Guide to the Secure Configuration of Debian 8

with profile: Profile for ANSSI DAT-NT28 High (Enforced) Level
This profile contains items for GNU/Linux installations storing sensitive information that is accessible from unauthenticated or uncontrolled networks.
This guide presents a catalog of security-relevant configuration settings for Debian 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Debian 8, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: rom
Benchmark URL: /usr/share/xml/scap/ssg/content/ssg-debian8-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_DEBIAN-8
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
Started at: 2020-02-05T15:52:13
Finished at: 2020-02-05T15:52:13
Performed by: aio

CPE Platforms

  • cpe:/o:debianproject:debian:8

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.1.2.5
  • MAC  00:00:00:00:00:00
  • MAC  B8:27:EB:B5:B9:2A

Compliance and Scoring

There were no failed or uncertain rules. It seems that no action is necessary.

Rule results

0 passed
0 failed
0 other

Severity of failed rules

0 other
0 low
0 medium
0 high

Score

Scoring system: urn:xccdf:scoring:default
Score: 0.000000
Maximum: 100.000000
Percent: 0%

Rule Overview

Title | Severity | Result

Guide to the Secure Configuration of Debian 8
Services
Deprecated services
  Uninstall the nis package | low | notapplicable
  Uninstall the inet-based telnet server | high | notapplicable
  Uninstall the ntpdate package | low | notapplicable
  Uninstall the ssl compliant telnet server | high | notapplicable
  Uninstall the telnet server | high | notapplicable
Generic required services
  Install the ntp service | high | notapplicable
  Install the cron service | medium | notapplicable
  Install the auditd service | medium | notapplicable
  Enable the ntpd service | high | notapplicable
  Enable the auditd service | medium | notapplicable
SSH Server
Configure OpenSSH Server if deployed
  Allow Only SSH Protocol 2 | high | notapplicable
  Disable SSH Access via Empty Passwords | high | notapplicable
  Set SSH Idle Timeout Interval | unknown | notapplicable
  Set SSH Client Alive Count | unknown | notapplicable
APT service configuration
  Disable unauthenticated repositories in APT configuration | unknown | notapplicable
  Ensure that official distribution repositories are used | unknown | notapplicable
System Settings
Configure Syslog
Ensure Proper Configuration of Log Files
  Ensure System Log Files Have Correct Permissions | medium | notapplicable
  Ensure Log Files Are Owned By Appropriate User | medium | notapplicable
  Ensure Log Files Are Owned By Appropriate Group | medium | notapplicable
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
  Enable syslog-ng Service | medium | notapplicable
  Ensure syslog-ng is Installed | medium | notapplicable
Ensure All Logs are Rotated by logrotate
  Ensure Logrotate Runs Periodically | unknown | notapplicable
  Enable rsyslog Service | medium | notapplicable
  Ensure rsyslog is Installed | medium | notapplicable
Access Control using sudo
  Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | medium | notapplicable
  Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | medium | notapplicable
Hardening the filesystem
Partitioning
  Ensure /home Located On Separate Partition | unknown | notapplicable
  Ensure /tmp Located On Separate Partition | unknown | notapplicable
  Ensure /var Located On Separate Partition | unknown | notapplicable
  Ensure /var/log/audit Located On Separate Partition | unknown | notapplicable
  Ensure /var/log Located On Separate Partition | unknown | notapplicable
filesystem rights management
Hardening the hardware usage
  IOMMU configuration directive | unknown | notapplicable
File Permissions and Masks
Verify Permissions on Important Files and Directories
  Verify Permissions and ownership on gshadow File | medium | notapplicable
  Verify Permissions and ownership on shadow File | medium | notapplicable
  Verify Permissions and ownership on group File | medium | notapplicable
  Verify Permissions and ownership on passwd File | medium | notapplicable
Verify permissions on files containing sensitive information about the system
  Verify that local System.map file (if exists) is readable only by root | unknown | notapplicable
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
  Disable Core Dumps for SUID programs | unknown | notapplicable
Enable ExecShield
  Enable Randomized Layout of Virtual Address Space | medium | notapplicable

Result Details

Uninstall the nis package

Rule ID: xccdf_org.ssgproject.content_rule_package_nis_removed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: low
Identifiers and References

Identifiers:  CCE-

Description

Support for NIS (Yellow Pages) should not be installed unless it is required.

Rationale

NIS is the historical Sun service for central account management, increasingly replaced by LDAP. NIS does not efficiently support security constraints such as ACLs and should not be used.

Uninstall the inet-based telnet server

Rule ID: xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: high
Identifiers and References

Identifiers:  CCE-

References:  NT007(R03), AC-17(8), CM-7

Description

The inet-based telnet daemon should be uninstalled.

Rationale

telnet communicates in clear text and does not protect any data transmitted between client and server. Any confidential data can be eavesdropped, and no integrity checking is performed.

Uninstall the ntpdate package

Rule ID: xccdf_org.ssgproject.content_rule_package_ntpdate_removed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: low
Identifiers and References

Identifiers:  CCE-

Description

ntpdate is a historical NTP synchronization client for Unix systems. It should be uninstalled.

Rationale

ntpdate is an old NTP client that does not meet current security requirements. It should be replaced by a modern NTP client such as ntpd, which is able to use the cryptographic mechanisms integrated in NTP.

Uninstall the ssl compliant telnet server

Rule ID: xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: high
Identifiers and References

Identifiers:  CCE-

References:  NT007(R02), AC-17(8), CM-7

Description

The telnet daemon, even with ssl support, should be uninstalled.

Rationale

telnet, even with SSL support, should not be installed. When a remote shell is required, an up-to-date SSH daemon can be used instead.

Uninstall the telnet server

Rule ID: xccdf_org.ssgproject.content_rule_package_telnetd_removed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: high
Identifiers and References

Identifiers:  CCE-

References:  NT007(R03), AC-17(8), CM-7

Description

The telnet daemon should be uninstalled.

Rationale

telnet communicates in clear text and does not protect any data transmitted between client and server. Any confidential data can be eavesdropped, and no integrity checking is performed.

Install the ntp service

Rule ID: xccdf_org.ssgproject.content_rule_package_ntp_installed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: high
Identifiers and References

Identifiers:  CCE-

References:  NT012(R03), CCI-000160, AU-8(1), Req-10.4

Description

The ntpd service should be installed.

Rationale

Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services such as authentication, etc.). ntpd is regularly maintained and updated, and supports security features such as RFC 5906.

Install the cron service

Rule ID: xccdf_org.ssgproject.content_rule_package_cron_installed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

Identifiers:  CCE-

References:  NT28(R50), CM-7

Description

The Cron service should be installed.

Rationale

The cron service allows periodic job execution, which is needed for almost all administrative tasks and services (software updates, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only.

Install the auditd service

Rule ID: xccdf_org.ssgproject.content_rule_package_auditd_installed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

Identifiers:  CCE-

References:  NT28(R50)

Description

The auditd service should be installed.

Rationale

The auditd service is an access monitoring and accounting daemon. It watches system calls to audit any access, in comparison with a potential local access control policy such as an SELinux policy.

Enable the ntpd service

Rule ID: xccdf_org.ssgproject.content_rule_service_ntp_enabled
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: high
Identifiers and References

Identifiers:  CCE-

References:  NT012(R03), CCI-000160, AU-8(1), Req-10.4

Description

The ntpd service should be enabled.

Rationale

Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services such as authentication, etc.). ntpd is regularly maintained and updated, and supports security features such as RFC 5906.

Enable the auditd service

Rule ID: xccdf_org.ssgproject.content_rule_service_auditd_enabled
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

Identifiers:  CCE-

References:  NT28(R50), CCI-000347, CCI-000157, CCI-000172, CCI-000880, CCI-001353, CCI-001462, CCI-001487, CCI-001115, CCI-001454, CCI-000067, CCI-000158, CCI-000831, CCI-001190, CCI-001312, CCI-001263, CCI-000130, CCI-000120, CCI-001589, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), IR-5, Req-10

Description

The auditd service should be enabled.

Rationale

The auditd service is an access monitoring and accounting daemon. It watches system calls to audit any access, in comparison with a potential local access control policy such as an SELinux policy.

Allow Only SSH Protocol 2

Rule ID: xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: high
Identifiers and References

Identifiers:  CCE-

References:  NT007(R1), AC-17(7), IA-5(1)(c)

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

Rationale

SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

Disable SSH Access via Empty Passwords

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: high
Identifiers and References

Identifiers:  CCE-

References:  NT007(R17), AC-3

Description

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Set SSH Idle Timeout Interval

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

Identifiers:  CCE-

References:  AC-2(5), SA-8, Req-8.1.8

Description

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval interval

The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Rationale

Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.

Set SSH Client Alive Count

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

Identifiers:  CCE-

References:  AC-2(5), SA-8

Description

To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0

Rationale

This ensures a user login will be terminated as soon as the ClientAliveCountMax is reached.

Disable unauthenticated repositories in APT configuration

Rule ID: xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R15)

Description

Unauthenticated repositories should not be used for updates.

Rationale

Repositories host all packages that will be installed on the system during updates. If a repository is not authenticated, the associated packages cannot be trusted and therefore should not be installed locally.

Ensure that official distribution repositories are used

Rule ID: xccdf_org.ssgproject.content_rule_apt_sources_list_official
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R15)

Description

Check that official Debian repositories, including security repository, are configured in apt.

Rationale

The Debian distribution delivers DSAs (Debian Security Announce) through the official Debian security repository to correct vulnerabilities affecting Debian packages. Using the official repositories is the best way to ensure that Debian updates are integrated soon enough.

Ensure System Log Files Have Correct Permissions

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R36), 5.1.4, CCI-001314, SI-11, Req-10.5.1, Req-10.5.2

Description

The file permissions for all log files written by rsyslog should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:

$ ls -l LOGFILE

If the permissions are not 640 or more restrictive, run the following command to correct this:

$ sudo chmod 0640 LOGFILE

Rationale

Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.

Ensure Log Files Are Owned By Appropriate User

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R46), NT28(R5), CCI-001314, AC-6, SI-11, Req-10.5.1, Req-10.5.2

Description

The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:

$ ls -l LOGFILE

If the owner is not root, run the following command to correct this:

$ sudo chown root LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Ensure Log Files Are Owned By Appropriate Group

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R46), NT28(R5), CCI-001314, AC-6, SI-11, Req-10.5.1, Req-10.5.2

Description

The group-owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:

$ ls -l LOGFILE

If the group owner is not adm, run the following command to correct this:

$ sudo chgrp adm LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Enable syslog-ng Service

Rule ID: xccdf_org.ssgproject.content_rule_service_syslogng_enabled
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R46), NT28(R5), 5.1.2, CCI-001311, CCI-001312, CCI-001557, CCI-001851, AU-4(1), AU-12

Description

The syslog-ng service (as a replacement for rsyslog) provides syslog-style logging by default on Debian 8. The syslog-ng service can be enabled with the following command:

$ sudo chkconfig --level 2345 syslog-ng on

Rationale

The syslog-ng service must be running in order to provide logging services, which are essential to system administration.

Ensure syslog-ng is Installed

Rule ID: xccdf_org.ssgproject.content_rule_package_syslogng_installed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R46), NT28(R5), 5.1.1, CCI-001311, CCI-001312, AU-9(2)

Description

syslog-ng can be installed as a replacement for rsyslog. The syslog-ng-core package can be installed with the following command:

# apt-get install syslog-ng-core

Rationale

The syslog-ng-core package provides the syslog-ng daemon, which provides system logging services.

Ensure Logrotate Runs Periodically

Rule ID: xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  CCI-000366, AU-9, Req-10.7

Description

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:

# rotate log files frequency
daily

Rationale

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Enable rsyslog Service

Rule ID: xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R46), NT28(R5), 5.1.2, CCI-001311, CCI-001312, CCI-001557, CCI-001851, AU-4(1), AU-12

Description

The rsyslog service provides syslog-style logging by default on Debian 8. The rsyslog service can be enabled with the following command:

$ sudo chkconfig --level 2345 rsyslog on

Rationale

The rsyslog service must be running in order to provide logging services, which are essential to system administration.

Ensure rsyslog is Installed

Rule ID: xccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R46), NT28(R5), 5.1.1, CCI-001311, CCI-001312, AU-9(2)

Description

Rsyslog is installed by default. The rsyslog package can be installed with the following command:

# apt-get install rsyslog

Rationale

The rsyslog package provides the rsyslog daemon, which provides system logging services.

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule ID: xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R5), CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Description

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Rule ID: xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R5), CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Description

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Ensure /home Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_home
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R12), CCI-001208, SC-32

Description

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Ensure /tmp Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_tmp
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R12), SC-32

Description

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, migrate it later using LVM (when non-ephemeral storage is needed), or use tmpfs where possible.

Rationale

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Ensure /var Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R12), SC-32

Description

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Ensure /var/log/audit Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  AU-4, AU-9, SC-32

Description

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Ensure /var/log Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var_log
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R12), NT28(R47), AU-9, SC-32

Description

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

IOMMU configuration directive

Rule ID: xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R11)

Description

On x86 architectures supporting VT-d, the IOMMU manages the access control policy between hardware devices and some of the system's critical units, such as memory.

Rationale

On x86 architectures, activating the IOMMU protects the system from arbitrary memory accesses that hardware devices could otherwise make.

Verify Permissions and ownership on gshadow File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R36), AC-6

Description

To properly set the permissions of /etc/gshadow, run the command:

$ sudo chmod 0640 /etc/gshadow

To properly set the owner of /etc/gshadow, run the command:

$ sudo chown root /etc/gshadow

To properly set the group owner of /etc/gshadow, run the command:

$ sudo chgrp shadow /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Verify Permissions and ownership on shadow File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R36), AC-6, Req-8.7.c

Description

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0640 /etc/shadow

To properly set the owner of /etc/shadow, run the command:

$ sudo chown root /etc/shadow

To properly set the group owner of /etc/shadow, run the command:

$ sudo chgrp shadow /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Verify Permissions and ownership on group File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  AC-6

Description

To properly set the permissions of /etc/group, run the command:

$ sudo chmod 0644 /etc/group

To properly set the owner of /etc/group, run the command:

$ sudo chown root /etc/group

To properly set the group owner of /etc/group, run the command:

$ sudo chgrp root /etc/group

Rationale

The /etc/group file contains information about the groups that are configured on the system. Protection of this file is critical for system security.

Verify Permissions and ownership on passwd File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  AC-6

Description

To properly set the permissions of /etc/passwd, run the command:

$ sudo chmod 0644 /etc/passwd

To properly set the owner of /etc/passwd, run the command:

$ sudo chown root /etc/passwd

To properly set the group owner of /etc/passwd, run the command:

$ sudo chgrp root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Verify that local System.map file (if exists) is readable only by root

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_systemmap
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R13)

Description

Files containing sensitive information should be protected by restrictive permissions. Most of the time there is no need for these files to be readable by any non-root user. To properly set the permissions of /boot/System.map-*, run the command:

$ sudo chmod 0600 /boot/System.map-*

To properly set the owner of /boot/System.map-*, run the command:

$ sudo chown root /boot/System.map-*

Rationale

The System.map file contains the addresses of kernel symbols, which can aid local exploitation of the kernel.
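The five file-permission rules above (passwd, group, shadow, gshadow and System.map) each give remediation commands but no audit step. The script below is an added example, not part of the guide or of the scap-security-guide project, covering all five with one table-driven check. It assumes GNU stat (Debian coreutils); the expected modes and owners are the ones the rule descriptions state, and a file may be marked optional so that an absent /boot/System.map-* is reported as skipped rather than failed, matching the rule's "if exists". A file is treated as compliant when its mode grants nothing beyond the prescribed mode (a stricter 0600 on a 0640 file passes), which is how such checks are normally evaluated; the remediation function applies the exact values from the rules.

```shell
#!/bin/sh
# Added example (not from the guide): audit, and optionally remediate, the
# mode/owner/group baseline for the account database files and System.map.
# Assumes GNU stat (Debian coreutils). Paths may be globs.

# check_file_perms PATH MODE OWNER GROUP
# Return 0 when PATH is owned by OWNER:GROUP and its mode grants no bit that
# MODE (octal) does not; otherwise print a finding per problem and return 1.
check_file_perms() {
    cfp_path=$1 cfp_mode=$2 cfp_owner=$3 cfp_group=$4 cfp_rc=0
    if [ ! -e "$cfp_path" ]; then
        echo "FAIL $cfp_path: missing"
        return 1
    fi
    # GNU stat: octal mode (no leading zero), owner name, group name
    set -- $(stat -c '%a %U %G' "$cfp_path")
    # Bits present in the file but absent from the wanted mode are "extra".
    # The 0 prefix makes the shell read both values as octal.
    cfp_extra=$(( 0$1 & ~0$cfp_mode ))
    [ "$cfp_extra" -eq 0 ] || { echo "FAIL $cfp_path: mode $1 more permissive than $cfp_mode"; cfp_rc=1; }
    [ "$2" = "$cfp_owner" ] || { echo "FAIL $cfp_path: owner $2, want $cfp_owner"; cfp_rc=1; }
    [ "$3" = "$cfp_group" ] || { echo "FAIL $cfp_path: group $3, want $cfp_group"; cfp_rc=1; }
    [ "$cfp_rc" -eq 0 ] && echo "OK   $cfp_path $1 $2:$3"
    return $cfp_rc
}

# Read "PATH MODE OWNER GROUP [optional]" lines on stdin (blank lines and
# '#' comments ignored; PATH may be a glob) and check each matching file.
# Optional entries that do not exist are skipped. Returns the failure count.
audit_baseline() {
    ab_fail=0
    while read -r ab_path ab_mode ab_owner ab_group ab_flag; do
        case $ab_path in ''|'#'*) continue ;; esac
        for ab_f in $ab_path; do   # unquoted on purpose: expand the glob
            if [ ! -e "$ab_f" ] && [ "$ab_flag" = optional ]; then
                echo "SKIP $ab_path: not present"
                continue
            fi
            check_file_perms "$ab_f" "$ab_mode" "$ab_owner" "$ab_group" || ab_fail=$((ab_fail + 1))
        done
    done
    return $ab_fail
}

# Apply the baseline (same input format; needs root). Missing files are left alone.
apply_baseline() {
    while read -r ap_path ap_mode ap_owner ap_group ap_flag; do
        case $ap_path in ''|'#'*) continue ;; esac
        for ap_f in $ap_path; do
            [ -e "$ap_f" ] || continue
            chmod "$ap_mode" "$ap_f" && chown "$ap_owner:$ap_group" "$ap_f"
        done
    done
}

# Baseline taken from the rule descriptions above (Debian: group "shadow"
# owns the shadow files; System.map is optional because it need not exist).
debian_account_file_baseline() {
    cat <<'EOF'
/etc/passwd 0644 root root
/etc/group 0644 root root
/etc/shadow 0640 root shadow
/etc/gshadow 0640 root shadow
/boot/System.map-* 0600 root root optional
EOF
}
```

To audit a live host run `debian_account_file_baseline | audit_baseline`; the exit status is the number of non-compliant files, so it can gate a deployment. To remediate, `debian_account_file_baseline | sudo sh -c '. ./thisfile.sh; apply_baseline'` (with the script saved under a name of your choosing) applies the exact values from the rules.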

Disable Core Dumps for SUID programs

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: unknown
Identifiers and References

References:  NT28(R23), 1.6.1, SI-11

Description

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

$ sudo sysctl -w fs.suid_dumpable=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

fs.suid_dumpable = 0

Rationale

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated its execution. Disabling the ability of any setuid program to write a core file decreases the risk of unauthorized access to such data.

Enable Randomized Layout of Virtual Address Space

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result: notapplicable
Time: 2020-02-05T15:52:13
Severity: medium
Identifiers and References

References:  NT28(R23), 1.6.1, SC-30(2)

Description

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2

If this is not the system's default value, add the following line to /etc/sysctl.conf:

kernel.randomize_va_space = 2

Rationale

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
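Both sysctl rules above (fs.suid_dumpable and kernel.randomize_va_space) have the same two-part shape: a runtime value set with sysctl -w and a persisted value in /etc/sysctl.conf. A setting that is only applied at runtime is lost at reboot, and a setting only written to the file is inactive until sysctl --system runs, so an audit has to check both. The script below is an added example, not part of the guide or of the scap-security-guide project. It parses sysctl.conf-style files itself (comments starting with # or ;, "key = value" or "key=value", "/" accepted as a separator, last assignment wins) and reads the live value from /proc/sys. It assumes Debian's procps ordering, in which /etc/sysctl.d/*.conf drop-ins are read in name order and /etc/sysctl.conf is read last and therefore wins; the sample configuration in the usage below is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): check that a sysctl key holds the
# required value both on the running kernel and in persisted configuration.
# Assumes Linux /proc/sys and a POSIX awk (mawk/gawk on Debian).

# Print the effective value of KEY in a sysctl.conf-style FILE; return 1 if
# the key is not set there. Both kernel.foo and kernel/foo name the same key.
sysctl_file_value() {
    [ -r "$1" ] || return 1
    sfv_val=$(awk -v key="$(printf '%s' "$2" | tr / .)" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comment or blank line
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("/", ".", k)                          # normalise separator
            if (k == key) { last = v; found = 1 }      # last assignment wins
        }
        END { if (found) print last }' "$1")
    [ -n "$sfv_val" ] || return 1
    printf '%s\n' "$sfv_val"
}

# Print the live value of KEY from /proc/sys; return 1 if the kernel has no such key.
sysctl_runtime_value() {
    srv_path=/proc/sys/$(printf '%s' "$1" | tr . /)
    [ -r "$srv_path" ] || return 1
    cat "$srv_path"
}

# sysctl_persisted_value KEY [CONF_FILE] [CONF_DIR]
# Effective persisted value: CONF_FILE (/etc/sysctl.conf) is read last by
# `sysctl --system`, so it overrides the drop-ins in CONF_DIR (/etc/sysctl.d),
# which are processed in name order with later files overriding earlier ones.
sysctl_persisted_value() {
    spv_key=$1 spv_conf=${2:-/etc/sysctl.conf} spv_dir=${3:-/etc/sysctl.d}
    if spv_val=$(sysctl_file_value "$spv_conf" "$spv_key"); then
        printf '%s\n' "$spv_val"
        return 0
    fi
    spv_last=
    for spv_f in "$spv_dir"/*.conf; do
        [ -r "$spv_f" ] || continue
        spv_v=$(sysctl_file_value "$spv_f" "$spv_key") && spv_last=$spv_v
    done
    [ -n "$spv_last" ] || return 1
    printf '%s\n' "$spv_last"
}

# check_sysctl KEY WANT [CONF_FILE] [CONF_DIR]: 0 only when the runtime and
# the persisted value both equal WANT; prints one finding per mismatch.
check_sysctl() {
    cs_key=$1 cs_want=$2 cs_rc=0
    cs_run=$(sysctl_runtime_value "$cs_key") || cs_run="<absent>"
    cs_per=$(sysctl_persisted_value "$cs_key" "$3" "$4") || cs_per="<unset>"
    [ "$cs_run" = "$cs_want" ] || { echo "FAIL $cs_key runtime=$cs_run want=$cs_want"; cs_rc=1; }
    [ "$cs_per" = "$cs_want" ] || { echo "FAIL $cs_key persisted=$cs_per want=$cs_want"; cs_rc=1; }
    [ "$cs_rc" -eq 0 ] && echo "OK   $cs_key=$cs_want (runtime and persisted)"
    return $cs_rc
}
```

On a live host the two rules are checked with `check_sysctl fs.suid_dumpable 0` and `check_sysctl kernel.randomize_va_space 2`. Because the parser reports the last assignment, a compliant line in /etc/sysctl.conf followed by a later drop-in or duplicate that weakens it is caught, which a plain grep for the expected line would miss.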

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.