| NaN |
Version: 5.20111007 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE ID |
CCE Description |
CCE Parameters |
CCE Technical Mechanisms |
NaN |
NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" |
NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" - Revision 4, September 14, 2010 |
Old "Unix-CCE-DRAFT-2" ID |
| CCE-3416-5 |
The rhnsd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.1.2.2, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4218-4 |
The yum-updatesd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.1.2.3.2, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4209-3 |
The AIDE package should be installed or not as appropriate |
installed / uninstalled |
via yum |
NaN |
Section: 2.1.3.1.1, Value: installed |
NaN |
NaN |
| CCE-4249-9 |
The nodev option should be enabled or disabled as appropriate for all non-root partitions. |
enabled / disabled |
via /etc/fstab |
NaN |
Section: 2.2.1.1, Value: enabled |
NaN |
NaN |
| CCE-3522-0 |
The nodev option should be enabled or disabled as appropriate for all removable media. |
enabled / disabled |
via /etc/fstab |
NaN |
Section: 2.2.1.2, Value: enabled |
NaN |
Similar to CCE-U-170 |
| CCE-4275-4 |
The noexec option should be enabled or disabled as appropriate for all removable media. |
enabled / disabled |
via /etc/fstab |
NaN |
Section: 2.2.1.2, Value: enabled |
NaN |
Similar to CCE-U-170 |
| CCE-4042-8 |
The nosuid option should be enabled or disabled as appropriate for all removable media. |
enabled / disabled |
via /etc/fstab |
NaN |
Section: 2.2.1.2, Value: enabled |
NaN |
CCE-U-170 |
| CCE-3685-5 |
Console device ownership should be restricted to root-only as appropriate. |
root-only / not root-only |
via /etc/security/console.perms.d/50-default.perms |
NaN |
Section: 2.2.2.1, Value: root-only |
NaN |
NaN |
| CCE-4187-1 |
The USB device support module should be loaded or not as appropriate |
loaded / not loaded |
via /etc/modprobe.conf |
NaN |
Section: 2.2.2.2.1, Value: not loaded |
NaN |
NaN |
| CCE-4006-3 |
The USB device support module should be installed or not as appropriate |
installed / uninstalled |
via kernel |
NaN |
Section: 2.2.2.2.2, Value: uninstalled |
NaN |
NaN |
| CCE-4173-1 |
USB kernel support should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/grub.conf |
NaN |
Section: 2.2.2.2.3, Value: disabled |
NaN |
NaN |
| CCE-3944-6 |
The ability to boot from USB devices should be enabled or disabled as appropriate |
enabled / disabled |
via BIOS |
NaN |
Section: 2.2.2.2.4, Value: disabled |
NaN |
NaN |
| CCE-4072-5 |
The autofs service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.2.2.3, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4231-7 |
The GNOME automounter (gnome-volume-manager) should be enabled or disabled as appropriate |
enabled / disabled |
via gconftool-2 |
NaN |
Section: 2.2.2.4, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3988-3 |
The /etc/shadow file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-23 |
| CCE-3883-6 |
The /etc/group file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-202 |
| CCE-3276-3 |
The /etc/group file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-201 |
| CCE-3932-1 |
File permissions for /etc/gshadow should be set correctly. |
permissions |
via chmod |
NaN |
Section: 2.2.3.1, Value: 400 |
NaN |
CCE-U-200 |
| CCE-4064-2 |
The /etc/gshadow file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-202 |
| CCE-4210-1 |
The /etc/gshadow file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-201 |
| CCE-3918-0 |
The /etc/shadow file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-22 |
| CCE-3566-7 |
File permissions for /etc/passwd should be set correctly. |
permissions |
via chmod |
NaN |
Section: 2.2.3.1, Value: 644 |
NaN |
CCE-U-19 |
| CCE-3958-6 |
The /etc/passwd file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-20 |
| CCE-3967-7 |
File permissions for /etc/group should be set correctly. |
permissions |
via chmod |
NaN |
Section: 2.2.3.1, Value: 644 |
NaN |
CCE-U-200 |
| CCE-3495-9 |
The /etc/passwd file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 2.2.3.1, Value: root |
NaN |
CCE-U-21 |
| CCE-4130-1 |
File permissions for /etc/shadow should be set correctly. |
permissions |
via chmod |
NaN |
Section: 2.2.3.1, Value: 400 |
NaN |
CCE-U-24 |
| CCE-3399-3 |
The sticky bit should be set or not set as appropriate for all world-writable directories. |
set / not set |
via chmod |
NaN |
Section: 2.2.3.2, Value: set |
NaN |
CCE-U-171 |
| CCE-3795-2 |
The world-write permission should be enabled or disabled as appropriate for all files. |
enabled / disabled |
via chmod |
NaN |
Section: 2.2.3.3, Value: disabled |
NaN |
CCE-U-24 |
| CCE-4178-0 |
The sgid bit should be set or not set as appropriate for all files. |
set / not set |
via chmod |
NaN |
Section: 2.2.3.4, Value: not set |
NaN |
NaN |
| CCE-3324-1 |
The suid bit should be set or not set as appropriate for all files. |
set / not set |
via chmod |
NaN |
Section: 2.2.3.4, Value: not set |
NaN |
NaN |
| CCE-4223-4 |
All files should be owned by a user as appropriate |
user / none |
via chown |
NaN |
Section: 2.2.3.5, Value: user |
NaN |
NaN |
| CCE-3573-3 |
All files should be owned by a group as appropriate |
group / none |
via chgrp |
NaN |
Section: 2.2.3.5, Value: group |
NaN |
NaN |
| CCE-4220-0 |
The daemon umask should be set as appropriate |
permissions mask |
via /etc/sysconfig/init |
NaN |
Section: 2.2.4.1, Value: 027 |
NaN |
NaN |
| CCE-4225-9 |
Core dumps for all users should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/security/limits.conf |
NaN |
Section: 2.2.4.2, Value: disabled |
NaN |
NaN |
| CCE-4247-3 |
Core dumps for setuid programs should be enabled or disabled as appropriate |
enabled / disabled |
via sysctl - fs.suid_dumpable |
NaN |
Section: 2.2.4.2, Value: disabled |
NaN |
NaN |
| CCE-4146-7 |
ExecShield randomized placement of virtual memory regions should be enabled or disabled as appropriate |
enabled / disabled |
via sysctl - kernel.randomize_va_space |
NaN |
Section: 2.2.4.3, Value: enabled |
NaN |
NaN |
| CCE-4168-1 |
ExecShield should be enabled or disabled as appropriate |
enabled / disabled |
via sysctl - kernel.exec-shield |
NaN |
Section: 2.2.4.3, Value: enabled |
NaN |
NaN |
| CCE-4172-3 |
Kernel support for the XD/NX processor feature should be enabled or disabled as appropriate |
enabled / disabled |
via kernel-PAE |
NaN |
Section: 2.2.4.4.2, Value: enabled |
NaN |
NaN |
| CCE-4177-2 |
The XD/NX processor feature should be enabled or disabled as appropriate in the BIOS |
enabled / disabled |
via BIOS |
NaN |
Section: 2.2.4.4.3, Value: enabled |
NaN |
NaN |
| CCE-3820-8 |
Logins through the specified virtual console interface should be enabled or disabled as appropriate |
enabled/disabled |
via /etc/securetty |
NaN |
Section: 2.3.1.1, Value: enabled |
NaN |
CCE-U-200 |
| CCE-3485-0 |
Logins through the specified virtual console device should be enabled or disabled as appropriate |
enabled/disabled |
via /etc/securetty |
NaN |
Section: 2.3.1.1, Value: enabled |
NaN |
CCE-U-200 |
| CCE-4111-1 |
Logins through the primary console device should be enabled or disabled as appropriate |
enabled/disabled |
via /etc/securetty |
NaN |
Section: 2.3.1.1, Value: enabled |
NaN |
CCE-U-200 |
| CCE-4256-4 |
Login prompts on serial ports should be enabled or disabled as appropriate. |
enabled/disabled |
via /etc/securetty |
NaN |
Section: 2.3.1.1, Value: enabled |
NaN |
CCE-U-155 |
| CCE-4274-7 |
Command access to the root account should be enabled or disabled as appropriate. |
enabled/disabled |
via pam |
NaN |
Section: 2.3.1.2, Value: enabled |
NaN |
CCE-U-15 |
| CCE-4044-4 |
Sudo privileges should be granted or rejected to the wheel group as appropriate |
grant/reject |
via /etc/sudoers |
NaN |
Section: 2.3.1.3, Value: granted |
NaN |
CCE-U-200 |
| CCE-3987-5 |
Login access to non-root system accounts should be enabled or disabled as appropriate |
enabled/disabled |
via /etc/passwd |
NaN |
Section: 2.3.1.4, Value: disabled |
NaN |
CCE-U-200 |
| CCE-4238-2 |
Login access to accounts without passwords should be enabled or disabled as appropriate |
enabled/disabled |
via /etc/shadow |
NaN |
Section: 2.3.1.5, Value: disabled |
NaN |
CCE-U-200 |
| CCE-4009-7 |
Anonymous root logins are enabled or disabled as appropriate |
enabled/disabled |
via /etc/passwd |
NaN |
Section: 2.3.1.6, Value: disabled |
NaN |
CCE-U-200 |
| CCE-4154-1 |
The password minimum length should be set appropriately |
length of password |
(1) via pam_cracklib (2) via pam_passwdqc |
NaN |
Section: 2.3.1.7, Value: 8 |
Section: 2.3.3.1.1 - Set Password Quality Requirements |
CCE-U-200 |
| CCE-4180-6 |
The "minimum password age" policy should meet minimum requirements. |
number of days |
via /etc/login.defs |
NaN |
Section: 2.3.1.7, Value: 7 |
NaN |
CCE-U-7 |
| CCE-4092-3 |
The "maximum password age" policy should meet minimum requirements. |
number of days |
via /etc/login.defs |
NaN |
Section: 2.3.1.7, Value: 180 |
NaN |
CCE-U-8 |
| CCE-4097-2 |
The password warn age should be set appropriately |
number of days |
via /etc/login.defs |
NaN |
Section: 2.3.1.7, Value: 8 |
NaN |
CCE-U-200 |
| CCE-4114-5 |
NIS file inclusions should be set appropriately in the /etc/passwd file |
allowed/not allowed |
via Text editor |
NaN |
Section: 2.3.1.8, Value: |
NaN |
CCE-U-200 |
| CCE-3762-2 |
DEPRECATED in favor of CCE-14113-5, CCE-14672-0, CCE-14712-4, CCE-14122-6. Was: The password strength should meet minimum requirements |
NaN |
NaN |
NaN |
Section: 2.3.3.1, Value: |
NaN |
CCE-U-200 |
| CCE-3410-8 |
