libopenscap1 0.8.0-4build1 / usr / share / openscap / scap-rhel6-xccdf.xml

<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0" xml:lang="en-US">
  <status date="2011-04-13">draft</status>
  <title xml:lang="en-US">Guidance for Securing Red Hat Enterprise Linux 6</title>
  <description xml:lang="en-US">This guide has been created to assist IT professionals in effectively securing
		systems running Red Hat Enterprise Linux</description>
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <version>0.2</version>
  <model system="urn:xccdf:scoring:default"/>
  <model system="urn:xccdf:scoring:flat"/>
  <Profile id="RHEL6-Default">
    <title xml:lang="en-US">RHEL 6 Profile For Default Installation</title>
    <description xml:lang="en-US">XCCDF profile for evaluation of RHEL 6 updates.
			This profile is designed for evaluation of default configuration of a 
			fresh installation of RHEL 6 system. It should be executed for every 
			RHEL 6 update. Additional security hardening of the system should be 
			done prior to deploying it in a production environment.
			All enabled XCCDF rules should pass.
		</description>
    <select idref="rule-1005" selected="true"/>
    <select idref="rule-1007" selected="true"/>
    <select idref="rule-1008" selected="true"/>
    <select idref="rule-1010" selected="true"/>
    <select idref="rule-1011" selected="true"/>
    <select idref="rule-1012" selected="true"/>
    <select idref="rule-1013" selected="true"/>
    <select idref="rule-1014" selected="true"/>
    <select idref="rule-1015" selected="true"/>
    <select idref="rule-1016" selected="true"/>
    <select idref="rule-1017" selected="true"/>
    <select idref="rule-1018" selected="true"/>
    <select idref="rule-1019" selected="true"/>
    <select idref="rule-1020" selected="true"/>
    <select idref="rule-1021" selected="true"/>
    <select idref="rule-1022" selected="true"/>
    <select idref="rule-1023" selected="true"/> 
    <select idref="rule-1024" selected="true"/> 
    <select idref="rule-1025" selected="true"/> 
    <select idref="rule-1026" selected="true"/> 
    <select idref="rule-1027" selected="true"/> 
    <select idref="rule-1028" selected="true"/> 
    <refine-value idref="var-1029" selector="022"/>
    <select idref="rule-1029" selected="true"/>
    <select idref="rule-1031" selected="true"/>
    <select idref="rule-1032" selected="true"/>
    <select idref="rule-1033" selected="true"/>
    <select idref="rule-1035" selected="true"/>
    <select idref="rule-1036" selected="true"/>
    <select idref="rule-1039" selected="true"/>
    <select idref="rule-1040" selected="true"/>
    <select idref="rule-1041" selected="true"/>
    <refine-value idref="var-1042" selector="0_days"/>
    <select idref="rule-1042" selected="true"/>
    <refine-value idref="var-1043" selector="99999_days"/>
    <select idref="rule-1043" selected="true"/>
    <select idref="rule-1044" selected="true"/>
    <select idref="rule-1045" selected="true"/>
    <select idref="rule-1055" selected="true"/>
    <select idref="rule-1056" selected="true"/>
    <refine-value idref="var-1059" selector="002"/>
    <select idref="rule-1059" selected="true"/>
    <select idref="rule-1060" selected="true"/>
    <select idref="rule-1061" selected="true"/>
    <select idref="rule-1063" selected="true"/>
    <select idref="rule-1064" selected="true"/>
    <select idref="rule-1065" selected="true"/>
    <select idref="rule-1066" selected="true"/>
    <select idref="rule-1079" selected="true"/>
    <select idref="rule-1080" selected="true"/>
    <select idref="rule-1081" selected="true"/>
    <select idref="rule-1083" selected="true"/>
    <select idref="rule-1087" selected="true"/>
    <refine-value idref="var-1089" selector="enabled"/>
    <select idref="rule-1089" selected="true"/>
    <select idref="rule-1090" selected="true"/>
    <select idref="rule-1091" selected="true"/>
    <refine-value idref="var-1088" selector="enabled"/>
    <select idref="rule-1092" selected="true"/>
    <select idref="rule-1093" selected="true"/>
    <select idref="rule-1094" selected="true"/>
    <select idref="rule-1095" selected="true"/>
    <select idref="rule-1096" selected="true"/>
    <select idref="rule-1097" selected="true"/>
    <select idref="rule-1099" selected="true"/>
    <refine-value idref="var-1103" selector="3"/>
    <select idref="rule-1103" selected="true"/>
    <refine-value idref="var-1104" selector="yes"/>
    <select idref="rule-1104" selected="true"/>
    <refine-value idref="var-1105" selector="yes"/>
    <select idref="rule-1105" selected="true"/>
    <refine-value idref="var-1106" selector="yes"/>
    <select idref="rule-1106" selected="true"/>
    <refine-value idref="var-1107" selector="yes"/>
    <select idref="rule-1107" selected="true"/>
    <refine-value idref="var-1108" selector="1"/>
    <select idref="rule-1108" selected="true"/>
    <refine-value idref="var-1109" selector="16"/>
    <select idref="rule-1109" selected="true"/>
    <select idref="rule-1111" selected="true"/>
    <select idref="rule-1112" selected="true"/>
    <select idref="rule-1120" selected="true"/>
    <select idref="rule-1121" selected="true"/>
    <select idref="rule-1122" selected="true"/>
    <select idref="rule-1125" selected="true"/>
    <select idref="rule-1126" selected="true"/>
    <select idref="rule-1127" selected="true"/>
  </Profile>
  <Group id="gr-intro" hidden="false">
    <title xml:lang="en-US">Introduction</title>
    <description xml:lang="en-US"> The purpose of this guide is to provide security
			configuration recommendations for the Red Hat Enterprise Linux (RHEL) 6 operating
			system. The guidance provided here is applicable to desktop systems. Recommended
			settings for the basic operating system are provided, as well as for many commonly-used
			services that the system can host in a network environment.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
			<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The guide is intended for system administrators. Readers are assumed to
			possess basic system administration skills for Unix-like systems, as well as some
			familiarity with Red Hat's documentation and administration conventions. Some
			instructions within this guide are complex. All directions should be followed completely
			and with understanding of their effects in order to avoid serious adverse effects on the
			system and its security. </description>
  </Group>
  <Group id="gr-principles" hidden="false">
    <title xml:lang="en-US">General Principles</title>
    <description xml:lang="en-US"> The following general principles motivate much of the
				advice in this guide and should also influence any configuration decisions that are
				not explicitly covered.</description>
    <Group id="gr-principles-1" hidden="false" weight="10.000000">
      <title xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title>
      <description xml:lang="en-US"> Data transmitted over a network, whether wired or
					wireless, is susceptible to passive monitoring. Whenever practical solutions for
					encrypting such data exist, they should be applied. Even if data is expected to
					be transmitted only over a local network, it should still be encrypted.
					Encrypting authentication data, such as passwords, is particularly important.
					Networks of RHEL machines can and should be configured so that no unencrypted
					authentication data is ever transmitted between machines.</description>
    </Group>
    <Group id="gr-principles-2" hidden="false">
      <title xml:lang="en-US">Minimize Software to Minimize Vulnerability</title>
      <description xml:lang="en-US"> The simplest way to avoid vulnerabilities in software
					is to avoid installing that software. On RHEL, the RPM Package Manager
					(originally Red Hat Package Manager, abbreviated RPM) allows detailed
					management of the set of software packages installed on a system. Installed
					software contributes to system vulnerability in several ways. Packages that
					include setuid programs may provide local attackers a potential path to
					privilege escalation. Packages that include network services may give this
					opportunity to network-based attackers. Packages that include programs which are
					predictably executed by local users (e.g. after graphical login) may provide
					opportunities for trojan horses or other attack code to be run undetected. The
					number of software packages installed on a system can almost always be
					significantly pruned to include only the software for which there is an
					environmental or operational need.</description>
    </Group>
    <Group id="gr-principles-3" hidden="false">
      <title xml:lang="en-US">Run Different Network Services on Separate Systems</title>
      <description xml:lang="en-US"> Whenever possible, a server should be dedicated to
					serving exactly one network service. This limits the number of other services
					that can be compromised in the event that an attacker is able to successfully
					exploit a software flaw in one network service.</description>
    </Group>
    <Group id="gr-principles-4" hidden="false">
      <title xml:lang="en-US">Configure Security Tools to Improve System Robustness</title>
      <description xml:lang="en-US"> Several tools exist which can be effectively used to
					improve a system's resistance to and detection of unknown attacks. These tools
					can improve robustness against attack at the cost of relatively little
					configuration effort. In particular, this guide recommends and discusses the use
					of Iptables for host-based firewalling, SELinux for protection against
					vulnerable services, and a logging and auditing infrastructure for detection of
					problems.</description>
    </Group>
    <Group id="gr-principles-5" hidden="false">
      <title xml:lang="en-US">Least Privilege</title>
      <description xml:lang="en-US"> Grant the least privilege necessary for user accounts
					and software to perform tasks. For example, do not allow users except those that
					need administrator access to use sudo. Another example is to limit logins on
					server systems to only those administrators who need to log into them in order
					to perform administration tasks. Using SELinux also follows the principle of
					least privilege: SELinux policy can confine software to perform only actions on
					the system that are specifically allowed. This can be far more restrictive than
					the actions permissible by the traditional Unix permissions model.</description>
    </Group>
  </Group>
  <Group id="gr-configuration" hidden="false">
    <title xml:lang="en-US">System-wide Configuration</title>
    <Group id="gr-software" hidden="false">
      <title xml:lang="en-US">Installing and Maintaining Software</title>
      <description xml:lang="en-US"> The following sections contain information on
				security-relevant choices during the initial operating system installation process
				and the setup of software updates.</description>
      <Group id="gr-installation" hidden="false">
        <title xml:lang="en-US">Initial Installation Recommendations</title>
        <description xml:lang="en-US"> The recommendations here apply to a clean
					installation of the system, where any previous installations are wiped out. The
					sections presented here are in the same order that the installer presents, but
					only installation choices with security implications are covered. Many of the
					configuration choices presented here can also be applied after the system is
					installed. The choices can also be automatically applied via Kickstart
					files.</description>
        <Group id="gr-installation-1" hidden="false">
          <title xml:lang="en-US">Disk Partitioning</title>
          <description xml:lang="en-US"> Some system directories should be placed on their
						own partitions (or logical volumes). This allows for better separation and
						protection of data. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The installer’s default partitioning scheme
						creates separate partitions (or logical volumes) for /, /boot, and swap.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>If starting with any of the default layouts, check the box to
								“Review and modify partitioning.” This allows for the easy creation
								of additional logical volumes inside the volume group already
								created, though it may require making /’s logical volume smaller to
								create space. In general, using logical volumes is preferable to
								using partitions because they can be more easily adjusted
								later.</xhtml:li>
							<xhtml:li>If creating a custom layout, create the partitions mentioned
								in the previous paragraph (which the installer will require anyway),
								as well as separate ones described in the following
								sections.</xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If a system has already been installed, and the default
						partitioning scheme was used, it is possible but nontrivial to modify it to
						create separate logical volumes for the directories listed above. The
						Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at
						http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM. </description>
          <Group id="gr-installation-1.1" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /tmp</title>
            <description xml:lang="en-US"> The /tmp directory is a world-writable
							directory used for temporary file storage. Ensure that it has its own
							partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because software may need to use /tmp to temporarily store
							large files, ensure that it is of adequate size. For a modern,
							general-purpose system, 10GB should be adequate. Smaller or larger sizes
							could be used, depending on the availability of space on the drive and
							the system’s operating requirements </description>
            <Rule id="rule-1000" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /tmp has its own partition or logical volume</title>
              <description xml:lang="en-US">The /tmp directory is a world-writable
								directory used for temporary file storage. Ensure that it has its own
								partition or logical volume.</description>
              <ident system="http://cce.mitre.org">CCE-14161-4</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1000" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.2" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /var</title>
            <description xml:lang="en-US"> The /var directory is used by daemons and
							other system services to store frequently-changing data. It is not
							uncommon for the /var directory to contain world-writable directories,
							installed by other software packages. Ensure that /var has its own
							partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because the yum package manager and other software uses /var
							to temporarily store large files, ensure that it is of adequate size. For
							a modern, general-purpose system, 10GB should be adequate. </description>
            <Rule id="rule-1001" selected="false" weight="10.000000" severity="low">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /var has its own partition or logical volume</title>
              <description xml:lang="en-US">The /var directory is used by daemons and
								other system services to store frequently-changing data. It is not
								uncommon for the /var directory to contain world-writable
								directories, installed by other software packages. Ensure that /var
								has its own partition or logical volume.</description>
              <ident system="http://cce.mitre.org">CCE-14777-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1001" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.3" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /var/log</title>
            <description xml:lang="en-US"> System logs are stored in the /var/log
							directory. Ensure that it has its own partition or logical volume.
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> See 2.6 for more information about logging and
							auditing.</description>
            <Rule id="rule-1002" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /var/log has its own partition or logical volume</title>
              <description xml:lang="en-US"> System logs are stored in the /var/log
								directory. Ensure that it has its own partition or logical
								volume.</description>
              <ident system="http://cce.mitre.org">CCE-14011-1</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1002" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.4" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /var/log/audit</title>
            <description xml:lang="en-US"> Audit logs are stored in the /var/log/audit
							directory. Ensure that it has its own partition or logical volume. Make
							absolutely certain that it is large enough to store all audit logs that
							will be created by the auditing daemon.</description>
            <Rule id="rule-1003" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /var/log/audit has its own partition or logical volume</title>
              <description xml:lang="en-US"> Audit logs are stored in the
								/var/log/audit directory. Ensure that it has its own partition or
								logical volume. Make absolutely certain that it is large enough to
								store all audit logs that will be created by the auditing
								daemon.</description>
              <ident system="http://cce.mitre.org">CCE-14171-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1003" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.5" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for	/home if Using Local Home Directories</title>
            <description xml:lang="en-US"> If user home directories will be stored
							locally, create a separate partition for /home. If /home will be mounted
							from another system such as an NFS server, then creating a separate
							partition is not necessary at this time, and the mountpoint can instead
							be configured later.</description>
            <Rule id="rule-1004" selected="false" weight="10.000000" severity="low">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /home has its own partition or logical volume</title>
              <description xml:lang="en-US"> If user home directories will be stored
								locally, create a separate partition for /home. If /home will be
								mounted from another system such as an NFS server, then creating a
								separate partition is not necessary at this time, and the mountpoint
								can instead be configured later.</description>
              <ident system="http://cce.mitre.org">CCE-14559-9</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1004" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-installation-2" hidden="false">
          <title xml:lang="en-US">Boot Loader Configuration</title>
          <description xml:lang="en-US"> Check the box to "Use a boot loader password" and
						create a password. Once this password is set, anyone who wishes to change
						the boot loader configuration will need to enter it. Assigning a boot loader password 
						prevents a local user with physical access from altering the boot loader configuration 
						at system startup. </description>
        </Group>
        <Group id="gr-installation-3" hidden="false">
          <title xml:lang="en-US">First-boot Configuration</title>
          <description xml:lang="en-US"> The system presents more configuration options
						during the first boot after installation. For the screens listed, implement
						the security-related recommendations:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li> Set Up Software Updates - If the system is
							connected to the Internet now, click 'Yes, I'd like to register now.'
							This will require a connection to either the Red Hat Network servers or
							their proxies or satellites.</xhtml:li>
							<xhtml:li> Create User - If the system
							will require a local user account, it can be created here. Even if the
							system will be using a network-wide authentication system, 
							do not click on the 'Use Network Login...' button.
							Manually applying configuration later is preferable.</xhtml:li>
							<xhtml:li> Kdump - Leave Kdump
							off unless the feature is required, such as for kernel development and
							testing.</xhtml:li>
							<xhtml:li> Firewall - Leave set to 'Enabled.' Only check the 'Trusted
							Services' that this system needs to serve. Uncheck the default selection
							of SSH if the system does not need to serve SSH.</xhtml:li>
							<xhtml:li> SELinux - Leave SELinux set to 'Enforcing' mode.</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
      </Group>
      <Group id="gr-updating" hidden="false">
        <title xml:lang="en-US">Updating Software</title>
        <description xml:lang="en-US"> The yum command line tool is used to install and
					update software packages. Yum replaces the up2date utility used in previous
					system releases. The system also provides PackageKit, which is  a graphical package manager.
					It consists of several graphical interfaces that can be opened from the GNOME panel menu, 
					or from the Notification Area when PackageKit alerts you that updates are available. 
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is recommended that these tools be used to keep systems up to
					date with the latest security patches. </description>
        <Group id="gr-updating-1" hidden="false">
          <title xml:lang="en-US">Ensure Red Hat GPG Keys are Installed</title>
          <description xml:lang="en-US"> To ensure that the system can
							cryptographically verify update packages (and also connect to the Red
							Hat Network to receive them if desired) run the following command to
							ensure that the system has the Red Hat GPG keys properly installed:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -q gpg-pubkey</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command should return the strings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg-pubkey-fd431d51-4ae0493b</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg-pubkey-2fa658e0-45700c69</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							corresponding to these keys:
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg(Red Hat, Inc. (release key 2) &lt;security@redhat.com&gt;)</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg(Red Hat, Inc. (auxiliary key) &lt;security@redhat.com&gt;)</xhtml:code></description>
          <Rule id="rule-1005" selected="false" weight="10.000000">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Red Hat GPG Keys are Installed</title>
            <description xml:lang="en-US">The GPG keys should be installed.</description>
            <ident system="http://cce.mitre.org">CCE-14440-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1005" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-updating-2" hidden="false">
          <title xml:lang="en-US">Configure Connection to the RHN RPM Repositories</title>
          <description xml:lang="en-US">
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml" class="block"> The first step in configuring a system for updates
							is to register with the Red Hat Network (RHN). For most systems, this is
							done during the initial installation. Successfully registered systems
							will appear on the RHN web site. If the system is not listed, run the
							Red Hat Subscription Manager tool, which can be found in the
							<xhtml:b>System =&gt; Administration</xhtml:b> menu in the top management bar.
							or on the command line: </xhtml:p>
							
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># subscription-manager register --username admin-example --password secret
							</xhtml:code>
							
							<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Follow the prompts on the screen. If successful, the system
							will appear on the RHN web site and be subscribed to one or more
							software update channels. Additionally, a new daemon, rhnsd, will be
							enabled.</xhtml:p>

						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml" class="block"> If the system will not have access to the Internet, it will not
						be able to directly subscribe to the RHN update repository. Updates will
						have to be downloaded from the RHN web site manually. The command line tool
						yum and the graphical front-end PackageKit can be configured to handle
						this situation. </xhtml:p> </description>
        </Group>
        <Group id="gr-updating-3" hidden="false">
          <title xml:lang="en-US">Disable the rhnsd Daemon</title>
          <description xml:lang="en-US"> The rhnsd daemon polls the Red Hat Network web
						site for scheduled actions. Unless it is actually necessary to schedule
						updates remotely through the RHN website, it is recommended that the service
						be disabled.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rhnsd daemon is enabled by default, but until the system has
						been registered with the Red Hat Network, it will not run. However, once the
						registration process is complete, the rhnsd daemon will run in the
						background and periodically call the rhn check utility. It is the rhn check
						utility that communicates with the Red Hat Network web site.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This utility is not required for the system to be able to access
						and install system updates. Once the system has been registered, either use
						the provided yum-updatesd service or create a cron job to automatically
						apply updates. </description>
          <Rule id="rule-1006" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable the rhnsd Daemon</title>
            <description xml:lang="en-US">The rhnsd service should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-3416-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1006" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-updating-4" hidden="false">
          <title xml:lang="en-US">Obtain Software Package Updates with yum</title>
          <description xml:lang="en-US"> The yum update utility can be run by hand from
						the command line, called through one of the provided front-end tools, or
						configured to run automatically at specified intervals.</description>
          <Group id="gr-updating-4.1" hidden="false">
            <title xml:lang="en-US">Manually Update Packages Where Appropriate</title>
            <description xml:lang="en-US"> The following command prints a list of
							packages that need to be updated:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum check-update</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To actually install these updates, run:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum update</xhtml:code>
						</description>
          </Group>
          <Group id="gr-updating-4.2" hidden="false">
            <title xml:lang="en-US">Configure Automatic Update Retrieval and Installation with Cron</title>
            <description xml:lang="en-US"> Create the file yum.cron, make it executable, and place it
							in /etc/cron.daily:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							#!/bin/sh <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							/usr/bin/yum -R 120 -e 0 -d 0 -y update yum <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							/usr/bin/yum -R 10 -e 0 -d 0 -y update  <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This particular script instructs yum to update any packages
							it finds. Placing the script in /etc/cron.daily ensures its daily
							execution. To only apply updates once a week, place the script in
							/etc/cron.weekly instead. </description>
          </Group>
          <Group id="gr-updating-4.3" hidden="false">
            <title xml:lang="en-US">Ensure Package Signature Checking is Globally Activated</title>
            <description xml:lang="en-US"> The gpgcheck option should be used to ensure
							that checking of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To force yum to check package signatures before installing
							them, ensure that the following line appears in /etc/yum.conf in the
							[main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1007" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">gpgcheck is Globally Activated</title>
              <description xml:lang="en-US"> The gpgcheck option should be used to ensure that checking
								of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
								<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check package signatures before
								installing them, ensure that the following line appears in
								/etc/yum.conf in the [main] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
								<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=1</description>
              <ident system="http://cce.mitre.org">CCE-14914-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1007" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-updating-4.4" hidden="false">
            <title xml:lang="en-US">Ensure Package Signature Checking is Not Disabled For Any Repos</title>
            <description xml:lang="en-US"> To ensure that signature checking is not
							disabled for any repos, ensure that the following line DOES NOT appear
							in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1008" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Package Signature Checking is Not Disabled For Any Repos</title>
              <description xml:lang="en-US"> To ensure that signature checking is not disabled for any
								repos, ensure that the following line DOES NOT appear in any repo
								configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
								<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>gpgcheck=0</description>
              <ident system="http://cce.mitre.org">CCE-14813-0</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1008" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-updating-4.5" hidden="false">
            <title xml:lang="en-US">Ensure Repodata Signature Checking is Globally Activated</title>
            <description xml:lang="en-US"> The repo_gpgcheck option should be used to
							ensure that checking of a signature on repodata is performed prior to
							using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To force yum to check the signature on repodata sent by a
							repository prior to using it, ensure that the following line appears in
							/etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> repo_gpgcheck=1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
          </Group>
          <Group id="gr-updating-4.6" hidden="false">
            <title xml:lang="en-US">Ensure Repodata Signature Checking is Not Disabled For Any Repos</title>
            <description xml:lang="en-US"> To ensure that signature checking is not
							disabled for any repos, ensure that the following line DOES NOT appear
							in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> repo_gpgcheck=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Red Hat’s repositories support signatures on repodata,
							but some public repositories do not. If a repository does not support
							signature checking on repodata, then this risk must be weighed against
							the value of using the repository. </description>
          </Group>
        </Group>
      </Group>
      <Group id="gr-integrity" hidden="false">
        <title xml:lang="en-US">Software Integrity Checking</title>
        <description xml:lang="en-US"> 	Integrity checking cannot prevent intrusions into your
					system, but can detect that they have occurred. Any integrity checking software 
					should be configured before the	system is deployed and able to provides services 
					to users. Ideally, the integrity checking database would be built before the system 
					is connected to any network, though this may prove impractical due to registration 
					and software updates. </description>
        <Group id="gr-integrity-1" hidden="false">
          <title xml:lang="en-US">Verify Package Integrity Using RPM</title>
          <description xml:lang="en-US"> The RPM package management system includes the
						ability to verify the integrity of installed packages by comparing the
						installed files with information about the files taken from the package
						metadata stored in the RPM database. Although an attacker could corrupt the
						RPM database (analogous to attacking the AIDE database as described above),
						this check can still reveal modification of important files.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To determine which files on the system differ from what is
						expected by the RPM database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -Va<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A “c” in the second column indicates that a file is a
						configuration file (and may be expected to change). In order to exclude
						configuration files from this list, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -Va | awk '$2!="c" {print $0}'<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The man page rpm(8) describes the format of the output. Any files
						that do not match the expected output demand further investigation if the
						system is being seriously examined. This check could also be run as a cron
						job. </description>
          <Rule id="rule-1009" selected="false" weight="10.000000">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Package Integrity is correct according to package management system</title>
            <description xml:lang="en-US">Verify the integrity of installed packages by comparing the
							installed files with information about the files taken from the package
							metadata stored in the RPM database.</description>
            <ident system="http://cce.mitre.org">CCE-14931-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:tst:1009" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-permissions" hidden="false">
      <title xml:lang="en-US">File Permissions and Masks</title>
      <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Traditional Unix security relies heavily on file and
				directory permissions to prevent unauthorized users from reading or modifying files
				to which they should not have access. Adhere to the principle of least privilege —
				configure each file, directory, and filesystem to allow only the access needed in
				order for that file to serve its purpose. </xhtml:p>
				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> However, Linux systems contain a large number of files, so it is often
				prohibitively time-consuming to ensure that every file on a machine has exactly the
				permissions needed. This section introduces several permission restrictions which
				are almost always appropriate for system security, and which are easy to test and
				correct. </xhtml:p> 
				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Note: Several of the commands in this section search filesystems for
				files or directories with certain characteristics, and are intended to be run on
				every local ext2, ext3 or ext4 partition on a given machine. When the variable 
				<xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> appears in one of the commands below, it means that
				the command is intended to be run repeatedly, with the name of each local partition
				substituted for <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> in turn. </xhtml:p>

