Mapping | CCE | Rule Title | Description | Rationale | Variable Setting |
BP28(R1) | CCE-83385-5 | Uninstall DHCP Server Package |
If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp-server package can be removed with the following command:
$ sudo yum erase dhcp-server |
Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. | |
BP28(R1) | CCE-82184-3 | Uninstall rsh-server Package |
The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server |
The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. | |
BP28(R1) | CCE-82183-5 | Uninstall rsh Package | The rsh package contains the client commands for the rsh services | These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh,rcp, and rlogin. | |
BP28(R1) | CCE-81039-0 | Uninstall Sendmail Package |
Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo yum erase sendmail |
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. | |
BP28(R1) | CCE-82180-1 | Uninstall talk-server Package |
The talk-server package can be removed with the following command: $ sudo yum erase talk-server |
The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services. | |
BP28(R1) | CCE-80848-5 | Uninstall talk Package |
The talk package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo yum erase talk |
The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of talk client program. | |
BP28(R1) | CCE-82182-7 | Uninstall telnet-server Package |
The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server |
It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation. |
|
BP28(R1) | CCE-80849-3 | Remove telnet Clients | The telnet client allows users to start connections to other systems via the telnet protocol. | The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8. | |
BP28(R1) | CCE-82436-7 | Uninstall tftp-server Package |
The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server |
Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established. |
|
BP28(R1) | CCE-83590-0 | Remove tftp Daemon | Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server. | It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services. | |
BP28(R1) | CCE-80850-1 | Uninstall xinetd Package |
The xinetd package can be removed with the following command:
$ sudo yum erase xinetd |
Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. | |
BP28(R1) | CCE-82181-9 | Remove NIS Client | The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files. | The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed. | |
BP28(R1) | CCE-82432-6 | Uninstall ypserv Package |
The ypserv package can be removed with the following command:
$ sudo yum erase ypserv |
The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. | |
BP28(R5) | CCE-88248-0 | Enable authselect | Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the sssd profile. | Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases. | var_authselect_profile=sssd |
BP28(R5) NT28(R46) |
CCE-80847-7 | Ensure rsyslog is Installed |
Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo yum install rsyslog |
The rsyslog package provides the rsyslog daemon, which provides system logging services. | |
BP28(R5) NT28(R46) |
CCE-80886-5 | Enable rsyslog Service |
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
The rsyslog service must be running in order to provide logging services, which are essential to system administration. | |
BP28(R5) BP28(R59) |
CCE-82202-3 | Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. |
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
|
BP28(R5) BP28(R59) |
CCE-82197-5 | Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. |
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
|
BP28(R8) | CCE-82494-6 | Configure dnf-automatic to Install Available Updates Automatically | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner. | |
BP28(R8) | CCE-82267-6 | Configure dnf-automatic to Install Only Security Updates | To configure dnf-automatic to install only security updates automatically, set upgrade_type to security under [commands] section in /etc/dnf/automatic.conf. | By default, dnf-automatic installs all available updates. Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability. | |
BP28(R8) | CCE-82985-3 | Install dnf-automatic Package |
The dnf-automatic package can be installed with the following command:
$ sudo yum install dnf-automatic |
dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution. | |
BP28(R08) | CCE-80865-9 | Ensure Software Patches Installed |
If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum updateIf the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm. NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. | |
BP28(R8) | CCE-82360-9 | Enable dnf-automatic Timer |
The dnf-automatic timer can be enabled with the following command:
$ sudo systemctl enable dnf-automatic.timer |
The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by dnf-automatic.timer SystemD timer. | |
BP28(R15) | CCE-80790-9 | Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
|
BP28(R15) | CCE-80791-7 | Ensure gpgcheck Enabled for Local Packages | yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. |
Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. |
|
BP28(R15) | CCE-80792-5 | Ensure gpgcheck Enabled for All yum Package Repositories |
To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." | |
BP28(R15) | CCE-80795-8 | Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software packages
come from Red Hat (and to connect to the Red Hat Network to receive them),
the Red Hat GPG key must properly be installed. To install the Red Hat GPG
key, run:
$ sudo subscription-manager registerIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/RPM-GPG-KEYAlternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release |
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. | |
BP28(R18) | CCE-80647-1 | Set Password Maximum Age |
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 90A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 90. |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
var_accounts_maximum_age_login_defs=90 |
BP28(R18) | CCE-80653-9 | Ensure PAM Enforces Password Requirements - Minimum Digit Characters | The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. |
|
BP28(R18) | CCE-80655-4 | Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters | The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
|
BP28(R18) | CCE-80656-2 | Ensure PAM Enforces Password Requirements - Minimum Length | The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=18 after pam_pwquality to set minimum password length requirements. |
The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
var_password_pam_minlen=18 |
BP28(R18) | CCE-80663-8 | Ensure PAM Enforces Password Requirements - Minimum Special Characters | The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal 1 to require use of a special character in passwords. |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. |
var_password_pam_ocredit=1 |
BP28(R18) | CCE-80665-3 | Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters | The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
|
BP28(R18) | CCE-80666-1 | Limit Password Reuse | Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | |
BP28(R18) | CCE-80667-9 | Lock Accounts After Failed Password Attempts | This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. | |
BP28(R18) | CCE-80668-7 | Configure the root Account for Failed Password Attempts | This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. | |
BP28(R18) | CCE-80669-5 | Set Interval For Counting Failed Password Attempts | Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | |
BP28(R18) | CCE-80670-3 | Set Lockout Time for Failed Password Attempts | This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool. | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | |
BP28(R32) | CCE-83403-6 | Set number of Password Hashing Rounds - password-auth |
Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the rounds option for the pam_unix PAM module.
In file /etc/pam.d/password-auth append rounds=65536 to the pam_unix.so entry, as shown below: password sufficient pam_unix.so ...existing_options... rounds=65536The system's default number of rounds is 5000. |
Using a higher number of rounds makes password cracking attacks more difficult. | var_password_pam_unix_rounds=65536 |
BP28(R32) | CCE-83386-3 | Set number of Password Hashing Rounds - system-auth |
Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the rounds option for the pam_unix PAM module.
In file /etc/pam.d/system-auth append rounds=65536 to the pam_unix.so entry, as shown below: password sufficient pam_unix.so ...existing_options... rounds=65536The system's default number of rounds is 5000. |
Using a higher number of rounds makes password cracking attacks more difficult. | var_password_pam_unix_rounds=65536 |
BP28(R32) | CCE-80893-1 | Set PAM''s Password Hashing Algorithm |
The PAM system service can be configured to only store encrypted
representations of passwords. In "/etc/pam.d/system-auth", the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512, as shown
below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. |
|
BP28(R37) BP28(R38) |
CCE-80816-2 | Ensure All SGID Executables Are Authorized | The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. This configuration check considers authorized SGID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review. | Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. | |
BP28(R37) BP28(R38) |
CCE-80817-0 | Ensure All SUID Executables Are Authorized | The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review. | Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. |