The "account lockout threshold" policy should meet minimum requirements. |
number of attempts |
via PAM |
NaN |
Section: 2.3.3.2, Value: |
NaN |
CCE-U-4 |
| CCE-4185-5 |
The /usr/sbin/userhelper file should be owned by the appropriate group. |
group |
via chgrp |
NaN |
Section: 2.3.3.4, Value: usergroup |
NaN |
CCE-U-202 |
| CCE-3952-9 |
File permissions for /usr/sbin/userhelper should be set correctly. |
permissions |
via chmod |
NaN |
Section: 2.3.3.4, Value: 4710 |
NaN |
CCE-U-200 |
| CCE-3301-9 |
The PATH variable should be set correctly for user root |
path |
NaN |
NaN |
Section: 2.3.4.1, Value: |
NaN |
CCE-U-26 |
| CCE-4090-7 |
File permissions should be set correctly for the home directories for all user accounts. |
permissions |
NaN |
NaN |
Section: 2.3.4.2, Value: g-w,o-rwx |
NaN |
CCE-U-162 |
| CCE-3844-8 |
The default umask for all users should be set correctly for the bash shell |
umask |
umask |
NaN |
Section: 2.3.4.4, Value: 077 |
NaN |
CCE-U-31 |
| CCE-4227-5 |
The default umask for all users should be set correctly for the csh shell |
NaN |
NaN |
NaN |
Section: 2.3.4.4, Value: 077 |
NaN |
CCE-U-31 |
| CCE-3870-3 |
The default umask for all users should be set correctly |
NaN |
NaN |
NaN |
Section: 2.3.4.4, Value: 077 |
NaN |
CCE-U-31 |
| CCE-4144-2 |
The /etc/grub.conf file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 2.3.5.2, Value: root |
NaN |
CCE-U-201 |
| CCE-3923-0 |
File permissions for /etc/grub.conf should be set correctly. |
permissions |
via chmod |
NaN |
Section: 2.3.5.2, Value: 600 |
NaN |
CCE-U-200 |
| CCE-3818-2 |
The grub boot loader should have password protection enabled or disabled as appropriate |
password |
via /etc/grub.conf |
NaN |
Section: 2.3.5.2, Value: |
NaN |
NaN |
| CCE-4197-0 |
The /etc/grub.conf file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 2.3.5.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4241-6 |
The requirement for a password to boot into single-user mode should be configured correctly. |
enabled/disabled |
via /etc/inittab |
NaN |
Section: 2.3.5.3, Value: enabled |
NaN |
CCE-U-1 |
| CCE-4245-7 |
The ability for users to perform interactive startups should be enabled or disabled as appropriate. |
enabled/disabled |
via /etc/sysconfig/init |
NaN |
Section: 2.3.5.4, Value: disabled |
NaN |
NaN |
| CCE-3689-7 |
The idle time-out value for the default /bin/tcsh shell should meet the minimum requirements. |
number of minutes |
via autolockout |
NaN |
Section: 2.3.5.5, Value: 10 |
NaN |
NaN |
| CCE-3707-7 |
The idle time-out value for the default /bin/bash shell should meet the minimum requirements. |
number of minutes |
via /etc/profile.d |
NaN |
Section: 2.3.5.5, Value: 10 |
NaN |
NaN |
| CCE-3315-9 |
The allowed period of inactivity before gnome desktop lockout should be configured correctly. |
number of minutes |
via gconftool-2 |
NaN |
Section: 2.3.5.6.1, Value: 10 |
NaN |
CCE-U-6 |
| CCE-3910-7 |
The vlock package should be installed or not as appropriate |
number of minutes |
via gconftool-2 |
NaN |
Section: 2.3.5.6.1, Value: |
NaN |
NaN |
| CCE-4060-0 |
The system login banner text should be set correctly. |
banner text |
via /etc/motd |
NaN |
Section: 2.3.7.1, Value: |
NaN |
NaN |
| CCE-4188-9 |
The direct gnome login warning banner should be set correctly. |
banner text/xml |
via RHEL.xml |
NaN |
Section: 2.3.7.2, Value: |
NaN |
NaN |
| CCE-3977-6 |
SELinux should be enabled or disabled as appropriate |
enforcing / permissive / disabled |
via /etc/selinux/config |
NaN |
Section: 2.4.2, Value: enabled |
NaN |
NaN |
| CCE-3999-0 |
The SELinux state should be set appropriately. |
enforcing / permissive / disabled |
via /etc/selinux/config |
NaN |
Section: 2.4.2, Value: enforcing |
NaN |
NaN |
| CCE-3624-4 |
The SELinux policy should be set appropriately. |
targeted / strict / mls |
via /etc/selinux/config |
NaN |
Section: 2.4.2, Value: targeted |
NaN |
NaN |
| CCE-4254-9 |
The setroubleshoot service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.4.3.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4148-3 |
The setroubleshoot package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 2.4.3.1, Value: uninstalled |
NaN |
NaN |
| CCE-3668-1 |
The mcstrans service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.4.3.2, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4129-3 |
The restorecond service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.4.3.3, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4151-7 |
The default setting for sending ICMP redirects should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.default.send_redirects |
NaN |
Section: 2.5.1.1, Value: disabled |
NaN |
NaN |
| CCE-4155-8 |
Sending ICMP redirects should be enabled or disabled for all interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.all.send_redirects |
NaN |
Section: 2.5.1.1, Value: disabled |
NaN |
NaN |
| CCE-3561-8 |
IP forwarding should be enabled or disabled as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.ip_forward |
NaN |
Section: 2.5.1.1, Value: disabled |
NaN |
CCE-U-134 |
| CCE-3472-8 |
Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for all interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.all.secure_redirects |
NaN |
Section: 2.5.1.2, Value: disabled |
NaN |
NaN |
| CCE-4217-6 |
Accepting ICMP redirects should be enabled or disabled for all interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.all.accept_redirects |
NaN |
Section: 2.5.1.2, Value: disabled |
NaN |
NaN |
| CCE-4133-5 |
Ignoring bogus ICMP responses to broadcasts should be enabled or disabled as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.icmp_ignore_bogus_error_messages |
NaN |
Section: 2.5.1.2, Value: enabled |
NaN |
NaN |
| CCE-4265-5 |
Sending TCP syncookies should be enabled or disabled as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.tcp_syncookies |
NaN |
Section: 2.5.1.2, Value: enabled |
NaN |
NaN |
| CCE-3644-2 |
Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled or disabled as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.icmp_echo_ignore_broadcasts |
NaN |
Section: 2.5.1.2, Value: enabled |
NaN |
NaN |
| CCE-4186-3 |
The default setting for accepting ICMP redirects should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.default.accept_redirects |
NaN |
Section: 2.5.1.2, Value: disabled |
NaN |
NaN |
| CCE-4080-8 |
Performing source validation by reverse path should be enabled or disabled for all interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.all.rp_filter |
NaN |
Section: 2.5.1.2, Value: enabled |
NaN |
NaN |
| CCE-3339-9 |
The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.default.secure_redirects |
NaN |
Section: 2.5.1.2, Value: disabled |
NaN |
NaN |
| CCE-4320-8 |
Logging of "martian" packets (those with impossible addresses) should be enabled or disabled for all interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.all.log_martians |
NaN |
Section: 2.5.1.2, Value: enabled |
NaN |
NaN |
| CCE-3840-6 |
The default setting for performing source validation by reverse path should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.default.rp_filter |
NaN |
Section: 2.5.1.2, Value: enabled |
NaN |
NaN |
| CCE-4091-5 |
The default setting for accepting source routed packets should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.default.accept_source_route |
NaN |
Section: 2.5.1.2, Value: disabled |
NaN |
NaN |
| CCE-4236-6 |
Accepting source routed packets should be enabled or disabled for all interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv4.conf.all.accept_source_route |
NaN |
Section: 2.5.1.2, Value: disabled |
NaN |
NaN |
| CCE-3628-5 |
All wireless devices should be enabled or disabled in the BIOS as appropriate. |
enabled / disabled |
via BIOS menus |
NaN |
Section: 2.5.2.2.1, Value: disabled |
NaN |
NaN |
| CCE-4276-2 |
All wireless interfaces should be enabled or disabled as appropriate. |
enabled / disabled |
via ifconfig |
NaN |
Section: 2.5.2.2.2, Value: disabled |
NaN |
NaN |
| CCE-4170-7 |
Device drivers for wireless devices should be included or excluded from the kernel as appropriate. |
included / excluded |
via modprobe |
NaN |
Section: 2.5.2.2.3, Value: excluded |
NaN |
NaN |
| CCE-3562-6 |
Automatic loading of the IPv6 kernel module should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/modprobe.conf |
NaN |
Section: 2.5.3.1.1, Value: disabled |
NaN |
NaN |
| CCE-3377-9 |
Global IPv6 initialization should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/sysconfig/network |
NaN |
Section: 2.5.3.1.2, Value: disabled |
NaN |
NaN |
| CCE-4296-0 |
IPv6 configuration should be enabled or disabled as appropriate for all interfaces. |
enabled / disabled |
via NETWORKING_IPV6 in /etc/sysconfig/network; via IPV6INIT in /etc/sysconfig/network; via IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-<interface> |
NaN |
Section: 2.5.3.1.2, Value: disabled |
NaN |
NaN |
| CCE-3381-1 |
The default setting for IPv6 configuration should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via IPV6_AUTOCONF in /etc/sysconfig/network |
NaN |
Section: 2.5.3.1.2, Value: disabled |
NaN |
NaN |
| CCE-4269-7 |
Accepting IPv6 router advertisements should be enabled or disabled as appropriate for all network interfaces. |
enabled / disabled |
via sysctl -w net.ipv6.conf.default.accept_ra=1 |
NaN |
Section: 2.5.3.2.1, Value: disabled |
NaN |
NaN |
| CCE-4291-1 |
The default setting for accepting IPv6 router advertisements should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via IPV6_AUTOCONF in /etc/sysconfig/network |
NaN |
Section: 2.5.3.2.1, Value: disabled |
NaN |
NaN |
| CCE-4313-3 |