				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command prints a list of ext2, ext3 and ext4 partitions on a
				given machine: </xhtml:p>
				<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ mount -t ext2,ext3,ext4 | awk '{print $3}'</xhtml:code>
				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If your site uses a local filesystem type other than those, you
				will need to modify this command. </xhtml:p> </description>
      <Group id="gr-verify-files" hidden="false">
        <title xml:lang="en-US">Verify Permissions on Important Files and Directories</title>
        <description xml:lang="en-US"> Permissions for many files on a system should be set
					to conform to system policy. This section discusses important permission
					restrictions which should be checked on a regular basis to ensure that
					no harmful discrepancies have arisen.</description>
        <Group id="gr-verify-shadow" hidden="false">
          <title xml:lang="en-US">Verify Permissions on passwd, shadow, group and gshadow Files</title>
          <description xml:lang="en-US"> Many utilities need read access to the passwd file in order to
						function properly, but read access to the shadow file allows malicious
						attacks against system passwords, and should never be enabled.</description>
          <Rule id="rule-1010" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'shadow' file</title>
            <description xml:lang="en-US">The /etc/shadow file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3918-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1010" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1011" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'shadow' file</title>
            <description xml:lang="en-US">The /etc/shadow file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3988-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1011" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1012" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'group' file</title>
            <description xml:lang="en-US">The /etc/group file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3276-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1012" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1013" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'group' file</title>
            <description xml:lang="en-US">The /etc/group file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3883-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1013" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1014" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'gshadow' file</title>
            <description xml:lang="en-US">The /etc/gshadow file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-4210-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1014" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1015" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'gshadow' file</title>
            <description xml:lang="en-US">The /etc/gshadow file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-4064-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1015" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1016" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'passwd' file</title>
            <description xml:lang="en-US">The /etc/passwd file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3958-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1016" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1017" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'passwd' file</title>
            <description xml:lang="en-US">The /etc/passwd file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3495-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1017" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1018" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'shadow' file</title>
            <description xml:lang="en-US">File permissions for /etc/shadow should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-4130-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1018" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1019" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'group' file</title>
            <description xml:lang="en-US">File permissions for /etc/group should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3967-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1019" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1020" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'gshadow' file</title>
            <description xml:lang="en-US">File permissions for /etc/gshadow should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3932-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1020" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1021" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'passwd' file</title>
            <description xml:lang="en-US">File permissions for /etc/passwd should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3566-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1021" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-sticky" hidden="false">
          <title xml:lang="en-US">Verify that All World-Writable Directories Have Sticky Bits Set</title>
          <description xml:lang="en-US"> When the so-called 'sticky bit' is set on a
						directory, only the owner of a given file may remove that file from the
						directory. Without the sticky bit, any user with write access to a directory
						may remove any file in the directory. Setting the sticky bit prevents users
						from removing each other's files. In cases where there is no reason for a
						directory to be world-writable, a better solution is to remove that
						permission rather than to set the sticky bit. However, if a directory is
						used by a particular application, consult that application's documentation
						instead of blindly changing modes.</description>
          <Rule id="rule-1022" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">All World-Writable Directories Have Sticky Bits Set</title>
            <description xml:lang="en-US">The sticky bit should be set for all world-writable
							directories.</description>
            <ident system="http://cce.mitre.org">CCE-3399-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1022" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-fwritable" hidden="false">
          <title xml:lang="en-US">Find Unauthorized World-Writable Files</title>
          <description xml:lang="en-US"> Data in world-writable files can be modified by
						any user on the system. In almost all circumstances, files can be configured
						using a combination of user and group permissions to support whatever
						legitimate access is needed without the risk caused by world-writable files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is generally a good idea to remove global (other) write
						access to a file when it is discovered. However, check with documentation
						for specific applications before making changes. Also, monitor for recurring
						world-writable files, as these may be symptoms of a misconfigured
						application or user account. </description>
          <Rule id="rule-1023" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Unauthorized World-Writable Files</title>
            <description xml:lang="en-US">The world-write permission should be disabled for all
							files.</description>
            <ident system="http://cce.mitre.org">CCE-3795-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1023" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-suid" hidden="false">
          <title xml:lang="en-US">Find Unauthorized SUID/SGID System Executables</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command discovers and prints any
						setuid or setgid files on local partitions. Run it once for each local
						partition: </xhtml:p>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print </xhtml:code>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If the file does not require a setuid or setgid bit, then these bits can be removed with the command: </xhtml:p>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> chmod -s file </xhtml:code>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following table contains all setuid and setgid files which
						are expected to be on a stock system. To reduce system risk, the packages containing these files may be removed
						in some cases; alternatively, the setuid or setgid bit on these
						files may be disabled to reduce system risk if only an administrator
						requires their functionality. </xhtml:p>

						<xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:tr>
								<xhtml:th>File</xhtml:th>
								<xhtml:th>Set-UID</xhtml:th>
								<xhtml:th>Set-GID</xhtml:th>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/cgexec</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>cgred</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/fusermount</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/mount</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/ping6</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/ping</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/su</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/umount</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/lib64/dbus-1/dbus-daemon-launch-helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/lib/dbus-1/dbus-daemon-launch-helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/mount.ecryptfs_private</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/mount.nfs</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/netreport</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>root</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/pam_timestamp_check</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/unix_chkpwd</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/at</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/chage</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/chfn</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/chsh</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/crontab</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>root</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/gnomine</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>games</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/gpasswd</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/iagno</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>games</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/kgrantpty</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/kpac_dhcp_helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/ksu</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/locate</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>slocate</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/lockfile</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mail</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/newgrp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/newrole</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/passwd</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/pkexec</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/rcp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/rlogin</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/rsh</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/same-gnome</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>games</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/screen</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>screen</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/sperl5.10.1</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/ssh-agent</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>nobody</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/staprun</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/sudoedit</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/sudo</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/wall</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>tty</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/write</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>tty</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/Xorg</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/calcsize</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/dumper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/killpgrp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/planner</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/rundump</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/runtar</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/nspluginwrapper/plugin-config</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/vte/gnome-pty-helper</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>utmp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/calcsize</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/dumper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/killpgrp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/planner</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/rundump</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/runtar</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/kde4/kdesud</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>root</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/mc/cons.saver</xhtml:td>
								<xhtml:td>vcsa</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/openssh/ssh-keysign</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/polkit-1/polkit-agent-helper-1</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/pt_chown</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/pulse/proximity-helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/utempter/utempter</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>utmp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/admindb</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/admin</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/confirm</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/create</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/edithtml</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/listinfo</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/options</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/private</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/rmlist</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/roster</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/subscribe</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/mail/mailman</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/nspluginwrapper/plugin-config</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/vte/gnome-pty-helper</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>utmp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/amcheck</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/lockdev</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>lock</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/postdrop</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>postdrop</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/postqueue</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>postdrop</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/sendmail.sendmail</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>smmsp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/seunshare</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/suexec</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/userhelper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/usernetctl</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
						</xhtml:table>
					</description>
          <Rule id="rule-1024" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Unauthorized SGID System Executables</title>
            <description xml:lang="en-US">The sgid bit should not be set for all files.</description>
            <ident system="http://cce.mitre.org">CCE-14340-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1024" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1025" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Unauthorized SUID System Executables</title>
            <description xml:lang="en-US">The suid bit should not be set for all files.</description>
            <ident system="http://cce.mitre.org">CCE-14340-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1025" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-unowned" hidden="false">
          <title xml:lang="en-US">Find and Repair Unowned Files</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command will discover and print any
						files on local partitions which do not belong to a valid user and a valid
						group. Run it once for each local partition PART: </xhtml:p>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART
							-xdev \( -nouser -o -nogroup \) -print </xhtml:code>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If this command
						prints any results, investigate each reported file and either assign it to
						an appropriate user and group or remove it. Unowned files are not directly
						exploitable, but they are generally a sign that something is wrong with some
						system process. They may be caused by an intruder, by incorrect software
						installation or draft software removal, or by failure to remove all files
						belonging to a deleted account. The files should be repaired so that they
						will not cause problems when accounts are created in the future, and the
						problem which led to unowned files should be discovered and
						addressed.</xhtml:p> </description>
          <Rule id="rule-1026" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Files unowned by any user</title>
            <description xml:lang="en-US">All files should be owned by a user</description>
            <ident system="http://cce.mitre.org">CCE-4223-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1026" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1027" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Files unowned by any group</title>
            <description xml:lang="en-US">All files should be owned by a group</description>
            <ident system="http://cce.mitre.org">CCE-3573-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1027" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-dwritable" hidden="false">
          <title xml:lang="en-US">Verify that All World-Writable Directories Have Proper Ownership</title>
          <description xml:lang="en-US"> Locate any directories in local partitions which
						are world-writable and ensure that they are owned by root or another system
						account. The following command will discover and print these (assuming only
						system accounts have a uid lower than 500). Run it once for each local
						partition PART:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d -perm -0002 -uid +500
							-print<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If this command produces any output, investigate why the current
						owner is not root or another system account.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Allowing a user account to own a world-writeable directory is
						undesirable because it allows the owner of that directory to remove or
						replace any files that may be placed in the directory by other
						users.</description>
          <Rule id="rule-1028" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">World writable directories not owned by a system account</title>
            <description xml:lang="en-US">All world writable directories should be owned by a system
							user</description>
            <ident system="http://cce.mitre.org">CCE-14794-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1028" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-restrict" hidden="false">
        <title xml:lang="en-US">Restrict Programs from Dangerous Execution Patterns</title>
        <description xml:lang="en-US"> The recommendations in this section provide broad
					protection against information disclosure or other misbehavior. These
					protections are applied at the system initialization or kernel level, and defend
					against certain types of badly-configured or compromised programs.</description>
        <Group id="gr-restrict-umask" hidden="false">
          <title xml:lang="en-US">Set Daemon umask</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The file /etc/rc.d/init.d/functions
						which is used by most or all shell scripts in the /etc/init.d directory, set an umask. 
						The system umask
						must be set to at least 022, or daemon processes may create world-writable
						files. The more restrictive setting 027 protects files, including temporary
						files and log files, from unauthorized reading by unprivileged users on the
						system. </xhtml:p>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If a particular daemon needs a less restrictive umask, consider
						editing the startup script or sysconfig file of that daemon to make a
						specific exception.</xhtml:p> </description>
          <Value id="var-1029" operator="equals" type="string">
            <title xml:lang="en-US">daemon umask</title>
            <description xml:lang="en-US">Enter umask for daemons</description>
            <value>027</value>
            <value selector="022">022</value>
            <value selector="027">027</value>
          </Value>
          <Rule id="rule-1029" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Daemon umask setting</title>
            <description xml:lang="en-US">The daemon umask should be set as appropriate</description>
            <ident system="http://cce.mitre.org">CCE-4220-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1029" value-id="var-1029"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1029" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-restrict-dumps" hidden="false">
          <title xml:lang="en-US">Disable Core Dumps</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> A core dump file is the memory image of an
						executable program when it was terminated by the operating system due to
						errant behavior. In most cases, only software developers would legitimately
						need to access these files. The core dump files may also contain sensitive
						information, or unnecessarily occupy large amounts of disk space. </xhtml:p>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> By default, the system sets a soft limit to stop the creation of
						core dump files for all users. However, compliance with
						this limit is voluntary; it is a default intended only to protect users from
						the annoyance of generating unwanted core files. Users can increase the
						allowed core file size up to the hard limit, which is unlimited by default.
						Once a hard limit is set in /etc/security/limits.conf, </xhtml:p>
				        <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> *               hard    core            0 </xhtml:code> 
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">
						the user cannot increase that limit within his own session. If access to core dumps
						is required, consider restricting them to only certain users or groups. See
						the limits.conf man page for more information. </xhtml:p>  </description>
          <Rule id="rule-1030" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable Core Dumps for all users</title>
            <description xml:lang="en-US">Core dumps for all users should be disabled</description>
            <ident system="http://cce.mitre.org">CCE-4225-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1030" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group> 

         <Group id="gr-restrict-SUID_Dumps" hidden="false">
            <title xml:lang="en-US">Ensure SUID Core Dumps are Disabled</title>
            <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The sysctl variable fs.suid_dumpable 
            					controls whether the kernel allows core dumps from these programs at all. It
						should be checked to ensure that it has not been enabled at any time during
						system operation. To check this, issue the command: </xhtml:p>
					    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl fs.suid_dumpable </xhtml:code>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The output should indicate that the setting is 0. (Use of
						the -n option causes output to consist of only the value, which may make
						automated checking easier.) </xhtml:p> </description>
          <Rule id="rule-1031" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable Core Dumps for SUID programs</title>
            <description xml:lang="en-US">Core dumps for setuid programs should be disabled</description>
            <ident system="http://cce.mitre.org">CCE-4247-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1031" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
         </Group>
        <Group id="gr-restrict-execshield" hidden="false">
          <title xml:lang="en-US">Enable ExecShield</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> ExecShield comprises a number of kernel features
						to provide protection against buffer overflows. These features include
						random placement of the stack and other memory regions, prevention of
						execution in memory that should only hold data, and special handling of text
						buffers. This protection is enabled by default, but the sysctl variables
						kernel.exec-shield and kernel.randomize va space should be checked to ensure
						that it has not been disabled. </xhtml:p>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">	To check that
							ExecShield (including random placement of virtual memory regions) is
							currently running, issue the following commands: </xhtml:p>

					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl kernel.exec-shield </xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl kernel.randomize_va_space </xhtml:code>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The output should indicate that the
							setting of kernel.exec-shield is 1 and the setting of kernel.randomize_va_space is 2.
							(Use of the -n option causes output to consist of only the
							value, which may make automated checking easier.) </xhtml:p> </description>
            <Value id="var-1033" operator="equals" type="string">
              <title xml:lang="en-US">kernel.randomize_va_space</title>
              <description xml:lang="en-US">Enter whether virtual address space should be randomized</description>
              <value>2</value>
              <value selector="enabled_with_heap">2</value>
              <value selector="enabled_without_heap">1</value>
              <value selector="disabled">0</value>
            </Value>
          <Rule id="rule-1032" selected="false" weight="10.000000">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">ExecShield is enabled (runtime)</title>
            <description xml:lang="en-US">ExecShield should be enabled</description>
            <ident system="http://cce.mitre.org">CCE-4168-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1032" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1033" selected="false" weight="10.000000">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">ExecShield randomized placement of virtual memory regions is enabled (runtime)</title>
            <description xml:lang="en-US">ExecShield randomized placement of virtual memory regions
							should be enabled</description>
            <ident system="http://cce.mitre.org">CCE-4146-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1033" value-id="var-1033"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1033" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-accounts" hidden="false">
      <title xml:lang="en-US">Account and Access Control</title>
      <description xml:lang="en-US"> In traditional Unix security, if an attacker gains shell
				access to a certain login account, he can perform any action or access any file to
				which that account has access. Therefore, making it more difficult for unauthorized
				people to gain shell access to accounts, particularly to privileged accounts, is a
				necessary part of securing a system. This section introduces mechanisms for
				restricting access to accounts..</description>
      <Group id="gr-accounts-login" hidden="false">
        <title xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title>
        <description xml:lang="en-US"> Conventionally, Unix shell accounts are accessed by
					providing a username and password to a login program, which tests these values
					for correctness using the /etc/passwd and /etc/shadow files. Password-based
					login is vulnerable to guessing of weak passwords, and to sniffing and
					man-in-the-middle attacks against passwords entered over a network or at an
					insecure console. Therefore, mechanisms for accessing accounts by entering
					usernames and passwords should be restricted to those which are operationally
					necessary.</description>
        <Group id="gr-accounts-login.1" hidden="false">
          <title xml:lang="en-US">Restrict Root Logins to System Console</title>
          <description xml:lang="en-US"> Edit the file /etc/securetty. Ensure that the
						file contains only the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The primary system console device:
								<xhtml:br/>console</xhtml:li>
							<xhtml:li>The virtual console devices: <xhtml:br/>tty1 tty2 tty3 tty4
								tty5 tty6 ... </xhtml:li>
							<xhtml:li>If required by your organization, the deprecated virtual
								console interface may be retained for backwards
								compatibility:<xhtml:br/>vc/1 vc/2 vc/3 vc/4 vc/5 vc/6
								...</xhtml:li>
							<xhtml:li>If required by your organization, the serial consoles may be
								added:<xhtml:br/> ttyS0 ttyS1</xhtml:li>
						</xhtml:ul> Direct root logins should be allowed only for emergency use. In
						normal situations, the administrator should access the system via a unique
						unprivileged account, and use su or sudo to execute privileged commands.
						Discouraging administrators from accessing the root account directly ensures
						an audit trail in organizations with multiple administrators. Locking down
						the channels through which root can connect directly reduces opportunities
						for password-guessing against the root account. The login program uses the
						file /etc/securetty to determine which interfaces should allow root logins.
						The virtual devices /dev/console and /dev/tty* represent the system consoles
						(accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a
						default installation). The default securetty file also contains /dev/vc/*.
						These are likely to be deprecated in most environments, but may be retained
						for compatibility. Root should also be prohibited from connecting via
						network protocols. </description>
          <Rule id="rule-1034" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Root logins to virtual console are not permited</title>
            <description xml:lang="en-US">Root logins through the virtual console devices should be
							disabled</description>
            <ident system="http://cce.mitre.org">CCE-3485-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1034" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1035" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Root logins to serial ports are not permited</title>
            <description xml:lang="en-US">Root logins on serial ports should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-4256-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1035" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-login.2" hidden="false">
          <title xml:lang="en-US">Configure su to Restrict the Root Access</title>
          <description xml:lang="en-US">
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Ensure that the group wheel exists, and that the usernames of
								all administrators who should be allowed to execute commands as root
								are members of that group. <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># grep ^wheel /etc/group</xhtml:code>
							</xhtml:li>
							<xhtml:li>Edit the file /etc/pam.d/su. Add, uncomment, or correct the
								line: <xhtml:br/>
								<xhtml:code>auth required pam_wheel.so use_uid</xhtml:code>
							</xhtml:li>
						</xhtml:ol> The su command allows a user to gain the privileges of another
						user by entering the password for that user's account. It is desirable to
						restrict the root user so that only known administrators are ever allowed to
						access the root account. This restricts password-guessing against the root
						account by unauthorized users or by accounts which have been compromised. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By convention, the group wheel contains all users who are
						allowed to run privileged commands. The PAM module pam_wheel.so is used to
						restrict root access to this set of users.</description>
          <Rule id="rule-1036" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The 'wheel' group should exist</title>
            <description xml:lang="en-US">Ensure that the group wheel exists</description>
            <ident system="http://cce.mitre.org">CCE-14088-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1036" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1037" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Access to the root account via su is restricted to the wheel group</title>
            <description xml:lang="en-US">Command access to the root account should be restricted to the
							wheel group.</description>
            <ident system="http://cce.mitre.org">CCE-15047-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1037" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-login.3" hidden="false">
          <title xml:lang="en-US">Configure sudo to Improve Auditing of Root Access</title>
          <description xml:lang="en-US">
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Ensure that the group wheel exists, and that the usernames of
								all administrators who should be allowed to execute commands as root
								are members of that group. <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># grep ^wheel /etc/group</xhtml:code>
							</xhtml:li>
							<xhtml:li>Edit the file /etc/sudoers. Add, uncomment, or correct the
								line: <xhtml:br/>
								<xhtml:br/> %wheel ALL=(ALL) ALL</xhtml:li>
						</xhtml:ol>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The sudo command allows fine-grained control over which users
						can execute commands using other accounts. The primary benefit of sudo when
						configured as above is that it provides an audit trail of every command run
						by a privileged user. It is possible for a malicious administrator to
						circumvent this restriction, but, if there is an established procedure that
						all root commands are run using sudo, then it is easy for an auditor to
						detect unusual behavior when this procedure is not followed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Editing /etc/sudoers by hand can be dangerous, since a
						configuration error may make it impossible to access the root account
						remotely. The recommended means of editing this file is using the visudo
						command, which checks the file's syntax for correctness before allowing it
						to be saved.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note that sudo allows any attacker who gains access to the
						password of an administrator account to run commands as root. This is a
						downside which must be weighed against the benefits of increased audit
						capability and of being able to heavily restrict the use of the high-value
						root password (which can be logistically difficult to change often). As a
						basic precaution, never use the NOPASSWD directive, which would allow anyone
						with access to an administrator account to execute commands as root without
						knowing the administrator's password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The sudo command has many options which can be used to further
						customize its behavior. See the sudoers(5) man page for
						details.</description>
        </Group>
        <Group id="gr-accounts-login.4" hidden="false">
          <title xml:lang="en-US">Block Shell and Login Access for Non-Root System Accounts</title>
          <description xml:lang="en-US"> Using /etc/passwd, obtain a listing of all users,
						their UIDs, and their shells, for instance by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Identify the system accounts from this listing. These will
						primarily be the accounts with UID numbers less than 500, other than root.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each identified system account SYSACCT , lock the account: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -L SYSACCT <xhtml:br/>
						</xhtml:code> and disable its shell: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin SYSACCT <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These are the accounts which are not associated with a human
						user of the system, but which exist to perform some administrative function.
						Make it more difficult for an attacker to use these accounts by locking
						their passwords and by setting their shells to some non-valid shell. The
						default non-valid shell is /sbin/nologin, but any command which will
						exit with a failure status and disallow execution of any further commands,
						such as /bin/false or /dev/null, will work.</description>
          <warning xml:lang="en-US" override="false" category="functionality">Do not perform the steps in
						this section on the root account. Doing so might cause the system to become
						inaccessible.</warning>
          <Rule id="rule-1038" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Login Access for Non-Root System Accounts is blocked</title>
            <description xml:lang="en-US">Login access to non-root system accounts should be
							disabled</description>
            <ident system="http://cce.mitre.org">CCE-3987-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1038" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>

