for User Logins
3.5.2.4 | Disable .rhosts Files | SSHD Disable Rhosts Authentication; SSHD Enable Ignore Rhosts
3.5.2.5 | Disable Host-Based Authentication | SSHD Disable Host-based Authentication
3.5.2.6 | Disable root Login via SSH | SSHD Disable Root Login
3.5.2.7 | Disable Empty Passwords | SSHD Disable Empty Passwords
3.5.2.8 | Enable a Warning Banner | SSHD Enable Banner
3.6.1.1 | Disable X Windows at System Boot | Disable Graphical Login
3.6.1.3.1 | Disable X Font Server | Disable XFS
3.6.1.3.2 | Disable X Window System Listening | Restrict Remote X Clients
3.7.1 | Disable Avahi Server if Possible | Disable Avahi Daemon
3.8.1 | Disable the CUPS Service if Possible | Disable Printer Daemon
3.8.3.1.1 | Disable Printer Browsing Entirely if Possible | Disable CUPS Printer Browsing
3.8.4.1 | Disable HPLIP Service if Possible | Disable HP Printing and Imaging
3.9.3 | Disable DHCP Server if Possible | Disable Dhcpd
3.11.2.1 | Disable the Listening Sendmail Daemon | Disable Sendmail
3.11.3.2 | Configure SMTP Greeting Banner | Configure Sendmail Options
3.11.5.2 | Configure SMTP Greeting Banner | Configure Sendmail Options
3.13.1.1 | Disable Services Used Only by NFS | Disable NFS Client
3.13.1.2 | Disable netfs if Possible | Disable NetFS
3.13.1.3 | Disable RPC Portmapper if Possible | Disable Portmap Daemon
3.13.3.1 | Disable NFS Server Daemons | Disable NFS Client
3.13.4.1.3 | Restrict NFS Clients to Privileged Ports | Secure Option for NFS Server
3.14.1 | Disable DNS Server if Possible | Disable DNS
3.15.1 | Disable vsftpd if Possible | Disable FTP (vsftpd)
3.15.3.2 | Create Warning Banners for All FTP Users | Create Login FTP Banner
3.16.1 | Disable Apache if Possible | Disable Apache
3.16.4.4.1 | Configure PHP Securely | PHP - Disallow HTTP File Uploads; PHP - General Security; PHP - Set Error Logging
3.17.1 | Disable Dovecot if Possible | Disable Mail (Dovecot Mail Server)
3.18.1 | Disable Samba if Possible | Disable SMB
3.18.2.2.1 | Use user Security for Servers Not in a Domain Context | SMB Configuration
3.18.2.3 | Disable Guest Access and Local Login Support | SMB Configuration
3.18.2.5 | Set the Allowed Authentication Negotiation Levels | SMB Configuration
3.18.2.9 | Require Server SMB Packet Signing | SMB Configuration
3.18.2.10 | Require Client SMB Packet Signing | SMB Configuration
3.19.1 | Disable Squid if Possible | Disable Squid
3.20.1 | Disable SNMP Server if Possible | Disable SNMP
NVD CCE
The Common Configuration Enumeration (CCE) list provides unique identifiers to security-related system configuration issues in
order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and
tools.
Total number of line items in guideline: 172
Items at least partially addressed by Security Blanket: 172
Items not addressed by Security Blanket: 0
Table A.18. NVD CCE
Item | Security Blanket Modules
CCE-3276-3 | Password Perms; Shadow Perms
CCE-3315-9 | Set Mandatory Screen Saver
CCE-3399-3 | Secure World Writable Directories
CCE-3412-4 | Disable Firstboot Service
CCE-3416-5 | Disable Rhnsd
CCE-3425-6 | Disable Kernel Crash Analyzer
CCE-3455-3 | Disable SMART Disk Monitoring Support
CCE-3485-0 | Root Console Only Logins
CCE-3495-9 | Password Perms; Shadow Perms
CCE-3522-0 | Use NOSUID and NODEV for Removable Media
CCE-3535-2 | Disable GSS Daemon
CCE-3562-6 | Disable IPv6 Kernel Module
CCE-3566-7 | Password Perms; Shadow Perms
CCE-3573-3 | Secure Unowned Files
CCE-3578-2 | Disable DNS
CCE-3622-8 | Disable NIS Server
CCE-3624-4 | Ensure SELinux is Properly Enabled
CCE-3650-9 | Disable Solaris Volume Manager GUI
CCE-3660-8 | SSHD Disable Empty Passwords
CCE-3662-4 | Disable WBEM
CCE-3668-1 | Disable MCS Translation Service
CCE-3689-7 | Set Shell Timeout Period
CCE-3701-0 | System Log File Permissions
CCE-3705-1 | Disable NIS Client
CCE-3707-7 | Set Shell Timeout Period
CCE-3755-6 | Disable Printer Daemon
CCE-3818-2 | Require GRUB Password
CCE-3847-1 | Disable Mail (Dovecot Mail Server)
CCE-3854-7 | Disable Software RAID Monitor
CCE-3857-0 | Remove Insecure_Locks Option for NFS Server
CCE-3883-6 | Password Perms; Shadow Perms
CCE-3910-7 | Set Mandatory Screen Saver
CCE-3918-0 | Password Perms; Shadow Perms
CCE-3919-8 | Disable FTP (vsftpd)
CCE-3923-0 | System Configuration File Permissions
CCE-3950-3 | Disable Portmap Daemon
CCE-3958-6 | Password Perms; Shadow Perms
CCE-3967-7 | Password Perms; Shadow Perms
CCE-3977-6 | Ensure SELinux is Properly Enabled
CCE-3987-5 | Block System Accounts
CCE-3988-3 | Password Perms; Shadow Perms
CCE-3999-0 | Ensure SELinux is Properly Enabled
CCE-4009-7 | Lock Non-Root Accounts with UID 0
CCE-4042-8 | Use NOSUID and NODEV for Removable Media; Use NOSUID on User Filesystems
CCE-4051-9 | Disable CPU Throttling
CCE-4060-0 | Create Login Banner
CCE-4072-5 | Disable NFS Client
CCE-4074-1 | Restrict Remote X Clients
CCE-4075-8 | Audit Rules; Audit Rules (Solaris); System Accounting
CCE-4092-3 | Maximum Time Between Password Changes
CCE-4097-2 | Password Expiration Warning
CCE-4100-4 | Disable Smart Card Support
CCE-4112-9 | Disable Printer Daemon
CCE-4114-5 | No Plus Entries in Password Files
CCE-4123-6 | Disable IRQ Balance Service
CCE-4129-3 | Disable Restorecon
CCE-4130-1 | Password Perms; Shadow Perms
CCE-4144-2 | System Configuration File Permissions
CCE-4146-7 | Enable ExecShield Kernel Module
CCE-4154-1 | Password Policy Consecutive Characters; Password Policy Different Characters; Password Policy Length Minimum
CCE-4168-1 | Enable ExecShield Kernel Module
CCE-4172-3 | Check Kernel for XD/NX Support
CCE-4180-6 | Minimum Delay Between Password Changes
CCE-4187-1 | Disable USB and PCMCIA Devices
CCE-4197-0 | System Configuration File Permissions
CCE-4211-9 | Disable Kudzu
CCE-4220-0 | Daemon Umask
CCE-4223-4 | Secure Unowned Files
CCE-4225-9 | Disable Core Dumps
CCE-4229-1 | Disable Console Mouse Support
CCE-4231-7 | Disable GNOME Automounting
CCE-4233-3 | System Log File Permissions
CCE-4240-8 | User Mountable Media
CCE-4241-6 | Single User Mode Password
CCE-4245-7 | Disable Interactive Boot
CCE-4247-3 | Disable SUID Core Dumps
CCE-4249-9 | Use NODEV Option for Non-Root Partitions
CCE-4254-9 | Disable SETroubleshoot
CCE-4269-3 | Disable Solaris Volume Manager
CCE-4273-9 | Disable TFTP
CCE-4279-6 | Disable LDAP Client Cache Manager
CCE-4289-5 | Disable Power Management
CCE-4292-9 | Enable the Audit Subsystem
CCE-4298-6 | Disable ACPI Daemon
CCE-4299-4 | Disable NIS Server
CCE-4302-6 | Disable Boot Caching
CCE-4305-9 | Disable Solaris Volume Manager GUI
CCE-4306-7 | Disable Apache
CCE-4325-7 | SSHD Protocol
CCE-4327-3 | Disable CDE Calendar Manager Server
CCE-4336-4 | Disable Dhcpd
CCE-4338-0 | Disable Apache
CCE-4354-7 | User Mountable Media
CCE-4355-4 | Disable Bluetooth
CCE-4356-2 | Disable IA32 Microcode Utility
CCE-4359-6 | Disable NFS Client
CCE-4362-0 | Disable NIS Server
CCE-4364-6 | Disable HAL Daemon
CCE-4365-3 | Disable Avahi Daemon
CCE-4366-1 | System Log File Permissions
CCE-4370-3 | SSHD Disable Host-based Authentication
CCE-4375-2 | Disable Sendmail
CCE-4377-8 | Disable Bluetooth Input Devices Daemon
CCE-4387-7 | SSH Restrict Ciphers; SSH Restrict HMAC; SSHD Disable Root Login; SSHD Print Last Log; SSHD Restrict Ciphers; SSHD Restrict HMAC; SSHD Restrict Users and Groups
CCE-4393-5 | Disable Java Web Console
CCE-4396-6 | Disable NFS Client
CCE-4407-3 | Disable CUPS Printer Browsing
CCE-4411-5 | Disable Solaris Volume Manager
CCE-4420-6 | Disable CUPS Printer Browsing
CCE-4421-4 | Disable Boot Caching
CCE-4425-5 | Disable HP Printing and Imaging
CCE-4431-3 | SSHD Enable Banner
CCE-4448-7 | Disable XFS
CCE-4462-8 | Disable Graphical Login
CCE-4465-1 | Secure Option for NFS Server
CCE-4473-5 | Disable NFS Server
CCE-4475-0 | SSHD Enable Ignore Rhosts
CCE-4477-6 | Disable Solaris Volume Manager GUI
CCE-4486-7 | Disable NIS Server
CCE-4499-0 | Disable Solaris Volume Manager
CCE-4508-8 | Disable CDE ToolTalk Database Server
CCE-4517-9 | Disable SMB
CCE-4533-6 | Disable NetFS
CCE-4550-0 | Disable Portmap Daemon
CCE-4551-8 | Disable SMB
CCE-4556-7 | Disable Squid
CCE-4557-5 | Disable Kerberos TGT Expiration Warning
CCE-4571-6 | Disable Solaris Volume Manager GUI
CCE-4585-9 | Disable Dhcpd
CCE-4588-0 | Disable GSS Daemon
CCE-4592-2 | Disable NIS Client
CCE-4596-3 | Disable RPC Keyserv
CCE-4600-3 | Audit Rules; Audit Rules (Solaris)
CCE-4610-2 | Audit Rules; Audit Rules (Solaris)
CCE-4675-5 | Enable the Audit Subsystem
CCE-4679-7 | Audit Rules; Audit Rules (Solaris)
CCE-14011-1 | Check for Separate /var/log File System
CCE-14023-6 | Set Mandatory Screen Saver
CCE-14027-7 | Disable Support for RDS
CCE-14054-1 | Disable Zeroconf Networking
CCE-14061-6 | SSHD Set Idle Timeout Interval for User Logins
CCE-14071-5 | No Plus Entries in Password Files
CCE-14088-9 | Limit Access To Root From Su
CCE-14089-7 | Disable Mounting of Uncommon Filesystem Types
CCE-14093-9 | Disable Mounting of Uncommon Filesystem Types
CCE-14113-5 | Password Policy Numeric Minimum
CCE-14118-4 | Disable Mounting of Uncommon Filesystem Types
CCE-14122-6 | Password Policy Special Characters
CCE-14132-5 | Disable Support for SCTP
CCE-14161-4 | Check for Separate /tmp File System
CCE-14171-3 | Check for Separate /var/log/audit File System
CCE-14268-7 | Disable Support for DCCP
CCE-14340-4 | Secure SUID/SGID Executables
CCE-14457-6 | Disable Mounting of Uncommon Filesystem Types
CCE-14466-7 | Disable atd Service
CCE-14559-9 | Check for Separate /home File System
CCE-14604-3 | Set Mandatory Screen Saver
CCE-14675-3 | No Plus Entries in Password Files
CCE-14712-4 | Password Policy Lowercase Minimum; Password Policy Uppercase Minimum
CCE-14735-5 | Set Mandatory Screen Saver
CCE-14777-7 | Check for Separate /var File System
CCE-14794-2 | Secure World Writable Devices; Secure World Writable Files
CCE-14825-4 | Disable ISDN
CCE-14853-6 | Disable Mounting of Uncommon Filesystem Types
CCE-14871-8 | Disable Mounting of Uncommon Filesystem Types
CCE-14911-2 | Disable Support for TIPC
CCE-14939-3 | Limit Password Reuse
CCE-14970-8 | Secure SUID/SGID Executables
CCE-15047-4 | Limit Access To Root From Su
CCE-15087-0 | Disable Mounting of Uncommon Filesystem Types
CCE-18156-0 | Disable Raw Devices Service
CCE-18244-4 | Disable IRDA Service
PCI DSS v2.0
The Payment Card Industry (PCI) Security Standards Council includes members from Visa, MasterCard, American Express, Discover, and
JCB. This council administers the Data Security Standard (DSS).
The PCI DSS consists of twelve major requirements, organized into six logically related groups called "control objectives".
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
PCI DSS requirement 2.2 states, "Develop configuration standards for all system components. Assure that
these standards address all known security vulnerabilities and are consistent with industry-accepted system
hardening standards." The test procedure (2.2.a) for this requirement states "Examine the organization's system
configuration standards for all types of system components and verify the system configuration standards are
consistent with industry accepted hardening standards."
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
PCI DSS requirement 11.5 states "Deploy file-integrity monitoring software to alert personnel to unauthorized
modification of critical system files, configuration files, or content files; and configure the software to perform
critical file comparisons at least weekly." You can easily schedule weekly baselines to be performed from the
Security Blanket console.
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
Total number of line items in guideline: 34
Items at least partially addressed by Security Blanket: 28
Items not addressed by Security Blanket: 6
Table A.19. PCI DSS v2.0
Item | Title | Security Blanket Modules
2.1 | Do not use vendor-supplied defaults for system passwords and other security parameters | Block System Accounts; Disable SNMP if Default Public String Exists
2.2 | Configuration standards for system components consistent with industry-accepted system hardening standards | ARP Cleanup Interval; ARP IRE_CACHE Cleanup Interval; Adjust Maximum Pending Connections; At Directory Permissions; At/Cron Access File Permissions; Audit Rules; Block System Accounts; Boot Loader Configuration File Permissions; Configure Permissions on /usr/bin/ldd; Configure Sendmail Options; Configure Xinetd Logging; Create Login Banner; Create Login FTP Banner; Create Pre-Login GUI Banner; Create Pre-Session GUI Banner; Create ftpusers File; Cron Logging; Crontab Dir Perms; Crontab Perms; Crontab Script Perms; Daemon Umask; Default umask; Disable Accepting ICMP Redirects; Disable Accepting Secure Redirects; Disable Apache; Disable Avahi Daemon; Disable Bluetooth; Disable Broadcast Packet Forwarding; Disable CDE Calendar Manager Server; Disable CDE ToolTalk Database Server; Disable Console Mouse Support; Disable Core Dumps; Disable Ctrl-Alt-Del; Disable DNS; Disable Dhcpd; Disable FTP (gssftp); Disable FTP (vsftpd); Disable Finger; Disable GSS Daemon; Disable Gated; Disable Graphical Login; Disable HP Printing and Imaging; Disable IP Forwarding; Disable ISDN; Disable Inetd; Disable Innd; Disable Java Web Console; Disable Kerberos TGT Expiration Warning; Disable Kudzu; Disable LDAP Client Cache Manager; Disable Login Prompts on Serial Ports; Disable Mail (Cyrus Mail Server); Disable Mail (Dovecot Mail Server); Disable MySQL; Disable NFS Client; Disable NFS Server; Disable NIS Client; Disable NIS Server; Disable NetFS; Disable Portmap Daemon; Disable Postgresql; Disable Power Management; Disable Printer Configuration Daemon; Disable Printer Daemon; Disable RPC Keyserv; Disable Remote Exec (rexec); Disable Remote Login (rlogin); Disable Remote Shell (rsh); Disable Remote Syslog; Disable Rhosts Support; Disable Routed; Disable SMB; Disable SNMP; Disable SNMP if Default Public String Exists; Disable Sending ICMP Redirects; Disable Sendmail; Disable Solaris Volume Manager; Disable Solaris Volume Manager GUI; Disable Source Routing; Disable Squid; Disable TFTP; Disable Telnet; Disable Tux; Disable USB and PCMCIA Devices; Disable UUCP; Disable WBEM; Disable Webmin; Disable XFS; Enable Reverse Path Source Validation; Enable Stack Protection; Enable TCP Syncookies; Enable the Audit Subsystem; Enable Vsftpd Additional Logging; FTP Configuration File Permissions; Firefox - Addons; Firefox - Dynamic Content; Firefox - Encryption; Firefox - Java; Firefox - JavaScript; Firefox - Network; Firefox - Privacy; Firefox - Updating; Global Initialization File Permissions; Home Directory Permissions; Hosts File Permissions; Ignore ICMP ECHO and TIMESTAMP Requests; Inetd/Xinetd Configuration File Permissions; Kernel Core Dump Directory Permissions; LDAP Configuration File Permissions; Limit Access To Root From Su; Lock Invalid Accounts; Lock Non-Root Accounts with UID 0; Lock Account after Three Failed Login Attempts; Configure System to Log 'martian' Network Packets; Mail Agent Aliases Files Permissions; Management Information Base (MIB) File Permissions; Maximum Time Between Password Changes; Minimum Delay Between Password Changes; MySQL - Disable Command History; NFS Export Configuration File Permissions; NIS/NIS+/YP Configuration File Permissions; Name Service Switch Configuration File Permissions; No Empty Passwords; No Plus Entries in Password Files; Password Expiration Warning; Password Perms; Password Policy Consecutive Characters; Password Policy Different Characters; Password Policy Length Minimum; Password Policy Lowercase Minimum; Printer Configuration File Permissions; Remove Games User Account; Remove Gopher User Account; Remove Insecure_Locks Option for NFS Server; Remove News User Account; Remove Telnet Service Banner; Require GRUB Password; Resolver Configuration File Permissions; Restrict At and Cron; Restrict Remote X Clients; Restrict Use of Compiler Tools; Restrict Write Access on Man Pages; Restrict the CDE Subprocess Control Service; Root Console Only Logins; Root Path; SNMP Configuration File Permissions; SSH Disable GSSAPI Authentication; SSH Parameters; SSH Restrict Ciphers; SSH Restrict HMAC; SSHD Disable Empty Passwords; SSHD Disable GSSAPI Authentication; SSHD Disable Host-based Authentication; SSHD Disable Kerberos Authentication; SSHD Disable Rhosts Authentication; SSHD Disable Rhosts RSA Authentication; SSHD Disable Root Login; SSHD Enable Banner; SSHD Enable Ignore Rhosts; SSHD Enable X11 Forwarding; SSHD Maximum Authentication Attempts; SSHD Print Last Log; SSHD Protocol; SSHD Restrict Ciphers; SSHD Restrict HMAC; SSHD Restrict Users and Groups; SSHD Set Compression; SSHD Strict Mode Checking; SSHD Use Privilege Separation; Samba Configuration File Permissions; Samba Password File Permissions; Secure Authpriv Logging; Secure Netrc Files; Secure Option for NFS Server; Secure SUID/SGID Executables; Secure Unowned Files; Secure World Writable Devices; Secure World Writable Directories; Secure World Writable Files; Services File Permissions; Set IP Strict Multihoming; Set Password Aging on Active Accounts; Set TFTP Startup Directory; Shadow Perms; Single User Mode Password; Skeleton File Permissions; System Accounting; System Command File Permissions; System Configuration File Permissions; System Library File Permissions; System Log File Permissions; System Logging Configuration File Permissions; System Run Control Script Permissions; Use NODEV Option for Non-Root Partitions; Use NOSUID and NODEV for Removable Media; Use NOSUID on User Filesystems; User Dot File Perms; User Mountable Media
2.2.2 | Disable all unnecessary and insecure services | Configure Xinetd Logging; Disable Apache; Disable Avahi Daemon; Disable Bluetooth; Disable CDE Calendar Manager Server; Disable CDE ToolTalk Database Server; Disable Console Mouse Support; Disable DNS; Disable Dhcpd; Disable FTP (gssftp); Disable FTP (vsftpd); Disable File Sharing Networks; Disable Finger; Disable Fspd; Disable GSS Daemon; Disable Gated; Disable Graphical Login; Disable HP Printing and Imaging; Disable ISDN; Disable Inetd; Disable Innd; Disable Instant Messenger Client (Yahoo!); Disable Instant Messenger Client (gaim); Disable Java Web Console; Disable Kerberos TGT Expiration Warning; Disable Kudzu; Disable LDAP Client Cache Manager; Disable Login Prompts on Serial Ports; Disable Mail (Cyrus Mail Server); Disable Mail (Dovecot Mail Server); Disable MySQL; Disable NFS Client; Disable NFS Server; Disable NIS Client; Disable NIS Server; Disable NetFS; Disable Portmap Daemon; Disable Postgresql; Disable Power Management; Disable Printer Configuration Daemon; Disable Printer Daemon; Disable RPC Keyserv; Disable Remote Exec (rexec); Disable Remote Login (rlogin); Disable Remote Shell (rsh); Disable Remote Syslog; Disable Routed; Disable SMB; Disable SNMP; Disable Sendmail; Disable Solaris Volume Manager; Disable Solaris Volume Manager GUI; Disable Squid; Disable TFTP; Disable Telnet; Disable Tux; Disable UUCP; Disable WBEM; Disable Webmin; Disable XFS; SSHD Protocol
2.2.3 | Configure system security parameters to prevent misuse | At Directory Permissions; Configure Sendmail Options; Create ftpusers File; Daemon Umask; Default umask; Deny NFS Client Access Without UID or GID; Disable Rhosts Support; Disable Sendmail Help; FTP Configuration File Permissions; Firefox - Dynamic Content; Firefox - Encryption; Firefox - Java; Firefox - JavaScript; Firefox - Network; Firefox - Privacy; Home Directory Contents; Home Directory Ownership; Home Directory Permissions; Hosts File Permissions; Kernel Core Dump Directory Permissions; Limit Term Write Access to Owner; Management Information Base (MIB) File Permissions; NFS Export Configuration File Permissions; NIS/NIS+/YP Configuration File Permissions; Name Service Switch Configuration File Permissions; No Empty Passwords; Printer Configuration File Permissions; Remove Insecure_Locks Option for NFS Server; Remove SMB Guest Authentication; Resolver Configuration File Permissions; Root Console Only Logins; Root Home Directory Permissions; SSH Disable GSSAPI Authentication; SSH Parameters; SSH Restrict Ciphers; SSH Restrict HMAC; SSHD Disable Empty Passwords; SSHD Disable GSSAPI Authentication; SSHD Disable Host-based Authentication; SSHD Disable Kerberos Authentication; SSHD Disable Rhosts Authentication; SSHD Disable Rhosts RSA Authentication; SSHD Disable Root Login; SSHD Enable Ignore Rhosts; SSHD Print Last Log; SSHD Protocol; SSHD Restrict Ciphers; SSHD Restrict HMAC; SSHD Restrict Users and Groups; SSHD Set Compression; SSHD Strict Mode Checking; SSHD Use Privilege Separation; Secure Netrc Files; Secure Option for NFS Server; Services File Permissions; Set FTP Umask (gssftp); Set TFTP Startup Directory; Single User Mode Password; Sync Shells File; System Configuration File Permissions; System Logging Configuration File Permissions; User Dot File Perms
2.2.4 | Remove all unnecessary functionality | Remove Games User Account; Remove Gopher User Account; Remove Halt User Account; Remove News User Account; Remove Shutdown User Account; Remove Sync User Account; Remove ftp Account
2.3 | Encrypt all non-console administrative access | Disable Remote Exec (rexec); Disable Remote Login (rlogin); Disable Remote Shell (rsh); Disable Telnet
8.1 | Users must have a unique ID | Lock Invalid Accounts; Lock Non-Root Accounts with UID 0
8.2 | Password Authentication | No Empty Passwords; SSHD Disable Empty Passwords
8.4 | Render all passwords unreadable during transmission and storage on all system components. | Disable Remote Exec (rexec); Disable Remote Login (rlogin); Disable Remote Shell (rsh); Disable Telnet; Password Perms; Shadow Perms
8.5.9 | Change user passwords at least every 90 days. | Maximum Time Between Password Changes
8.5.10 | Require a minimum password length of at least seven characters. | Password Policy Consecutive Characters; Password Policy Different Characters; Password Policy Length Minimum
8.5.11 | Use passwords containing both numeric and alphabetic characters. | Password Policy Numeric Minimum
8.5.12 | Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. | Limit Password Reuse
8.5.13 | Limit repeated access attempts by locking out the user ID after not more than six attempts. | Lock Account after Three Failed Login Attempts
8.5.15 | If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. | SSHD Set Idle Timeout Interval for User Logins; Set CDE Screen Saver; Set Mandatory Screen Saver; Set X Screen Saver Application Defaults; Set Shell Timeout Period
10.1 | Link all access to system components to each individual user | Audit Rules; Audit Rules (Solaris)
10.2 | Implement automated audit trails for all system components | Enable the Audit Subsystem
10.2.2 | Audit Events: All actions taken by any individual with root or administrative privileges | Audit Rules; Audit Rules (Solaris)
10.2.3 | Audit Events: Access to all audit trails | Audit Rules; Audit Rules (Solaris)
10.2.7 | Audit Events: Creation and deletion of system-level objects. | Audit Rules; Audit Rules (Solaris)
10.3.1 | Audit Events: User identification | Audit Rules; Audit Rules (Solaris)
10.3.2 | Audit Events: Type of event | Audit Rules; Audit Rules (Solaris)
10.3.3 | Audit Events: Date and time | Audit Rules; Audit Rules (Solaris)
10.3.4 | Audit Events: Success or failure indication | Audit Rules; Audit Rules (Solaris)
10.3.5 | Audit Events: Origination of event | Audit Rules; Audit Rules (Solaris)
10.3.6 | Audit Events: Identity or name of affected data, system component | Audit Rules; Audit Rules (Solaris)
10.5.1 | Limit viewing of audit trails | System Log File Permissions
10.5.2 | Protect audit trail files from unauthorized modifications | System Log File Permissions
Appendix B. Specific Module Behavior
Disabling Services
Several modules included with Security Blanket simply disable a service in order to reduce the system's attack surface. Each of these
modules performs its actions in much the same way; only the service, and the package that provides it, differ from module to module.
Figure B.1. Disabling Services - Scanning Process
Solaris 10: DISA UNIX STIGs - SRR scripts may report a failure
Security Blanket uses the svcadm(1M) command to disable services, including the inetd(1M) daemon. Many legacy services,
such as telnetd(1M) and in.ftpd(1M), depend on inetd(1M). Even though Security Blanket disables these legacy services,
a system reboot may leave some of them in an uninitialized state because they depend on the inetd(1M) daemon, which
has been disabled.
The System Readiness Review (SRR) scripts only check whether a service is in an offline or disabled state, so a service left
uninitialized is reported as a failure. If you manually enable inetd(1M) with svcadm enable inetd and then disable it with
svcadm disable inetd, the uninitialized services should switch to disabled. This is a false positive, and the Security Blanket
team will be working with DISA to resolve it.
Tip: You can use the inetadm(1M) command to list all services dependent on the inetd(1M) daemon.
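The following is an added example, not code from the Security Blanket product or this guide. It parses captured output of svcs -a and inetadm (both constructed here) so that the inetd-dependent services a reboot leaves uninitialized, which the SRR scripts report as a failure, can be told apart from services that are really disabled; it also tells you whether the enable/disable cycle of inetd described above is needed. The service FMRIs in the sample are constructed for the example.

```python
"""Distinguish 'disabled' from 'uninitialized' SMF services after a reboot.

Added example, not Security Blanket's own code. It parses captured output of
`svcs -a` and `inetadm` so the uninitialized, inetd-dependent services that
the SRR scripts flag can be told apart from services that are really disabled.
"""

# Constructed sample of `svcs -a` output (columns: STATE STIME FMRI).
SVCS_OUTPUT = """\
STATE          STIME    FMRI
disabled       10:01:12 svc:/network/inetd:default
disabled       10:01:12 svc:/network/telnet:default
uninitialized  10:01:15 svc:/network/ftp:default
uninitialized  10:01:15 svc:/network/finger:default
online         10:01:20 svc:/network/ssh:default
offline        10:01:20 svc:/network/nfs/server:default
"""

# Constructed sample of `inetadm` output (columns: ENABLED STATE FMRI); every
# FMRI it lists is managed by, and therefore depends on, inetd.
INETADM_OUTPUT = """\
ENABLED   STATE          FMRI
disabled  disabled       svc:/network/telnet:default
disabled  uninitialized  svc:/network/ftp:default
disabled  uninitialized  svc:/network/finger:default
"""

INETD_FMRI = "svc:/network/inetd:default"


def parse_svcs(text):
    """Return {fmri: state} from `svcs -a` output, skipping the header line."""
    states = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3:
            states[parts[2]] = parts[0]
    return states


def parse_inetadm(text):
    """Return the set of FMRIs that inetd manages, from `inetadm` output."""
    return {line.split()[2] for line in text.splitlines()[1:] if len(line.split()) >= 3}


def classify(svcs_text, inetadm_text):
    """Bucket services by the states an SRR check needs to distinguish.

    The SRR scripts accept only 'offline' or 'disabled'. A service left
    'uninitialized' because its restarter (inetd) was disabled is therefore
    reported as a failure even though it cannot start; the guide's remedy is
    to cycle inetd (svcadm enable inetd; svcadm disable inetd) so these
    services settle into 'disabled'.
    """
    inetd_managed = parse_inetadm(inetadm_text)
    buckets = {"disabled": [], "offline": [], "online": [],
               "uninitialized_inetd": [], "uninitialized_other": []}
    for fmri, state in sorted(parse_svcs(svcs_text).items()):
        if state == "uninitialized":
            key = "uninitialized_inetd" if fmri in inetd_managed else "uninitialized_other"
        elif state in buckets:
            key = state
        else:
            continue  # maintenance, degraded, legacy_run: out of scope here
        buckets[key].append(fmri)
    return buckets


def inetd_cycle_needed(svcs_text, inetadm_text):
    """True when inetd is disabled but one of its services is still uninitialized."""
    inetd_disabled = parse_svcs(svcs_text).get(INETD_FMRI) == "disabled"
    return inetd_disabled and bool(classify(svcs_text, inetadm_text)["uninitialized_inetd"])


if __name__ == "__main__":
    for bucket, fmris in classify(SVCS_OUTPUT, INETADM_OUTPUT).items():
        print("%-20s %s" % (bucket, ", ".join(fmris) or "-"))
    if inetd_cycle_needed(SVCS_OUTPUT, INETADM_OUTPUT):
        print("inetd-dependent services are uninitialized: svcadm enable inetd, then svcadm disable inetd")
```

On a real host, feed the script the output of svcs -a and inetadm instead of the constructed samples; the uninitialized_inetd bucket is the list of services the SRR report will flag until inetd has been cycled.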
Excluding Directories from Scans
Starting in v3.0.3, Security Blanket can exclude directories from scans so that it does not have to scan large file systems. For
example, a database server may have a SAN-mounted file system used only by the database, or in a cluster configuration many
servers may have the same shared storage mounted; there is no need for every server to scan these file systems.
Currently, only the following modules ignore directories identified in the master exclusion list:
• Secure Unowned Files
• Secure World Writable Directories
• Secure Netrc Files
• Secure World Writable Files
• Correct Uneven File Permissions
• Home Directory Contents
• Restrict Write-Access on Man Pages
Figure B.2. Master Exclusion List
The /var/lib/security-blanket/files/excludedirs file is the list of directories to exclude. Each line is the absolute path
(it must begin with /) of a directory to exclude. If a line contains a wildcard (asterisk or question mark), the line is ignored.
The process of building the master exclusion list is as follows:
• Load the excludedirs file, adding only absolute-path entries that contain no wildcards.
• Add the default list of directories to ignore, which currently includes /proc and /selinux.
• If in a Solaris global zone, append the root path of each child zone to the list.
• Load /var/lib/security-blanket/files/inclusion-fstypes, which is a list of acceptable file system types (e.g., ext3 or ufs).
This is a simple text file that the system administrator can edit.
• List all mounted file systems by examining the system's /etc/mtab or /etc/mnttab, then add the mount point of every file
system whose type is not acceptable to the exclusion list. So, if nfs is not listed as an acceptable file system type, each
nfs mount point is added to the exclusion list. Note that this could also include /tmp if it is mounted as tmpfs and tmpfs
is not listed as an acceptable file system.
• Remove duplicates from the master exclusion list.
• Finally, remove any path whose parent is already listed. For example, if /opt and /opt/h are both listed, only /opt remains.
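The following is an added example, not Security Blanket's own code, that carries the steps above through on constructed file contents: an excludedirs file with relative and wildcard entries that must be dropped, an inclusion-fstypes list, and an /etc/mtab with nfs and tmpfs mounts. The file contents, mount points and zone root are constructed for the example; the defaults /proc and /selinux are the ones the guide names.

```python
"""Build a scan-exclusion list the way Appendix B describes.

Added example, not Security Blanket's own code. File contents are constructed
inline so it runs offline; the real product reads
/var/lib/security-blanket/files/excludedirs, .../inclusion-fstypes and
/etc/mtab (or /etc/mnttab).
"""

# Constructed excludedirs file: one directory per line. Relative paths and
# wildcard entries are present on purpose so the filter is exercised.
EXCLUDEDIRS = """\
/san/oracle
/san/oracle/archive
relative/path
/opt/*
/mnt/shared?
/opt
"""

# Constructed inclusion-fstypes file: file system types that may be scanned.
INCLUSION_FSTYPES = """\
ext3
ext4
ufs
"""

# Constructed /etc/mtab: device, mount point, type, options, dump, pass.
MTAB = """\
/dev/sda1 / ext4 rw 0 0
proc /proc proc rw 0 0
tmpfs /tmp tmpfs rw 0 0
nas:/export/data /data nfs rw 0 0
nas:/export/data2 /data/more nfs rw 0 0
/dev/sdb1 /san/oracle ext4 rw 0 0
"""

DEFAULT_EXCLUDES = ["/proc", "/selinux"]   # defaults named by the guide


def load_excludedirs(text):
    """Keep only absolute paths that contain no wildcard (* or ?)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue                      # relative or blank entries are ignored
        if "*" in line or "?" in line:
            continue                      # wildcard entries are ignored
        out.append(line)
    return out


def load_fstypes(text):
    """Acceptable file system types, one per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def mounts_of_excluded_types(mtab_text, allowed):
    """Mount points whose file system type is not on the acceptable list."""
    points = []
    for line in mtab_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mount_point, fstype = fields[1], fields[2]
        if fstype not in allowed:
            points.append(mount_point)
    return points


def prune_children(paths):
    """Drop duplicates and any path whose parent directory is already listed."""
    kept = []
    for path in sorted(set(paths), key=len):      # parents are shorter than children
        if not any(path == k or path.startswith(k.rstrip("/") + "/") for k in kept):
            kept.append(path)
    return sorted(kept)


def build_master_exclusion_list(excludedirs_text, fstypes_text, mtab_text, zone_roots=()):
    """Follow the Appendix B steps; zone_roots is non-empty only in a Solaris global zone."""
    exclusions = load_excludedirs(excludedirs_text)
    exclusions += DEFAULT_EXCLUDES
    exclusions += list(zone_roots)
    exclusions += mounts_of_excluded_types(mtab_text, load_fstypes(fstypes_text))
    return prune_children(exclusions)


if __name__ == "__main__":
    for path in build_master_exclusion_list(EXCLUDEDIRS, INCLUSION_FSTYPES, MTAB):
        print(path)
```

With the sample input, /san/oracle/archive and /data/more disappear because their parents are listed, /opt/* and /mnt/shared? are ignored as wildcards, and /tmp ends up excluded because tmpfs is not an acceptable type, which is exactly the side effect the note above warns about.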
Appendix C. Implementing a Password Policy
Password Aging
Establishing a password aging policy involves setting system parameters to automatically lock an account if the user has not changed
the password within a specified period. It also involves warning the user and giving them the opportunity to change the password before
it expires. Finally, it includes establishing the number of times a password can be reused and the minimum amount of time before
a password can be changed again.
Table C.1. Password Aging - Configuration
Linux                                | Solaris   | Security Blanket Module
PASS_MAX_DAYS                        | MAXWEEKS  | Maximum Time Between Password Changes
/usr/bin/chage -I x useraccount      | automatic | Expired Password Invalidation
PASS_MIN_DAYS                        | MINWEEKS  | Minimum Delay Between Password Changes
PASS_WARN_AGE                        | WARNWEEKS | Password Expiration Warning
^password .* pam_unix.so remember=X  | HISTORY   | Limit Password Reuse
Solaris configurations are made in the /etc/default/passwd file. Linux configurations are made in /etc/login.defs, except for
the Limit Password Reuse module, which makes its change in /etc/pam.d/system-auth.
Password Length and Composition
Establishing a password length and composition policy involves setting system parameters to require users to have a minimum
password length as well as the combination of characters required. Longer and more complex passwords provide better protection
against brute-force attacks.
Table C.2. Password Length - Configuration
Linux                                        | Solaris    | Security Blanket Module
PASS_MIN_LENGTH                              | PASSLENGTH | Password Policy Length Minimum
Password field in /etc/shadow is not empty (Linux and Solaris) | No Empty Passwords
Linux configurations are made in /etc/login.defs and Solaris configurations in /etc/default/passwd.
Table C.3. Password Composition - Configuration
Linux      | Solaris    | Security Blanket Module
lcredit=-1 | MINLOWER   | Password Policy Lowercase Minimum
dcredit=-2 | MINDIGIT   | Password Policy Numeric Minimum
ocredit=-2 | MINSPECIAL | Password Policy Special Characters
ucredit=-1 | MINUPPER   | Password Policy Uppercase Minimum
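The following is an added example, not Security Blanket's own code or one of its modules. It audits the settings Tables C.1 to C.3 name, parsing constructed copies of /etc/login.defs and the password lines of /etc/pam.d/system-auth for Linux and of /etc/default/passwd for Solaris, and reports each setting that is missing or weaker than a policy. The threshold values in the policy tables, the file contents, and the nullok check (which bears on the No Empty Passwords module discussed below) are assumptions made for the example, not values this guide prescribes.

```python
"""Audit password aging and composition settings against a policy.

Added example, not Security Blanket's own code. Files are constructed copies of
/etc/login.defs and /etc/pam.d/system-auth (Linux) and /etc/default/passwd
(Solaris); the *_POLICY thresholds are assumed for the example.
"""

# Constructed /etc/login.defs: no PASS_WARN_AGE, PASS_MIN_DAYS too low.
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
"""

# Constructed 'password' lines of /etc/pam.d/system-auth: ocredit=0 requires no
# special character and nullok lets pam_unix.so accept an empty password.
SYSTEM_AUTH = """\
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=0
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
"""

# Constructed /etc/default/passwd (Solaris): MINSPECIAL too low, HISTORY missing.
DEFAULT_PASSWD = """\
MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=2
PASSLENGTH=14
MINLOWER=1
MINDIGIT=2
MINSPECIAL=0
MINUPPER=1
"""

# Policy rows: (key, mode, threshold). "max": value must not exceed threshold;
# "min": value must reach it. pam_cracklib credits are negative counts of
# required characters, so "at least one" is expressed as max -1.
LINUX_POLICY = [("PASS_MAX_DAYS", "max", 90), ("PASS_MIN_DAYS", "min", 7), ("PASS_WARN_AGE", "min", 14)]
PAM_POLICY = [("minlen", "min", 14), ("lcredit", "max", -1), ("ucredit", "max", -1),
              ("dcredit", "max", -1), ("ocredit", "max", -1), ("remember", "min", 5)]
SOLARIS_POLICY = [("MAXWEEKS", "max", 13), ("MINWEEKS", "min", 1), ("WARNWEEKS", "min", 2),
                  ("PASSLENGTH", "min", 14), ("MINLOWER", "min", 1), ("MINDIGIT", "min", 1),
                  ("MINSPECIAL", "min", 1), ("MINUPPER", "min", 1), ("HISTORY", "min", 5)]


def parse_defaults(text):
    """Parse KEY=VALUE (/etc/default/passwd) or KEY VALUE (/etc/login.defs) lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        settings[key.strip()] = value.strip()
    return settings


def parse_pam_password(text):
    """Collect key=value options and bare flags from the 'password' stack."""
    options, flags = {}, set()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "password":
            continue
        for token in parts[3:]:                    # tokens after type, control, module
            if "=" in token:
                key, value = token.split("=", 1)
                options[key] = value
            else:
                flags.add(token)
    return options, flags


def evaluate(settings, policy):
    """Return [(key, reason)] for each policy row that is missing or too weak."""
    findings = []
    for key, mode, threshold in policy:
        raw = settings.get(key)
        if raw is None:
            findings.append((key, "not set"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((key, "not numeric: %r" % raw))
            continue
        if mode == "max" and value > threshold:
            findings.append((key, "%d exceeds maximum %d" % (value, threshold)))
        elif mode == "min" and value < threshold:
            findings.append((key, "%d below minimum %d" % (value, threshold)))
    return findings


def audit_linux(login_defs_text, system_auth_text):
    """Aging from login.defs, then composition and reuse from the PAM stack."""
    findings = evaluate(parse_defaults(login_defs_text), LINUX_POLICY)
    options, flags = parse_pam_password(system_auth_text)
    findings += evaluate(options, PAM_POLICY)
    if "nullok" in flags:                          # empty passwords would be accepted
        findings.append(("nullok", "pam_unix.so accepts empty passwords"))
    return findings


def audit_solaris(default_passwd_text):
    return evaluate(parse_defaults(default_passwd_text), SOLARIS_POLICY)


if __name__ == "__main__":
    for name, findings in (("Linux", audit_linux(LOGIN_DEFS, SYSTEM_AUTH)),
                           ("Solaris", audit_solaris(DEFAULT_PASSWD))):
        print(name)
        for key, reason in findings:
            print("  %-14s %s" % (key, reason))
```

The same evaluate() routine serves both platforms because each table above pairs one Linux key with one Solaris key; only the key names and the file syntax differ. Note that the checks read configuration only, so, as the next section explains, accounts whose password was set under an older policy still need separate attention.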
Enforcing the Policy
Password aging and password length and composition policies apply to an account when a new password is set. When a new policy
is introduced or an existing one is changed, currently active accounts must also adhere to the new policy. Since these accounts
set their passwords before the policy was implemented, they have inherited the previous policy. Security Blanket offers the Set
Password Aging on Active Accounts module for this purpose.
Consider disallowing the secure shell service from accepting empty passwords in conjunction with the No Empty Passwords module.
Security Blanket's SSHD Disable Empty Passwords module will ensure this policy is enforced.
Furthermore, consider disabling services which allow passwords to be transmitted over unencrypted network connections. Failure to
do so could result in disclosure of passwords. Consider using the following Security Blanket modules:
• Disable FTP (vsftpd)
• Disable FTP (gssftp)
• Disable Telnet
Finally, appropriate discretionary access controls should be applied to configuration files to prevent unauthorized changes to the
password policy. Consider using the following Security Blanket modules to secure configuration files:
• Password Perms
• System Configuration File Permissions
• Secure SUID/SGID Executables
Index
Symbols
.bashrc, 39, 59
.forward, 66, 67, 106, 166
.netrc, 294
.profile, 4, 7, 39, 59, 126, 129, 153, 277
.rhosts, 163, 165, 176
/bin/bash, 57
/boot, 11, 147, 198, 274, 290, 291
/dev, 3, 42, 106, 116, 131, 160, 249, 263, 273
/dev/null, 3, 106
/etc/.login, 39
/etc/at.deny, 293
/etc/cron.allow, 293
/etc/cron.d/at.deny, 293
/etc/cron.d/cron.allow, 293
/etc/cron.d/cron.deny, 293
/etc/cron.deny, 293
/etc/csh.login, 39
/etc/cups-autoconfig.conf, 131
/etc/default/inetinit, 75
/etc/default/login, 40, 149, 151
/etc/default/ndd, 61, 62, 64, 66, 69, 70, 78, 79, 202
/etc/default/passwd, 19, 20, 21, 22, 27, 28, 29, 31, 32, 34, 35
/etc/default/sulogin, 58
/etc/dfs/dfstab, 88
/etc/exports, 88, 95, 97
/etc/fstab, 273, 274, 275
/etc/ftpd/ftpusers, 99
/etc/ftpusers, 99
/etc/host.equiv, 165
/etc/init.d/syslog, 200
/etc/inittab, 57, 158, 284
/etc/issue, 175
/etc/issue.net, 175
/etc/modprobe.conf, 67, 71, 72, 73, 141, 147, 272, 287
/etc/motd, 281
/etc/pam.d/su, 45
/etc/passwd, 59, 103
/etc/profile, 39, 277
/etc/rmmount.conf, 273
/etc/samba/smb.conf, 96
/etc/securetty, 54
/etc/security/console.perms, 41, 275
/etc/security/policy.conf, 149
/etc/sfw/smb.conf, 96
/etc/shells, 59
/etc/ssh/ssh_config, 166
/etc/ssh/sshd_config, 169, 171, 172, 173, 174, 175, 176,
177, 178, 179, 180, 184
/etc/sysconfig/network, 74
/etc/sysconfig/nfs, 187
/etc/sysctl.conf, 62, 63, 64, 65, 68, 69, 70, 74, 75, 77, 286,
288
/etc/system, 13, 147, 289
/etc/vfstab, 273, 274
/etc/xinetd.d, 83, 100, 102, 105
/export/home, 274
/home, 274
/root, 55
/sbin/sh, 57, 88, 284
/sbin/sulogin, 57
/usr/home, 274
/var/log, 3, 10, 14, 15, 44, 265
/var/log/audit/audit.log, 3
/var/log/secure, 15
A
accept_redirects, 64
accept_source_route, 70
ACPI, 138
allow_url_fopen, 117
anongid, 88
apache2, 112, 115, 116, 117, 118
apmd, 146
ARP, 61, 199
arp_cleanup_interval, 61
audit.rules, 4, 7, 13
audit_control, 7
auditd, 3, 13
authlog, 15
authpriv, 15, 281
autofs, 90, 194, 195
Avahi, 138
avahi-daemon, 139
B
banner, 175, 278, 279, 280, 281, 291
bind, 80, 135, 199
bittorrent, 88
Bluetooth, 139, 140
bluez, 139
bluez-utils, 139
C
capi4linux, 159
CDE, 119, 132, 150, 196, 202, 280
Common Desktop Environment, 119, 150, 196
common-auth, 23
common-password, 19, 27, 28, 30, 31, 32, 34, 35
ConfigureNewPrinters, 131
console, 41, 54, 88, 121, 145, 160, 197, 203, 275
Core dumps, 283, 286
cpuspeed, 142
cracklib, 27, 28, 29, 31, 32, 34, 35
crontab, 3, 17, 215, 217, 223, 224, 225, 293
CSKsquid, 113, 114
CUPS, 130, 131, 132
cups-autoconfig, 131
cups-config-daemon, 131
cupsd.conf, 130
Cyrus, 107
cyrus-imapd, 107
D
dcredit, 32
denial-of-service, 62, 64, 65, 69, 75, 77
dfstab, 88
DHCP, 74, 81
dhcp-server, 81
dhcpd, 81
display_errors, 118
display_startup_errors, 118
DNS, 80
Dovecot, 108
E
ECN, 75
ExecShield, 288
ext2, 274
ext3, 274
F
FAIL_DELAY, 151
file_uploads, 115
Files and Directories
/bin/bash, 57
/boot, 11, 147, 198, 274, 290, 291
/dev, 3, 42, 106, 116, 131, 160, 249, 263, 273
/dev/null, 3, 106
/etc/.login, 39
/etc/at.deny, 293
/etc/cron.allow, 293
/etc/cron.d/at.deny, 293
/etc/cron.d/cron.allow, 293
/etc/cron.d/cron.deny, 293
/etc/cron.deny, 293
/etc/csh.login, 39
/etc/cups-autoconfig.conf, 131
/etc/default/inetinit, 75
/etc/default/login, 40, 149, 151
/etc/default/ndd, 61, 62, 64, 66, 69, 70, 78, 79, 202
/etc/default/passwd, 19, 20, 21, 22, 27, 28, 29, 31, 32, 34, 35
/etc/default/sulogin, 58
/etc/dfs/dfstab, 88
/etc/exports, 88, 95, 97
/etc/fstab, 273, 274, 275
/etc/ftpd/ftpusers, 99
/etc/ftpusers, 99
/etc/init.d/syslog, 200
/etc/inittab, 57, 158, 284
/etc/issue, 175
/etc/issue.net, 175
/etc/modprobe.conf, 147
/etc/motd, 281
/etc/pam.d/su, 45
/etc/passwd, 59, 103
/etc/profile, 39, 277
/etc/rmmount.conf, 273
/etc/samba/smb.conf, 96
/etc/securetty, 54
/etc/security/console.perms, 41, 275
/etc/security/policy.conf, 149
/etc/sfw/smb.conf, 96
/etc/shells, 59
/etc/ssh/ssh_config, 166
/etc/ssh/sshd_config, 169, 171, 172, 173, 174, 175,
176, 177, 178, 179, 180, 184
/etc/sysconfig/network, 74
/etc/sysconfig/nfs, 187
/etc/sysctl.conf, 62, 63, 64, 65, 68, 69, 70, 74, 75, 77, 286,
288
/etc/system, 13, 147, 289
/etc/vfstab, 273, 274
/etc/xinetd.d, 83, 100, 102, 105
/export/home, 274
/home, 274
/root, 55
/sbin/nologin, 59
/sbin/sh, 57, 88, 284
/sbin/sulogin, 57
/usr/home, 274
/var/log, 3, 10, 14, 15, 44, 265
/var/log/audit/audit.log, 3
/var/log/secure, 15
Finger, 157
Firefox, 123, 125, 126, 127, 128, 129
firstboot, 197
fsp, 89
fspd, 89
FTP, 11, 59, 89, 99, 100, 102, 104, 105
ftpusers, 99
G
gaim, 124
gcc, 244
GNOME, 152, 271
GPM, 197
grpck, 47
GRUB, 11, 147, 289, 290, 291
gss, 99, 187, 199
GSSAPIAuthentication, 166, 171
gssftp, 99
H
HAL, 131, 142
hal-cups-utils, 131
haldaemon, 38, 142
hidd, 139, 140
HostbasedAuthentication, 171
hplip, 130
httpd, 112
I
IA32, 143
ICMP, 64, 65, 66, 68, 77
icmp_echo_ignore_broadcasts, 77
IgnoreRhosts, 176
IMAP, 107, 108
imapd, 107
Inetd, 83
Infrared, 143
inittab, 57, 158, 284
INN, 230
innd, 84
insecure_locks, 95
ip6_ignore_redirect, 64
ip6_respond_to_echo_multicast, 78
ip6_send_redirects, 69
ip_forward, 66, 67, 70, 79
ip_forward_src_routed, 70
ip_ignore_redirect, 64
ip_ire_arp_interval, 62
ip_respond_to_address_mask_broadcast, 78
ip_respond_to_echo_broadcast, 78
ip_respond_to_echo_multicast, 78
ip_respond_to_timestamp, 78
ip_respond_to_timestamp_broadcast, 78
ip_send_redirects, 69
ipp-listener, 132
iptables, 82, 119, 120
ipv4_forwarding, 67
IrDA, 143
IRE_CACHE, 61
IRQ, 144
irq_balancer, 144
irqbalance, 144
ISDN, 159
isdn4k-utils, 159
J
Java, 125, 126, 127, 203
K
kdump, 285
Kerberos, 99, 134
KerberosAuthentication, 172
Kernel, 64, 69, 70, 78
kernel, 285
KPOP, 107
krb5-workstation, 100
Kudzu, 145
L
lcredit, 28, 31
LDAP, 135
LOCK_AFTER_RETRIES, 149
log_errors, 118
login.defs, 20, 22, 29, 151
logrotate, 3
M
magic_quotes, 117
maillog, 14
maxrepeats, 27
MAXWEEKS, 21
mcstrans, 190
mdcomm, 209
mdmonitor, 286
mesg, 46, 53
metamh, 209
metmed, 209
MINSPECIAL, 34
MINUPPER, 35
MINWEEKS, 20, 22
modems, 102, 160
motd, 281
multicast, 77, 78
MySQL, 117, 119, 121
mysql-server, 120
MYSQL_HISTFILE, 121
mysqld, 120
N
named, 38, 80, 252
ndd, 61, 62, 64, 66, 69, 70, 78, 79, 202
net-snmp, 207
netcfg, 99
netfs, 92
News, 84, 230
NFS, 88, 90, 91, 92, 94, 97, 187, 188
nfs-kernel-server, 91
nfs-utils, 90, 91, 187
nfslock, 90
nfsnobody, 38, 88, 99
NIS, 25, 135, 136, 188
NIS+, 25, 135, 136, 188
NNTP, 84, 102, 107
nobody, 38, 42, 88, 99, 252
nobody4, 99
noexec_user_stack, 289
nousb, 147
nousbstorage, 147
NTP, 84, 102, 107
ntp, 238
O
ocredit, 34
P
PAM, 29, 41
pam-config, 19, 27, 28, 30, 31, 32, 34, 35
pam.d, 18, 23, 27, 28, 30, 31, 32, 34, 35, 45, 163
pam_console, 41
pam_cracklib.so, 27, 28, 30, 31, 32, 34, 35
pam_rhosts, 163
pam_rhosts_auth, 163
pam_tally, 149
pam_unix.so, 18
pam_wheel.so, 45
PASS_MAX_DAYS, 20
PASS_MIN_DAYS, 20, 22
PASS_MIN_LENGTH, 30
passmgmt, 38
PASSREQ, 58
passwd, 19, 20, 21, 22, 25, 27, 28, 29, 31, 32, 34, 35, 38, 59,
103, 137
password, 18, 19, 20, 22, 23, 26, 27, 28, 29, 31, 32, 33, 35,
36, 38, 45, 57, 117, 119, 120, 121, 128, 149, 164, 169, 240, 290,
291, 294
PATH, 277
pcmcia-cs, 147
pcscd, 188
Pentium, 143
PermitEmptyPasswords, 169
PermitRootLogin, 174, 179
PHP, 115, 116, 117
upload_max_filesize, 115
php.ini, 115, 116, 117
Pidgin, 124
portmap, 199
PostgreSQL, 120
postgresql-server, 121
powerd, 146
proxy_arp, 68
pwck, 47
R
RAID, 286
register_globals, 117
rexec, 160, 161, 162
rhosts, 163, 176
RhostsAuthentication, 173
RhostsRSAAuthentication, 173
rlogin, 160, 161, 162, 163
routed, 70, 85
rp_filter, 74
RPC, 187, 188, 199
rpc.ugidd, 94
rpcbind, 199
rpcsec_gss, 199
rpcsvcgssd, 199
rsh, 43, 160, 161, 162, 163, 252, 265
rsyslog.conf, 10, 14, 15
S
SACK, 75
Samba, 95, 96
samba-common, 96
scsa2usb, 147
secure_redirects, 65
securetty, 54
SELinux, 190, 191, 192
send_redirects, 63, 69
sendmail, 106, 109, 110
serial ports, 160
setroubleshoot, 191
SGID, 251
shadow, 257
Shutdown, 128
SLEEPTIME, 151
Smart Card, 188
smartd, 147
SMB, 93
smtp, 109
smurf, 66, 77
SNMP, 207, 208
snmpd, 207, 208
Solaris packages
SUNWaccu, 17
SUNWapchr, 112
SUNWbind, 80
SUNWbnuu, 103
SUNWcsr, 212
SUNWcsu, 83
SUNWdhcsr, 81
SUNWdtdmn, 196
SUNWftpr, 99
SUNWgssc, 187
SUNWkrbr, 134
SUNWmconr, 203
SUNWnfscr, 90
SUNWnfssr, 91
SUNWnisr, 136
SUNWsmbar, 93, 96
SUNWsquidr, 113, 114
SUNWtnetr, 164
SUNWwbcor, 210
SUNWwebminu, 211
SUNWxwfs, 86
SUNWypr, 137
Solaris services
svc:/application/database/mysql:default, 120
svc:/application/database/mysql:mysql-csk, 120
svc:/application/database/mysql:mysql32-csk, 120
svc:/application/database/postgresql, 121
svc:/application/database/postgresql:version_81, 121
svc:/application/database/postgresql:version_82, 121
svc:/application/graphical-login/cde-login:default, 158
svc:/application/management/seaport:default, 207
svc:/application/management/sma:default, 207
svc:/application/management/snmpdx:default, 207
svc:/application/management/wbem, 210
svc:/application/management/webmin:default, 211
svc:/application/x11/x11-server, 166
svc:/application/x11/xfs:default, 86
svc:/network/dhcp-server:default, 81
svc:/network/dns/server:default, 80
svc:/network/http:apache2, 112
svc:/network/http:squid-csk, 113, 114
svc:/network/inetd:default, 83
svc:/network/ldap/client:default, 135
svc:/network/nfs/cbd:default, 91
svc:/network/nfs/client:default, 90
svc:/network/nfs/mapid:default, 91
svc:/network/nfs/nlockmgr:default, 90
svc:/network/nfs/rquota:default, 90
svc:/network/nfs/server:default, 91
svc:/network/nfs/status:default, 90
svc:/network/nis/client:default, 136
svc:/network/nis/passwd:default, 137
svc:/network/nis/server:default, 137
svc:/network/nis/update:default, 137
svc:/network/nis/xfr:default, 137
svc:/network/rpc/bind:default, 199
svc:/network/rpc/cde-calendar-manager, 196
svc:/network/rpc/cde-ttdbserver:tcp, 119
svc:/network/rpc/gss:default, 187
svc:/network/rpc/keyserv:default, 188
svc:/network/rpc/mdcomm:default, 209
svc:/network/rpc/meta:default, 209
svc:/network/rpc/metamed:default, 209
svc:/network/rpc/metamh:default, 209
svc:/network/rpc/nisplus:default, 137
svc:/network/rpc/smserver:default, 275
svc:/network/samba:default, 93
svc:/network/security/ktkt_warn:default, 134
svc:/network/smtp:sendmail, 109
svc:/network/telnet:default, 164
svc:/network/uucp:default, 103
svc:/system/cron:default, 212
svc:/system/device/mpxio-upgrade:default,
svc:/system/filesystem/autofs:default, 90
svc:/system/filesystem/volfs:default, 275
svc:/system/mdmonitor:default,
svc:/system/metainit:default,
svc:/system/power:default, 146
svc:/system/sar:default, 17
svc:/system/webconsole:console, 203
Solaris Volume Manager, 208, 209
SQL, 117, 119, 120, 121
Squid, 113
ssh, 38, 166, 169, 171, 172, 173, 174, 175, 176,
177, 178, 179, 180, 184
ssh_config, 166
sshd, 38, 169, 171, 172, 173, 174, 175, 176, 177, 178,
179, 180, 184
sshd_config, 169, 171, 172, 173, 174, 175, 176, 177,
178, 179, 180, 184
SSL, 29, 107, 108, 125, 126
SUID, 251, 286
SUNWaccu, 17
SUNWapchr, 112
SUNWbind, 80
SUNWbnuu, 103
SUNWcsr, 212
SUNWcsu, 83
SUNWdhcsr, 81
SUNWdtdmn, 196
SUNWftpr, 99
SUNWgssc, 187
SUNWkrbr, 134
SUNWmconr, 203
SUNWnfscr, 90
SUNWnfssr, 91
SUNWnisr, 136
SUNWsmbar, 93, 96
SUNWsquidr, 113, 114
SUNWtnetr, 164
SUNWwbcor, 210
SUNWwebminu, 211
SUNWxwfs, 86
SUNWypr, 137
svc:/application/database/mysql:default, 120
svc:/application/database/mysql:mysql-csk, 120
svc:/application/database/mysql:mysql32-csk, 120
svc:/application/database/postgresql, 121
svc:/application/database/postgresql:version_81, 121
svc:/application/database/postgresql:version_82, 121
svc:/application/graphical-login/cde-login:default, 158
svc:/application/management/seaport:default, 207
svc:/application/management/sma:default, 207
svc:/application/management/snmpdx:default, 207
svc:/application/management/wbem, 210
svc:/application/management/webmin:default, 211
svc:/application/x11/x11-server, 166
svc:/application/x11/xfs:default, 86
svc:/network/dhcp-server:default, 81
svc:/network/dns/server:default, 80
svc:/network/http:apache2, 112
svc:/network/http:squid-csk, 113, 114
svc:/network/inetd:default, 83
svc:/network/ldap/client:default, 135
svc:/network/nfs/cbd:default, 91
svc:/network/nfs/client:default, 90
svc:/network/nfs/mapid:default, 91
svc:/network/nfs/nlockmgr:default, 90
svc:/network/nfs/rquota:default, 90
svc:/network/nfs/server:default, 91
svc:/network/nfs/status:default, 90
svc:/network/nis/client:default, 136
svc:/network/nis/passwd:default, 137
svc:/network/nis/server:default, 137
svc:/network/nis/update:default, 137
svc:/network/nis/xfr:default, 137
svc:/network/rpc/bind:default, 199
svc:/network/rpc/cde-calendar-manager, 196
svc:/network/rpc/cde-ttdbserver:tcp, 119
svc:/network/rpc/gss:default, 187
svc:/network/rpc/keyserv:default, 188
svc:/network/rpc/mdcomm:default, 209
svc:/network/rpc/meta:default, 209
svc:/network/rpc/metamed:default, 209
svc:/network/rpc/metamh:default, 209
svc:/network/rpc/nisplus:default, 137
svc:/network/rpc/smserver:default, 275
svc:/network/samba:default, 93
svc:/network/security/ktkt_warn:default, 134
svc:/network/smtp:sendmail, 109
svc:/network/telnet:default, 164
svc:/network/uucp:default, 103
svc:/system/device/mpxio-upgrade:default,
svc:/system/filesystem/autofs:default, 90
svc:/system/filesystem/volfs:default, 275
svc:/system/mdmonitor:default,
svc:/system/metainit:default,
svc:/system/power:default, 146
svc:/system/sar:default, 17
svc:/system/webconsole:console, 203
SVM, 208, 209
sysconfig, 200
sysctl.conf, 62, 63, 64, 65, 67, 68, 69, 70, 74, 75, 77, 260,
286, 288
syslog-ng.conf, 10, 14, 15
syslog.conf, 10, 14, 15
SYSLOGD_OPTIONS, 200
sysstat, 17
System Services, 200
system-auth, 18, 23, 27, 28, 30, 31, 32, 34, 35,
sysvinit, 146
T
tcp_conn_req_max_q, 62
tcp_conn_req_max_q0, 62
tcp_max_syn_backlog, 62
tcp_rev_src_routes, 70
TCP_STRONG_ISS, 75
tcp_syncookies, 75
tcpdump, 85
Telnet, 164, 291
telnet-server, 164
TFTP, 102, 105
TIMEOUT, 154
TLS, 126
TMOUT, 154
Transport Layer Security, 126
Tux, 114
U
ucredit, 35
umask, 39, 104, 194
upload_max_filesize, 115
USB, 147
use_uid, 45
usermod, 38
UUCP, 102
V
vsftpd, 12, 99, 100
vsftpd.conf, 12
W
WBEM, 210
Webmin, 211
wheel, 45, 54, 218, 220, 244
world writable, 253
world-writable, 255
X
X11, 155, 165, 177
X11Forwarding, 177
XFS, 86
xinetd, 83, 100, 102, 105
xorg-x11-xfs, 86
XScreenSaver, 155
Y
ypbind, 135
yppasswdd, 137
ypserv, 137
Z
z/IPL, 11, 147, 290, 292
zeroconfig, 73
zSeries, 11, 147, 290, 292
zsmon, 160