Accepting redirects from IPv6 routers should be enabled or disabled as appropriate for all network interfaces. |
enabled / disabled |
via sysctl -w net.ipv6.conf.default.accept_redirects=1 |
NaN |
Section: 2.5.3.2.1, Value: disabled |
NaN |
NaN |
| CCE-4198-8 |
The default setting for accepting redirects from IPv6 routers should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via IPV6_AUTOCONF in /etc/sysconfig/network |
NaN |
Section: 2.5.3.2.1, Value: disabled |
NaN |
NaN |
| CCE-3842-2 |
IPv6 privacy extensions should be configured appropriately for all interfaces. |
disabled / lightweight / rfc3041 (alias yes) |
via IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-<interface> |
NaN |
Section: 2.5.3.2.3, Value: rfc3041 |
NaN |
NaN |
| CCE-4221-8 |
The default setting for accepting router preference via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref |
NaN |
Section: 2.5.3.2.5, Value: disabled |
NaN |
NaN |
| CCE-4137-6 |
The default number of global unicast IPv6 addresses allowed per network interface should be set appropriately. |
number |
via sysctl - net.ipv6.conf.default.max_addresses |
NaN |
Section: 2.5.3.2.5, Value: 1 |
NaN |
NaN |
| CCE-4159-0 |
The default number of IPv6 router solicitations for network interfaces to send should be set appropriately. |
number |
via sysctl - net.ipv6.conf.default.router_solicitations |
NaN |
Section: 2.5.3.2.5, Value: 0 |
NaN |
NaN |
| CCE-3895-0 |
The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be set appropriately. |
number |
via sysctl - net.ipv6.conf.default.dad_transmits |
NaN |
Section: 2.5.3.2.5, Value: 0 |
NaN |
NaN |
| CCE-4287-9 |
The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be enabled or disabled as appropriate. |
enabled / disabled |
via sysctl - net.ipv6.conf.default.autoconf |
NaN |
Section: 2.5.3.2.5, Value: disabled |
NaN |
NaN |
| CCE-4058-4 |
The default setting for accepting prefix information via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv6.conf.default.accept_ra_pinfo |
NaN |
Section: 2.5.3.2.5, Value: disabled |
NaN |
NaN |
| CCE-4128-5 |
The default setting for accepting a default router via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate. |
enabled / disabled |
via sysctl - net.ipv6.conf.default.accept_ra_defrtr |
NaN |
Section: 2.5.3.2.5, Value: disabled |
NaN |
NaN |
| CCE-4167-3 |
The ip6tables service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.5.5.1, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4189-7 |
The iptables service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.5.5.1, Value: enabled |
NaN |
CCE-U-203 |
| CCE-3679-8 |
The syslog service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.6.1, Value: enabled |
NaN |
CCE-U-203 |
| CCE-3701-0 |
All syslog log files should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 2.6.1.2, Value: root |
NaN |
CCE-U-202? |
| CCE-4233-3 |
File permissions for all syslog log files should be set correctly. |
permissions |
via chmod |
NaN |
Section: 2.6.1.2, Value: 600 |
NaN |
CCE-U-200? |
| CCE-4366-1 |
All syslog log files should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 2.6.1.2, Value: root |
NaN |
CCE-U-201? |
| CCE-4260-6 |
Syslog logs should be sent to a remote loghost or not as appropriate |
sent / not sent |
via /etc/syslog.conf |
NaN |
Section: 2.6.1.3, Value: sent |
NaN |
NaN |
| CCE-3382-9 |
Syslogd should accept remote messages or not as appropriate |
accept / reject |
via /etc/sysconfig/syslog |
NaN |
Section: 2.6.1.4, Value: accept |
NaN |
CCE-U-131 |
| CCE-4182-2 |
The logrotate (syslog rotater) service should be enabled or disabled as appropriate. |
enabled / disabled |
via cron |
NaN |
Section: 2.6.1.5, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4323-2 |
The logwatch service should be enabled or disabled as appropriate |
enabled / disabled |
via cron |
NaN |
Section: 2.6.1.6, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4292-9 |
The auditd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 2.6.2.1, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4234-1 |
The inetd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.1, Value: disabled |
NaN |
CCE-U-72 |
| CCE-4252-3 |
The xinetd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.1, Value: disabled |
NaN |
CCE-U-73 |
| CCE-4023-8 |
The inetd package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.2.1, Value: uninstalled |
NaN |
NaN |
| CCE-4164-0 |
The xinetd package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.2.1, Value: uninstalled |
NaN |
NaN |
| CCE-3390-2 |
The telnet service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.2, Value: disabled |
NaN |
CCE-U-104 |
| CCE-4330-7 |
The telnet-server package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.2.2, Value: uninstalled |
NaN |
NaN |
| CCE-3974-3 |
The rcp service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.3.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4141-8 |
The rsh service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.3.1, Value: disabled |
NaN |
CCE-U-83 |
| CCE-3537-8 |
The rlogin service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.3.1, Value: disabled |
NaN |
CCE-U-82 |
| CCE-4308-3 |
The rsh package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.2.3.1, Value: uninstalled |
NaN |
NaN |
| CCE-3705-1 |
The ypbind service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.4, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4348-9 |
The ypserv package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.2.4, Value: uninstalled |
NaN |
NaN |
| CCE-4273-9 |
The tftp service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.2.5, Value: disabled |
NaN |
CCE-U-118 |
| CCE-3916-4 |
The tftp-server package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.2.5, Value: uninstalled |
NaN |
NaN |
| CCE-3412-4 |
The firstboot service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4229-1 |
The gpm service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.2, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4123-6 |
The irqbalance service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.3, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4286-1 |
The isdn service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.4, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3425-6 |
The kdump service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.5, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4211-9 |
The kudzu service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.6, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3854-7 |
The mdmonitor service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.7, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4356-2 |
The microcode_ctl service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.8, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4369-5 |
The network service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.9, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4100-4 |
The pcscd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.10, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3455-3 |
The smartd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.11, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4421-4 |
The readahead_early service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.12, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4302-6 |
The readahead_later service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.12, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3822-4 |
The messagebus service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.13.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4364-6 |
The haldaemon service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.13.2, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4355-4 |
The bluetooth service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.14.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4377-8 |
The hidd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.14.2, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4289-5 |
The apmd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.15.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4298-6 |
The acpid service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.15.2, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4051-9 |
The cpuspeed service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.3.15.3, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4324-0 |
The crond service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.4, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4406-5 |
The anacron service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.4.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4428-9 |
The anacron package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.4.1, Value: uninstalled |
NaN |
NaN |
| CCE-4322-4 |
The /etc/cron.monthly file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4450-3 |
File permissions for /etc/cron.daily should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.4.2, Value: 700 |
NaN |
CCE-U-200 |
| CCE-4331-5 |
The /etc/cron.weekly file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-3851-3 |
The /etc/crontab file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4379-4 |
The /etc/anacrontab file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4388-5 |
File permissions for /etc/crontab should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.4.2, Value: 600 |
NaN |
CCE-U-200 |
| CCE-4054-3 |
The /etc/cron.hourly file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4441-2 |