        <Group id="gr-accounts-login.5" hidden="false">
            <title xml:lang="en-US">Verify that No Accounts Have Empty Password Fields</title>
            <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If an account has an empty password, 
            					anybody may log in and run commands with the privileges of that account. Accounts 
            					with empty passwords should never be used in operational environments. </xhtml:p>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Run the command: </xhtml:p>
					    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 == "") {print}' /etc/shadow </xhtml:code>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If this produces any output, fix the problem by locking each
						account or by setting a password. </xhtml:p> </description>
            <Rule id="rule-1039" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">No Accounts Have Empty Password Fields</title>
              <description xml:lang="en-US">Login access to accounts without passwords should be
								disabled</description>
              <ident system="http://cce.mitre.org">CCE-4238-2</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1039" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
        </Group>

        <Group id="gr-accounts-login.6" hidden="false">
            <title xml:lang="en-US">Verify that All Account Password Hashes are Shadowed</title>
            <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The hashes for all user account 
            					passwords should be stored in the file /etc/shadow and never in /etc/passwd, which 
            					is readable by all users. </xhtml:p>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> To ensure that no password hashes are stored
							in /etc/passwd, the following command should have no output: </xhtml:p>
					    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd </xhtml:code>
						</description>
            <Rule id="rule-1040" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">All Account Password Hashes are Shadowed</title>
              <description xml:lang="en-US">Check that passwords are shadowed</description>
              <ident system="http://cce.mitre.org">CCE-14300-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1040" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
        </Group>

        <Group id="gr-accounts-login.7" hidden="false">
          <title xml:lang="en-US">Verify that No Non-Root Accounts Have UID 0</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> In general, the best practice solution for auditing use of the
						root account is to restrict the set of cases in which root must be accessed
						anonymously by requiring use of su or sudo in almost all cases. Some sites
						choose to have more than one account with UID 0 in order to differentiate
						between administrators, but this practice may have unexpected side effects,
						and is therefore not recommended. </xhtml:p>


					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> This command will print all password file entries
						for accounts with UID 0: </xhtml:p>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd </xhtml:code>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> This should print only one line, for the user root. If any other
						lines appear, ensure that these additional UID-0 accounts are authorized,
						and that there is a good reason for them to exist. </xhtml:p> </description>
          <Rule id="rule-1041" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">No Non-Root Accounts Have UID 0</title>
            <description xml:lang="en-US">Anonymous root logins should be disabled</description>
            <ident system="http://cce.mitre.org">CCE-4009-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1041" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>

        <Group id="gr-accounts-login.8" hidden="false">
          <title xml:lang="en-US">Set Password Expiration Parameters</title>
          <description xml:lang="en-US"> Edit the file /etc/login.defs to specify password
						expiration settings for new accounts. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS=180</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS=7</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_WARN_AGE=7</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						For each existing human user USER , modify the current expiration settings to match these: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						# chage -M 180 -m 7 -W 7 USER<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Users should be forced to change their passwords, in order to
						decrease the utility of compromised passwords. However, the need to change
						passwords often should be balanced against the risk that users will reuse or
						write down passwords if forced to change them too often. Forcing password
						changes every 90-360 days, depending on the environment, is recommended. Set
						the appropriate value as PASS_MAX_DAYS and apply it to existing accounts
						with the -M flag. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The PASS_MIN_DAYS (-m) setting prevents password changes for 7
						days after the first change, to discourage password cycling. If you use this
						setting, train users to contact an administrator for an emergency password
						change in case a new password becomes compromised. The PASS_WARN_AGE (-W)
						setting gives users 7 days of warnings at login time that their passwords
						are about to expire.</description>
          <Value id="var-1042" operator="equals" type="string">
            <title xml:lang="en-US">Minimum password age</title>
            <description xml:lang="en-US">Enter minimum duration before allowing a
							password change</description>
            <value>7</value>
            <value selector="0_days">0</value>
            <value selector="1_day">1</value>
            <value selector="7_days">7</value>
          </Value>
          <Value id="var-1043" operator="equals" type="string">
            <title xml:lang="en-US">Maximum password age</title>
            <description xml:lang="en-US">Enter age before which a password must be
							changed</description>
            <value>180</value>
            <value selector="0_days">0</value>
            <value selector="30_days">30</value>
            <value selector="60_days">60</value>
            <value selector="90_days">90</value>
            <value selector="120_days">120</value>
            <value selector="150_days">150</value>
            <value selector="180_days">180</value>
            <value selector="99999_days">99999</value>
          </Value>
          <Value id="var-1044" operator="equals" type="string">
            <title xml:lang="en-US">Password warn age</title>
            <description xml:lang="en-US"> The number of days warning given before a
							password expires. A zero means warning is given only upon the day of
							expiration, a negative value means no warning is given. If not
							specified, no warning will be provided.</description>
            <value>7</value>
            <value selector="7_days">7</value>
            <value selector="8_days">8</value>
            <value selector="14_days">14</value>
          </Value>
          <Rule id="rule-1042" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Minimum password age</title>
            <description xml:lang="en-US">The minimum password age should be set
							appropriately</description>
            <ident system="http://cce.mitre.org">CCE-4180-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1042" value-id="var-1042"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1042" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1043" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Maximum password age</title>
            <description xml:lang="en-US">The maximum password age should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1043"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4092-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1043" value-id="var-1043"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1043" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1044" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Password warn age</title>
            <description xml:lang="en-US">The password warn age should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1044"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4097-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1044" value-id="var-1044"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1044" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>


      <Group id="gr-accounts-pam" hidden="false">
        <title xml:lang="en-US">Protect Accounts by Configuring PAM</title>
        <description xml:lang="en-US"> PAM, or Pluggable Authentication Modules, is a system
					which implements modular authentication for Linux programs. PAM is
					well-integrated into Linux's authentication architecture, making it difficult to
					remove, but it can be configured to minimize your system's exposure to
					unnecessary risk. This section contains guidance on how to accomplish that, and
					how to ensure that the modules used by your PAM configuration do what they are
					supposed to do. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PAM is implemented as a set of shared objects which are loaded and
					invoked whenever an application wishes to authenticate a user. Typically, the
					application must be running as root in order to take advantage of PAM.
					Traditional privileged network listeners (e.g. sshd) or SUID programs (e.g.
					sudo) already meet this requirement. An SUID root application, userhelper, is
					provided so that programs which are not SUID or privileged themselves can still
					take advantage of PAM. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PAM looks in the directory /etc/pam.d for application-specific
					configuration information. For instance, if the program login attempts to
					authenticate a user, then PAM's libraries follow the instructions in the file
					/etc/pam.d/login to determine what actions should be taken. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>One very important file in /etc/pam.d is /etc/pam.d/system-auth. This
					file, which is included by many other PAM configuration files, defines 'default'
					system authentication measures. Modifying this file is a good way to make
					far-reaching authentication changes, for instance when implementing a
					centralized authentication service. Another important file is password-auth. It contains just the same
					things as system-auth except modules that make sense only for local
					services are removed (used for sshd for example)</description>
        <warning xml:lang="en-US"> Be careful when making changes to PAM's configuration
					files. The syntax for these files is complex, and modifications can have
					unexpected consequences. The default configurations shipped with applications
					should be sufficient for most users. </warning>
        <warning xml:lang="en-US"> Running authconfig or system-config-authentication will
					re-write the PAM configuration files, destroying any manually made changes and
					replacing them with a series of system defaults. The reference to the
					configuration file syntax can be found at
					http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html. </warning>
        <Group id="gr-accounts-pam.1" hidden="false">
          <title xml:lang="en-US">Set Password Quality Requirements</title>
          <description xml:lang="en-US"> The default pam_cracklib PAM module provides
						strength checking for passwords. It performs a number of checks, such as
						making sure passwords are not similar to dictionary words, are of at least a
						certain length, are not the previous password reversed, and are not simply a
						change of case from the previous password. It can also require passwords to
						be in certain character classes.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The pam_passwdqc PAM module provides the ability to enforce even
						more stringent password strength requirements. It is provided in an RPM of
						the same name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The man pages pam_cracklib(8) and pam_passwdqc(8) provide
						information on the capabilities and configuration of each. </description>

          <Group id="gr-accounts-pam.1.1" hidden="false">
            <title xml:lang="en-US">Password Quality Requirements Set By pam_cracklib module</title>
            <description xml:lang="en-US"> The default pam_cracklib PAM module provides
                                                strength checking for passwords. It performs a number of checks, such as
                                                making sure passwords are not similar to dictionary words, are of at least a
                                                certain length, are not the previous password reversed, and are not simply a
                                                change of case from the previous password. It can also require passwords to
                                                be in certain character classes. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						For example to configure pam_cracklib to require at least one uppercase	character, 
						lowercase character, digit, and other (special) character, locate the following line in 
						/etc/pam.d/system-auth and /etc/pam.d/password-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						password requisite pam_cracklib.so try_first_pass retry=3 <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then alter it to read:
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 

						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If necessary, modify the arguments to ensure compliance with
 						your organization’s security policy. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						The man page pam_cracklib(8) provide information on the capabilities and configuration.
						</description> 
            <warning xml:lang="en-US">Note that the password quality requirements are not enforced for the root account for some reason. </warning>
            <Value id="var-1045" type="number">
              <title xml:lang="en-US">retry</title>
              <description xml:lang="en-US">Number of retry attempts before erroring out</description>
              <value>3</value>
              <value selector="1">1</value>
              <value selector="2">2</value>
              <value selector="3">3</value>
            </Value>
            <Value id="var-1046" type="number">
              <title xml:lang="en-US">minlen</title>
              <description xml:lang="en-US">Minimum number of characters in password</description>
              <value>12</value>
              <value selector="6">6</value>
              <value selector="8">8</value>
              <value selector="10">10</value>
              <value selector="12">12</value>
              <value selector="14">14</value>
              <value selector="15">15</value>
            </Value>
            <Value id="var-1047" type="number">
              <title xml:lang="en-US">dcredit</title>
              <description xml:lang="en-US">Mininum number of digits in	password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1049" type="number">
              <title xml:lang="en-US">ocredit</title>
              <description xml:lang="en-US">Mininum number of other (special characters) in password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1050" type="number">
              <title xml:lang="en-US">lcredit</title>
              <description xml:lang="en-US">Mininum number of lower case in password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1048" type="number">
              <title xml:lang="en-US">ucredit</title>
              <description xml:lang="en-US">Mininum number of upper case in
								password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1051" type="number">
              <title xml:lang="en-US">difok</title>
              <description xml:lang="en-US">Mininum number of characters not present
								in old password</description>
              <warning xml:lang="en-US">Keep this high for short passwords</warning>
              <value>5</value>
              <value selector="2">2</value>
              <value selector="3">3</value>
              <value selector="4">4</value>
              <value selector="5">5</value>
            </Value>
            <Rule id="rule-1045" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Password retry Requirements</title>
              <description xml:lang="en-US">The password retry should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-15054-0</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1045" value-id="var-1045"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1045" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1046" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Password minlen Requirements</title>
              <description xml:lang="en-US">The password minlen should meet minimum
								requirements</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1046" value-id="var-1046"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1046" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1047" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require a minimum number of digits</title>
              <description xml:lang="en-US">The password dcredit should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-14113-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1047" value-id="var-1047"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1047" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1048" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require a minimum number of uppercase characters</title>
              <description xml:lang="en-US">The password ucredit should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-14672-0</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1048" value-id="var-1048"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1048" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1049" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require a minimum number of special characters</title>
              <description xml:lang="en-US">The password strength parameters should require a minimum number of special characters</description>
              <ident system="http://cce.mitre.org">CCE-14122-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1049" value-id="var-1049"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1049" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1050" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Set Password lcredit Requirements</title>
              <description xml:lang="en-US">The password strength parameters should require a minimum number of lowercase characters</description>
              <ident system="http://cce.mitre.org">CCE-14712-4</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1050" value-id="var-1050"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1050" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1051" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require new passwords to difer from old ones by a minimum number of characters</title>
              <description xml:lang="en-US">The password difok should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-14701-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1051" value-id="var-1051"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1051" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-accounts-pam.1.2" hidden="false">
            <title xml:lang="en-US">Set Password Quality Requirements, if using pam_passwdqc</title>
            <description xml:lang="en-US"> If password strength stronger than that
							guaranteed by pam_cracklib is required, configure PAM to use pam_passwdqc.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To activate pam_passwdqc, locate the following line in /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then replace it with the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> password requisite pam_passwdqc.so min=disabled,disabled,16,12,8<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If necessary, modify the arguments
							(min=disabled,disabled,16,12,8) to ensure compliance with your
							organization’s security policy. Configuration options are described in
							the man page pam_passwdqc(8) and also in
							/usr/share/doc/pam_passwdqc-version. The minimum lengths provided here
							supercede that specified by the argument PASS_MIN_LEN in login.defs.
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The options given in the example above set a minimum length
							for each of the password “classes” that pam_passwdqc recognizes. Setting
							a particular minimum value to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">disabled</xhtml:code>
							will stop users from choosing a
							password that falls into that category alone. </description>
	    <!-- The individual values do not have a generic meaning that is likely to make sense outside of pam_passwdqc, so this test only allows verifying
		 a policy specifically designed for pam_passwdqc. -->
            <Value id="var-1052" type="string">
              <title xml:lang="en-US">pam_passwdqc min</title>
              <description xml:lang="en-US">"min" parameter for pam_passwdqc</description>
              <value>disabled,disabled,16,12,8</value>
            </Value>
            <Rule id="rule-1052" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should be configured using pam_passwdqc</title>
              <description xml:lang="en-US">pam_passwdqc "min" should be configured as described by the policy</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1052" value-id="var-1052"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1052" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-accounts-pam.2" hidden="false">
          <title xml:lang="en-US">Set Lockouts for Failed Password Attempts</title>
          <description xml:lang="en-US"> The pam_tally2 PAM module provides the capability
						to lock out user accounts after a number of failed login attempts. Its
						documentation is available in the man page pam_tally2(8). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If locking out accounts after a number of incorrect login
						attempts is required by your security policy, implement use of pam_tally2.so
						for the relevant PAM-aware programs such as login, sshd, and vsftpd. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Find the following line in /etc/pam.d/system-auth: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth sufficient pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then change it so that it reads as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth required pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In the same file, comment out or delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth requisite pam_succeed_if.so uid &gt;= 500 quiet <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						auth required pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						After changing /etc/pam.d/system-auth as described above, perform the same set of changes in /etc/pam.d/password-auth as well.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To enforce password lockout, add the following to the individual
						programs' configuration files in /etc/pam.d. First, add to end of the auth
						lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth required pam_tally2.so deny=5 onerr=fail <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Second, add to the end of the account lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> account required pam_tally2.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Adjust the deny argument to conform to your system security
						policy. The pam_tally2 utility can be used to unlock user accounts as
						follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /sbin/pam_tally2 --user username --reset <xhtml:br/>
						</xhtml:code>
					</description>
          <warning xml:lang="en-US"> Locking out user accounts presents the risk of a
						denial-of-service attack. The security policy regarding system lockout must
						weigh whether the risk of such a denial-of-service attack outweighs the
						benefits of thwarting password guessing attacks. The pam_tally2 utility can
						be run from a cron job on a hourly or daily basis to try and offset this
						risk. </warning>
	  <!-- Not tested, this needs to be tested in files specific for each service, and coordinated editing of several PAM configuration items is required. -->
        </Group>
        <Group id="gr-accounts-pam.3" hidden="false">
          <title xml:lang="en-US">Use pam_deny.so to Quickly Deny Access to a Service</title>
          <description xml:lang="en-US"> In order to deny access to a service SVCNAME via
						PAM, edit the file /etc/pam.d/SVCNAME . Prepend this line to the beginning
						of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth requisite pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Under most circumstances, there are better ways to disable a
						service than to deny access via PAM. However, this should suffice as a way
						to quickly make a service unavailable to future users (existing sessions
						which have already been authenticated, are not affected). The requisite tag
						tells PAM that, if the named module returns failure, authentication should
						fail, and PAM should immediately stop processing the configuration file. The
						pam_deny.so module always returns failure regardless of its
						input.</description>
        </Group>
        <Group id="gr-accounts-pam.4" hidden="false">
          <title xml:lang="en-US">Ensure the Password Hashing Algorithm is SHA-512</title>
          <description xml:lang="en-US"> The default algorithm for storing password hashes
						in /etc/shadow is SHA-512, but a weaker algorithm could have been configured.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In order to configure the system to use the SHA-512 algorithm,
						issue the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/authconfig --passalgo=sha512 --update<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When users changes their passwords, hashes for the new passwords
						will be generated using the SHA-512 algorithm.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> </description>
          <Value id="var-1053" operator="equals" type="string">
            <title xml:lang="en-US">Password hashing algorithm</title>
            <description xml:lang="en-US">Enter /etc/shadow password hashing
							algorithm</description>
            <value>sha512</value>
            <value selector="MD5">md5</value>
            <value selector="SHA-256">sha256</value>
            <value selector="SHA-512">sha512</value>
          </Value>
          <Rule id="rule-1053" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Password hashing algorithm</title>
            <description xml:lang="en-US">The password hashing algorithm should be set to
		    <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1053"/></description>
            <ident system="http://cce.mitre.org">CCE-14063-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1053" value-id="var-1053"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1053" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-pam.5" hidden="false">
          <title xml:lang="en-US">Limit Password Reuse</title>
          <description xml:lang="en-US"> Do not allow users to reuse recent passwords.
						This can be accomplished by using the remember option for the pam_unix PAM
						module. In order to prevent a user from re-using any of his or her last 5
						passwords, locate the <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> password requisite pam_cracklib.so ... </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> or <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password requisite pam_passwdqc.so ... </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>line in /etc/pam.d/system-auth,
						and add the following line immediately below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> password requisite pam_pwhistory.so use_authtok remember=5 </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Old (and thus no longer valid) passwords are stored in the file
						/etc/security/opasswd. </description>
          <Value id="var-1054" operator="equals" type="number">
            <title xml:lang="en-US">remember</title>
            <description xml:lang="en-US"> The last n passwords for each user are saved
							in /etc/security/opasswd in order to force password change history and
							keep the user from alternating between the same password too frequently. </description>
            <value>5</value>
            <value selector="0">0</value>
            <value selector="5">5</value>
            <value selector="10">10</value>
          </Value>
          <Rule id="rule-1054" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Limit password reuse</title>
            <description xml:lang="en-US">The passwords to remember should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1054"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-14939-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1054" value-id="var-1054"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1054" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-accounts-config" hidden="false">
        <title xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title>
        <description xml:lang="en-US"> When a user logs into a Unix account, the system
					configures the user's session by reading a number of files. Many of these files
					are located in the user's home directory, and may have weak permissions as a
					result of user error or misconfiguration. If an attacker can modify or even read
					certain types of account configuration information, he can often gain full
					access to the affected user's account. Therefore, it is important to test and
					correct configuration file permissions for interactive accounts, particularly
					those of privileged users such as root or system administrators.</description>
        <Group id="gr-accounts-config.1" hidden="false">
          <title xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title>
          <description xml:lang="en-US"> The active path of the root account can be
						obtained by starting a new root shell and running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># echo $PATH </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>This will produce a colon-separated list of directories in the
						path. For each directory DIR in the path, ensure that DIR is not equal to a
						single . character. Also ensure that there are no 'empty' elements in the
						path, such as in these examples: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=:/bin</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=/bin:</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=/bin::/sbin</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These empty elements have the same effect as a single .
						character. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each element in the path, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld DIR <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and ensure that write permissions are disabled for group and
						other. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is important to prevent root from executing unknown or
						untrusted programs, since such programs could contain malicious code.
						Therefore, root should not run programs installed by unprivileged users.
						Since root may often be working inside untrusted directories, the .
						character, which represents the current directory, should never be in the
						root path, nor should any directory which can be written to by an
						unprivileged or semi-privileged (system) user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is a good practice for administrators to always execute
						privileged commands by typing the full path to the command.</description>
          <Rule id="rule-1055" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">No Dangerous Directories Exist in Root's PATH variable</title>
            <description xml:lang="en-US">The PATH variable should be set correctly for user
							root</description>
            <ident system="http://cce.mitre.org">CCE-3301-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1055" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1056" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The PATH variable for root does not include any world-writable or group-writable directories</title>
            <description xml:lang="en-US">Check each directory in root's path and make use it does not
							grant write permission to group and other</description>
            <ident system="http://cce.mitre.org">CCE-14957-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1056" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.2" hidden="false">
          <title xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
          <description xml:lang="en-US"> For each human user USER of the system, view the
						permissions of the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ensure that the directory is not group-writable and that it is
						not world-readable. If necessary, repair the permissions:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod g-w /home/USER</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod o-rwx /home/USER</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> User home directories contain many configuration files which
						affect the behavior of a user's account. No user should ever have write
						permission to another user's home directory. Group shared directories can be
						configured in subdirectories or elsewhere in the filesystem if they are
						needed. Typically, user home directories should not be world-readable. If a
						subset of users need read access to one another's home directories, this can
						be provided using groups.</description>
          <warning xml:lang="en-US">This section recommends modifying user home
						directories. Notify your user community, and solicit input if appropriate,
						before making this type of change. </warning>
          <Rule id="rule-1057" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User Home Directories are not Group-Writable or World-Readable</title>
            <description xml:lang="en-US">File permissions should be set correctly for the home
							directories for all user accounts.</description>
            <ident system="http://cce.mitre.org">CCE-4090-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1057" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.3" hidden="false">
          <title xml:lang="en-US">Ensure that User Dot-Files are not World-writable</title>
          <description xml:lang="en-US"> For each human user USER of the system, view the
						permissions of all dot-files in the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER/.[A-Za-z0-9]* <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ensure that none of these files are group- or world-writable.
						Correct each misconfigured file FILE by executing: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod go-w /home/USER/FILE <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A user who can modify another user's configuration files can
						likely execute commands with the other user's privileges, including stealing
						data, destroying files, or launching further attacks on the
						system.</description>
          <warning xml:lang="en-US">This section recommends modifying user home
						directories. Notify your user community, and solicit input if appropriate,
						before making this type of change. </warning>
          <Rule id="rule-1058" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User Home Directories are not Group-Writable or World-Readable</title>
            <description xml:lang="en-US">File permissions should be set correctly for the home
							directories for all user accounts.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1058" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.4" hidden="false">
          <title xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title>
          <description xml:lang="en-US">
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Edit the global configuration files /etc/profile, /etc/bashrc,
								and /etc/csh.cshrc. Add or correct the line: <xhtml:br/>
								<xhtml:br/> umask 077</xhtml:li>
							<xhtml:li>Edit the user definitions file /etc/login.defs. Add or correct
								the line:<xhtml:br/>
								<xhtml:br/> UMASK 077 </xhtml:li>
							<xhtml:li>View the additional configuration files /etc/csh.login and
								/etc/profile.d/*, and ensure that none of these files redefine the
								umask to a more permissive value unless there is a good reason for
								it.</xhtml:li>
							<xhtml:li>Edit the root shell configuration files /root/.bashrc,
								/root/.bash profile, /root/.cshrc, and /root/.tcshrc. Add or correct
								the line: <xhtml:br/>
								<xhtml:br/> umask 077 </xhtml:li>
						</xhtml:ol> With a default umask setting of 077, files and directories
						created by users will not be readable by any other user on the system. Users
						who wish to make specific files group- or world-readable can accomplish this
						using the chmod command. Additionally, users can make all their files
						readable to their group by default by setting a umask of 027 in their shell
						configuration files. If default per-user groups exist (that is, if every
						user has a default group whose name is the same as that user's username and
						whose only member is the user), then it may even be safe for users to select
						a umask of 007, making it very easy to intentionally share files with group
						s of which the user is a member. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In addition, it may be necessary to change root's umask
						temporarily in order to install software or files which must be readable by
						other users, or to change the default umasks of certain service accounts
						such as the FTP user. However, setting a restrictive default protects the
						files of users who have not taken steps to make their files more available,
						and preventing files from being inadvertently shared.</description>
          <warning xml:lang="en-US">This sections recommends modifying user home
						directories. Notify your user community, and solicit input if appropriate,
						before making this type of change. </warning>
          <Value id="var-1059" operator="equals" type="string">
            <title xml:lang="en-US">Default user umask</title>
            <description xml:lang="en-US">Enter default user umask</description>
            <value>022</value>
            <value selector="002">002</value>
            <value selector="007">007</value>
            <value selector="022">022</value>
            <value selector="027">027</value>
            <value selector="077">077</value>
          </Value>
          <Value id="var-1061" operator="equals" type="string">
            <title xml:lang="en-US">umask for shadow-utils</title>
            <description xml:lang="en-US">Enter default user umask</description>
            <value>077</value>
            <value selector="007">007</value>
            <value selector="022">022</value>
            <value selector="027">027</value>
            <value selector="077">077</value>
          </Value>
          <Rule id="rule-1059" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/bashrc</title>
            <description xml:lang="en-US">The default umask for all users for the bash shell should be
							set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-3844-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1059" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1060" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/csh.cshrc</title>
            <description xml:lang="en-US">The default umask for all users for the csh shell should be set
							to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4227-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1060" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1061" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/login.defs</title>
            <description xml:lang="en-US">The default umask for all users should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1061"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-14107-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1061" value-id="var-1061"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1061" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1062" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/profile</title>
            <description xml:lang="en-US">The default umask for all users should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-14847-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1062" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.5" hidden="false">
          <title xml:lang="en-US">Ensure that Users do not Have .netrc Files</title>
          <description xml:lang="en-US"> For each human user USER of the system, ensure
						that the user has no .netrc file. The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -l /home/USER/.netrc <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> should return the error 'No such file or directory'. If any user
						has such a file, approach that user to discuss removing this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The .netrc file is a configuration file used to make unattended
						logins to other systems via FTP. When this file exists, it frequently
						contains unencrypted passwords which may be used to attack other
						systems.</description>
          <warning xml:lang="en-US">This section recommends modifying user home
						directories. Notify your user community, and solicit input if appropriate,
						before making this type of change. </warning>
          <Rule id="rule-1063" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">No ~/.netrc files exist</title>
            <description xml:lang="en-US">No user's home directory should contain a .netrc file</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1063" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-accounts-physical" hidden="false">
        <title xml:lang="en-US">Protect Physical Console Access</title>
        <description xml:lang="en-US"> It is impossible to fully protect a system from an
					attacker with physical access, so securing the space in which the system is
					located should be considered a necessary step. However, there are some steps
					which, if taken, make it more difficult for an attacker to quickly or
					undetectably modify a system from its console.</description>
        <Group id="gr-accounts-physical.1" hidden="false">
          <title xml:lang="en-US">Set BIOS Password</title>
          <description xml:lang="en-US"> The BIOS (on x86 systems) is the first code to
						execute during system startup and controls many important system parameters,
						including which devices the system will try to boot from, and in which
						order. Assign a password to prevent any unauthorized changes to the BIOS
						configuration. The exact steps will vary depending on your machine, but are
						likely to include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Reboot the machine.</xhtml:li>
							<xhtml:li>Press the appropriate key during the initial boot screen (F2
								is typical)</xhtml:li>
							<xhtml:li>Navigate the BIOS configuration menu to add a
								password.</xhtml:li>
						</xhtml:ol> The exact process will be system-specific and the system's
						hardware manual may provide detailed instructions. This password should
						prevent attackers with physical access from attempting to change important
						parameters.
						However, an attacker with physical access can usually clear the BIOS
						password. The password should be written down and stored in a
						physically-secure location, such as a safe, in the event that it is
						forgotten and must be retrieved.</description>
        </Group>
        <Group id="gr-accounts-physical.2" hidden="false">
          <title xml:lang="en-US">Boot Loader Password</title>
          <description xml:lang="en-US"> During the boot process, the boot loader is
						responsible for starting the execution of the kernel and passing options to
						it. The boot loader allows for the selection of different kernels – possibly
						on different partitions or media. Options it can pass to the kernel include
						'single-user mode,' which provides root access without any authentication,
						and the ability to disable SELinux. To prevent local users from modifying
						the boot parameters and endangering security, the boot loader configuration
						should be protected with a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default RHEL boot loader for x86 systems is called GRUB. To
						protect its configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Select a password and then generate a hash from it by running: <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># grub-crypt --sha-512 </xhtml:code>
							</xhtml:li>
							<xhtml:li>Insert the following line into /boot/grub/grub.conf immediately
								after the header comments. (Use the output from grub-crypt as
								the value of password-hash ): <xhtml:br/>
								<xhtml:br/>
								<xhtml:code>password --encrypted password-hash </xhtml:code>
							</xhtml:li>
							<xhtml:li>Verify the permissions on /boot/grub/grub.conf (which is a symlink
								to ../boot/grub/grub.conf): <xhtml:br/>
								<xhtml:br/>
								<xhtml:code> # chown root:root /boot/grub/grub.conf</xhtml:code><xhtml:br/>
								<xhtml:code> # chmod 600 /boot/grub/grub.conf</xhtml:code>
							</xhtml:li>
						</xhtml:ol> Boot loaders for other platforms should offer a similar password
						protection feature.</description>
          <Value id="var-1064" operator="equals" type="string">
            <title xml:lang="en-US">User that owns /boot/grub/grub.conf</title>
            <description xml:lang="en-US">Choose user that should own
							/boot/grub/grub.conf</description>
	    <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Value id="var-1065" operator="equals" type="string">
            <title xml:lang="en-US">Group that owns /boot/grub/grub.conf</title>
            <description xml:lang="en-US">Choose group that should own
							/boot/grub/grub.conf</description>
	    <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Rule id="rule-1064" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Boot Loader user owner</title>
            <description xml:lang="en-US">Boot Loader configuration file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-4144-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1064" value-id="var-1064"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1064" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1065" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Boot Loader group owner</title>
            <description xml:lang="en-US">Boot Loader configuration file should be owned by group
							root.</description>
            <ident system="http://cce.mitre.org">CCE-4197-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1065" value-id="var-1065"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1065" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1066" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on boot loader</title>
            <description xml:lang="en-US">Boot Loader configuration file permissions should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3923-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1066" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1067" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Enable Boot Loader Password</title>
            <description xml:lang="en-US">The grub boot loader should have sha-512 password protection
							enabled</description>
            <ident system="http://cce.mitre.org">CCE-3818-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1067" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.3" hidden="false">
          <title xml:lang="en-US">Require Authentication for Single-User Mode</title>
          <description xml:lang="en-US"> Single-user mode is intended as a system recovery
						method, providing a single user root access to the system by providing a
						boot option at startup. By default, no authentication is performed if
						single-user mode is selected. This provides a trivial mechanism of bypassing
						security on the machine and gaining root access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To require entry of the root password even if the system is
						started in single-user mode, change the SINGLE value in /etc/sysconfig/init as follows:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
	                                        <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SINGLE=/sbin/sulogin</xhtml:code></description>
          <Rule id="rule-1068" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Require Authentication for Single-User Mode</title>
            <description xml:lang="en-US">A password should be required to boot into single-user mode.</description>
            <ident system="http://cce.mitre.org">CCE-4241-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1068" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.4" hidden="false">
          <title xml:lang="en-US">Disable Interactive Boot</title>
          <description xml:lang="en-US"> Edit the file /etc/sysconfig/init. Add or correct
						the setting:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PROMPT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The PROMPT option allows the console user
						to perform an interactive system startup, in which it is possible to select
						the set of services which are started on boot. Using interactive boot, the
						console user could disable auditing, firewalls, or other services, weakening
						system security.</description>
          <Rule id="rule-1069" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable Interactive Boot</title>
            <description xml:lang="en-US">The ability for users to perform interactive startups should be
							disabled.</description>
            <ident system="http://cce.mitre.org">CCE-4245-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1069" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.5" hidden="false">
          <title xml:lang="en-US">Implement Inactivity Time-out for Login Shells</title>
          <description xml:lang="en-US"> If the system does not run X Windows, then the
						login shells can be configured to automatically log users out after a period
						of inactivity. The following instructions are not practical for systems
						which run X Windows, as they will close terminal windows in the X
						environment. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To implement a 15-minute idle time-out for the default /bin/bash
						shell, create a new file tmout.sh in the directory /etc/profile.d with the
						following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TMOUT=900 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> readonly TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> export TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To implement a 15-minute idle time-out for the tcsh shell,
						create a new file autologout.csh in the directory /etc/profile.d with the
						following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> set -r autologout=15 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Similar actions should be taken for any other login shells used. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The example time-out here of 15 minutes should be adjusted to
						whatever your security policy requires. The readonly line for bash and the
						-r option for tcsh can be omitted if policy allows users to override the
						value. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The automatic shell logout only occurs when the shell is the
						foreground process. If, for example, a vi session is left idle, then
						automatic logout would not occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When logging in through a remote connection, as with SSH, it may
						be more effective to set the timeout value directly through that service.</description>
          <Value id="var-1070" operator="equals" type="number">
            <title xml:lang="en-US">Inactivity timeout</title>
            <description xml:lang="en-US">Choose allowed duration of inactive SSH
							connections, shells, and X sessions</description>
            <value>15</value>
            <value selector="0_minutes">0</value>
            <value selector="10_minutes">10</value>
            <value selector="15_minutes">15</value>
          </Value>
          <Rule id="rule-1070" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Enforce an inactivity timeout for Bourne shells</title>
            <description xml:lang="en-US">Bourne shells should be closed after <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1070"/> minutes of inactivity.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1070" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1071" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Enforce an inactivity timeout for C shells</title>
            <description xml:lang="en-US">C shells should be closed after <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1070"/> minutes of inactivity.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1071" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.6" hidden="false">
          <title xml:lang="en-US">Configure Screen Locking</title>
          <description xml:lang="en-US"> When a user must temporarily leave an account
						logged-in, screen locking should be employed to prevent passersby from
						abusing the account. User education and training is particularly important
						for screen locking to be effective. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A policy should be implemented that trains all users to lock the
						screen when they plan to temporarily step away from a logged-in account.
						Automatic screen locking is only meant as a safeguard for those cases where
						a user forgot to lock the screen.</description>
          <Group id="gr-accounts-physical.6.1" hidden="false">
            <title xml:lang="en-US">Configure GUI Screen Locking</title>
            <description xml:lang="en-US"> In the default GNOME desktop, the screen can
							be locked by choosing Lock Screen from the System menu. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The gconftool-2 program can be used to enforce mandatory
							screen locking settings for the default GNOME environment. Run the
							following commands to enforce idle activation of the screen saver,
							screen locking, a blank-screen screensaver, and 15-minute idle
							activation time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source	xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type bool
							--set /apps/gnome-screensaver/idle_activation_enabled true
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source	xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type bool
							--set /apps/gnome-screensaver/lock_enabled true
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type string
							--set /apps/gnome-screensaver/mode blank-only
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source	xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type int
							--set /desktop/gnome/session/idle_delay 15
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default setting of 15 minutes for idle activation is
							reasonable for many office environments, but the setting should conform
							to whatever policy is defined. The screensaver mode blank-only is
							selected to conceal the contents of the display from passersby. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because users should be trained to lock the screen when they
							step away from the computer, the automatic locking feature is only meant
							as a backup. The Lock Screen icon from the System menu can also be
							dragged to the taskbar in order to facilitate even more convenient
							screen-locking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The root account cannot be screen-locked, but this should
							have no practical effect as the root account should never be used to log
							into an X Windows environment, and should only be used to for direct
							login via console in emergency circumstances. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For more information about configuring GNOME screensaver,
							see http://live.gnome.org/GnomeScreensaver. For more information about
							enforcing preferences in the GNOME environment using the GConf
							configuration system, see http://www.gnome.org/projects/gconf and the
							man page gconftool-2(1).</description>
            <Rule id="rule-1072" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Implement Inactivity Time-out for GNOME</title>
              <description xml:lang="en-US">The idle time-out value for GNOME
								desktop lockout should be 15 minutes</description>
              <ident system="http://cce.mitre.org">CCE-3315-9</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1072" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1073" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">The gnome desktop screensaver should be enabled.</title>
              <description xml:lang="en-US">Idle activation of the screen saver should be
								enabled</description>
              <ident system="http://cce.mitre.org">CCE-14604-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1073" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1074" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Lock the screensaver with a password</title>
              <description xml:lang="en-US">The screensaver should ask for a password</description>
              <ident system="http://cce.mitre.org">CCE-14023-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1074" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1075" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Implement blank screen saver</title>
              <description xml:lang="en-US">The screen saver should be blank</description>
              <ident system="http://cce.mitre.org">CCE-14735-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1075" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-accounts-physical.6.2" hidden="false">
            <title xml:lang="en-US">Configure Console Screen Locking</title>
            <description xml:lang="en-US"> A console screen locking mechanism is
							provided in the vlock package, which is not installed by default. If the
							ability to lock console screens is necessary, install the vlock package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vlock <xhtml:br/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Instruct users to invoke the program when necessary, in
							order to prevent passersby from abusing their login: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ vlock <xhtml:br/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The -a option can be used to prevent switching to other
							virtual consoles.</description>
            <Rule id="rule-1076" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure console screen locking</title>
              <description xml:lang="en-US">The vlock package should be installed</description>
              <ident system="http://cce.mitre.org">CCE-3910-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1076" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-accounts-physical.7" hidden="false">
          <title xml:lang="en-US">Disable Unnecessary Ports</title>
          <description xml:lang="en-US"> Though unusual, some systems may be managed only
						remotely and yet also exposed to risk from attackers with direct physical
						access to them. In these cases, reduce an attacker’s access to the system by
						disabling unnecessary external ports (e.g. USB, FireWire, NIC) in the
						system’s BIOS.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Disable ports on the system which are not necessary for normal
						system operation. The exact steps will vary depending on your machine, but
						are likely to include: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Reboot the machine.</xhtml:li>
							<xhtml:li>Press the appropriate key during the initial boot screen (F2
								is typical). </xhtml:li>
							<xhtml:li>Navigate the BIOS conguration menu to disable ports, such as
								USB, FireWire, and NIC.</xhtml:li>
						</xhtml:ol>
					</description>
          <warning xml:lang="en-US">Disabling USB ports is particularly unusual and will
						cause problems for important input devices such as keyboards or mice
						attached to the system.</warning>
        </Group>
      </Group>
      <Group id="gr-accounts-centralized" hidden="false">
        <title xml:lang="en-US">Use a Centralized Authentication Service</title>
        <description xml:lang="en-US"> A centralized authentication service is any method of
					maintaining central control over account and authentication data and of keeping
					this data synchronized between machines. Such services can range in complexity
					from a script which pushes centrally-generated password files out to all
					machines, to a managed scheme such as LDAP or Kerberos. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If authentication information is not centrally managed, it quickly
					becomes inconsistent, leading to out-of-date credentials and forgotten accounts
					which should have been deleted. In addition, many older protocols (such as NFS)
					make use of the UID to identify users over a network. This is not a good
					practice, and these protocols should be avoided if possible. However, since most
					sites must still make use of some older protocols, having consistent UIDs and
					GIDs site-wide is a significant benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Centralized authentication services do have the disadvantage that
					authentication information must be transmitted over a network, leading to a risk
					that credentials may be intercepted or manipulated. Therefore, these services
					must be deployed carefully. The following precautions should be taken when
					configuring any authentication service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>Ensure that authentication information and any sensitive account
							information are never sent over the network unencrypted.</xhtml:li>
						<xhtml:li>Ensure that the root account has a local password, to allow
							recovery in case of network outage or authentication server
							failure.</xhtml:li>
					</xhtml:ul> This guide recommends the use of LDAP. Kerberos is also
					a good choice for a centralized authentication service, but a description of its
					configuration is beyond the scope of this guide. The NIS service is not
					recommended, and should be considered obsolete. </description>
      </Group>
      <Group id="gr-accounts-banners" hidden="false">
        <title xml:lang="en-US">Warning Banners for System Accesses</title>
        <description xml:lang="en-US"> Each system should expose as little information about
					itself as possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> System banners, which are typically displayed just before a login
					prompt, give out information about the service or the host's operating system.
					This might include the distribution name and the system kernel version, and the
					particular version of a network service. This information can assist intruders
					in gaining access to the system as it can reveal whether the system is running
					vulnerable software. Most network services can be configured to limit what
					information is displayed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Many organizations implement security policies that require a system
					banner provide notice of the system's ownership, provide warning to unauthorized
					users, and remind authorized users of their consent to monitoring.</description>
        <Value id="var-1077" operator="equals" type="string">
          <title xml:lang="en-US">login banner verbiage</title>
          <description xml:lang="en-US">Enter an appropriate login banner for your
					organization</description>
	  <value/>
        </Value>
        <Group id="gr-accounts-banners.1" hidden="false">
          <title xml:lang="en-US">Modify the System Login Banner</title>
          <description xml:lang="en-US"> The contents of the file /etc/issue are displayed
						on the screen just above the login prompt for users logging directly into a
						terminal. Remote login programs such as SSH or FTP can be configured to
						display /etc/issue as well.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, the system will display the version of the OS, the
						kernel version, and the host name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/issue. Replace the default text with a message
						compliant with the local site policy or a legal disclaimer.</description>
          <Rule id="rule-1077" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Modify the System Login Banner</title>
            <description xml:lang="en-US">The system login banner text should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1077"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4060-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1077" value-id="var-1077"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1077" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-banners.2" hidden="false">
          <title xml:lang="en-US">Implement a GUI Warning Banner</title>
          <description xml:lang="en-US"> In the default graphical environment, users
						logging directly into the system are greeted with a login screen provided by
						the GNOME display manager. The warning banner should be displayed in this
						graphical environment for these users.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Configure the banner using the following commands:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						# gconftool-2 --direct
						--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
						--type bool
						--set /apps/gdm/simple-greeter/banner_message_enable true
						</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						# gconftool-2 --direct
						--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
						--type string
						--set /apps/gdm/simple-greeter/banner_message_text 'YOUR_TEXT'
						</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
	  </description>
          <Rule id="rule-1078" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Implement a GUI Warning Banner</title>
            <description xml:lang="en-US">The direct gnome login warning banner text should be set
							appropriately</description>
            <ident system="http://cce.mitre.org">CCE-4188-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1077" value-id="var-1077"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1078" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-selinux" hidden="false">
      <title xml:lang="en-US">SELinux</title>
      <description xml:lang="en-US"> SELinux is a feature of the Linux kernel which can be
				used to guard against misconfigured or compromised programs. SELinux enforces the
				idea that programs should be limited in what files they can access and what actions
				they can take. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default SELinux policy, as configured on RHEL6,
				should be usable on almost any RHEL
				machine with minimal configuration and a small amount of system administrator
				training. This policy prevents system services — including most of the common
				network-visible services such as mail servers, ftp servers, and DNS servers — from
				accessing files which those services have no valid reason to access. This action
				alone prevents a huge amount of possible damage from network attacks against
				services, from trojaned software, and so forth. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide recommends that SELinux be enabled using the default
				(targeted) policy on every RHEL system, unless that system has requirements which
				make a stronger policy appropriate.</description>
      <Group id="gr-selinux-intro" hidden="false">
        <title xml:lang="en-US">How SELinux Works</title>
        <description xml:lang="en-US"> In the traditional Linux/Unix security model, known
					as Discretionary Access Control (DAC), processes run under a user and group
					identity, and enjoy that user and group's access rights to all files and other
					objects on the system. This system brings with it a number of security problems,
					most notably: that processes frequently do not need and should not have the full
					rights of the user who ran them; that user and group access rights are not very
					granular, and may require administrators to allow too much access in order to
					allow the access that is needed; that the Unix filesystem contains many
					resources (such as temporary directories and world-readable files) which are
					accessible to users who have no legitimate reason to access them; and that
					legitimate users can easily provide open access to their own resources through
					confusion or carelessness. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> SELinux provides a Mandatory Access Control (MAC) system that
					greatly augments the DAC model. Under SELinux, every process and every object
					(e.g. file, socket, pipe) on the system is given a security context, a label
					which include detailed type information about the object. The kernel allows
					processes to access objects only if that access is explicitly allowed by the
					policy in effect. The policy defines transitions, so that a user can be allowed
					to run software, but the software can run under a different context than the
					user's default. This automatically limits the damage that the software can do to
					files accessible by the calling user — the user does not need to take any action
					to gain this benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For an action to occur, both the traditional DAC permissions must be
					satisifed as well as SELinux's MAC rules. If either do not permit the action,
					then it will not be allowed. In this way, SELinux rules can only make a system's
					permissions more restrictive and secure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> SELinux requires a complex policy in order to allow all the actions
					required of a system under normal operation. Three such policies have been
					designed for use with RHEL6, and are included with the system. In increasing
					order of power and complexity, they are: targeted, strict (which is newly not provided
					as an individual package but is part of targeted policy package. The process
					of making strict policy is described later) and mls. The targeted
					SELinux policy consists mostly of Type Enforcement (TE) rules, and a small
					number of Role-Based Access Control (RBAC) rules. It restricts the actions of
					many types of programs, but leaves interactive users largely unaffected. The
					strict policy also uses TE and RBAC rules, but on more programs and more
					aggressively. The mls policy implements Multi-Level Security (MLS), which
					introduces even more kinds of labels — sensitivity and category — and rules that
					govern access based on these. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The remainder of this section provides guidance for the
					configuration of the targeted policy and the administration of systems under
					this policy. Some pointers will be provided for readers who are interested in
					further strengthening their systems by using one of the stricter policies
					provided with RHEL6 or in writing their own policy.</description>
      </Group>
      <Group id="gr-selinux-enable" hidden="false">
        <title xml:lang="en-US">Enable SELinux</title>
        <description xml:lang="en-US"> The SELinux is enabled by default on RHEL6. The file /etc/selinux/config should contain
					the following lines for targeted policy: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUX=enforcing </xhtml:code> 
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=targeted </xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit the file /boot/grub/grub.conf. Ensure that the following arguments DO
					NOT appear on any kernel command line in the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">selinux=0 </xhtml:code> or
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">enforcing=0 </xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The directive SELINUX=enforcing enables SELinux at boot time. If
					SELinux is causing a lot of problems or preventing the system from booting, it
					is possible to boot into the warning-only mode SELINUX=permissive for debugging
					purposes. Make certain to change the mode back to enforcing after debugging, set
					the filesystems to be relabeled for consistency using the command touch
					/.autorelabel, and reboot. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, the RHEL6 default SELinux configuration should be
					sufficiently reasonable that most systems will boot without serious problems.
					Some applications that require deep or unusual system privileges, may not be compatible with SELinux in its default
					configuration. However, this should be uncommon, and SELinux's application
					support continues to improve. In other cases, SELinux may reveal unusual or
					insecure program behavior by design. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The directive SELINUXTYPE=targeted configures SELinux to use the
					default targeted policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The SELinux boot mode specified in /etc/selinux/config can be
					overridden by command-line arguments passed to the kernel. It is necessary to
					check grub.conf to ensure that this has not been done and to protect the
					bootloader against unauthorized configuration change.</description>
        <Value id="var-1080" operator="equals" type="string">
          <title xml:lang="en-US">SELinux state</title>
          <description xml:lang="en-US"> enforcing - SELinux security policy is enforced.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> permissive - SELinux prints warnings instead of
						enforcing.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> disabled - SELinux is fully disabled. </description>
          <value>enforcing</value>
          <value selector="enforcing">enforcing</value>
          <value selector="permissive">permissive</value>
          <value selector="disabled">disabled</value>
        </Value>
        <Value id="var-1081" operator="equals" type="string">
          <title xml:lang="en-US">SELinux policy</title>
          <description xml:lang="en-US"> Type of policy in use. Possible values
						are:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> targeted - Only targeted network daemons are
						protected.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> strict - Full SELinux protection.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> mls -
						Multi-level security</description>
          <value>targeted</value>
          <value selector="targeted">targeted</value>
          <value selector="strict">strict</value>
          <value selector="mls">mls</value>
        </Value>
        <Group id="gr-selinux-enable.1" hidden="false">
          <title xml:lang="en-US">Ensure SELinux is Properly Enabled</title>
          <description xml:lang="en-US"> Run the command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ /usr/sbin/sestatus<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If the system is properly configured, the output should indicate:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>SELinux status: enabled</xhtml:li>
							<xhtml:li>Current mode: enforcing</xhtml:li>
							<xhtml:li>Mode from config file: enforcing</xhtml:li>
							<xhtml:li>Policy from config file: targeted</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
        <Rule id="rule-1079" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">accepted</status>
          <title xml:lang="en-US">SELinux should NOT be disabled in /boot/grub/grub.conf.</title>
          <description xml:lang="en-US">SELinux should NOT be disabled in /boot/grub/grub.conf. Check that
						selinux=0 is not found</description>
          <ident system="http://cce.mitre.org">CCE-3977-6</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:org.open-scap.rhel6:def:1079" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
        <Rule id="rule-1080" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">draft</status>
          <title xml:lang="en-US">Proper SELinux state</title>
          <description xml:lang="en-US">The SELinux state should be set appropriately</description>
          <ident system="http://cce.mitre.org">CCE-3999-0</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:org.open-scap.rhel6:var:1080" value-id="var-1080"/>
            <check-content-ref name="oval:org.open-scap.rhel6:def:1080" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
        <Rule id="rule-1081" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">accepted</status>
          <title xml:lang="en-US">Proper SELinux policy</title>
          <description xml:lang="en-US">The SELinux policy should be set appropriately.</description>
          <ident system="http://cce.mitre.org">CCE-3624-4</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:org.open-scap.rhel6:var:1081" value-id="var-1081"/>
            <check-content-ref name="oval:org.open-scap.rhel6:def:1081" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="gr-selinux-daemons" hidden="false">
        <title xml:lang="en-US">Disable Unnecessary SELinux Daemons</title>
        <description xml:lang="en-US"> Several daemons are installed by default as part of
					the RHEL6 SELinux support mechanism. These daemons may improve the system's
					ability to enforce SELinux policy in a useful fashion, but may also represent
					unnecessary code running on the machine, increasing system risk. If these
					daemons are available in your RHEL6 installation and are not needed on your system, 
					they should be disabled.</description>
        <Group id="gr-selinux-daemons.1" hidden="false">
          <title xml:lang="en-US">Remove SETroubleshoot if Possible</title>
          <description xml:lang="en-US"> Is there a mission-critical reason to allow users
						to view SELinux denial information using the sealert GUI? If not, 
						remove the setroubleshoot packages:
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ yum remove setroubleshoot-\*<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The setroubleshoot, 
						which is newly D-Bus system service, is a facility for notifying the
						desktop user of SELinux denials in a user-friendly fashion. SELinux errors
						may provide important information about intrusion attempts in progress, or
						may give information about SELinux configuration problems which are
						preventing correct system operation. In order to maintain a secure and
						usable SELinux installation, error logging and notification is necessary. 
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, 
						setroubleshoot is a service which has complex
						functionality, which runs a daemon and uses D-Bus to distribute information
						which may be sensitive, or even to allow users to modify SELinux settings. 
						This guide recommends removing setroubleshoot and using the kernel audit functionality
						to monitor SELinux's behavior.</description>