The /etc/cron.monthly file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4212-7 |
The /etc/cron.d file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4380-2 |
The /etc/cron.d file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-3833-1 |
The /etc/cron.weekly file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-3604-6 |
The /etc/anacrontab file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4106-1 |
File permissions for /etc/cron.hourly should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.4.2, Value: 700 |
NaN |
CCE-U-200 |
| CCE-3983-4 |
The /etc/cron.hourly file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-3626-9 |
The /etc/crontab file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4022-0 |
The /etc/cron.daily file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4304-2 |
File permissions for /etc/anacrontab should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.4.2, Value: 600 |
NaN |
CCE-U-200 |
| CCE-4203-6 |
File permissions for /etc/cron.weekly should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.4.2, Value: 700 |
NaN |
CCE-U-200 |
| CCE-4251-5 |
File permissions for /etc/cron.monthly should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.4.2, Value: 700 |
NaN |
CCE-U-200 |
| CCE-3481-9 |
The /etc/cron.daily file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4250-7 |
File permissions for /etc/cron.d should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.4.2, Value: 700 |
NaN |
CCE-U-200 |
| CCE-4268-9 |
The sshd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.5.1.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4272-1 |
SSH should be installed or uninstalled as appropriate |
installed / uninstalled |
via yum |
NaN |
Section: 3.5.1.1, Value: uninstalled |
NaN |
NaN |
| CCE-4295-2 |
Inbound connections to the ssh port should be allowed or denied as appropriate |
allow / deny |
/etc/sysconfig/iptables |
NaN |
Section: 3.5.1.2, Value: disabled |
NaN |
NaN |
| CCE-4325-7 |
SSH version 1 protocol support should be enabled or disabled as appropriate. |
permitted / not permitted |
via /etc/ssh/sshd_config |
NaN |
Section: 3.5.2.1, Value: not permitted |
NaN |
CCE-U-132 |
| CCE-3845-5 |
The SSH idle timeout interval should be set to an appropriate value
integer (seconds) |
via /etc/ssh/sshd_config |
NaN |
Section: 3.5.2.3, Value: no suggestion |
NaN |
NaN |
| CCE-4475-0 |
Emulation of the rsh command through the ssh server should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/ssh/sshd_config |
NaN |
Section: 3.5.2.4, Value: disabled |
NaN |
NaN |
| CCE-4370-3 |
SSH host-based authentication should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/ssh/sshd_config |
NaN |
Section: 3.5.2.5, Value: disabled |
NaN |
NaN |
| CCE-4387-7 |
Root login via SSH should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/ssh/sshd_config |
NaN |
Section: 3.5.2.6, Value: disabled |
NaN |
NaN |
| CCE-3660-8 |
Remote connections from accounts with empty passwords should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/ssh/sshd_config |
NaN |
Section: 3.5.2.7, Value: disabled |
NaN |
NaN |
| CCE-4431-3 |
SSH warning banner should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/ssh/sshd_config |
NaN |
Section: 3.5.2.8, Value: enabled |
NaN |
NaN |
| CCE-4462-8 |
X Windows should be enabled or disabled at system boot as appropriate |
enabled / disabled |
via /etc/inittab |
NaN |
Section: 3.6.1.1, Value: disabled |
NaN |
NaN |
| CCE-4422-2 |
X Windows should be installed or removed as appropriate |
installed/removed |
via yum |
NaN |
Section: 3.6.1.2, Value: uninstalled |
NaN |
NaN |
| CCE-4303-4 |
DEPRECATED in favor of CCE-4448-7
NaN |
NaN |
NaN |
Section: , Value: |
NaN |
NaN |
| CCE-4448-7 |
The xfs service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.6.1.3.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4074-1 |
X Windows System Listening for remote connections should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/X11/xinit/xserverrc |
NaN |
Section: 3.6.1.3.2, Value: disabled |
NaN |
NaN |
| CCE-3717-6 |
Warning banners for gui login users should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/gdm/custom.conf |
NaN |
Section: 3.6.2.1, Value: enabled |
NaN |
NaN |
| CCE-4365-3 |
The avahi-daemon service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.7.1.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4136-8 |
The Avahi daemon should be configured to serve via IPv6 or not as appropriate
serve / not serve |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.1, Value: no suggestion |
NaN |
NaN |
| CCE-4409-9 |
The Avahi daemon should be configured to serve via IPv4 or not as appropriate
serve / not serve |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.1, Value: no suggestion |
NaN |
NaN |
| CCE-4426-3 |
Avahi should be configured to accept packets with a TTL field not equal to 255 or not as appropriate |
accept / reject |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.2, Value: reject |
NaN |
NaN |
| CCE-4193-9 |
Avahi should be configured to allow other stacks from binding to port 5353 or not as appropriate |
allow / disallow |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.3, Value: disallow |
NaN |
NaN |
| CCE-4444-6 |
Avahi publishing of local information should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.4, Value: disabled |
NaN |
NaN |
| CCE-4352-1 |
Avahi publishing of local information by user applications should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.5, Value: disabled |
NaN |
NaN |
| CCE-4433-9 |
Avahi publishing of hardware information should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.5, Value: disabled |
NaN |
NaN |
| CCE-4451-1 |
Avahi publishing of workstation name should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.5, Value: disabled |
NaN |
NaN |
| CCE-4341-4 |
Avahi publishing of IP addresses should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.5, Value: disabled |
NaN |
NaN |
| CCE-4358-8 |
Avahi publishing of domain name should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/avahi/avahi-daemon.conf |
NaN |
Section: 3.7.2.5, Value: disabled |
NaN |
NaN |
| CCE-4112-9 |
The cups service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.8.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3755-6 |
CUPS service should be enabled or disabled as appropriate |
enabled/disabled |
via chkconfig |
NaN |
Section: 3.8.1, Value: disabled |
NaN |
NaN |
| CCE-3649-1 |
Firewall access to printing service should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/sysconfig/iptables |
NaN |
Section: 3.8.2, Value: disabled |
NaN |
NaN |
| CCE-4420-6 |
Remote print browsing should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/cups/cupsd.conf |
NaN |
Section: 3.8.3.1.1, Value: disabled |
NaN |
NaN |
| CCE-4407-3 |
CUPS should be allowed or denied the ability to listen for Incoming printer information as appropriate |
allow / deny |
via /etc/cups/cupsd.conf |
NaN |
Section: 3.8.3.1.1, Value: deny |
NaN |
NaN |
| CCE-4425-5 |
The hplip service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.8.4.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4191-3 |
The dhcp client service should be enabled or disabled as appropriate for each interface. |
enabled / disabled |
via /etc/sysconfig/network-scripts/ifcfg-IFACE |
NaN |
Section: 3.9.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4336-4 |
The dhcpd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.9.3, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4464-4 |
The dhcp package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.9.3, Value: uninstalled |
NaN |
NaN |
| CCE-4257-2 |
The dynamic DNS feature of the DHCP server should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.1, Value: disabled |
NaN |
NaN |
| CCE-4403-2 |
DHCPDECLINE messages should be accepted or denied by the DHCP server as appropriate |
accepted / denied |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.2, Value: denied |
NaN |
NaN |
| CCE-4345-5 |
BOOTP queries should be accepted or denied by the DHCP server as appropriate |
accepted / denied |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.3, Value: denied |
NaN |
NaN |
| CCE-3724-2 |
Domain name server information should be sent or not sent by the DHCP server as appropriate. |
sent / not sent |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.4, Value: not sent |
NaN |
NaN |
| CCE-4243-2 |
Default routers should be sent or not sent by the DHCP server as appropriate. |
sent / not sent |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.4, Value: not sent |
NaN |
NaN |
| CCE-4389-3 |
Domain name should be sent or not sent by the DHCP server as appropriate. |
sent / not sent |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.4, Value: not sent |
NaN |
NaN |
| CCE-3913-1 |
NIS domain should be sent or not sent by the DHCP server as appropriate. |
sent / not sent |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.4, Value: not sent |
NaN |
NaN |
| CCE-4169-9 |
NIS servers should be sent or not sent by the DHCP server as appropriate. |
sent / not sent |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.4, Value: not sent |
NaN |
NaN |
| CCE-4318-2 |
Time offset should be sent or not sent by the DHCP server as appropriate. |
sent / not sent |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.4, Value: not sent |
NaN |
NaN |
| CCE-4319-0 |
NTP servers should be sent or not sent by the DHCP server as appropriate. |
sent / not sent |
via /etc/dhcpd.conf |
NaN |
Section: 3.9.4.4, Value: not sent |
NaN |
NaN |
| CCE-3733-3 |
dhcpd logging should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/syslog.conf |