          <Rule id="rule-1082" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Remove SETroubleshoot</title>
            <description xml:lang="en-US">The setroubleshoot-server package should not be installed.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1082" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-selinux-daemons.2" hidden="false">
          <title xml:lang="en-US">Disable MCS Translation Service (mcstrans) if Possible</title>
          <description xml:lang="en-US"> Unless there is some overriding need for the
						convenience of category label translation, disable the MCS translation
						service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mcstrans off <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The mcstransd daemon provides the category label translation
						information defined in /etc/selinux/targeted/setrans.conf to client
						processes which request this information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Category labelling is unlikely to be used except in sites with
						special requirements. Therefore, it should be disabled in order to reduce
						the amount of potentially vulnerable code running on the system.</description>
          <Rule id="rule-1083" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable MCS Translation Service (mcstrans) if Possible</title>
            <description xml:lang="en-US">The mcstrans service should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-3668-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1083" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-selinux-daemons.3" hidden="false">
          <title xml:lang="en-US">Restorecon Service (restorecond)</title>
          <description xml:lang="en-US"> The restorecond daemon monitors a list of files
						which are frequently created or modified on running systems, and whose
						SELinux contexts are not set correctly. It looks for creation events related
						to files listed either in /etc/selinux/restorecond.conf or restorecond_user.conf , 
						and sets the contexts ofthose files when they are discovered.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The restorecond program is fairly 						 simple, so it brings low risk,
						but, in its default configuration, does not add much value to a system. An
						automated program such as restorecond may be used to monitor problematic
						files for context problems, or system administrators may be trained to check
						file contexts of newly-created files using the command ls -lZ, and to repair
						contexts manually using the restorecon command. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide makes no recommendation either for or against the use
						of restorecond.</description>
        </Group>
      </Group>
      <Group id="gr-selinux-unconfined" hidden="false">
        <title xml:lang="en-US">Check for Unconfined Daemons</title>
        <description xml:lang="en-US"> Daemons that SELinux policy does not know about will
					inherit the context of the parent process. Because daemons are launched during
					startup and descend from the init process, they inherit the initrc_t context.
					This is a problem because it may cause AVC denials, or it could allow privileges
					that the daemon does not require. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To check for unconfined daemons, run the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
					# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
					<xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It should produce no output in a well-configured
					system.</description>
      </Group>
      <Group id="gr-selinux-unlabeled" hidden="false">
        <title xml:lang="en-US">Check for Unlabeled Device Files</title>
        <description xml:lang="en-US"> Device files are used for communication with important
					system resources. SELinux contexts should exist for these. If a device file is
					not labeled, then misconfiguration is likely.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To check for unlabeled device files, run the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z /dev | grep unlabeled_t<xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It should produce no output in a well-configured
					system.</description>
      </Group>
      <Group id="gr-selinux-debugging" hidden="false">
        <title xml:lang="en-US">Debugging SELinux Policy Errors</title>
        <description xml:lang="en-US"> SELinux's default policies have improved
					significantly over time, and most systems should have few problems using the
					targeted SELinux policy. However, policy problems may still occasionally prevent
					accesses which should be allowed. This is especially true if your site runs any
					custom or heavily modified applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section gives some brief guidance on discovering and repairing
					SELinux-related access problems. Guidance given here is necessarily draft, but
					should provide a starting point for debugging. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you suspect that a permission error or other failure may be
					caused by SELinux (and are certain that misconfiguration of the traditional Unix
					permissions are not the cause of the problem), search the audit logs for AVC
					events: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch -m AVC,USER_AVC -sv no <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The output of this command will be a set of events. The timestamp,
					along with the comm and pid fields, should indicate which line describes the
					problem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Look up the context under which the process is running. Assuming the
					process ID is PID , find the context by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -p PID -Z <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The AVC denial message should identify the offending file or
					directory. The name field should contain the filename (not the full pathname by
					default), and the ino field can be used to search by inode, if necessary.
					Assuming the file is FILE , find its SELinux context: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z FILE <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> An administrator should suspect an SELinux misconfiguration whenever
					a program gets a 'permission denied' error but the standard Unix permissions
					appear to be correct, or a program fails mysteriously on a task which seems to
					involve file access or network communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> As described earlier, SELinux augments each process with a
					context providing detailed type information about that process. The contexts
					under which processes run may be referred to as subject contexts. Similarly,
					each filesystem object is given a context. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The targeted policy consists of a set of rules, each of which allows
					a subject type to perform some operation on a given object type. The kernel
					stores information about these access decisions in an structure known as an
					Access Vector Cache (AVC), so authorization decisions made by the system are
					audited with the type AVC. It is also possible for userspace modules to
					implement their own policies based on SELinux, and these decisions are audited
					with the type USER_AVC. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> AVC denials are logged by the kernel audit facility (see Section
					2.6.2 for configuration guidance on this subsystem) and may also be visible via
					setroubleshoot. This guide recommends the use of the audit userspace utilities
					to find AVC errors. It is possible to manually locate these errors by looking in
					the file /var/log/audit/audit.log or in /var/log/messages (depending on the
					syslog configuration in effect), but the ausearch tool allows finegrained
					searching on audit event types, which may be necessary if system call auditing
					is enabled as well. The command line above tells ausearch to look for kernel or
					userspace AVC messages (-m AVC,USER AVC) where the access attempt did not
					succeed (-sv no). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If an AVC denial occurs when it should not have, the problem is
					generally one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>The program is running with the wrong subject context. This could
							happen as a result of an incorrect context on the program's executable
							file, which could happen if 3rd party software is installed and not
							given appropriate SELinux file contexts. </xhtml:li>
						<xhtml:li>The file has the wrong object context because the current file's
							context does not match the specification. This can occur when files are
							created or modified in certain ways. It is not atypical for
							configuration files to get the wrong contexts after a system
							configuration change performed by an administrator. To repair the file,
							use the command: <xhtml:br/>
							<xhtml:br/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# restorecon -v FILE
							</xhtml:code>
							<xhtml:br/>This should produce output indicating that the file's
							context has been changed. The /usr/bin/chcon program can be used to
							manually change a file's context, but this is problematic because the
							change will not persist if it does not agree with the policy-defined
							contexts applied by restorecon.</xhtml:li>
						<xhtml:li>The file has the wrong object context because the specification is
							either incorrect or does not match the way the file is being used on
							this system. In this case, it will be necessary to change the system
							file contexts. <xhtml:br/>
							<xhtml:br/> Run the system-config-selinux tool, and go to the 'File
							Labeling' menu. This will give a list of files and wildcards
							corresponding to file labelling rules on the system. Add a rule which
							maps the file in question to the desired context. As an alternative,
							file contexts can be modified from the command line using the
							semanage(8) tool.</xhtml:li>
						<xhtml:li>The program and file have the correct contexts, but the policy
							should allow some operation between those two contexts which is
							currently not allowed. In this case, it will be necessary to modify the
							SELinux policy. <xhtml:br/>
							<xhtml:br/> Run the system-config-selinux tool, and go to the 'Boolean'
							menu. If your configuration is supported, but is not the Red Hat
							default, then there will be a boolean allowing real-time modification of
							the SELinux policy to fix the problem. Browse through the items in this
							menu, looking for one which is related to the service which is not
							working. As an alternative, SELinux booleans can be modified from the
							command line using the getsebool(8) and setsebool(8) tools. <xhtml:br/>
							<xhtml:br/> If there is no boolean, it will be necessary to create and
							load a policy module. A simple way to build a policy module is to use
							the audit2allow tool. This tool can take input in the format of AVC
							denial messages, and generate syntactically correct Type Enforcement
							rules which would be sufficient to prevent those denials. For example,
							to generate and display rules which would allow all kernel denials seen
							in the past fitfteen minutes, run: <xhtml:br/>
							<xhtml:br/>
							<xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow
								<xhtml:br/>
							</xhtml:code>
							<xhtml:br/> It is possible to use audit2allow to directly create a
							module package suitable for loading into the kernel policy. To do this,
							invoke audit2allow with the -M flag: <xhtml:br/>
							<xhtml:br/>
							<xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow -M
								localmodule <xhtml:br/>
							</xhtml:code>
							<xhtml:br/> If this is successful, several lines of output should
							appear. Review the generated TE rules in the file localmodule .te and
							ensure that they express what you wish to allow. <xhtml:br/>
							<xhtml:br/> The file localmodule .pp should also have been created. This
							file is a policy module package that can be loaded into the kernel. To
							do so, use system-config-selinux, go to the 'Policy Module' menu and use
							the 'Add' button to enable your module package in SELinux, or load it
							from the command line using semodule(8): <xhtml:br/>
							<xhtml:br/>
							<xhtml:code># semodule -i localmodule .pp <xhtml:br/>
							</xhtml:code>
							<xhtml:br/>In RHEL5, if you created a local policy, you needed to 
							switch to permissive mode globally to better debugging sometimes. 
							This is no longer needed in RHEL6. The permissive domains was 
							implemented which means only a domain can become permissive. <xhtml:br/>
							<xhtml:br/>
							<xhtml:code>semanage -a permissive DOMAIN<xhtml:br/>
							</xhtml:code>
							<xhtml:br/> Section 45.2 of [9] covers this procedure in
							detail.</xhtml:li>
					</xhtml:ul>
				</description>
      </Group>
      <Group id="gr-selinux-strengthening" hidden="false">
        <title xml:lang="en-US">Further Strengthening</title>
        <description xml:lang="en-US"> The recommendations up to this point have discussed
					how to configure and maintain a system under the default configuration of the
					targeted policy, which constrains only the actions of daemons and system
					software. This guide strongly recommends that any site which is not currently
					using SELinux at all transition to the targeted policy, to gain the substantial
					security benefits provided by that policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, the default policy provides only a subset of the full
					security gains available from using SELinux. In particular, the SELinux policy
					is also capable of constraining the actions of interactive users, of providing
					compartmented access by sensitivity level (MLS) and/or category (MCS), and of
					restricting certain types of system actions using booleans beyond the RHEL6
					defaults. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section introduces other uses of SELinux which may be possible,
					and provides links to some outside resources about their use. Detailed
					description of how to implement these steps is beyond the scope of this
					guide.</description>
        <Group id="gr-selinux-strengthening.1" hidden="false">
          <title xml:lang="en-US">Strengthen the Default SELinux Boolean Configuration</title>
          <description xml:lang="en-US"> SELinux booleans are used to enable or disable
						segments of policy to comply with site policy. Booleans may apply to the
						entire system or to an individual daemon. For instance, the boolean allow
						execstack, if enabled, allows programs to make part of their stack memory
						region executable. The boolean ftp home dir allows ftpd processes to 
						access user home directories,
						and applies only to daemons which implement FTP. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ getsebool -a
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ semanage boolean -l <xhtml:br/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> lists the values of all SELinux booleans on the system. Section
						2.4.5 discussed loosening boolean values in order to debug functionality
						problems which occur under more restrictive defaults. It is also useful to
						examine and strengthen the boolean settings, to disable functionality which
						is not required by legitimate programs on your system, but which might be
						symptomatic of an attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> See the manpages booleans(8), 
						getsebool(8), setsebool(8) and semanage(8) for
						general information about booleans. There are also manual pages for several
						subsystems which discuss the use of SELinux with those systems. Examples
						include ftpd selinux(8), httpd selinux(8), and nfs_selinux(8). Another good
						reference is the html documentation distributed with the selinux-policy RPM.
						This documentation is stored under <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> /usr/share/doc/selinux-policy-version/html/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The pages global tunables.html and global booleans.html may be
						useful when examining booleans.</description>
        </Group>
        <Group id="gr-selinux-strengthening.2" hidden="false">
          <title xml:lang="en-US">Use a Stronger Policy</title>
          <description xml:lang="en-US"> Using a stronger policy can greatly enhance
						security, but will generally require customization to be compatible with the
						particular system's purpose, and this may be costly or time consuming. Under
						the targeted policy, interactive processes are given the type unconfined t,
						so interactive users are not constrained by SELinux even if they attempt to
						take strange or malicious actions.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						Previously, in RHEL5, we had strict policy 
						which could be installed using selinux-policy-strict package. In RHEL6, we combine 
						strict and targeted policy together. There exist two SELinux policy modules - 
						unconfined.pp and unconfineduser.pp policy modules.  These two modules are optional,  
						and removing it gives you the equivalent of strict policy.
						Firstly, you can just remove unconfined.pp policy module. You will be closer to strict 
						policy but this leaves only user domains unconfined, along with some domains
						that do not make sense to confine (anaconda, firstboot, kernel,rpm) and also 
						unconfined_t user will be exist.

						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semodule -d unconfined</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>

						Then you can disable all unconfined domains by disabling unconfineduser 
						module which is equal strict policy. In this case, you need to setup all 
						your users as confined users, before removing the unconfineduser module 
						using semanage tool

						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -m -s staff_u root</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -m -s staff_u __default__</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage user -d unconfined_u</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage user -m -R "staff_r system_r sysadm_r" staff_u</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semodule -d unconfineduser</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Note: One of the RHEL6 features are Confined Users. This means, 
						unconfined.pp and unconfineduser.pp policy modules can be used  
						and an user can be confined even so. All this magic lie in adding login 
						mappings between linux users and SELinux confined users.
						
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -a -s user_u -r s0-s0:c0.c1023 USERNAME1</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -a -s staff_u -r s0-s0:c0.c1023 USERNAME2</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>The mls policy type can be used to enforce sensitivity or category labelling, 
						and requires site-specific configuration of these labels in order to be useful. 
						To use this policy, install the appropriate policy module:
						
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-mls</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Then edit /etc/selinux/config and correct the line:
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>	
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						SELINUXTYPE=mls</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>	
						Configure the system to boot into run level 3 by default: 
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						sed -i "s/^id:5:initdefault:/id:3:initdefault:/g" /etc/inittab
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Note: Switching between policies typically requires the entire disk to be 
						relabelled, so that files get the appropriate SELinux contexts under 
						the new policy. Add autorelabel flag

						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">touch /.autorelabel; reboot</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						and boot with the additional grub command-line options
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						enforcing=0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						to relabel the disk, then reboot normally. 
						</description>
						
        </Group>
      </Group>
      <Group id="gr-selinux-references" hidden="false">
        <title xml:lang="en-US">SELinux References</title>
        <description xml:lang="en-US">
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>NSA SELinux resources:<xhtml:br/>
							<xhtml:ul>
								<xhtml:li>Web page: http://www.nsa.gov/selinux/</xhtml:li>
								<xhtml:li>Mailing list: selinux@tycho.nsa.gov <xhtml:br/> List
									information at:
									http://www.nsa.gov/selinux/info/list.cfm</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Fedora SELinux resources:<xhtml:br/>
							<xhtml:ul>
								<xhtml:li>FAQ: http://docs.fedoraproject.org/selinux-faq/</xhtml:li>
								<xhtml:li>Wiki: http://fedoraproject.org/wiki/SELinux/</xhtml:li>
								<xhtml:li>Mailing list: fedora-selinux-list@redhat.com <xhtml:br/>
									List information at:
									https://www.redhat.com/mailman/listinfo/fedora-selinux-list</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Chapters 43–45 of Red Hat Enterprise Linux 5: Deployment Guide
							[9]</xhtml:li>
						<xhtml:li>The book SELinux by Example: Using Security Enhanced Linux
							[13]</xhtml:li>
					</xhtml:ul>
				</description>
      </Group>
    </Group>
    <Group id="gr-networking" hidden="false">
      <title xml:lang="en-US">Network Configuration and Firewalls</title>
      <description xml:lang="en-US"> Most machines must be connected to a network of some
				sort, and this brings with it the substantial risk of network attack. This section
				discusses the security impact of decisions about networking which must be made when
				configuring a system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section also discusses firewalls, network access controls, and
				other network security frameworks, which allow system-level rules to be written that
				can limit attackers' ability to connect to your system. These rules can specify that
				network traffic should be allowed or denied from certain IP addresses, hosts, and
				networks. The rules can also specify which of the system's network services are
				available to particular hosts or networks.</description>
      <Group id="gr-networking-sysctl" hidden="false">
        <title xml:lang="en-US">Kernel Parameters which Affect Networking</title>
        <description xml:lang="en-US"> The sysctl utility is used to set a number of
					parameters which affect the operation of the Linux kernel. Several of these
					parameters are specific to networking, and the configuration options in this
					section are recommended.</description>
        <Group id="gr-networking-sysctl.1" hidden="false">
          <title xml:lang="en-US">Network Parameters for Hosts Only</title>
          <description xml:lang="en-US"> Is this system going to be used as a firewall or
						gateway to pass IP traffic between different networks? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If not,
						edit the file /etc/sysctl.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.ip forward = 0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.send_redirects = 0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.send_redirects = 0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These settings disable hosts from performing network
						functionality which is only appropriate for routers.</description>
          <Rule id="rule-1084" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default setting for sending ICMP redirects is configured to be disabled (runtime)</title>
            <description xml:lang="en-US">The default setting for sending ICMP redirects should be
							disabled for network interfaces.</description>
            <ident system="http://cce.mitre.org">CCE-4151-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1084" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1085" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Sending ICMP redirects for all interfaces is configured to be disabled</title>
            <description xml:lang="en-US">Sending ICMP redirects should be disabled for all
							interfaces.</description>
            <ident system="http://cce.mitre.org">CCE-4155-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1085" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1086" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">IP forwarding is configured to be disabled</title>
            <description xml:lang="en-US">IP forwarding should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-3561-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1086" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking-sysctl.2" hidden="false">
          <title xml:lang="en-US">Network Parameters for Hosts and Routers</title>
          <description xml:lang="en-US"> Edit the file /etc/sysctl.conf and add or correct
						the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.all.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.all.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.all.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.all.log_martians = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.log_martians = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.icmp_echo_ignore_broadcasts = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.icmp_ignore_bogus_error_responses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.tcp_syncookies = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.all.rp_filter = 1
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.default.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These options improve Linux's ability to defend against certain
						types of IPv4 protocol attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept source route, accept redirects, and secure redirects
						options are turned off to disable IPv4 protocol features which are
						considered to have few legitimate uses and to be easy to abuse. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The net.ipv4.conf.all.log martians option logs several types of
						suspicious packets, such as spoofed packets, source-routed packets, and
						redirects. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The icmp echo ignore broadcasts icmp ignore bogus error messages
						options protect against ICMP attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The tcp syncookies option uses a cryptographic feature called
						SYN cookies to allow machines to continue to accept legitimate connections
						when faced with a SYN flood attack. See [12] for further information on this
						option. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rp filter option enables RFC-recommended source validation.
						It should not be used on machines which are routers for very complicated
						networks, but is helpful for end hosts and routers serving small networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For more information on any of these, see the kernel source
						documentation file /Documentation/networking/ip-sysctl.txt.</description>
          <Value id="var-1087" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.accept_source_route</title>
            <description xml:lang="en-US">Accept source routing?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1088" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.accept_redirects</title>
            <description xml:lang="en-US">Accept ICMP Redirects?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1089" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.secure_redirects</title>
            <description xml:lang="en-US">Accept redirects from gateways known in routing table?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1090" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.log_martians</title>
            <description xml:lang="en-US">Log Spoofed Packets, Source Routed Packets, Redirect Packets?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1095" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.icmp_echo_ignore_broadcast</title>
            <description xml:lang="en-US">Ignore all ICMP ECHO and TIMESTAMP requests
                                                        sent to it via broadcast/multicast</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1096" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.icmp_ignore_bogus_error_messages</title>
            <description xml:lang="en-US">Enable to prevent certain types of
                                                        attacks</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1097" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.tcp_syncookie</title>
            <description xml:lang="en-US">Enable to turn on TCP SYN Cookie
                                                        Protection</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1098" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.rp_filter</title>
            <description xml:lang="en-US">Enable to enforce sanity checking, also called
                                                        ingress filtering or egress filtering. The point is to drop a packet if
                                                        the source and destination IP addresses in the IP header do not make
                                                        sense when considered in light of the physical interface on which it
                                                        arrived. </description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Rule id="rule-1087" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Accepting source routed packets for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Accepting source routed packets should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1087"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4236-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1087" value-id="var-1087"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1087" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1088" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Accepting ICMP redirects for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Accepting ICMP redirects should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1088"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4217-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1088" value-id="var-1088"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1088" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1089" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Accepting "secure" ICMP redirects for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Accepting "secure" ICMP redirects (those from gateways listed
							in the default gateways list) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1089"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3472-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1089" value-id="var-1089"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1089" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1090" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Logging of "martian" packets for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Logging of "martian" packets (those with impossible addresses)
							should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1090"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4320-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1090" value-id="var-1090"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1090" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1091" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default accepting of source routed packets is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for accepting source routed packets should
							be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1087"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4091-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1087" value-id="var-1087"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1091" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1092" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default accepting ICMP redirects is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for accepting ICMP redirects should be:
								<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1088"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4186-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1088" value-id="var-1088"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1092" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1093" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default accepting of "secure" ICMP redirects is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for accepting "secure" ICMP redirects
							(those from gateways listed in the default gateways list) should be:
								<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1089"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3339-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1089" value-id="var-1089"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1093" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1094" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default logging of "martian" packets for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Logging of "martian" packets (those with impossible addresses)
							should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1090"/> for all interfaces as
							appropriate.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1090" value-id="var-1090"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1094" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1095" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Ignoring ICMP echo requests is configured (runtime)</title>
            <description xml:lang="en-US">Ignoring ICMP echo requests (pings) sent to broadcast /
							multicast addresses should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1095"/>
							for all interfaces as appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3644-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1095" value-id="var-1095"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1095" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1096" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Ignoring bogus ICMP responses is configured (runtime)</title>
            <description xml:lang="en-US">Ignoring bogus ICMP responses to broadcasts should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1096"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4133-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1096" value-id="var-1096"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1096" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1097" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Sending TCP syncookies is configured (runtime)</title>
            <description xml:lang="en-US">Sending TCP syncookies should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1097"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4265-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1097" value-id="var-1097"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1097" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1098" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Performing source validation by reverse path is configured (runtime)</title>
            <description xml:lang="en-US">Performing source validation by reverse path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1098"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4080-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1098" value-id="var-1098"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1098" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1099" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default setting for performing source validation by reverse path is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for performing source validation by reverse
							path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1098"/> for all
							interfaces as appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3840-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1098" value-id="var-1098"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1099" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-networking-wifi" hidden="false">
        <title xml:lang="en-US">Wireless Networking</title>
        <description xml:lang="en-US"><xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">Wireless networking (sometimes referred to as 802.11
					or Wi-Fi) presents a serious security risk to sensitive or classified systems
					and networks. Wireless networking hardware is much more likely to be included in
					laptop or portable systems than desktops or servers. Bluetooth serves a different purpose
					and possesses a much shorter range, but it still presents serious security
					risks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Removal of hardware is the only way to absolutely ensure that the
					wireless capability remains disabled. If it is completely impractical to remove
					the wireless hardware, and site policy still allows the device to enter
					sensitive spaces, every effort to disable the capability via software should be
					made. In general, acquisition policy should include provisions to prevent the
					purchase of equipment that will be used in sensitive spaces and includes
					wireless capabilities.</xhtml:p>

					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">
					If it is impossible to remove the wireless
					hardware from the device in question, disable as much of it as possible
					through software. Note that software methods do not prevent malicious
					software or careless system administrators from re-activating the devices with absolute certainty.
					</xhtml:p></description>
        <Group id="gr-networking-wifi.1" hidden="false">
          <title xml:lang="en-US">Remove Wireless Hardware if Possible</title>
          <description xml:lang="en-US"> Identifying the wireless hardware is the first
						step in removing it. The system's hardware manual should contain information
						on its wireless capabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Wireless hardware included with a laptop typically takes the
						form of a mini-PCI card or PC card. Other forms include devices which plug
						into USB or Ethernet ports, but these should be readily apparent and easy to
						remove from the base system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A PC Card (originally called a PCMCIA card) is designed to be
						easy to remove, though it may be hidden when inserted into the system.
						Frequently, there will be one or more buttons near the card slot that, when
						pressed, eject the card from the system. If no card is ejected, the slot is
						empty. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A mini-PCI card is approximately credit-card sized and typically
						accessible via a removable panel on the underside of the laptop. Removing
						the panel may require simple tools. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In addition to manually inspecting the hardware, it is also
						possible to query the system for its installed hardware devices. The
						commands /sbin/lspci and /sbin/lsusb will show a list of all recognized
						devices on their respective buses, and this may indicate the presence of a
						wireless device.</description>
        </Group>
	<Group id="gr-networking-wifi.2" hidden="false">
	  <title xml:lang="en-US">Disable Wireless in BIOS</title>
	  <description xml:lang="en-US"> Some laptops that include built-in wireless
						      support offer the ability to disable the device through the BIOS. This
						      is system-specific; consult your hardware manual or explore the BIOS
						      setup during boot.</description>
	</Group>
	<Group id="gr-networking-wifi.3" hidden="false">
	  <title xml:lang="en-US">Deactivate Wireless Interfaces</title>
	  <description xml:lang="en-US"> Deactivating the wireless interfaces should
						      prevent normal usage of the wireless capability. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> First, identify the interfaces available with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ip link ls <xhtml:br/>
						      </xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Additionally,the following command may also be used to
						      determine whether wireless support ('extensions') is included for a
						      particular interface, though this may not always be a clear indicator: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iwconfig <xhtml:br/>
						      </xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> After identifying any wireless interfaces (which may have
						      names like wlan0, ath0, wifi0, or eth0), deactivate the interface with
						      the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ip link set interface down <xhtml:br/>
						      </xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These changes will only last until the next reboot. To
						      disable the interface for future boots, locate its configuration file /etc/sysconfig/network-scripts/ifcfg-interface and add or replace configuration directives to match the following:
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ONBOOT=no</xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">USERCTL=no</xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">NM_CONTROLLED=no</xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					      </description>
	  <Rule id="rule-1100" selected="false" weight="10.000000" severity="medium">
	    <status date="2010-07-01">accepted</status>
	    <title xml:lang="en-US">Deactivate Wireless Interfaces</title>
	    <description xml:lang="en-US">All wireless interfaces should be disabled.</description>
	    <ident system="http://cce.mitre.org">CCE-4276-2</ident>
	    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
	      <check-content-ref name="oval:org.open-scap.rhel6:def:1100" href="scap-rhel6-oval.xml"/>
	    </check>
	  </Rule>
	</Group>
      </Group>
      <Group id="gr-networking-ipv6" hidden="false">
        <title xml:lang="en-US">IPv6</title>
        <description xml:lang="en-US"> The system includes support for Internet Protocol
					version 6. A major and often-mentioned improvement over IPv4 is its enormous
					increase in the number of available addresses. Another important feature is its
					support for automatic configuration of many network settings.</description>
        <Group id="gr-networking-ipv6.1" hidden="false">
          <title xml:lang="en-US">Disable Support for IPv6 unless Needed</title>
          <description xml:lang="en-US"> Because the IPv6 networking code is relatively
						new and complex, it is particularly important that it be disabled unless
						needed. Despite configuration that suggests support for IPv6 has been
						disabled, link-local IPv6 address autoconfiguration occurs even when only an
						IPv4 address is assigned. The only way to effectively prevent execution of
						the IPv6 networking stack is to prevent the kernel from loading the IPv6
						kernel module.</description>
          <Group id="gr-networking-ipv6.1.1" hidden="false">
            <title xml:lang="en-US">Disable Automatic Loading of IPv6 Kernel Module</title>
            <description xml:lang="en-US"> To prevent the IPv6 kernel module (ipv6) from
							being loaded, create /etc/modprobe.d/ipv6.conf with the following content: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> install ipv6 /bin/true <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When the kernel requests the ipv6 module, this line will
							direct the system to run the program /bin/true instead.</description>
            <Rule id="rule-1101" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Disable Automatic Loading of IPv6 Kernel Module</title>
              <description xml:lang="en-US">Automatic loading of the IPv6 kernel module should be
								disabled.</description>
              <ident system="http://cce.mitre.org">CCE-3562-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1101" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-ipv6.1.2" hidden="false">
            <title xml:lang="en-US">Disable Interface Usage of IPv6</title>
            <description xml:lang="en-US"> To prevent configuration of IPv6 for all
							interfaces, add or correct the following line in
							/etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6INIT=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each network interface IFACE , add or correct the
							following lines in /etc/sysconfig/network-scripts/ifcfg-IFACE as an
							additional prevention mechanism:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6INIT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If it becomes necessary later to configure IPv6, only the
							interfaces requiring it should be enabled.</description>
          </Group>
        </Group>
        <Group id="gr-networking-ipv6.2" hidden="false">
          <title xml:lang="en-US">Configure IPv6 Settings if Necessary</title>
          <description xml:lang="en-US"> A major feature of IPv6 is the extent to which
						systems implementing it can automatically configure their networking devices
						using information from the network. From a security perspective, manually
						configuring important configuration information is always preferable to
						accepting it from the network in an unauthenticated fashion.</description>
          <Group id="gr-networking-ipv6.2.1" hidden="false">
            <title xml:lang="en-US">Disable Automatic Configuration</title>
            <description xml:lang="en-US"> Disable the system's acceptance of router
							advertisements and redirects by adding or correcting the following line
							in /etc/sysconfig/network (note that this does not disable sending
							router solicitations): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_AUTOCONF=no</description>
            <Value id="var-1102" operator="equals" type="string">
              <title xml:lang="en-US">IPV6_AUTOCONF</title>
              <description xml:lang="en-US">Default setting for IPv6 autoconfiguration</description>
              <value>no</value>
              <value selector="enabled">yes</value>
              <value selector="disabled">no</value>
            </Value>
            <Rule id="rule-1102" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure IPv6 autoconfiguration</title>
              <description xml:lang="en-US">The default setting for IPv6 autoconfiguration should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1102"/>.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1102" value-id="var-1102"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1102" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-ipv6.2.2" hidden="false">
            <title xml:lang="en-US">Manually Assign Global IPv6 Address</title>
            <description xml:lang="en-US"> To manually assign an IP address for an
							interface IFACE, edit the file /etc/sysconfig/network-scripts/
							ifcfg-IFACE. Add or correct the following line (substituting the correct
							IPv6 address): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6ADDR=2001:0DB8::ABCD/64 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Manually assigning an IP address is preferable to accepting
							one from routers or from the network otherwise. The example address here
							is an IPv6 address reserved for documentation purposes, as defined by
							RFC3849.</description>
          </Group>
          <Group id="gr-networking-ipv6.2.3" hidden="false">
            <title xml:lang="en-US">Use Privacy Extensions for Address if Necessary</title>
            <description xml:lang="en-US"> To introduce randomness into the automatic
							generation of IPv6 addresses, add or correct the following line in
							/etc/sysconfig/network-scripts/ifcfg-IFACE: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_PRIVACY=rfc3041<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Automatically-generated IPv6 addresses are based on the
							underlying hardware (e.g. Ethernet) address, and so it becomes possible
							to track a piece of hardware over its lifetime using its traffic. If it
							is important for a system's IP address to not trivially reveal its
							hardware address, this setting should be applied.</description>
          </Group>
          <Group id="gr-networking-ipv6.2.4" hidden="false">
            <title xml:lang="en-US">Manually Assign IPv6 Router Address</title>
            <description xml:lang="en-US"> Edit the file
							/etc/sysconfig/network-scripts/ifcfg-IFACE , and add or correct the
							following line (substituting your gateway IP as appropriate):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_DEFAULTGW=2001:0DB8::0001 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Router addresses should be manually set and not accepted via
							any autoconfiguration or router advertisement.</description>
          </Group>
          <Group id="gr-networking-ipv6.2.5" hidden="false">
            <title xml:lang="en-US">Limit Network-Transmitted Configuration</title>
            <description xml:lang="en-US"> Add the following lines to /etc/sysctl.conf
							to limit the configuration information requested from other systems, and
							accepted from the network:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv6.conf.default.router_solicitations = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.accept_ra_rtr_pref = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.accept_ra_pinfo = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.accept_ra_defrtr = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.autoconf = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.dad_transmits = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.max_addresses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The router solicitations setting determines how many router
							solicitations are sent when bringing up the interface. If addresses are
							statically assigned, there is no need to send any solicitations. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_ra_pinfo setting controls whether the system will
							accept prefix info from the router. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_ra_defrtr setting controls whether the system
							will accept Hop Limit settings from a router advertisement. Setting it
							to 0 prevents a router from changing your default IPv6 Hop Limit for
							outgoing packets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The autoconf setting controls whether router advertisements
							can cause the system to assign a global unicast address to an interface. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The dad_transmits setting determines how many neighbor
							solicitations to send out per address (global and link-local) when
							bringing up an interface to ensure the desired address is unique on the
							network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The max_addresses setting determines how many global unicast
							IPv6 addresses can be assigned to each interface. The default is 16, but
							it should be set to exactly the number of statically configured global
							addresses required.</description>
	    <Value id="var-1103" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.router_solicitations</title>
              <description xml:lang="en-US">Number of router solicitations to send</description>
              <value>0</value>
              <value selector="0">0</value>
              <value selector="3">3</value>
            </Value>
	    <Value id="var-1104" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.accept_ra_rtr_pref</title>
              <description xml:lang="en-US">Whether to accept router preference from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1105" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.accept_ra_pinfo</title>
              <description xml:lang="en-US">Whether to accept prefix information from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1106" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.accept_ra_defrtr</title>
              <description xml:lang="en-US">Whether to accept default router information from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1107" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.autoconf</title>
              <description xml:lang="en-US">Whether to autoconfigure addresses from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1108" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.dad_transmits</title>
              <description xml:lang="en-US">Number of duplicate address detection probes to send</description>
              <value>0</value>
              <value selector="0">0</value>
              <value selector="1">1</value>
            </Value>
	    <Value id="var-1109" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.max_addresses</title>
              <description xml:lang="en-US">Maximum number of autoconfigured addresses</description>
              <value>1</value>
              <value selector="1">1</value>
              <value selector="16">16</value>
            </Value>
            <Rule id="rule-1103" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure number of sent router solicitations</title>
              <description xml:lang="en-US">The default number of sent router solicitations should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1103"/> for
								all interfaces.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1103" value-id="var-1103"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1103" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1104" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to accept router preference</title>
              <description xml:lang="en-US">Router preference should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1104"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1104" value-id="var-1104"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1104" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1105" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to accept path information</title>
              <description xml:lang="en-US">Path information should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1105"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1105" value-id="var-1105"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1105" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1106" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to accept default router information</title>
              <description xml:lang="en-US">Default router information should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1106"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1106" value-id="var-1106"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1106" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1107" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to autoconfigure addresses</title>
              <description xml:lang="en-US">Addresses should be autoconfigured by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1107"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1107" value-id="var-1107"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1107" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1108" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure number of duplicate address detection probes</title>
              <description xml:lang="en-US">Number of duplicate address detection probes should be by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1108"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1108" value-id="var-1108"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1108" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1109" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure maximum number of autoconfigured addresses</title>
              <description xml:lang="en-US">Maximum number of autoconfigured addresses be by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1109"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1109" value-id="var-1109"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1109" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
      </Group>
      <Group id="gr-networking-libwrap" hidden="false">
        <title xml:lang="en-US">TCP Wrapper</title>
        <description xml:lang="en-US"> TCP Wrapper is a library which provides simple access
					control and standardized logging for supported applications which accept
					connections over a network. Historically, TCP Wrapper was used to support inetd
					services. Now that inetd is deprecated, TCP Wrapper supports
					only services which were built to make use of the libwrap library. To determine
					whether a given executable daemon /path/to/daemon supports TCP Wrapper, check
					the documentation, or run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ldd /path/to/daemon | grep libwrap.so <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If this command returns any output, then the daemon probably
					supports TCP Wrapper. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> An alternative to TCP Wrapper support is packet filtering using
					iptables. Note that iptables works at the network level, while TCP Wrapper works
					at the application level. This means that iptables filtering is more efficient
					and more resistant to flaws in the software being protected, but TCP Wrapper
					provides support for logging, banners, and other application-level tricks which
					iptables cannot provide.</description>
        <Group id="gr-networking-libwrap.1" hidden="false">
          <title xml:lang="en-US">How TCP Wrapper Protects Services</title>
          <description xml:lang="en-US"> TCP Wrapper provides access control for the
						system's network services using two configuration files. When a connection
						is attempted: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The file /etc/hosts.allow is searched for a rule matching the
								connection. If one is found, the connection is allowed. </xhtml:li>
							<xhtml:li>Otherwise, the file /etc/hosts.deny is searched for a rule
								matching the connection. If one is found, the connection is
								rejected. </xhtml:li>
							<xhtml:li>If no matching rules are found in either file, then the
								connection is allowed. By default, TCP Wrapper does not block access
								to any services. </xhtml:li>
						</xhtml:ol>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In the simplest case, each rule in /etc/hosts.allow and
						/etc/hosts.deny takes the form: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon : client <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> where daemon is the name of the server process for which the
						connection is destined, and client is the partial or full hostname or IP
						address of the client. It is valid for daemon and client to contain one
						item, a comma-separated list of items, or a special keyword like ALL, which
						matches any service or client. (See the hosts_access(5) manpage for a list
						of other keywords.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Partial hostnames start at the root domain and are
						delimited by the . character. So the client machine host03.dev.example.com,
						with IP address 10.7.2.3, could be matched by any of the specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> .example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> .dev.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						10.7.2.</description>
        </Group>
        <Group id="gr-networking-libwrap.2" hidden="false">
          <title xml:lang="en-US">Reject All Connections From Other Hosts if Appropriate</title>
          <description xml:lang="en-US"> Restrict all connections to non-public services
						to localhost only. Suppose pubsrv1 and pubsrv2 are the names of daemons
						which must be accessed remotely. Configure TCP Wrapper as follows. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.allow. Add the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> pubsrv1 ,pubsrv2 : ALL<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> ALL: localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> ALL: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These rules deny connections to all TCP Wrapper enabled services
						from any host other than localhost, but allow connections from anywhere to
						the services which must be publicly accessible. (If no public services
						exist, the first line in /etc/hosts.allow may be omitted.)</description>
            <Rule id="rule-1110" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Reject Connections in TCP Wrapper by Default</title>
              <description xml:lang="en-US">TCP wrapper should be configured to reject connections that were not explicitly allowed</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1110" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
        </Group>
        <Group id="gr-networking-libwrap.3" hidden="false">
          <title xml:lang="en-US">Allow Connections Only From Hosts in This Domain if Appropriate</title>
          <description xml:lang="en-US"> For each daemon, domainsrv , which only needs to
						be contacted from inside the local domain, example.com , configure TCP
						Wrapper to deny remote connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.allow. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> domainsrv : .example.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> domainsrv : ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> There are many possible examples of services which need to
						communicate only within the local domain. If a machine is a local compute
						server, it may be necessary for users to connect via SSH from their desktop
						workstations, but not from outside the domain. In that case, you should
						protect the daemon sshd using this method. As another example, RPC-based
						services such as NFS might be enabled within the domain only, in which case
						the daemon portmap should be protected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					</description>
          <warning xml:lang="en-US">Note: This example protects only the service domainsrv
						. No filtering is done on other services unless a line is entered into
						/etc/hosts.deny which refers to those services by name, or which restricts
						the special service ALL.</warning>
        </Group>
        <Group id="gr-networking-libwrap.4" hidden="false">
          <title xml:lang="en-US">Monitor Syslog for Relevant Connections and Failures</title>
          <description xml:lang="en-US"> Ensure that the following line exists in
						/etc/rsyslog.conf. (This is the default, so it is likely to be correct if the
						configuration has not been modified): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> authpriv.* /var/log/secure <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Configure logwatch or other log monitoring tools to periodically
						summarize failed connections reported by TCP Wrapper at the facility
						authpriv.info. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, TCP Wrapper audits all rejected connections at the
						facility authpriv, level info. In the log file, TCP Wrapper rejections will
						contain the substring: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon [pid ]: refused connect from ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These lines can be used to detect malicious scans, and to debug
						failures resulting from an incorrect TCP Wrapper configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If appropriate, it is possible to change the syslog facility and
						level used by a given TCP Wrapper rule by adding the severity option to each
						desired configuration line in /etc/hosts.deny: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon : client : severity facility.level <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, successful connections are not logged by TCP
						Wrapper.</description>
        </Group>
        <Group id="gr-networking-libwrap.5" hidden="false">
          <title xml:lang="en-US">Further Resources</title>
          <description xml:lang="en-US"> For more information about TCP Wrapper, see the
						tcpd(8) and hosts_access(5) manpages and the documentation directory
						/usr/share/doc/tcp_wrappers-version. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Some information may be available from the Tools section of the
						author's website, http://www.porcupine.org, and from the RHEL6 Security
						Guide.</description>
        </Group>
      </Group>
      <Group id="gr-networking-iptables" hidden="false">
        <title xml:lang="en-US">Iptables and Ip6tables</title>
        <description xml:lang="en-US"> A host-based firewall called Netfilter is included as
					part of the Linux kernel distributed with the system. It is activated by
					default. This firewall is controlled by the program iptables, and the entire
					capability is frequently referred to by this name. An analogous program called
					ip6tables handles filtering for IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Unlike TCP Wrappers, which depends on the network server program to
					support and respect the rules written, Netfilter filtering occurs at the kernel
					level, before a program can even process the data from the network packet. As
					such, any program on the system is affected by the rules written. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section provides basic information about strengthening the
					iptables and ip6tables configurations included with the system. For more
					complete information that may allow the construction of a sophisticated ruleset
					tailored to your environment, please consult the references at the end of this
					section.</description>
        <Group id="gr-networking-iptables.1" hidden="false">
          <title xml:lang="en-US">Inspect and Activate Default Rules</title>
          <description xml:lang="en-US"> View the currently-enforced iptables rules by
						running the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command is analogous for the ip6tables program. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If the firewall does not appear to be active (i.e., no rules
						appear), activate it and ensure that it starts at boot by issuing the
						following commands (and analogously for ip6tables): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service iptables restart</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig iptables on</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default iptables rules are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain INPUT (policy ACCEPT)</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num  target     prot opt source               destination</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain FORWARD (policy ACCEPT)</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num  target     prot opt source               destination</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain OUTPUT (policy ACCEPT)</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num  target     prot opt source               destination</xhtml:code>