NaN |
Section: 3.9.4.5, Value: enabled |
NaN |
NaN |
| CCE-4376-0 |
The ntpd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.10.2.2.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4134-3 |
Network access to ntpd should be allowed or denied as appropriate |
allow / deny |
via /etc/ntp.conf |
NaN |
Section: 3.10.2.2.2, Value: deny |
NaN |
NaN |
| CCE-4385-1 |
A remote NTP Server for time synchronization should be specified or not as appropriate |
ip address |
via /etc/ntp.conf |
NaN |
Section: 3.10.2.2.3, Value: no suggestion |
NaN |
NaN |
| CCE-4032-9 |
OpenNTPD should be installed or uninstalled as appropriate |
installed / uninstalled |
via openntpd package |
NaN |
Section: 3.10.3.1, Value: no suggestion |
NaN |
NaN |
| CCE-4424-8 |
The ntp daemon should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/rc.local |
NaN |
Section: 3.10.3.2.1, Value: enabled |
NaN |
NaN |
| CCE-3487-6 |
The ntp daemon synchronization server should be set appropriately |
local ntp server |
via /usr/local/etc/ntpd.conf |
NaN |
Section: 3.10.3.2.2, Value: ntp server |
NaN |
NaN |
| CCE-4416-4 |
The sendmail service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.11, Value: enabled |
NaN |
CCE-U-203 |
| CCE-4293-7 |
The listening sendmail daemon should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/sysconfig/sendmail |
NaN |
Section: 3.11.2.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3501-4 |
The ldap service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.12.3.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4360-4 |
File permissions for /etc/pki/tls/CA/cacert.pem should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.12.3.4.2, Value: 644 |
NaN |
CCE-U-200 |
| CCE-4378-6 |
File permissions for /etc/pki/tls/ldap/serverkey.pem should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.12.3.4.2, Value: 755 |
NaN |
CCE-U-200 |
| CCE-4492-5 |
The /etc/pki/tls/ldap file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.12.3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4263-0 |
File permissions for /etc/pki/tls/ldap/servercert.pem should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.12.3.4.2, Value: 755 |
NaN |
CCE-U-200 |
| CCE-3502-2 |
The /etc/pki/tls/ldap/serverkey.pem file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.12.3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4449-5 |
The /etc/pki/tls/CA/cacert.pem file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.12.3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4361-2 |
File permissions for /etc/pki/tls/ldap should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.12.3.4.2, Value: 755 |
NaN |
CCE-U-200 |
| CCE-4427-1 |
The /etc/pki/tls/CA/cacert.pem file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.12.3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4321-6 |
The /etc/pki/tls/ldap/serverkey.pem file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.12.3.4.2, Value: ldap |
NaN |
CCE-U-202 |
| CCE-4339-8 |
The /etc/pki/tls/ldap file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.12.3.4.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4105-3 |
The /etc/pki/tls/ldap/servercert.pem file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.12.3.4.2, Value: root |
NaN |
CCE-U-201 |
| CCE-3718-4 |
The /etc/pki/tls/ldap/servercert.pem file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.12.3.4.2, Value: ldap |
NaN |
CCE-U-202 |
| CCE-4484-2 |
The /var/lib/ldap/* files should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.12.3.7, Value: root |
NaN |
CCE-U-202 |
| CCE-4502-1 |
The /var/lib/ldap/* files should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.12.3.7, Value: ldap |
NaN |
CCE-U-201 |
| CCE-4396-8 |
The nfslock service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.13.1.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3535-2 |
The rpcgssd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.13.1.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-3568-3 |
The rpcidmapd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.13.1.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4533-6 |
The netfs service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.13.1.2, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4550-0 |
The portmap service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.13.1.3, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4559-1 |
The lockd service should be configured to use a static port or a dynamic portmapper port for TCP as appropriate |
static / dynamic |
via /etc/sysconfig/nfs |
NaN |
Section: 3.13.2.3, Value: static |
NaN |
NaN |
| CCE-4015-4 |
The statd service should be configured to use an outgoing static port or an outgoing dynamic portmapper port as appropriate |
static / dynamic |
via /etc/sysconfig/nfs |
NaN |
Section: 3.13.2.3, Value: static |
NaN |
NaN |
| CCE-3667-3 |
The statd service should be configured to use a static port or a dynamic portmapper port as appropriate |
static / dynamic |
via /etc/sysconfig/nfs |
NaN |
Section: 3.13.2.3, Value: static |
NaN |
NaN |
| CCE-4310-9 |
The lockd service should be configured to use a static port or a dynamic portmapper port for UDP as appropriate |
static / dynamic |
via /etc/sysconfig/nfs |
NaN |
Section: 3.13.2.3, Value: static |
NaN |
NaN |
| CCE-4438-8 |
The mountd service should be configured to use a static port or a dynamic portmapper port as appropriate |
static / dynamic |
via /etc/sysconfig/nfs |
NaN |
Section: 3.13.2.3, Value: static |
NaN |
NaN |
| CCE-3579-0 |
The rquotad service should be configured to use a static port or a dynamic portmapper port as appropriate |
static / dynamic |
via /etc/sysconfig/nfs |
NaN |
Section: 3.13.2.3, Value: static |
NaN |
NaN |
| CCE-4473-5 |
The nfs service should be enabled or disabled as appropriate |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.13.3.1, Value: disabled |
NaN |
NaN |
| CCE-4491-7 |
The rpcsvcgssd service should be enabled or disabled as appropriate |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.13.3.1, Value: disabled |
NaN |
NaN |
| CCE-4368-7 |
The nodev option should be enabled or disabled for all NFS mounts as appropriate |
enabled / disabled |
via /etc/fstab |
NaN |
Section: 3.13.3.2, Value: enabled |
NaN |
NaN |
| CCE-4024-6 |
The nosuid option should be enabled or disabled for all NFS mounts as appropriate |
enabled / disabled |
via /etc/fstab |
NaN |
Section: 3.13.3.2, Value: enabled |
NaN |
NaN |
| CCE-4526-0 |
The noexec option should be enabled or disabled for all NFS mounts as appropriate |
enabled / disabled |
via /etc/fstab |
NaN |
Section: 3.13.3.2, Value: enabled |
NaN |
NaN |
| CCE-4544-3 |
Root squashing should be enabled or disabled as appropriate for all NFS shares |
enabled / disabled |
via /etc/exports |
NaN |
Section: 3.13.4.1.2, Value: enabled |
NaN |
NaN |
| CCE-4465-1 |
Restriction of NFS clients to privileged ports should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/exports |
NaN |
Section: 3.13.4.1.3, Value: disabled |
NaN |
NaN |
| CCE-4350-5 |
Write access to NFS shares should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/exports |
NaN |
Section: 3.13.4.1.4, Value: disabled |
NaN |
NaN |
| CCE-3578-2 |
The named service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.14.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4219-2 |
The bind package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.14.1, Value: uninstalled |
NaN |
NaN |
| CCE-3985-9 |
The /var/named/chroot/etc/named.conf file should be owned by the appropriate group. |
group |
via chown |
NaN |
Section: 3.14.3.2, Value: root |
NaN |
CCE-U-202 |
| CCE-4487-5 |
File permissions for /var/named/chroot/etc/named.conf should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.14.3.2, Value: 644 |
NaN |
CCE-U-200 |
| CCE-4258-0 |
The /var/named/chroot/etc/named.conf file should be owned by the appropriate user. |
user |
via chown |
NaN |
Section: 3.14.3.2, Value: root |
NaN |
CCE-U-201 |
| CCE-4399-2 |
LDAP's dynamic updates feature should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/named.conf |
NaN |
Section: 3.14.4.5, Value: disabled |
NaN |
NaN |
| CCE-3919-8 |
The vsftpd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.15.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4549-2 |
Logging of vsftpd transactions should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/vsftpd.conf |
NaN |
Section: 3.15.3.1, Value: enabled |
NaN |
NaN |
| CCE-4554-2 |
A warning banner for all FTP users should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/vsftpd.conf |
NaN |
Section: 3.15.3.2, Value: enabled |
NaN |
NaN |
| CCE-4443-8 |
Local user login to the vsftpd service should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/vsftpd.conf |
NaN |
Section: 3.15.3.3.1, Value: disabled |
NaN |
NaN |
| CCE-4461-0 |
File uploads via vsftpd should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/vsftpd.conf |
NaN |
Section: 3.15.3.4, Value: disabled |
NaN |
NaN |
| CCE-4338-0 |
The httpd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.16.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4514-6 |
The httpd package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.16.1, Value: uninstalled |
NaN |
NaN |
| CCE-4346-3 |
The apache 2 server software should be installed or removed as appropriate |
installed / uninstalled |
via yum |
NaN |
Section: 3.16.2.1, Value: installed |
NaN |
NaN |
| CCE-4474-3 |
The apache2 server's ServerTokens value should be set appropriately |
text |
via /etc/httpd/conf/httpd.conf |
NaN |
Section: 3.16.3.1, Value: Prod |
NaN |
NaN |
| CCE-3756-4 |
The apache2 server's ServerSignature value should be set appropriately |
NaN |
via /etc/httpd/conf/httpd.conf |
NaN |
Section: 3.16.3.1, Value: Off |
NaN |
NaN |
| CCE-4509-6 |
File permissions for /etc/httpd/conf should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.16.5.1, Value: 750 |
NaN |
CCE-U-200 |
| CCE-4386-9 |
File permissions for /etc/httpd/conf/* should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.16.5.1, Value: 640 |
NaN |
CCE-U-200 |
| CCE-4029-5 |
File permissions for /usr/sbin/httpd should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.16.5.1, Value: 511 |
NaN |
CCE-U-200 |
| CCE-3581-6 |
The /etc/httpd/conf/* files should be owned by the appropriate group. |
NaN |
via chgrp |
NaN |
Section: 3.16.5.1, Value: apache |
NaN |
CCE-U-202 |
| CCE-4574-0 |
File permissions for /var/log/httpd should be set correctly. |
permissions |
via chmod |
NaN |
Section: 3.16.5.1, Value: 750 |
NaN |
CCE-U-200 |
| CCE-3847-1 |
The dovecot service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.17.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4239-0 |
The dovecot package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.17.1, Value: uninstalled |
NaN |
NaN |
| CCE-4384-4 |
Dovecot should be configured to support the imaps protocol or not as necessary |
support / not support |
via /etc/dovecot.conf |
NaN |
Section: 3.17.2.1, Value: not support |
NaN |
NaN |
| CCE-3887-7 |
Dovecot should be configured to support the pop3s protocol or not as necessary |
support / not support |
via /etc/dovecot.conf |
NaN |
Section: 3.17.2.1, Value: not support |
NaN |
NaN |
| CCE-4530-2 |
Dovecot should be configured to support the pop3 protocol or not as necessary |
support / not support |
via /etc/dovecot.conf |
NaN |
Section: 3.17.2.1, Value: not support |
NaN |
NaN |
| CCE-4547-6 |
Dovecot should be configured to support the imap protocol or not as necessary |
support / not support |
via /etc/dovecot.conf |
NaN |
Section: 3.17.2.1, Value: not support |
NaN |
NaN |
| CCE-4552-6 |
Dovecot plaintext authentication of clients should be enabled or disabled as necessary |
enabled / disabled |
via /etc/dovecot.conf |
NaN |
Section: 3.17.2.2.4, Value: disabled |
NaN |
NaN |
| CCE-4371-1 |
The Dovecot option to drop privileges to user before executing mail process should be enabled or not as appropriate |
enabled / disabled |
via /etc/dovecot.conf |
NaN |
Section: 3.17.2.3, Value: enabled |
NaN |
NaN |
| CCE-4410-7 |
The Dovecot option to spawn a new login process per connection should be enabled or not as appropriate |
enabled / disabled |
via /etc/dovecot.conf |
NaN |
Section: 3.17.2.3, Value: enabled |
NaN |
NaN |
| CCE-4551-8 |
The smb service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.18.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4556-7 |
The squid service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.19.1, Value: disabled |
NaN |
CCE-U-160 |
| CCE-4076-6 |
The squid package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.19.1, Value: uninstalled |
NaN |
NaN |
| CCE-4454-5 |
The Squid option to force FTP passive connections should be enabled or not as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: enabled |
NaN |
NaN |
| CCE-4353-9 |
The Squid max request HTTP header length should be set to an appropriate value |
data length |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: 20kb |
NaN |
NaN |
| CCE-4503-9 |
The Squid option to check for RFC compliant hostnames should be enabled or not as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: enabled |
NaN |
NaN |
| CCE-3585-7 |
The Squid option to ignore unknown nameservers should be enabled or not as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: enabled |
NaN |
NaN |
| CCE-4419-8 |
The Squid max reply HTTP header length should be set to an appropriate value |
data length |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: 20kb |
NaN |
NaN |
| CCE-3692-1 |
The Squid EUID should be set to an appropriate user |
user |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: squid |
NaN |
NaN |
| CCE-4459-4 |
The Squid option to perform FTP sanity checks should be enabled or not as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: enabled |
NaN |
NaN |
| CCE-4476-8 |
The Squid GUID should be set to an appropriate group |
group |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.2, Value: squid |
NaN |
NaN |
| CCE-4181-4 |
The Squid option to show proxy client IP addresses in HTTP headers should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.3, Value: disabled |
NaN |
NaN |
| CCE-4577-3 |
The Squid option to log HTTP MIME headers should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.3, Value: enabled |
NaN |
NaN |
| CCE-4344-8 |
The Squid option to allow underscores in hostnames should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.3, Value: disabled |
NaN |
NaN |
| CCE-4494-1 |
The Squid option to suppress the httpd version string should be enabled or disabled as appropriate |
enabled / disabled |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.3, Value: enabled |
NaN |
NaN |
| CCE-4511-2 |
Squid should be configured to allow gss-http traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: deny |
NaN |
NaN |
| CCE-4529-4 |
Squid should be configured to allow https traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: allow |
NaN |
NaN |
| CCE-3610-3 |
Squid should be configured to allow wais traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: deny |
NaN |
NaN |
| CCE-4466-9 |
Squid should be configured to allow multiling http traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: deny |
NaN |
NaN |
| CCE-4607-8 |
Squid should be configured to allow http traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: allow |
NaN |
NaN |
| CCE-4255-6 |
Squid should be configured to allow ftp traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: allow |
NaN |
NaN |
| CCE-4127-7 |
Squid should be configured to allow gopher traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: deny |
NaN |
NaN |
| CCE-4519-5 |
Squid should be configured to allow filemaker traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: deny |
NaN |
NaN |
| CCE-4413-1 |
Squid proxy access to localhost should be allowed or denied as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: deny |
NaN |
NaN |
| CCE-4373-7 |
Squid should be configured to allow http-mgmt traffic or not as appropriate |
allow / deny |
via /etc/squid/squid.conf |
NaN |
Section: 3.19.2.5, Value: deny |
NaN |
NaN |
| CCE-3765-5 |
The snmpd service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
Section: 3.20.1, Value: disabled |
NaN |
CCE-U-203 |
| CCE-4404-0 |
The net-smtp package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
Section: 3.20.1, Value: uninstalled |
NaN |
NaN |
| CCE-14113-5 |
The minimum number of digits required for new passwords should be set as appropriate. |
number of digits |
via pam_cracklib via pam_passwdqc |
NaN |
NaN |
Section: 2.3.3.1.1 - Set Password Quality Requirements |
NaN |
| CCE-14672-0 |
The minimum number of upper case characters required for new passwords should be set as appropriate. |
number of upper characters |
via pam_cracklib via pam_passwdqc |
NaN |
NaN |
Section: 2.3.3.1.1 - Set Password Quality Requirements |
NaN |
| CCE-14712-4 |
The minimum number of lower case characters required for new passwords should be set as appropriate. |
number of lower characters |
via pam_cracklib via pam_passwdqc |
NaN |
NaN |
Section: 2.3.3.1.1 - Set Password Quality Requirements |
NaN |
| CCE-14122-6 |
The minimum number of special characters required for new passwords should be set as appropriate. |
number of special characters |
via pam_cracklib via pam_passwdqc |
NaN |
NaN |
Section: 2.3.3.1.1 - Set Password Quality Requirements |
NaN |
| CCE-14412-1 |
The nodev option should be enabled or disabled as appropriate for /tmp. |
enabled / disabled |
via /etc/fstab |
NaN |
NaN |
Section: 2.2.1.3.1 - Add nodev Option to /tmp |
NaN |
| CCE-15007-8 |
The nodev option should be enabled or disabled for /dev/shm. |
enabled / disabled |
via /etc/fstab |
NaN |
NaN |
Section: 2.2.1.3.2 - Add nodev Option to /dev/shm |
NaN |
| CCE-14161-4 |
/tmp should be configured on an appropriate filesystem partition. |
partition |
via /etc/fstab |
NaN |
NaN |
Section: 2.1.1.1.1 - Create Separate Partition or Logical Volume for /tmp |
NaN |
| CCE-14777-7 |
/var should be configured on an appropriate filesystem partition. |
partition |
via /etc/fstab |
NaN |
NaN |
Section: 2.1.1.1.2 - Create Separate Partition or Logical Volume for /var |
NaN |
| CCE-14011-1 |
/var/log should be configured on an appropriate filesystem partition. |
partition |
via /etc/fstab |
NaN |
NaN |
Section: 2.1.1.1.3 - Create Separate Partition or Logical Volume for /var/log |
NaN |
| CCE-14171-3 |
/var/log/audit should be configured on an appropriate filesystem partition. |
partition |
via /etc/fstab |
NaN |
NaN |
Section: 2.1.1.1.4 - Create Separate Partition or Logical Volume for /var/log/audit |
NaN |
| CCE-14559-9 |
/home should be configured on an appropriate filesystem partition. |
partition |
via /etc/fstab |
NaN |
NaN |
Section: 2.1.1.1.5 - Create Separate Partition or Logical Volume for /home if Using Local Home Directories |
NaN |
| CCE-14440-2 |
The GPG Key for Red Hat Network should be installed or uninstalled as appropriate. |
installed / uninstalled |
via rpm |
NaN |
NaN |
Section: 2.1.2.1.1 - Ensure that GPG Key for Red Hat Network is Installed |
NaN |
| CCE-14914-6 |
Package signature checking should be globally activated or deactivated as appropriate. |