						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The ip6tables default
						rules are similar, with its input rules 2 and 5 and forward rule 1
						reflecting protocol naming and addressing differences.</description>
          <Rule id="rule-1111" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">ip6tables service is enabled</title>
            <description xml:lang="en-US">The ip6tables service should be enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4167-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1111" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1112" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">iptables service is enabled</title>
            <description xml:lang="en-US">The iptables service should be enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4189-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1112" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking-iptables.2" hidden="false">
          <title xml:lang="en-US">Understand the Default Ruleset</title>
          <description xml:lang="en-US"> Understanding and creating firewall rules can be
						a challenging activity, filled with corner cases and difficult-to debug
						problems. Because of this, administrators should develop a thorough
						understanding of the default ruleset before carefully modifying it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default ruleset is divided into three sections, each of which
						is called a chain: INPUT, FORWARD and OUTPUT. Each of these chains
						is built-in. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The INPUT chain is activated on packets destined for (i.e.,
								addressed to) the system. </xhtml:li>
							<xhtml:li>The OUTPUT chain is activated on packets which are originating
								from the system. </xhtml:li>
							<xhtml:li>The FORWARD chain is activated for packets that the system
								will process and send through another interface, if so configured. </xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A packet starts at the first rule in the appropriate chain and
						proceeds until it matches a rule. If a match occurs, then control will jump
						to the specified target. The default ruleset uses the built-in targets
						ACCEPT and REJECT. Jumping to the target ACCEPT means to allow the packet
						through, while REJECT means to drop the packet and send an error message to
						the sending host. A related target called DROP means to drop the packet
						without even sending an error message. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default policy for all of the built-in chains (shown after
						their names in the rule output above) is set to ACCEPT. This means that if
						no rules in the chain match the packets, they are allowed through. Because
						no rules at all are written for the OUTPUT chain, this means that iptables
						does not stop any packets originating from the system.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>The INPUT chain tries to match, in order, the following
						rules for both iptables and ip6tables: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Rule 1, allows inbound packets that are
								part of a session initiated by the system.</xhtml:li>
							<xhtml:li>Rule 2 explicitly allows all icmp packet types.</xhtml:li>
							<xhtml:li>Rule 3 appears to accept all packets. However, this appears
								true only because the rules are not presented in verbose mode.
								Executing the command <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># iptables -vnL --line-numbers <xhtml:br/>
								</xhtml:code>
								<xhtml:br/> reveals that this rule applies only to the loopback (lo)
								interface (see column in), while all other rules apply to all
								interfaces. Thus, packets not coming from the loopback interface do
								not match and proceed to the next rule. </xhtml:li>
							<xhtml:li>Rule 4 allows inbound connections in tcp
								port 22, which is the SSH protocol. </xhtml:li>
							<xhtml:li>Rule 5 rejects all other packets and
								sends an error message to the sender. Because this is the last rule
								and matches any packet, it effectively prevents any packet from
								reaching the chain's default ACCEPT target. Preventing the
								acceptance of any packet that is not explicitly allowed is proper
								design for a firewall.</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
        <Group id="gr-networking-iptables.3" hidden="false">
          <title xml:lang="en-US">Strengthen the Default Ruleset</title>
          <description xml:lang="en-US"> The default rules can be strengthened. The system
						scripts that activate the firewall rules expect them to be defined in the
						configuration files iptables and ip6tables in the directory /etc/sysconfig.
						Many of the lines in these files are similar to the command line arguments
						that would be provided to the programs /sbin/iptables or /sbin/ip6tables –
						but some are quite different. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following recommendations describe how to strengthen the
						default ruleset configuration file. An alternative to editing this
						configuration file is to create a shell script that makes calls to the
						iptables program to load in rules, and then invokes
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">service iptables save</xhtml:code> to
						write those loaded rules to /etc/sysconfig/iptables.  If the construction of the default ruleset meets
						your requirements, system-config-firewall-tui may be used to customize it, to the extent the tool allows it.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following alterations can be made directly to
						/etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to
						both unless otherwise noted. Language and address conventions for regular
						iptables are used throughout this section; configuration for ip6tables will
						be either analogous or explicitly covered.</description>
          <warning xml:lang="en-US">The program system-config-firewall-tui automatically adjusts /etc/sysconfig/iptables . This program is only
						useful if the construction of the default ruleset meets your security requirements. Otherwise,
						this program should not be used to make changes to the firewall
						configuration because it re-writes the saved configuration file. </warning>
          <Group id="gr-networking-iptables.3.1" hidden="false">
            <title xml:lang="en-US">Change the Default Policies</title>
            <description xml:lang="en-US"> Change the default policy to DROP (from
							ACCEPT) for the INPUT and FORWARD built-in chains: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> *filter <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> :INPUT DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> :FORWARD
							DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Changing the default policy in this way implements proper
							design for a firewall, i.e. any packets which are not explicitly
							permitted should not be accepted.</description>
            <Rule id="rule-1113" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">The default policy for ip*tables INPUT table should be set appropriately</title>
              <description xml:lang="en-US">Change the default policy to DROP (from ACCEPT) for the
								INPUT built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1113" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1114" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">The default policy for ip*tables FORWARD table should be set appropriately</title>
              <description xml:lang="en-US">Change the default policy to DROP (from ACCEPT) for the
								FORWARD built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1114" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-iptables.3.2" hidden="false">
            <title xml:lang="en-US">Restrict ICMP Message Types</title>
            <description xml:lang="en-US"> In /etc/sysconfig/iptables, the accepted ICMP
							messages types can be restricted. To accept only ICMP echo reply,
							destination unreachable, and time exceeded messages, remove the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and insert the lines:
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To allow the system to respond to pings, also insert the
							following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ping responses can also be limited to certain networks or
							hosts by using the -s option in the previous rule. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because IPv6 depends so heavily on ICMPv6, it is preferable
							to deny the ICMPv6 packets you know you don't need (e.g. ping requests)
							in /etc/sysconfig/ip6tables, while letting everything else through: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are going to statically configure the
							machine's address, it should ignore Router Advertisements which could
							add another IPv6 address to the interface or alter important network
							settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Restricting other ICMPv6 message types in
							/etc/sysconfig/ip6tables is not recommended because the operation of
							IPv6 depends heavily on ICMPv6. Thus, more care must be taken when
							blocking ICMPv6 types.</description>
            <Rule id="rule-1115" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Restrict ICMP message types</title>
              <description xml:lang="en-US">Accept only some ICMP messages in the INPUT built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1115" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-iptables.3.3" hidden="false">
            <title xml:lang="en-US">Log and Drop Packets with Suspicious Source Addresses</title>
            <description xml:lang="en-US"> Packets with non-routable source addresses
							should be rejected, as they may indicate spoofing. Because the modified
							policy will reject non-matching packets, you only need to add these
							rules if you are interested in also logging these spoofing or suspicious
							attempts before they are dropped. If you do choose to log various
							suspicious traffic, add identical rules with a target of DROP after each
							LOG. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To log and then drop these IPv4 packets, insert the
							following rules in /etc/sysconfig/iptables (excepting any that are
							intentionally used): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP
							SPOOF A: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG
							--log-prefix "IP DROP SPOOF B: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s
							192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A
							INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP
							SPOOF E: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG
							--log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Similarly, you might wish to log packets containing some
							IPv6 reserved addresses if they are not expected on your network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP
							LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:E000::/20 -j LOG --log-prefix
							"IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:7F00::/24 -j LOG
							--log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s
							2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A
							INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4
							TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix
							"IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:C0A8::/32 -j LOG
							--log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are not expecting to see site-local multicast or
							auto-tunneled traffic, you can log those: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL
							MULTICAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix
							"IPv4 COMPATIBLE IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you wish to block multicasts to all link-local nodes
							(e.g. if you are not using router autoconfiguration and do not plan to
							have any services that multicast to the entire local network), you can
							block the link-local all-nodes multicast address (before accepting
							incoming ICMPv6): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local
							All-Nodes Multicast: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, if you're going to allow IPv4 compatible IPv6
							addresses (of the form ::0.0.0.0/96), you should then consider logging
							the non-routable IPv4-compatible addresses: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP
							NON-ROUTABLE ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::127.0.0.0/104 -j LOG
							--log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s
							::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP
							BROADCAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are not expecting to see any IPv4 (or
							IPv4-compatible) traffic on your network, consider logging it before it
							gets dropped: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4
							MAPPED IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002::/16 -j LOG
							--log-prefix "IPv6 6to4 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following rule will log all traffic originating from a
							site-local address, which is deprecated address space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL
							ADDRESS TRAFFIC: "</description>
          </Group>
          <Group id="gr-networking-iptables.3.4" hidden="false">
            <title xml:lang="en-US">Log and Drop All Other Packets</title>
            <description xml:lang="en-US"> To log before dropping all packets that are
							not explicitly accepted by previous rules, change the final lines from <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j REJECT --reject-with icmp-host-prohibited
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> to <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j LOG
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j DROP
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rule to log all dropped packets must be used with care.
							Chatty but otherwise non-malicious network protocols (e.g. NetBIOS) may
							result in voluminous logs; insertion of earlier rules to explicitly drop
							their packets without logging may be appropriate.</description>
            <Rule id="rule-1116" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Log and Drop All Other Packets</title>
              <description xml:lang="en-US">Log and drop packets that were not explicitly drop in the INPUT built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1116" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-networking-iptables.4" hidden="false">
          <title xml:lang="en-US">Further Strengthening</title>
          <description xml:lang="en-US"> Further strengthening, particularly as a result
						of customization to a particular environment, is possible for the iptables
						rules. Consider the following options, though their practicality depends on
						the network environment and usage scenario: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Restrict outgoing traffic. As shown above, the OUTPUT chain's
								default policy can be changed to DROP, and rules can be written to
								specifically allow only certain types of outbound traffic. Such a
								policy could prevent casual usage of insecure protocols such as ftp
								and telnet, or even disrupt spyware. However, it would still not
								prevent a sophisticated user or program from using a proxy to
								circumvent the intended effects, and many client programs even try
								to automatically tunnel through port 80 to avoid such
								restrictions.</xhtml:li>
							<xhtml:li>SYN flood protection. SYN flood protection can be provided by
								iptables, but might run into limiting issues for servers. For
								example, the iplimit match can be used to limit simultaneous
								connections from a given host or class. Similarly, the recent match
								allows the firewall to deny additional connections from any host
								within a given period of time (e.g. more than 3 –state NEW
								connections on port 22 within a minute to prevent dictionary login
								attacks). <xhtml:br/>
								<xhtml:br/> A more precise option for DoS protection is using TCP
								SYN cookies.</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
        <Group id="gr-networking-iptables.5" hidden="false">
          <title xml:lang="en-US">Further Resources</title>
          <description xml:lang="en-US"> More complex, restrictive, and powerful rulesets
						can be created, but this requires careful customization that relies on
						knowledge of the particular environment. The following resources provide
						more detailed information: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The iptables(8) man page </xhtml:li>
							<xhtml:li>The Netfilter Project's documentation at
								http://www.netfilter.org</xhtml:li>
							<xhtml:li>The Red Hat Enterprise Linux 6 Security Guide</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
      </Group>
      <Group id="gr-networking-tls" hidden="false">
        <title xml:lang="en-US">Transport Layer Security Support</title>
        <description xml:lang="en-US"> The Transport Layer Security (TLS) protocol provides
					encrypted and authenticated network communications, and many network services
					include support for it. Using TLS is recommended, especially to avoid any
					plaintext transmission of sensitive data, even over a local network. The three primary TLS
					implementations included with the system are GnuTLS, NSS and OpenSSL. Older
					versions of TLS were called Secure Sockets Layer (SSL).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TLS uses public key cryptography to provide authentication and
					encryption. Public key cryptography involves two keys, one called the public key
					and the other called the private key. These keys are mathematically related such
					that data encrypted with one key can only be decrypted by the other, and vice
					versa. As their names suggest, public keys can be distributed to anyone while a
					private key must remain known only to its owner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TLS uses certificates, which are files that hold cryptographic data:
					a public key, and a signature of that public key. In TLS authentication, a
					server presents a client with its certificate as a means of demonstrating that
					it is who it claims it is. If everything goes correctly, the client can verify
					the server's certificate by determining that the signature inside the
					certificate could only have been generated by a third party whom the client
					trusts. This third party is called a Certificate Authority (CA). Each client
					system should also have certificates from trusted CAs, and the client uses these
					CA certificates to verify the authenticity of the server's certificate. After
					authenticating a server using its certificate and a CA certificate, TLS provides
					encryption by using the server certificate to securely negotiate a shared secret
					key. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If your server must communicate using TLS with systems that might
					not be able to securely accept a new CA certificate prior to any TLS
					communication, then paying an established CA (whose certificates your clients
					already have) to sign your server certificates is recommended. The steps for
					doing this vary by vendor. Once the signed certificates have been obtained,
					configuration of the services is the same whether they were purchased from a
					vendor or signed by your own CA.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For setting up an internal network and encrypting local traffic,
					creating your own CA to sign X.509 certificates can be appropriate. The major
					steps in this process are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>Create a CA to sign certificates </xhtml:li>
						<xhtml:li>Create X.509 certificates for servers using that CA</xhtml:li>
						<xhtml:li>Enable client support by distributing the CA's
							certificate</xhtml:li>
					</xhtml:ol>
				</description>
        <Group id="gr-networking-tls.1" hidden="false">
          <title xml:lang="en-US">Create a CA to Sign Certificates</title>
          <description xml:lang="en-US"> The following instructions apply to OpenSSL. The security of certificates depends on the
						security of the CA that signed them, so performing these steps on a secure
						machine is critical. The system used as a CA should be physically secure and
						not connected to any network. It should receive any certificate signing
						requests (CSRs) via removable media and output certificates onto removable
						media. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The script /etc/pki/tls/misc/CA is included to assist in the
						process of setting up a CA. This script uses many settings in
						/etc/pki/tls/openssl.cnf. The settings in this file can be changed to suit
						your needs and allow easier selection of default settings, particularly in
						the [req distinguished name] section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To create the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/misc</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ./CA -newca</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>When prompted, press enter to create a new CA key with the
								default name cakey.pem.</xhtml:li>
							<xhtml:li>When prompted, enter a password that will protect the private
								key, then enter the same password again to verify it.</xhtml:li>
							<xhtml:li>At the prompts, fill out as much of the CA information as is
								relevant for your site. You must specify a common name, or
								generation of the CA certificate will fail. </xhtml:li>
							<xhtml:li>Next, you will be prompted for the password, so that the
								script can re-open the private key in order to write the
								certificate.</xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This step performs the following actions: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>creates the directory /etc/pki/CA (by default), which contains
								files necessary for the operation of a certificate authority. These
								are:</xhtml:li>
							<xhtml:ul>
								<xhtml:li>serial, which contains the current serial number for
									certificates signed by the CA</xhtml:li>
								<xhtml:li>index.txt, which is a text database file that contains
									information about certificates signed</xhtml:li>
								<xhtml:li>crl, which is a directory for holding revoked
									certificates</xhtml:li>
								<xhtml:li>private, a directory which stores the CA's private
									key</xhtml:li>
							</xhtml:ul>
							<xhtml:li>creates a public-private key pair for the CA in the file
								/etc/pki/CA/private/cakey.pem. The private key must be kept private
								in order to ensure the security of the certificates the CA will
								later sign.</xhtml:li>
							<xhtml:li>signs the public key (using the corresponding private key, in
								a process called self-signing) to create the CA certificate, which
								is then stored in /etc/pki/CA/cacert.pem. </xhtml:li>
							<xhtml:li/>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When the CA later signs a server certificate using its private
						key, it means that it is vouching for the authenticity of that server. A
						client can then use the CA's certificate (which contains its public key) to
						verify the authenticity of the server certificate. To accomplish this, it is
						necessary to distribute the CA certificate to any clients.</description>
        </Group>
        <Group id="gr-networking-tls.2" hidden="false">
          <title xml:lang="en-US">Create X.509 Certificates for Servers</title>
          <description xml:lang="en-US"> Creating an X.509 certificate for a server involves
						the following steps: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>A public-private key pair for the server must be
								generated.</xhtml:li>
							<xhtml:li>A certificate signing request (CSR) must be created from the
								key pair.</xhtml:li>
							<xhtml:li>The CSR must be signed by a certificate authority (CA) to
								create the server certificate.</xhtml:li>
							<xhtml:li>The server certificate and keys must be installed on the
								server. </xhtml:li>
						</xhtml:ol>
					</description>
        </Group>
        <Group id="gr-networking-tls.3" hidden="false">
          <title xml:lang="en-US">Enable Client Support</title>
          <description xml:lang="en-US"> The system ships with certificates from
						well-known commercial CAs. If your server certificates were signed by one of
						these established CAs, then this step is not necessary since the clients
						should include the CA certificate already. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If your servers use certificates signed by your own CA, some
						user applications will warn that the server's certificate cannot be verified
						because the CA is not recognized. Other applications may simply fail to
						accept the certificate and refuse to operate, or continue operating without
						ever having properly verified the server certificate. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To avoid this warning, and properly authenticate the servers,
						your CA certificate must be exported to every application on every client
						system that will be connecting to an TLS-enabled server.</description>
          <Group id="gr-networking-tls.3.1" hidden="false">
            <title xml:lang="en-US">Adding a Trusted CA for Firefox</title>
            <description xml:lang="en-US"> Firefox needs to have a certificate from the
							CA that signed the web server's certificate, so that it can authenticate
							the web server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Firefox 3.6:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
								<xhtml:li>Launch Firefox and choose Preferences from the Edit menu. </xhtml:li>
								<xhtml:li>Click the Advanced button.</xhtml:li>
								<xhtml:li>Select the Encryption pane.</xhtml:li>
								<xhtml:li>Click the View Certificates button.</xhtml:li>
								<xhtml:li>Click the Authorities tab. </xhtml:li>
								<xhtml:li>Click the Import button at the bottom of the
									screen.</xhtml:li>
								<xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
							</xhtml:ol>
						</description>
          </Group>
          <Group id="gr-networking-tls.3.2" hidden="false">
            <title xml:lang="en-US">Adding a Trusted CA for Thunderbird</title>
            <description xml:lang="en-US"> Thunderbird needs to have a certificate from
							the CA that signed the mail server's certificates, so that it can
							authenticate the mail server(s).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Thunderbird 3: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
								<xhtml:li>Launch Thunderbird and choose Preferences from the
									Edit menu.</xhtml:li>
								<xhtml:li>Click the Advanced button.</xhtml:li>
								<xhtml:li>Select the Certificates tab</xhtml:li>
								<xhtml:li>Click the View Certificates button.</xhtml:li>
								<xhtml:li>Select the Authorities tab.</xhtml:li>
								<xhtml:li>Click the Import button at the bottom of the
									screen.</xhtml:li>
								<xhtml:li>Navigate to the CA certificate and import it. Determine
									whether the CA should be used to identify web sites, e-mail
									users, and software developers and trust it for each
									accordingly.</xhtml:li>
							</xhtml:ol>
						</description>
          </Group>
          <Group id="gr-networking-tls.3.3" hidden="false">
            <title xml:lang="en-US">Adding a Trusted CA for Evolution</title>
            <description xml:lang="en-US"> The Evolution e-mail client needs to have a
							certificate from the CA that signed the mail server's certificates, so
							that it can authenticate the mail server(s). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Evolution: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
								<xhtml:li>Launch Evolution and choose Preferences from the Edit
									menu.</xhtml:li>
								<xhtml:li>Select Certificates from the icon list on the
									left.</xhtml:li>
								<xhtml:li>Select the Authorities tab.</xhtml:li>
								<xhtml:li>Click the Import button.</xhtml:li>
								<xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
							</xhtml:ol>
						</description>
          </Group>
        </Group>
        <Group id="gr-networking-tls.4" hidden="false">
          <title xml:lang="en-US">Further Resources</title>
          <description xml:lang="en-US">
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The OpenSSL Project home page at
								http://www.openssl.org</xhtml:li>
							<xhtml:li>The openssl(1) man page</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
      </Group>
      <Group id="gr-networking.7" hidden="false">
        <title xml:lang="en-US">Uncommon Network Protocols</title>
        <description xml:lang="en-US"> The system includes support for several network
					protocols which are not commonly used. Although security vulnerabilities in
					kernel networking code are not frequently discovered, the consequences can be
					dramatic. Ensuring uncommon network protocols are disabled reduces the system’s
					risk to attacks targeted at its implementation of those protocols.</description>
        <Group id="gr-networking.7.1" hidden="false">
          <title xml:lang="en-US">Disable Support for DCCP</title>
          <description xml:lang="en-US"> To prevent the DCCP kernel module from being
						loaded, create /etc/modprobe.d/dccp.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install dccp /bin/true<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Datagram Congestion Control Protocol (DCCP) is a relatively
						new transport layer protocol, designed to support streaming media and
						telephony.</description>
          <Rule id="rule-1117" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Disable Support for DCCP</title>
            <description xml:lang="en-US">Support for DCCP should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-14268-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1117" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking.7.2" hidden="false">
          <title xml:lang="en-US">Disable Support for SCTP</title>
          <description xml:lang="en-US"> To prevent the SCTP kernel module from being
						loaded, create /etc/modprobe.d/sctp.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install sctp /bin/true<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Stream Control Transmission Protocol (SCTP) is a transport
						layer protocol, designed to support the idea of message-oriented
						communication, with several streams of messages within one
						connection.</description>
          <Rule id="rule-1118" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Disable Support for SCTP</title>
            <description xml:lang="en-US">Support for SCTP should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-14132-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1118" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking.7.3" hidden="false">
          <title xml:lang="en-US">Disable Support for RDS</title>
          <description xml:lang="en-US"> To prevent the RDS kernel module from being
						loaded, create /etc/modprobe.d/rds.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install rds /bin/true<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Reliable Datagram Sockets (RDS) protocol is a transport
						layer protocol designed to provide reliable high-bandwidth, low-latency
						communications between nodes in a cluster.</description>
          <Rule id="rule-1119" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Disable Support for RDS</title>
            <description xml:lang="en-US">Support for RDS should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-14027-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1119" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-logs" hidden="false">
      <title xml:lang="en-US">Logging and Auditing</title>
      <description xml:lang="en-US"> Successful local or network attacks on systems do not
				necessarily leave clear evidence of what happened. It is necessary to build a
				configuration in advance that collects this evidence, both in order to determine
				that something anomalous has occurred, and in order to respond appropriately. In
				addition, a well-configured logging and audit infrastructure will show evidence of
				any misconfiguration which might leave the system vulnerable to attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Logging and auditing take different approaches to collecting data. A
				logging infrastructure provides a framework for individual programs running on the
				system to report whatever events are considered interesting: the sshd program may
				report each successful or failed login attempt, while the sendmail program may
				report each time it sends an e-mail on behalf of a local or remote user. An auditing
				infrastructure, on the other hand, reports each instance of certain low-level
				events, such as entry to the setuid system call, regardless of which program caused
				the event to occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Auditing has the advantage of being more comprehensive, but the
				disadvantage of reporting a large amount of information, most of which is
				uninteresting. Logging (particularly using a standard framework like syslog) has the
				advantage of being compatible with a wide variety of client applications, and of
				reporting only information considered important by each application, but the
				disadvantage that the information reported is not consistent between applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A robust infrastructure will perform both logging and auditing, and will
				use configurable automated methods of summarizing the reported data, so that system
				administrators can remove or compress reports of events known to be uninteresting in
				favor of alert monitoring for events known to be interesting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section discusses how to configure logging, log monitoring, and
				auditing, using tools included with RHEL6. It is recommended that rsyslog be used for
				logging, with logwatch providing summarization, and that auditd be used for
				auditing, with aureport providing summarization.</description>
      <Group id="gr-logs-syslog" hidden="false">
        <title xml:lang="en-US">Configure Rsyslog</title>
        <description xml:lang="en-US"> Rsyslog is an enhanced, multi-threaded syslog daemon.
		This section discusses how to configure rsyslog for best
		effect, and how to use tools provided with the system to maintain and monitor
		your logs.</description>
        <Rule id="rule-1120" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">accepted</status>
          <title xml:lang="en-US">Rsyslog service is enabled</title>
          <description xml:lang="en-US">The rsyslog service should be enabled.</description>
          <ident system="http://cce.mitre.org">CCE-3679-8</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:org.open-scap.rhel6:def:1120" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
        <Group id="gr-logs-syslog.1" hidden="false">
          <title xml:lang="en-US">Ensure All Important Messages are Captured</title>
          <description xml:lang="en-US">
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default RHEL6 rsyslog configuration stores the facilities