activated / deactivated |
via /etc/yum.conf |
NaN |
NaN |
Section: 2.1.2.3.3 - Ensure Package Signature Checking is Globally Activated |
NaN |
| CCE-14813-0 |
Package signature checking should be activated or deactivated as appropriate for all configured repositories. |
activated / deactivated |
via all files in /etc/yum.repos.d |
NaN |
NaN |
Section: 2.1.2.3.4 - Ensure Package Signature Checking is Not Disabled For Any Repos |
NaN |
| CCE-14931-0 |
All installed software packages verify or do not verify against the package database. |
verify / don't verify |
via rpm |
NaN |
NaN |
Section: 2.1.3.2 - Verify Package Integrity Using RPM |
NaN |
| CCE-14940-1 |
The nosuid option should be enabled or disabled as appropriate for /tmp. |
enabled / disabled |
via /etc/fstab |
NaN |
NaN |
Section: 2.2.1.3.1 - Add nosuid Option to /tmp |
NaN |
| CCE-14927-8 |
The noexec option should be enabled or disabled as appropriate for /tmp. |
enabled / disabled |
via /etc/fstab |
NaN |
NaN |
Section: 2.2.1.3.1 - Add noexec Option to /tmp |
NaN |
| CCE-14306-5 |
The nosuid option should be enabled or disabled for /dev/shm. |
enabled / disabled |
via /etc/fstab |
NaN |
NaN |
Section: 2.2.1.3.2 - Add nosuid Option to /dev/shm |
NaN |
| CCE-14703-3 |
The noexec option should be enabled or disabled for /dev/shm. |
enabled / disabled |
via /etc/fstab |
NaN |
NaN |
Section: 2.2.1.3.2 - Add noexec Option to /dev/shm |
NaN |
| CCE-14584-7 |
/var/tmp should be configured on an appropriate filesystem partition. |
partition |
via /etc/fstab |
NaN |
NaN |
Section: 2.2.1.4 - Bind-mount /var/tmp to /tmp |
NaN |
| CCE-14089-7 |
Support for cramfs filesystems should be enabled or disabled as appropriate. |
enabled / disabled |
(1) via /etc/modprobe.conf (2) via configuration file in /etc/modprobe.d (3) via MODPROBE_OPTIONS environment variable |
NaN |
NaN |
Section: 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types |
NaN |
| CCE-14457-6 |
Support for freevxfs filesystems should be enabled or disabled as appropriate. |
enabled / disabled |
(1) via /etc/modprobe.conf (2) via configuration file in /etc/modprobe.d (3) via MODPROBE_OPTIONS environment variable |
NaN |
NaN |
Section: 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types |
NaN |
| CCE-15087-0 |
Support for hfs filesystems should be enabled or disabled as appropriate. |
enabled / disabled |
(1) via /etc/modprobe.conf (2) via configuration file in /etc/modprobe.d (3) via MODPROBE_OPTIONS environment variable |
NaN |
NaN |
Section: 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types |
NaN |
| CCE-14093-9 |
Support for hfsplus filesystems should be enabled or disabled as appropriate. |
enabled / disabled |
(1) via /etc/modprobe.conf (2) via configuration file in /etc/modprobe.d (3) via MODPROBE_OPTIONS environment variable |
NaN |
NaN |
Section: 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types |
NaN |
| CCE-14853-6 |
Support for jffs2 filesystems should be enabled or disabled as appropriate. |
enabled / disabled |
(1) via /etc/modprobe.conf (2) via configuration file in /etc/modprobe.d (3) via MODPROBE_OPTIONS environment variable |
NaN |
NaN |
Section: 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types |
NaN |
| CCE-14118-4 |
Support for squashfs filesystems should be enabled or disabled as appropriate. |
enabled / disabled |
(1) via /etc/modprobe.conf (2) via configuration file in /etc/modprobe.d (3) via MODPROBE_OPTIONS environment variable |
NaN |
NaN |
Section: 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types |
NaN |
| CCE-14871-8 |
Support for udf filesystems should be enabled or disabled as appropriate. |
enabled / disabled |
(1) via /etc/modprobe.conf (2) via configuration file in /etc/modprobe.d (3) via MODPROBE_OPTIONS environment variable |
NaN |
NaN |
Section: 2.2.2.5 - Disable Mounting of Uncommon Filesystem Types |
NaN |
| CCE-14794-2 |
All world-writable directories should be owned by an appropriate user. |
user |
via chown |
NaN |
NaN |
Section: 2.2.3.6 - Verify that All World-Writable Directories Have Proper Ownership |
NaN |
| CCE-14300-8 |
Password hashes are shadowed or not shadowed for all accounts in /etc/passwd as appropriate. |
shadowed / not shadowed |
via /etc/passwd |
NaN |
NaN |
Section: 2.3.1.5.2 - Verify that All Account Password Hashes are Shadowed |
NaN |
| CCE-14675-3 |
NIS file inclusions should be set appropriately in the /etc/group file |
allowed / not allowed |
via /etc/group |
NaN |
NaN |
Section: 2.3.1.8 - Remove Legacy + Entries from Password Files |
NaN |
| CCE-14071-5 |
NIS file inclusions should be set appropriately in the /etc/shadow file |
allowed / not allowed |
via /etc/shadow |
NaN |
NaN |
Section: 2.3.1.8 - Remove Legacy + Entries from Password Files |
NaN |
| CCE-14701-7 |
The password strength parameters should require new passwords to differ from old ones by the appropriate minimum number of characters. |
number of characters |
via PAM |
NaN |
NaN |
Section: 2.3.3.1.1 - via PAM |
NaN |
| CCE-14063-2 |
The password hashing algorithm should be configured as appropriate. |
hashing algorithm |
via PAM |
NaN |
NaN |
Section: 2.3.3.5 - Upgrade Password Hashing Algorithm to SHA-512 |
NaN |
| CCE-14939-3 |
The "password reuse" policy should meet minimum requirements. |
number of passwords |
via PAM |
NaN |
NaN |
Section: 2.3.3.6 - Limit Password Reuse |
NaN |
| CCE-14340-4 |
Files with the setuid attribute enabled should be reviewed as appropriate to determine whether that condition is correct. |
(1) set of files to review (2) description of which files should be setuid |
via find |
NaN |
NaN |
Section: 2.2.3.4b - Find Unauthorized SUID/SGID System Executables |
NaN |
| CCE-14970-8 |
Files with the setgid attribute enabled should be reviewed as appropriate to determine whether that condition is correct. |
(1) set of files to review (2) description of which files should be setgid |
via find |
NaN |
NaN |
Section: 2.2.3.4a - Find Unauthorized SUID/SGID System Executables |
NaN |
| CCE-14957-5 |
The PATH variable for root includes or does not include any world-writable or group-writable directories as appropriate. |
Includes / does not include |
via echo $PATH |
NaN |
NaN |
Section: 2.3.4.1.2 - Ensure that no dangerous directories exist in root's path |
NaN |
| CCE-14107-7 |
The default umask for all users should be set correctly in /etc/login.defs |
umask |
via /etc/login.defs |
NaN |
NaN |
Section: 2.3.4.4 - Ensure that Users Have Sensible Umask Values |
NaN |
| CCE-14860-1 |
DEPRECATED in favor of CCE-14107-7. Was: The default umask for all users should be set correctly in /etc/login.defs |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-14847-8 |
The default umask for all users should be set correctly in /etc/profile |
umask |
via /etc/profile |
NaN |
NaN |
Section: 2.3.4.4 - Ensure that Users Have Sensible Umask Values |
NaN |
| CCE-14604-3 |
The gnome desktop screensaver should be enabled or disabled as appropriate as a mandatory setting for all users. |
enabled / disabled |
(1) via gconftool-2 (2) via /etc/gconf/gconf.xml.mandatory |
NaN |
NaN |
Section: 2.3.5.6.1 - Configure GUI Screen Locking |
NaN |
| CCE-14023-6 |
The screen lock (password protection) function of the gnome desktop screensaver should be enabled or disabled as appropriate as a mandatory setting for all users. |
enabled / disabled |
(1) via gconftool-2 (2) via /etc/gconf/gconf.xml.mandatory |
NaN |
NaN |
Section: 2.3.5.6.1 - Configure GUI Screen Locking |
NaN |
| CCE-14735-5 |
The screen blanking function of the gnome desktop screensaver should be enabled or disabled as appropriate as a mandatory setting for all users. |
enabled / disabled |
(1) via gconftool-2 (2) via /etc/gconf/gconf.xml.mandatory |
NaN |
NaN |
Section: 2.3.5.6.1 - Configure GUI Screen Locking |
NaN |
| CCE-14991-4 |
The system includes or does not include any device files with the unlabeled SELinux type. |
includes / does not include |
via chmod |
NaN |
NaN |
Section: 2.4.5 - Check for Unlabeled Device Files |
NaN |
| CCE-15013-6 |
The system should act as a network sniffer or not as appropriate. |
yes / no |
via /proc/net/packet |
NaN |
NaN |
Section: 2.5.1.3 - Ensure System is Not Acting as a Network Sniffer |
NaN |
| CCE-14264-6 |
The default policy for iptables INPUT table should be set as appropriate. |
ACCEPT / DROP / QUEUE / RETURN |
via /etc/sysconfig/iptables |
NaN |
NaN |
Section: 2.5.5.3.1 - Change the Default Policies |
NaN |
| CCE-14268-7 |
Disable or enable support for DCCP as appropriate. |
enabled / disabled |
via /etc/modprobe.conf |
NaN |
NaN |
Section: 2.5.7.1 - Disable Support for DCCP |
NaN |
| CCE-14132-5 |
Disable or enable support for SCTP as appropriate. |
enabled / disabled |
via /etc/modprobe.conf |
NaN |
NaN |
Section: 2.5.7.2 - Disable Support for SCTP |
NaN |
| CCE-14027-7 |
Disable or enable support for RDS as appropriate. |
enabled / disabled |
via /etc/modprobe.conf |
NaN |
NaN |
Section: 2.5.7.3 - Disable Support for RDS |
NaN |
| CCE-14911-2 |
Disable or enable support for TIPC as appropriate. |
enabled / disabled |
via /etc/modprobe.conf |
NaN |
NaN |
Section: 2.5.7.4 - Disable Support for TIPC |
NaN |
| CCE-15026-8 |
The kernel arguments should enable or disable auditing early in the boot process as appropriate. |
enabled / disabled |
via grub.conf |
NaN |
NaN |
Section: 2.6.2.3 - Enable Auditing for Processes which Start Prior to the Audit Daemon |
NaN |
| CCE-14051-7 |
Auditing should be configured to record date and time modification events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.1 - Records Events that Modify Date and Time Information |
NaN |
| CCE-14829-6 |