						authpriv, cron, and mail in named logs. This guide describes the
						implementation of the following configuration, but any configuration which
						stores the important facilities and is usable by the administrators will suffice:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Store each of the facilities kern, daemon, and syslog in its
								own log, so that it will be easy to access information about
								messages from those facilities. </xhtml:li>
							<xhtml:li>Restrict the information stored in /var/log/messages to only
								the facilities auth and user, and store all messages from those
								facilities. Messages can easily become cluttered otherwise. </xhtml:li>
							<xhtml:li>Store information about all facilities which should not be in
								use at this site in a file called /var/log/unused.log. If any
								messages are logged to this file at some future point, this may be
								an indication that an unknown service is running, and should be
								investigated. In addition, if news and uucp are not in use at this
								site, remove the directive from the default syslog.conf which stores
								those facilities. </xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Making use of the local facilities is also recommended. Specific
						configuration is beyond the scope of this guide, but applications such as
						SSH can easily be configured to log to a local facility which is not being
						used for anything else. If this is done, reconfigure /etc/syslog.conf to
						store this facility in an appropriate named log or in /var/log/messages,
						rather than in /var/log/unused.log.</description>
        </Group>
        <Group id="gr-logs-syslog.2" hidden="false">
          <title xml:lang="en-US">Confirm Existence and Permissions of System Log	Files</title>
          <description xml:lang="en-US"> For each log file LOGFILE referenced in
						/etc/rsyslog.conf, run the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># touch LOGFILE</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root LOGFILE</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod 0600 LOGFILE</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Some logs may contain
						sensitive information, so it is better to restrict permissions so that only
						administrative users can read or write logfiles.</description>
          <Value id="var-1121" operator="equals" type="string">
            <title xml:lang="en-US">User that owns log files</title>
            <description xml:lang="en-US">Specify user owner of all logfiles specified
							in /etc/rsyslog.conf.</description>
            <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Value id="var-1122" operator="equals" type="string">
            <title xml:lang="en-US">Group that owns log files</title>
            <description xml:lang="en-US">Specify group owner of all logfiles specified
							in /etc/rsyslog.conf.</description>
            <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Rule id="rule-1121" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of System Log Files</title>
            <description xml:lang="en-US">All syslog log files should be owned by user <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1121"/>.</description>
            <ident system="http://cce.mitre.org">CCE-4366-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1121" value-id="var-1121"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1121" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1122" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of System Log Files</title>
            <description xml:lang="en-US">All syslog log files should be group owned group <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1122"/>.</description>
            <ident system="http://cce.mitre.org">CCE-3701-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1122" value-id="var-1122"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1122" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1123" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on System Log Files</title>
            <description xml:lang="en-US">File permissions for all syslog log files should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-4233-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1123" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.3" hidden="false">
          <title xml:lang="en-US">Syslog logs should be sent to a remote loghost</title>
          <description xml:lang="en-US">
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If system logs are to be useful in detecting malicious
						activities, it is necessary to send logs to a remote server. An intruder who
						has compromised the root account on a machine may delete the log entries
						which indicate that the system was attacked before they are seen by an
						administrator. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          </description>
          <Rule id="rule-1124" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Send Logs to a Remote Loghost</title>
            <description xml:lang="en-US">Syslog logs should be sent to a remote loghost</description>
            <ident system="http://cce.mitre.org">CCE-4260-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1124" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.4" hidden="false">
          <title xml:lang="en-US">Rsyslog shouldn't be run in a compatibility mode</title>
          <description xml:lang="en-US">Rsyslog can be run in a compatibility mode which simulates the behavior of its older versions.
		The version to be compatible with is specified with a command line option. It is advisable to run the daemon in a mode
		that matches its current version. Using an older mode may alter your configuration in an unexpected way.
		The mode can be configured by changing the value of the SYSLOGD_OPTIONS variable in /etc/sysconfig/rsyslog.
		</description>
          <Rule id="rule-1125" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Rsyslog shouldn't be run in a compatibility mode</title>
            <description xml:lang="en-US">An appropriate compatibility mode, that matches the daemons current version should be specified
		using the SYSLOGD_OPTION variable in /etc/sysconfig/rsyslog.
		</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1125" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.5" hidden="false">
          <title xml:lang="en-US">Ensure All Logs are Rotated by logrotate</title>
          <description xml:lang="en-US"> Edit the file /etc/logrotate.d/syslog. Find the
						first line, which should look like this: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> /var/log/messages /var/log/secure /var/log/maillog
						/var/log/spooler /var/log/boot.log /var/log/cron { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit this line so that it contains a one-space-separated listing
						of each log file referenced in /etc/rsyslog.conf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> All logs in use
						on a system must be rotated regularly, or the log files will consume disk
						space over time, eventually interfering with system operation. The file
						/etc/logrotate.d/syslog is the configuration file used by the logrotate
						program to maintain all log files written by syslog. By default, it rotates
						logs weekly and stores four archival copies of each log. These settings can
						be modified by editing /etc/logrotate.conf, but the defaults are sufficient
						for purposes of this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note that logrotate is run nightly by the cron job
						/etc/cron.daily/logrotate. If particularly active logs need to be rotated
						more often than once a day, some other mechanism must be used.</description>
          <Rule id="rule-1126" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">All Logs are Rotated by logrotate</title>
            <description xml:lang="en-US">The logrotate (syslog rotater) service should be
							enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4182-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1126" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.6" hidden="false">
          <title xml:lang="en-US">Monitor Suspicious Log Messages using Logwatch</title>
          <description xml:lang="en-US"> The system includes an extensible program called
						Logwatch for reporting on unusual items in syslog. Logwatch is valuable
						because it provides a parser for the syslog entry format and a number of
						signatures for types of lines which are considered to be mundane or
						noteworthy. Logwatch has a number of downsides: the signatures can be
						inaccurate and are not always categorized consistently, and you must be able
						to program in Perl in order to customize the signature database. However, it
						is recommended that all Linux sites which do not have time to deploy a
						third-party log monitoring application run Logwatch in its default
						configuration. This provides some useful information about system activity
						in exchange for very little administrator effort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide recommends that Logwatch be run only on the central
						logserver, if your site has one, in order to focus administrator attention
						by sending all daily logs in a single e-mail.</description>
          <Group id="gr-logs-syslog.6.1" hidden="false">
            <title xml:lang="en-US">Configure Logwatch on the Central Log Server</title>
            <description xml:lang="en-US"> Is this machine the central log server? If
							so, edit the file /etc/logwatch/conf/logwatch.conf. Add or correct the
							following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">HostLimit = no</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SplitHosts = yes</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">MultiEmail = no</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Service = -zz-disk_space</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> On a central logserver, you want Logwatch to summarize all
							syslog entries, including those which did not originate on the logserver
							itself. The HostLimit setting tells Logwatch to report on all hosts, not
							just the one on which it is running. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If SplitHosts is set, Logwatch will separate entries by
							hostname. This makes the report longer but significantly more usable. If
							it is not set, then Logwatch will not report which host generated a
							given log entry, and that information is almost always necessary. If
							MultiEmail is set, then each host's information will be sent in a
							separate e-mail message. This is a matter of preference.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Service directive -zz-disk space tells Logwatch not to
							run the zz-disk space report, which reports on free disk space. Since
							all log monitoring is being done on the central logserver, the disk
							space listing will always be that of the logserver, regardless of which
							host is being monitored. This is confusing, so disable that service.
							Note that this does mean that Logwatch will not monitor disk usage
							information. Many workarounds are possible, such as running df on each
							host daily via cron and sending the output to syslog so that it will be
							reported to the logserver.</description>
          </Group>
          <Group id="gr-logs-syslog.6.2" hidden="false">
            <title xml:lang="en-US">Remove Logwatch on Clients if a Logserver Exists</title>
            <description xml:lang="en-US"> Does your site have a central logserver which
							has been configured to report on logs received from all systems? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum remove logwatch<xhtml:br/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If no logserver exists, it will be necessary for each
							machine to run Logwatch individually. Using a central logserver provides
							the security and reliability benefits discussed earlier, and also makes
							monitoring logs easier and less time-intensive for
							administrators.</description>
          </Group>
        </Group>
      </Group>
      <Group id="gr-logs-audit" hidden="false">
        <title xml:lang="en-US">System Accounting with auditd</title>
        <description xml:lang="en-US"> The audit service is the current Linux recommendation
					for kernel-level auditing. By default, the service records SELinux AVC
					denials and certain types of security-relevant events such as system logins,
					account modifications, and authentication events performed by programs such as
					sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Under its default configuration, auditd has modest disk space
					requirements, and should not noticeably impact system performance. The audit
					service, in its default configuration, is strongly recommended for all sites,
					regardless of whether they are running SELinux. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> DoD or federal networks often have substantial auditing requirements
					and auditd can be configured to meet these requirements.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Typical DoD requirements include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>Ensure Auditing is Configured to Collect Certain System Events <xhtml:ul>
								<xhtml:li>Information on the Use of Print Command (unsuccessful and
									successful)</xhtml:li>
								<xhtml:li>Startup and Shutdown Events (unsuccessful and
									successful)</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Ensure the auditing software can record the following for each
							audit event: <xhtml:ul>
								<xhtml:li>Date and time of the event</xhtml:li>
								<xhtml:li>Userid that initiated the event</xhtml:li>
								<xhtml:li>Type of event</xhtml:li>
								<xhtml:li>Success or failure of the event</xhtml:li>
								<xhtml:li>For I&amp;A events, the origin of the request (e.g.,
									terminal ID)</xhtml:li>
								<xhtml:li>For events that introduce an object into a user’s address
									space, and for object deletion events, the name of the object,
									and in MLS systems, the objects security level.</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Ensure files are backed up no less than weekly onto a different
							system than the system being audited or backup media.</xhtml:li>
						<xhtml:li>Ensure old logs are closed out and new audit logs are started
							daily</xhtml:li>
						<xhtml:li>Ensure the configuration is immutable. With the -e 2 setting a
							reboot will be required to change any audit rules.</xhtml:li>
						<xhtml:li>Ensure that the audit data files have permissions of 640, or more
							restrictive.</xhtml:li>
					</xhtml:ul>
				</description>
        <Group id="gr-logs-audit.1" hidden="false">
          <title xml:lang="en-US">Enable the auditd Service</title>
          <description xml:lang="en-US"> Ensure that the auditd service is enabled (this
						is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig auditd on <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, auditd logs only SELinux denials, which are helpful
						for debugging SELinux and discovering intrusion attempts, and certain types
						of security events, such as modifications to user accounts (useradd, passwd,
						etc), login events, and calls to sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Data is stored in /var/log/audit/audit.log. By default, auditd
						rotates 4 logs by size (5MB), retaining a maximum of 20MB of data in total,
						and refuses to write entries when the disk is too full. This minimizes the
						risk of audit data filling its partition and impacting other services.
						However, it is possible to lose audit data if the system is
						busy.</description>
          <Rule id="rule-1127" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Auditd service is enabled</title>
            <description xml:lang="en-US">The auditd service should be enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4292-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1127" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-audit.2" hidden="false">
          <title xml:lang="en-US">Configure auditd Data Retention</title>
          <description xml:lang="en-US">
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Determine STOREMB , the amount of audit data (in megabytes)
								which should be retained in each log file. Edit the file
								/etc/audit/auditd.conf. Add or modify the following line:<xhtml:br/>
								<xhtml:br/> max_log_file = STOREMB</xhtml:li>
							<xhtml:li>Use a dedicated partition (or logical volume) for log files. It
								is straightforward to create such a partition or logical volume
								during system installation time. The partition should be larger than
								the maximum space which auditd will ever use, which is the maximum
								size of each log file (max log file) multiplied by the number of log
								files (num logs). Ensure the partition is mounted on
								/var/log/audit.</xhtml:li>
							<xhtml:li>If your site requires that the machine be disabled when
								auditing cannot be performed, configure auditd to halt the system
								when disk space for auditing runs low. Edit /etc/audit/auditd.conf,
								and add or correct the following lines:<xhtml:br/>
								<xhtml:br/> space_left_action = email<xhtml:br/> action_mail_acct =
								root<xhtml:br/> admin_space_left_action = halt<xhtml:br/>
							</xhtml:li>
						</xhtml:ul> The default action to take when the logs reach their maximum
						size is to rotate the log files, discarding the oldest one. If it is more
						important to retain all possible auditing information, even if that opens
						the possibility of running out of space and taking the action defined by
						admin space left action, add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> max_log_file_action = keep_logs<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, auditd retains 4 log files of size 5Mb apiece. For a
						busy system or a system which is thoroughly auditing system activity, this
						is likely to be insufficient.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The log file size needed will depend heavily on what types of
						events are being audited. First configure auditing to log all the events of
						interest. Then monitor the log size manually for a while to determine what
						file size will allow you to keep the required data for the correct time period.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Using a dedicated partition for /var/log/audit prevents the
						auditd logs from disrupting system functionality if they fill the partition, and, more
						importantly, prevents other activity in /var from filling the partition and
						stopping the audit trail. (The audit logs are size-limited and therefore
						unlikely to grow without bound unless configured to do so.) Some machines may
						have requirements that no actions occur which cannot be audited. If this is
						the case, then auditd can be configured to halt the machine if it runs out of space.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Since older logs are rotated, configuring auditd this way
						does not prevent older logs from being rotated away before they can be
						viewed. </description>
          <warning xml:lang="en-US">If your system is configured to halt when logging
						cannot be performed, make sure this can never happen under normal
						circumstances! Ensure that /var/log/audit is on its own partition, and
						that this partition is larger than the maximum amount of data auditd will
						retain normally.</warning>
        </Group>
        <Group id="gr-logs-audit.3" hidden="false">
          <title xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
          <description xml:lang="en-US"> To ensure that all processes can be audited, even
						those which start prior to the audit daemon, add the argument audit=1 to the
						kernel line in /boot/grub/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00
						rhgb quiet audit=1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Each process on the system carries an ”auditable” flag which
						indicates whether its activities can be audited. Although auditd takes care
						of enabling this for all processes which launch after it does, adding the
						kernel argument ensures that it is set for every process during boot. </description>
          <Rule id="rule-1128" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
            <description xml:lang="en-US"> To ensure that all processes can be audited, even those which
							start prior to the audit daemon, add the argument audit=1 to the kernel
							line in /boot/grub/grub.conf</description>
            <ident system="http://cce.mitre.org">CCE-15026-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1128" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-audit.4" hidden="false">
          <title xml:lang="en-US">Configure auditd Rules for Comprehensive Auditing</title>
          <description xml:lang="en-US"> The auditd program can perform comprehensive
						monitoring of system activity. This section describes recommended
						configuration settings for comprehensive auditing, but a full description of
						the auditing system’s capabilities is beyond the scope of this guide. The
						mailing list linux-audit@redhat.com may be a good source of further information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The audit subsystem supports extensive collection of events, including:
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Tracing of arbitrary system calls (identified by name or
								number) on entry or exit.</xhtml:li>
							<xhtml:li>Filtering by PID, UID, call success, system call argument
								(with some limitations), etc.</xhtml:li>
							<xhtml:li>Monitoring of specific files for modifications to the file’s
								contents or metadata.</xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Auditing rules are controlled in the file /etc/audit/audit.rules.
						Add rules to it to meet the auditing requirements for your organization.
						Each line in /etc/audit/audit.rules represents a series of arguments that
						can be passed to auditctl and can be individually tested as such. See
						documentation in /usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i> and in the related man pages
						for more details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Recommended audit rules are provided in
						/usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i>/stig.rules. In order to activate those rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i>/stig.rules
							/etc/audit/audit.rules<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then edit /etc/audit/audit.rules and comment out the lines
						containing arch= which are not appropriate for your system’s architecture.
						Then review and understand the following rules, ensuring rules are activated
						as needed for the appropriate architecture.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> After reviewing all the rules, reading the following sections,
						and editing as needed, activate the new rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service auditd restart</xhtml:code>
					</description>
          <Group id="gr-logs-audit.4.1" hidden="false">
            <title xml:lang="en-US">Records Events that Modify Date and Time Information</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
							setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S
							stime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S
							clock_settime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/localtime -p wa -k
							time-change </description>
            <Rule id="rule-1129" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Records Events that Modify Date and Time Information</title>
              <description xml:lang="en-US">Audit rules about time</description>
              <ident system="http://cce.mitre.org">CCE-14051-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1129" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.2" hidden="false">
            <title xml:lang="en-US">Record Events that Modify User/Group Information</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
							in order to capture events that modify account changes:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/group -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/passwd -p
							wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/gshadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							-w /etc/shadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/security/opasswd -p
							wa -k identity </description>
            <Rule id="rule-1130" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Record Events that Modify User/Group Information</title>
              <description xml:lang="en-US">Audit rules about User/Group Information</description>
              <ident system="http://cce.mitre.org">CCE-14829-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1130" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.3" hidden="false">
            <title xml:lang="en-US">Record Events that Modify the System’s Network Environment</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
							setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a exit,always -F arch=ARCH -S sethostname -S setdomainname
							-k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/issue -p wa -k
							system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/issue.net -p wa -k
							system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/hosts -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							-w /etc/sysconfig/network -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1131" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Record Events that Modify the System’s Network Environment</title>
              <description xml:lang="en-US">Audit rules about the System’s Network
								Environment</description>
              <ident system="http://cce.mitre.org">CCE-14816-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1131" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.4" hidden="false">
            <title xml:lang="en-US">Record Events that Modify the System’s Mandatory Access Controls</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/selinux/ -p wa -k MAC-policy </description>
            <Rule id="rule-1132" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Record Events that Modify the System’s Mandatory Access Controls</title>
              <description xml:lang="en-US">Audit rules about the System’s Mandatory Access
								Controls</description>
              <ident system="http://cce.mitre.org">CCE-14821-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1132" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.5" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Logon and Logout	Events</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							login info for all users and root. Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/tallylog -p wa -k logins
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/faillock/ -p wa -k logins
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/lastlog -p wa -k logins </description>
            <Rule id="rule-1133" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Auditd Collects Logon and Logout Events</title>
              <description xml:lang="en-US">Audit rules about the Logon and Logout Events</description>
              <ident system="http://cce.mitre.org">CCE-14904-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1133" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.6" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Process and Session Initiation Information</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							process information for all users and root. Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/run/utmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w
							/var/log/btmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/wtmp -p wa -k
							session </description>
            <Rule id="rule-1134" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Process and Session Initiation Information</title>
              <description xml:lang="en-US">Audit rules about the Process and Session Initiation
								Information</description>
              <ident system="http://cce.mitre.org">CCE-14679-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1134" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.7" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							file permission changes for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat
							-F auid&gt;=500 -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
							always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F
							auid&gt;=500 -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
							always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S
							removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F
							auid!=4294967295 -k perm_mod </description>
            <Rule id="rule-1135" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
              <description xml:lang="en-US">Audit rules about the Discretionary Access Control
								Permission Modification Events</description>
              <ident system="http://cce.mitre.org">CCE-14058-2</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1135" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.8" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							unauthorized file accesses for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S creat -S open -S openat -S
							truncate -S ftruncate -F exit=-EACCES -F auid&gt;=500 -F
							auid!=4294967295 -k access<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S
							creat -S open -S openat -S truncate -S ftruncate -F
							exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k access </description>
            <Rule id="rule-1136" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
              <description xml:lang="en-US">Audit rules about the Unauthorized Access Attempts to Files
								(unsuccessful)</description>
              <ident system="http://cce.mitre.org">CCE-14917-9</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1136" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.9" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Information on the Use of Privileged Commands</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							the execution of privileged commands for all users and root. Find all set-uid programs by running
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">find /bin -type f -perm -04000 2>/dev/null</xhtml:code>
							and for each such program, add a rule similar to the
							following to /etc/audit/audit.rules, replacing /bin/ping by path to the program in question:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F path=/bin/ping -F perm=x -F auid&gt;=500 -F
							auid!=4294967295 -k privileged </description>
            <Rule id="rule-1137" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Information on the Use of Privileged Commands</title>
              <description xml:lang="en-US">Audit rules about the Information on the Use of Privileged
								Commands</description>
              <ident system="http://cce.mitre.org">CCE-14296-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1137" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.10" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Information on Exporting to Media (successful)</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							media exportation events for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S mount -F auid&gt;=500 -F
							auid!=4294967295 -k export </description>
            <Rule id="rule-1138" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Information on Exporting to Media	(successful)</title>
              <description xml:lang="en-US">Audit rules about the Information on Exporting to Media
								(successful)</description>
              <ident system="http://cce.mitre.org">CCE-14569-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1138" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.11" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							file deletion events for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename
							-S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete </description>
            <Rule id="rule-1139" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Files Deletion Events by User (successful	and unsuccessful)</title>
              <description xml:lang="en-US">Audit rules about the Files Deletion Events by User
								(successful and unsuccessful)</description>
              <ident system="http://cce.mitre.org">CCE-14820-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1139" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.12" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects System Administrator Actions</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							administrator actions for all users and root.  Append the following line to /etc/pam.d/system-auth and /etc/pam.d/password-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							session   required pam_tty_audit.so disable=* enable=root
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and the following line to /etc/pam.d/sudo and /etc/pam.d/sudo-i:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							session required pam_tty_audit.so open_only enable=root
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>Also add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/sudoers -p wa -k actions</description>
            <Rule id="rule-1140" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects System Administrator Actions</title>
              <description xml:lang="en-US">Audit rules about the System Administrator
								Actions</description>
              <ident system="http://cce.mitre.org">CCE-14824-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1140" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.13" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules
							in order to capture kernel module loading and unloading events:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/insmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/rmmod -p
							x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/modprobe -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
							always,exit -F arch=ARCH -S init_module -S delete_module -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1141" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
              <description xml:lang="en-US">Audit rules about the Information on Kernel Module Loading
								and Unloading</description>
              <ident system="http://cce.mitre.org">CCE-14688-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1141" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.14" hidden="false">
            <title xml:lang="en-US">Make the auditd Configuration Immutable</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules
							in order to make the configuration immutable:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -e 2<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> With this setting, a reboot will be required to change any
							audit rules. </description>
            <Rule id="rule-1142" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Make the auditd Configuration Immutable</title>
              <description xml:lang="en-US">Force a reboot to change audit rules</description>
              <ident system="http://cce.mitre.org">CCE-14692-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1142" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
      </Group>
    </Group>
  </Group>
</Benchmark>