Auditing should be configured to record user/group information modification events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.2 - Record Events that Modify User/Group Information |
NaN |
| CCE-14816-3 |
Auditing should be configured to record changes to the system network environment as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.3 - Record Events that Modify the System’s Network Environment |
NaN |
| CCE-14821-3 |
Auditing should be configured to record changes to the system's mandatory access controls as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.4 - Record Events that Modify the System’s Mandatory Access Controls |
NaN |
| CCE-14904-7 |
Auditing should be configured to record logon and logout events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.5 - Audit Logon and Logout Events |
NaN |
| CCE-14679-5 |
Auditing should be configured to record process and session initiation events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.6 - Audit Process and Session initiation |
NaN |
| CCE-14058-2 |
Auditing should be configured to record changes to discretionary access control permissions as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.7 - Audit Discretionary Access Control Permissions for Changes |
NaN |
| CCE-14917-9 |
Auditing should be configured to record unauthorized attempts to access files as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.8 - Audit for Unauthorized Attempts to Access Files |
NaN |
| CCE-14296-8 |
Auditing should be configured to record use of privileged commands as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.9 - Audit for the Use of Privileged Commands |
NaN |
| CCE-14569-8 |
Auditing should be configured to record data export to media events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.10 - Audit for Exporting Data to Media |
NaN |
| CCE-14820-5 |
Auditing should be configured to record file and program deletion events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.11 - Audit for Files and Programs Deleted by the User |
NaN |
| CCE-14824-7 |
Auditing should be configured to record administrator and security personnel action events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.12 - Audit All Administrator and Security Personnel Actions |
NaN |
| CCE-14688-6 |
Auditing should be configured to record kernel module loading and unloading events as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.13 - Ensure auditd Collects Information on Kernel Module Loading and Unloading |
NaN |
| CCE-14692-8 |
Auditing should be configured to make auditd configuration immutable as appropriate. |
audit enabled / audit disabled |
via /etc/audit/audit.rules or auditctl |
NaN |
NaN |
Section: 2.6.2.4.14 - Make auditd configuration immutable |
NaN |
| CCE-14948-4 |
Bluetooth kernel modules should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/modprobe.conf |
NaN |
NaN |
Section: 3.3.14.3 - Disable Bluetooth Kernel Modules |
NaN |
| CCE-14825-4 |
The isdn4k-utils package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.3.4 - ISDN Support (isdn) |
NaN |
| CCE-14054-1 |
Zeroconf networking should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/sysconfig/network |
NaN |
NaN |
Section: 3.3.9.3 - Disable Zeroconf Networking |
NaN |
| CCE-14466-7 |
The at daemon should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
NaN |
Section: 3.4.3 - Disable at service if Possible |
NaN |
| CCE-14061-6 |
The SSH 'keep alive' message count should be set to an appropriate value. |
number of messages |
via /etc/ssh/sshd_config |
NaN |
NaN |
Section: 3.5.2.3 - Set Idle Timeout Interval for User Logins |
NaN |
| CCE-14716-5 |
Users should be allowed or not allowed to set environment options for SSH as appropriate. |
allowed / not allowed |
via /etc/ssh/sshd_config |
NaN |
NaN |
Section: 3.5.2.9 - Do Not Allow Users to Set Environment Options |
NaN |
| CCE-14491-5 |
Appropriate ciphers should be used for SSH. |
approved ciphers |
via /etc/ssh/sshd_config |
NaN |
NaN |
Section: 3.5.2.10 - Use Only Approved Ciphers |
NaN |
| CCE-14495-6 |
The sendmail package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.11.1.1 - Select Postfix as Mail Server Software |
NaN |
| CCE-14068-1 |
The postfix package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.11.1.1 - Select Postfix as Mail Server Software |
NaN |
| CCE-15018-5 |
Postfix network listening should be enabled or disabled as appropriate. |
enabled / disabled |
via /etc/postfix/main.cf |
NaN |
NaN |
Section: 3.11.2.1.1 - Disable Postfix Network Listening |
NaN |
| CCE-14894-0 |
LDAP client requires or does not require LDAP servers to use TLS for SSL communications as appropriate. |
requires / does not require |
via /etc/ldap.conf |
NaN |
NaN |
Section: 3.12.2.2 - Configure LDAP to Use TLS for All Transactions |
NaN |
| CCE-14881-7 |
The vsftpd package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.15.1 - Disable vsftpd if Possible |
NaN |
| CCE-14075-6 |
Client SMB packet signing should be required or not required for smbclient as appropriate. |
required / not required |
via /etc/samba/smb.conf |
NaN |
NaN |
Section: 3.18.2.10 - Require Client SMB Packet Signing, if using smbclient |
NaN |
| CCE-15029-2 |
Client SMB packet signing should be required or not required for mount.cifs as appropriate. |
required / not required |
via /etc/fstab |
NaN |
NaN |
Section: 3.18.2.11 - Require Client SMB Packet Signing, if using mount.cifs |
NaN |
| CCE-14081-4 |
The net-snmpd package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.20.1 - Disable SNMP Server if Possible |
NaN |
| CCE-14088-9 |
The 'wheel' group should exist or not as appropriate |
exist / not exist |
via /etc/group |
NaN |
NaN |
Section: 2.3.1.2 - Limit su Access to the Root Account |
NaN |
| CCE-15047-4 |
Access to the root account via su should be restricted to the wheel group or not as appropriate. |
restricted / not restricted |
via /etc/pam.d/su |
NaN |
NaN |
Section: 2.3.1.2 - Limit su Access to the Root Account |
NaN |
| CCE-15054-0 |
The number of times a user is prompted to provide a new password if it fails to meet configured password strength requirements (also known as the retry value) should be set appropriately. |
number of retry attempts |
(1) via pam_cracklib (2) via pam_passwdqc |
NaN |
NaN |
Section: 2.3.3.1.1 - Set Password Quality Requirements |
NaN |
| CCE-17742-8 |
The rsyslog package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 2.6.1.2.1 - Install the rsyslog Package |
NaN |
| CCE-17698-2 |
The rsyslog service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
NaN |
Section: 2.6.1.2.2 - Ensure the rsyslog Service is Activated |
NaN |
| CCE-18095-0 |
File permissions for all rsyslog log files should be set correctly. |
permissions |
via chmod |
NaN |
NaN |
Section: 2.6.1.2.4 - Confirm Existence and Permissions of Log Files |
NaN |
| CCE-18240-2 |
All rsyslog log files should be owned by the appropriate group. |
group |
via chown |
NaN |
NaN |
Section: 2.6.1.2.4 - Confirm Existence and Permissions of Log Files |
NaN |
| CCE-17857-4 |
All rsyslog log files should be owned by the appropriate user. |
user |
via chown |
NaN |
NaN |
Section: 2.6.1.2.4 - Confirm Existence and Permissions of Log Files |
NaN |
| CCE-17248-6 |
Rsyslog logs should be sent to a remote loghost or not as appropriate. |
sent / not sent |
via /etc/rsyslog.conf |
NaN |
NaN |
Section: 2.6.1.2.5 - Send Logs to a Remote Host Using Reliable Transport |
NaN |
| CCE-17639-6 |
Rsyslog should accept remote messages or not as appropriate. |
accept / reject |
via /etc/rsyslog.conf |
NaN |
NaN |
Section: 2.6.1.2.6 - Enable rsyslog to Accept Remote Messages on Loghosts Only |
NaN |
| CCE-18031-5 |
The ipsec-tools package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 2.5.8.1.2 - Remove the ipsec-tools Package |
NaN |
| CCE-17250-2 |
The pam_ccreds package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 2.3.3.7 - Remove the pam_ccreds Package |
NaN |
| CCE-18151-1 |
The talk-server package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.2.6.1 - Remove the talk-server Package |
NaN |
| CCE-18200-6 |
The talk package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.2.6.2 - Remove the talk Package |
NaN |
| CCE-18244-4 |
The irda service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
NaN |
Section: 3.3.16.1 - Disable the irda Service if Possible |
NaN |
| CCE-17504-2 |
The irda-utils package should be installed or uninstalled as appropriate. |
installed / uninstalled |
via yum |
NaN |
NaN |
Section: 3.3.16.2 - Remove the irda-utils Package if Possible |
NaN |
| CCE-18037-2 |
The firewall should allow or reject access to the avahi service. |
accept / reject |
via /etc/sysconfig/iptables |
NaN |
NaN |
Section: 3.7.1.2 - Remove Avahi Server iptables Firewall Exception |
NaN |
| CCE-18156-0 |
The rawdevices service should be enabled or disabled as appropriate. |
enabled / disabled |
via chkconfig |
NaN |
NaN |
Section: 3.3.17.1 - Disable rawdevices Service |
NaN |
| CCE-17816-0 |
The libuser library "login_defs" variable should be set correctly in libuser.conf. |
path to login.defs |
via /etc/libuser.conf |
NaN |
NaN |
Section: 2.3.1.7.1 - Ensure Libuser Uses Settings from login.defs |
NaN |
| CCE-18412-7 |
User accounts may or may not be inactivated a specified number of days after account expiration. |
number of days |
via /etc/default/useradd |
NaN |
NaN |
Section: 2.3.1.9, Value: 30 |
NaN |
| CCE-18455-6 |
The IPv6 protocol should be enabled or disabled as appropriate. |
enabled / disabled |
via modprobe.conf |
NaN |
NaN |
Section: 2.5.3.1.3, Value: 1 |
NaN |