STIG Configuration for IOP and BigInsights - IBM



Page 1: STIG Configuration for IOP and BigInsights - IBM

STIG Configuration Red Hat System for IBM IOP/BigInsights

VERSION: 1.0.0 - November 2015

1. Introduction

1.1 Overview

This document provides basic guidelines for configuring IOP 4.1 and BigInsights 4.1 on a RHEL 6.x system in compliance with STIG (Security Technical Implementation Guide).

Testing was performed on a RHEL 6.6 cluster. We used U_RedHat_6_V1R8_STIG_SCAP_1-1_Benchmark to scan for conformance with, or deviation from, the STIG. The recommendations should apply for the most part to any version of RHEL 6.x, with a minimum of RHEL 6.5. Validation consisted of installation, a service check for IOP, and a basic sanity run of the IBM value-adds.

We used the open-scap tool to scan/validate security implementation. In this first implementation we focused on 178 select rules identified in this document.

1.2 What is STIG

A Security Technical Implementation Guide (STIG) is a methodology for the standardized secure installation and maintenance of computer software and hardware. When implemented, these guides lock down common and typically permissive software to further reduce vulnerabilities. The term was coined in 1998 by DISA, which creates configuration documents in support of the United States Department of Defense (DoD). The implementation guidelines include recommended administrative processes and span the devices' lifecycle. STIG scanning software is used to implement and validate proper configuration.

See https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide

1.3 How to install and run open-scap

We use open-scap to scan for the STIG requirements. To install open-scap:

yum install openscap
yum install openscap-utils
yum install scap-security-guide

Get Scap files:

wget http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_1-1_Benchmark.zip
unzip U_RedHat_6_V1R8_STIG_SCAP_1-1_Benchmark.zip


Run scan:

oscap xccdf eval --profile MAC-2_Sensitive --report /tmp/report.html --results /tmp/results.xml --cpe U_RedHat_6_V1R8_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml U_RedHat_6_V1R8_STIG_SCAP_1-1_Benchmark-xccdf.xml

Scan results can be found in the value for --report (in this case /tmp/report.html) and --results (/tmp/results.xml).

1.4 How to use this document and recommendations

The document is organized in sections covering the different areas of the operating system to consider when hardening. Each rule we enabled and tested is listed with some information on how best to remediate it. This information can also be found in the scan report or the RHEL security guide. We have highlighted the rules and recommendations that you need to consider.

We recommend that the following rules not be enabled, or be examined closely, as they will impact the ability to install, operate or support IOP/BigInsights:

• CCE-26444-0 The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
• CCE-26639-5, CCE-26635-8, CCE-26215-4, CCE-26436-6 and CCE-26557-9 Disk Partitioning
• CCE-26647-8 Ensure gpgcheck Enabled For All Yum Package Repositories
• CCE-26969-6 The system must use a Linux Security Module configured to enforce limits on system services
• CCE-26669-2 The system default umask in /etc/profile must be 077.
• CCE-26917-5 The system default umask for the bash shell must be 077
• CCE-27291-4 Set Last Logon/Access Notification
• CCE-27033-0 Process core dumps must be disabled unless needed

Additional rules listed in this document have been tested in our environment and unless specifically called out, it is safe to implement them according to the STIG recommendation.
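The scan in section 1.3 records a pass/fail verdict per rule in the --results file, and section 1.4 names the rules whose failure is accepted for IOP/BigInsights. The following script is an added example, not part of the IBM document or of the open-scap project: it walks an XCCDF results file with awk, prints the CCE identifier of every failed rule, and separates the deviations listed in section 1.4 (their CCE numbers are copied from that list) from failures that still need remediation. It assumes the results carry CCE identifiers in <ident> elements, as scap-security-guide content does; the embedded results file is constructed for the demo and keeps only the <rule-result>/<result>/<ident> layout of real oscap output.

```shell
#!/bin/sh
# Added example (not from the IBM document): summarise an XCCDF results file
# written by "oscap xccdf eval --results", separating documented deviations
# from failures that still require action.

# CCE identifiers that section 1.4 of the document says not to enable for IOP/BigInsights.
ACCEPTED_DEVIATIONS="CCE-26444-0 CCE-26639-5 CCE-26635-8 CCE-26215-4 CCE-26436-6 CCE-26557-9 CCE-26647-8 CCE-26969-6 CCE-26669-2 CCE-26917-5 CCE-27291-4 CCE-27033-0"

# failed_rules FILE: prints the CCE id of every rule-result whose <result> is "fail".
# awk is enough for the flat rule-result elements oscap writes; it is not a full XML parser.
failed_rules() {
    awk '
        /<rule-result/  { cce = ""; res = "" }
        /<ident/ && /CCE-/ { match($0, /CCE-[0-9]+-[0-9]+/); cce = substr($0, RSTART, RLENGTH) }
        /<result>/      { sub(/.*<result>/, ""); sub(/<\/result>.*/, ""); res = $0 }
        /<\/rule-result>/ { if (res == "fail" && cce != "") print cce }
    ' "$1"
}

# classify FILE: "accepted CCE-..." for documented deviations, "remediate CCE-..." otherwise.
classify() {
    for cce in $(failed_rules "$1"); do
        case " $ACCEPTED_DEVIATIONS " in
            *" $cce "*) echo "accepted $cce" ;;
            *)          echo "remediate $cce" ;;
        esac
    done
}

# count_remediate FILE: number of failed rules that are not documented deviations.
count_remediate() {
    classify "$1" | awk '$1 == "remediate" { n++ } END { print n + 0 }'
}

# Constructed sample results (not real scan output): three failures, one pass.
SAMPLE_RESULTS=$(mktemp)
cat > "$SAMPLE_RESULTS" <<'EOF'
<TestResult>
  <rule-result idref="example_rule_1">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-26840-9</ident>
  </rule-result>
  <rule-result idref="example_rule_2">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-26647-8</ident>
  </rule-result>
  <rule-result idref="example_rule_3">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-26947-2</ident>
  </rule-result>
  <rule-result idref="example_rule_4">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-27033-0</ident>
  </rule-result>
</TestResult>
EOF

classify "$SAMPLE_RESULTS"
echo "rules still to remediate: $(count_remediate "$SAMPLE_RESULTS")"
```

On a scanned host, point classify at the /tmp/results.xml written by the oscap command above; the accepted list is the place to record any further deviations you sign off on, so that the remediation count only ever reflects unexplained failures.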

1.5 References

• http://scap-securityguide.rhcloud.com/RHEL6/output/rhel6-guide.html
• http://iase.disa.mil/stigs/Pages/index.aspx

2. System Settings

2.1. Installing and Maintaining Software

2.1.1. Disk Partitioning

To ensure separation and protection of data, top-level system directories should be placed on their own physical partition or logical volume. The default partitioning scheme creates separate logical volumes for /, /boot, and swap.

TIP: Ensure proper sizing (e.g. /tmp must be greater than 5GB; see the Knowledge Center). Ensure you explicitly select the namenode, hdfs-dir, yarn and kafka-logs locations during IOP configuration; by default IOP will automatically use any available partitions.

The system must use a separate file system for /tmp.

The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Security identifiers

CCE-26435-8 CCI-000366

The system must use a separate file system for /var.

Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.

Security identifiers

CCE-26639-5 CCI-000366

The system must use a separate file system for /var/log.

Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".

Security identifiers

CCE-26215-4 CCI-000366

The system must use a separate file system for the system audit data path.

Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Security identifiers

CCE-26436-6 CCI-000137

The system must use a separate file system for user home directories.

Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Security identifiers


CCE-26557-9 CCI-000366

2.1.2. Updating Software

Make sure packages are cryptographically verified for RedHat system and any other RPMS.

The system package management tool must cryptographically verify the authenticity of system software packages during installation.

Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.

Security identifiers

CCE-26709-6 CCI-000663

To install the Red Hat GPG key, run:

rhn_register

If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:

rpm --import /media/cdrom/RPM-GPG-KEY

The system package management tool must cryptographically verify the authenticity of all software packages during installation.

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Security identifiers

CCE-26647-8 CCI-000663

To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: gpgcheck=0

NOTE: The rule may fail because the IOP .repo files have gpgcheck=0. Signature checking cannot be enabled for the IOP/value-add packages. Ambari has full control of the IOP*.repo files; they are generated when services are installed or added. For increased security you can create a mirror of the IBM® hosted repository on a machine within your enterprise network and instruct Ambari to use that local repository. You can also use this approach when internet access is restricted. For more details, please refer to the section "Creating a mirror repository for the IBM Open Platform with Apache Hadoop software" in the Knowledge Center.
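The rule and the note above leave an administrator with two kinds of gpgcheck=0 repository: the Ambari-generated IOP*.repo files, which must stay as they are, and everything else, where the line should be removed so the global gpgcheck setting in /etc/yum.conf applies. The script below is an added example, not part of the IBM document; it audits a repository directory with that distinction and removes gpgcheck=0 from non-IOP files. The three .repo files are constructed for the demo (the URLs are placeholders), and the IOP* filename pattern is taken from the note above.

```shell
#!/bin/sh
# Added example (not from the IBM document): find yum repositories that disable
# signature checking, treat Ambari-managed IOP*.repo files as the documented
# exception, and drop gpgcheck=0 from every other file.

# repo_disables_gpgcheck FILE: "1" if FILE has an active gpgcheck=0 line, else "0".
repo_disables_gpgcheck() {
    awk -F= '$1 ~ /^[ \t]*gpgcheck[ \t]*$/ && $2 ~ /^[ \t]*0[ \t]*$/ { found = 1 } END { print found + 0 }' "$1"
}

# audit_gpgcheck REPO_DIR: one line per .repo file:
#   ok NAME         no gpgcheck=0 present
#   exception NAME  IOP*.repo, generated by Ambari; leave as is
#   fix NAME        gpgcheck=0 present in a file that is not an IOP repo
audit_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ "$(repo_disables_gpgcheck "$f")" = 0 ]; then
            echo "ok $name"
        else
            case "$name" in
                IOP*) echo "exception $name" ;;
                *)    echo "fix $name" ;;
            esac
        fi
    done
}

# fix_gpgcheck FILE: remove gpgcheck=0 lines, as the remediation text above says,
# so the repository falls back to the global gpgcheck setting in /etc/yum.conf.
fix_gpgcheck() {
    tmp=$(mktemp)
    awk -F= '!($1 ~ /^[ \t]*gpgcheck[ \t]*$/ && $2 ~ /^[ \t]*0[ \t]*$/)' "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"
}

# count_repos REPO_DIR CATEGORY: number of audit lines in CATEGORY (ok, exception, fix).
count_repos() { audit_gpgcheck "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'; }

# Constructed sample repository directory (not copied from a real system).
DEMO_REPOS=$(mktemp -d)
cat > "$DEMO_REPOS/base.repo" <<'EOF'
[base]
name=Base (constructed)
baseurl=http://mirror.example.com/base
gpgcheck=1
EOF
cat > "$DEMO_REPOS/extras.repo" <<'EOF'
[extras]
name=Extras (constructed)
baseurl=http://mirror.example.com/extras
gpgcheck=0
EOF
cat > "$DEMO_REPOS/IOP.repo" <<'EOF'
[IOP-4.1]
name=IOP (constructed, Ambari-managed)
baseurl=http://mirror.example.com/iop
gpgcheck=0
EOF

echo "before:"; audit_gpgcheck "$DEMO_REPOS"
BEFORE_FIX=$(count_repos "$DEMO_REPOS" fix)
fix_gpgcheck "$DEMO_REPOS/extras.repo"
echo "after:"; audit_gpgcheck "$DEMO_REPOS"
```

Run audit_gpgcheck against /etc/yum.repos.d on a real host; because Ambari regenerates the IOP*.repo files, re-run the audit after any service is added so newly generated exceptions are visible rather than silently counted as compliant.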


2.1.3. Software Integrity Checking

A file integrity tool must be installed.

The AIDE package must be installed if it is to be available for integrity checking.

Security identifiers

CCE-27024-9 CCI-001069

Install the AIDE package with the command:

yum install aide

2.2. File Permissions and Masks

2.2.1. Restrict Partition Mount Options

Not tested as part of the scope of this exercise.

2.2.2. Restrict Dynamic Mounting and Unmounting of Filesystems

Automated file system mounting tools must not be enabled unless needed.

All file systems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New file systems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.

Security identifiers

CCE-26976-1 CCI-000366

The autofs service can be disabled with the following command:

chkconfig --level 0123456 autofs off

To stop autofs if the service is running, run the following command:

service autofs stop

The operating system must enforce requirements for the connection of mobile devices to operating systems.

USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.

Security identifiers

CCE-27016-5 CCI-000086

To configure the system to prevent the usb-storage kernel module from being loaded, run the following command:

echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf

2.2.3. Verify Permissions on Important Files and Directories

The /etc/gshadow file must be owned by root.

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Security identifiers

CCE-27026-4 CCI-000366

To properly set the owner of /etc/gshadow, run the command:

chown root /etc/gshadow

The /etc/gshadow file must be group-owned by root.

The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Security identifiers

CCE-26975-3 CCI-000366

To properly set the group owner of /etc/gshadow, run the command:

chgrp root /etc/gshadow

The /etc/gshadow file must have mode 0000.

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Security identifiers

CCE-26951-4 CCI-000366

To properly set the permissions of /etc/gshadow, run the command:

chmod 0000 /etc/gshadow


The /etc/passwd file must be owned by root.

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Security identifiers

CCE-26953-0 CCI-000366

To properly set the owner of /etc/passwd, run the command:

chown root /etc/passwd

The /etc/passwd file must be group-owned by root.

The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Security identifiers

CCE-26856-5 CCI-000366

To properly set the group owner of /etc/passwd, run the command:

chgrp root /etc/passwd

The /etc/passwd file must have mode 0644 or less permissive.

If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Security identifiers

CCE-26868-0 CCI-000366

To properly set the permissions of /etc/passwd, run the command:

chmod 0644 /etc/passwd

The /etc/group file must be owned by root.

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

CCE-26822-7 CCI-000366


To properly set the owner of /etc/group, run the command:

chown root /etc/group

The /etc/group file must be group-owned by root.

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

CCE-26930-8 CCI-000366

To properly set the group owner of /etc/group, run the command:

chgrp root /etc/group

The /etc/group file must have mode 0644 or less permissive.

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Security identifiers

CCE-26954-8 CCI-000366

To properly set the permissions of /etc/group, run the command:

chmod 644 /etc/group

The /etc/shadow file must be owned by root.

The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Security identifiers

CCE-26947-2 CCI-000366

To properly set the owner of /etc/shadow, run the command:

chown root /etc/shadow

The /etc/shadow file must be group-owned by root.

The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.

Security identifiers


CCE-26967-0 CCI-000366

To properly set the group owner of /etc/shadow, run the command:

chgrp root /etc/shadow

The /etc/shadow file must have mode 0000.

The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Security identifiers

CCE-26992-8 CCI-000366

To properly set the permissions of /etc/shadow, run the command:

chmod 0000 /etc/shadow
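The twelve rules above describe one policy table: each of /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow must be owned and group-owned by root and must have a mode no more permissive than the one given (0644 for passwd and group, 0000 for shadow and gshadow). The script below is an added example, not part of the IBM document: it audits all four files against that table and applies the chown/chgrp/chmod remediation the document gives. "Less permissive" is implemented as "no permission bit set that the maximum mode does not also set". The ROOT, OWNER and GROUP parameters are my additions so the demo can run on a constructed tree owned by the current user; on a real host they are "", root and root.

```shell
#!/bin/sh
# Added example (not from the IBM document): check and remediate owner, group
# and mode of the local account files covered by the rules above.

# Policy table: PATH  MAXIMUM_MODE (owner and group must be root on a real host).
ACCOUNT_FILES='
/etc/passwd  0644
/etc/group   0644
/etc/shadow  0000
/etc/gshadow 0000
'

# mode_within ACTUAL MAX: "yes" if ACTUAL (octal, as printed by stat -c %a)
# sets no permission bit outside MAX, otherwise "no".
mode_within() {
    if [ $(( 0$1 & ~0$2 )) -eq 0 ]; then echo yes; else echo no; fi
}

# audit_account_files ROOT OWNER GROUP: "ok PATH" or "fix PATH problem..." per file.
# ROOT is prefixed to each path so a test tree can stand in for "/".
audit_account_files() {
    root="$1"; owner="$2"; group="$3"
    printf '%s\n' "$ACCOUNT_FILES" | while read -r path maxmode; do
        [ -n "$path" ] || continue
        f="$root$path"
        if [ ! -e "$f" ]; then echo "fix $path missing"; continue; fi
        problems=""
        [ "$(stat -c %U "$f")" = "$owner" ] || problems="$problems owner=$(stat -c %U "$f")"
        [ "$(stat -c %G "$f")" = "$group" ] || problems="$problems group=$(stat -c %G "$f")"
        mode=$(stat -c %a "$f")
        [ "$(mode_within "$mode" "$maxmode")" = yes ] || problems="$problems mode=$mode(max $maxmode)"
        if [ -z "$problems" ]; then echo "ok $path"; else echo "fix $path$problems"; fi
    done
}

# remediate_account_files ROOT OWNER GROUP: the chown/chgrp/chmod steps from the
# document, applied to every file in the table.
remediate_account_files() {
    root="$1"; owner="$2"; group="$3"
    printf '%s\n' "$ACCOUNT_FILES" | while read -r path maxmode; do
        [ -n "$path" ] || continue
        f="$root$path"
        [ -e "$f" ] || continue
        chown "$owner" "$f" && chgrp "$group" "$f" && chmod "$maxmode" "$f"
    done
}

# count_fixes ROOT OWNER GROUP: number of files still needing remediation.
count_fixes() { audit_account_files "$1" "$2" "$3" | awk '$1 == "fix" { n++ } END { print n + 0 }'; }

# Constructed demo tree owned by the current user (on a real host use "" root root):
# passwd and shadow are compliant, group and gshadow are too permissive.
DEMO_ROOT=$(mktemp -d); DEMO_OWNER=$(id -un); DEMO_GROUP=$(id -gn)
mkdir -p "$DEMO_ROOT/etc"
for f in passwd group shadow gshadow; do : > "$DEMO_ROOT/etc/$f"; done
chmod 644 "$DEMO_ROOT/etc/passwd"; chmod 664 "$DEMO_ROOT/etc/group"
chmod 000 "$DEMO_ROOT/etc/shadow"; chmod 640 "$DEMO_ROOT/etc/gshadow"

echo "before:"; audit_account_files "$DEMO_ROOT" "$DEMO_OWNER" "$DEMO_GROUP"
BEFORE_FIXES=$(count_fixes "$DEMO_ROOT" "$DEMO_OWNER" "$DEMO_GROUP")
remediate_account_files "$DEMO_ROOT" "$DEMO_OWNER" "$DEMO_GROUP"
echo "after:"; audit_account_files "$DEMO_ROOT" "$DEMO_OWNER" "$DEMO_GROUP"
```

The audit step is worth keeping separate from the remediation: it reports which attribute is wrong (owner, group or mode), so a finding such as a group-writable /etc/group can be traced to the change that introduced it before the file is silently reset.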

Library files must be owned by root.

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Security identifiers

CCE-27424-1 CCI-001499

NOTE: After installation the rule might fail because of the following files:

-rwxr-xr-x ams:root /usr/lib/ams-hbase/bin/hadoop
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/temp.linux-x86_64-2.6/psutil/_psutil_posix.o
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/temp.linux-x86_64-2.6/psutil/_psutil_linux.o
-rwxr-xr-x ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/_psutil_linux.so
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_pssunos.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_compat.pyc
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_psosx.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_common.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_compat.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_psposix.pyc
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/__init__.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_pswindows.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_psbsd.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/__init__.pyc
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_common.pyc
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_pslinux.py
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_pslinux.pyc
-rw-r--r-- ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/psutil/_psposix.py
-rwxr-xr-x ams:hadoop /usr/lib/python2.6/site-packages/resource_monitoring/psutil/build/lib.linux-x86_64-2.6/_psutil_posix.so

Ambari currently installs these files as part of the Ambari Metrics service under /usr/lib/python2.6/site-packages/. Changing their ownership or permissions will prevent Ambari from functioning properly.

All system command files must have mode 755 or less permissive.

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Security identifiers

CCE-27289-8 CCI-001499

NOTE: After installation the rule might fail because of the following files:

-rwxrwxr-x root:root /usr/bin/conf-select
-rwxrwxr-x root:root /usr/bin/iop-select

Remediation: run chmod 755 on the files above.

All system command files must be owned by root.

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.

Security identifiers

CCE-27623-8 CCI-001499

NOTE: After installation the rule might fail because of the following files in /usr/iop/4.1.0.0/hive-hcatalog/bin:

-rwxr-xr-x hive:hive common.sh
-rwxr-xr-x hive:hive hcat
-rwxr-xr-x hive:hive hcatcfg.py
-rwxr-xr-x hive:hive hcat.distro
-rwxr-xr-x hive:hive hcat.py
-rwxr-xr-x hive:hive templeton.cmd

Hive currently installs those files. Changing their ownership will prevent Hive from functioning properly.


The sticky bit must be set on all public directories.

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.

Security identifiers

CCE-26840-9 CCI-000366

NOTE: After installation the rule might fail because of the following directories:

drwxrwxrwx 2 spark hadoop 4096 Oct 25 18:22 /tmp/e90acc24-971f-48ed-8f65-53383eade00e_resources
drwxrwxrwx 2 spark hadoop 4096 Oct 25 18:22 /opt/tmp/e90acc24-971f-48ed-8f65-53383eade00e_resources
drwxrwxrwx 4 root root 4096 Oct 25 17:39 /var/lib/ambari-agent/data/tmp
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.CATALOG/8154c197b8c9f35f9e1eb8ba897506fc/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD_DAILY/0594fc18df7d3fa2dc612f734e29894f/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:40 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE/6de1060ff55cefa8f91b60e79225b770/.tmp
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:40 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE/6de1060ff55cefa8f91b60e79225b770/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.STATS/eb49b5d8a117c635751f30e12098467b/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.SEQUENCE/607f22941385a9c7d19bba796bb58593/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.SEQUENCE/7bbf0acc8f8477bcad8cf609d25da275/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD_HOURLY/3d7653f1aa9b4dab3fc92075abc879cc/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE_HOURLY/eb30602b7157a6419b94b85a4766449e/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:41 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD/f2786f7bfb74e9f5ac8c37320326dfa3/.tmp
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:41 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD/f2786f7bfb74e9f5ac8c37320326dfa3/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD_MINUTE/84108e3ab50a6e0f498ff02a15bd2aa5/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:22 /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE_DAILY/f8386926a9665c7aaa52980b3e318c8b/0
drwxrwxrwx 2 ams hadoop 4096 Oct 25 18:21 /var/lib/ambari-metrics-collector/hbase/data/hbase/namespace/f1a525f8162df03aa06283382ffa36cb/info

These directories are dynamically created and used during normal operation of different components. Changing permission will impact operation of IOP.

All public directories must be owned by a system account.

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Security identifiers


CCE-26642-9 CCI-000366

Prior to installation, ensure the rule is applied. After installation the rule might fail because of the following directories:

drwxrwxrwt hive:hive /usr/iop/4.1.0.0/hive/metastore
drwxrwxrwx spark:hadoop /tmp/e90acc24-971f-48ed-8f65-53383eade00e_resources
drwxrwxrwx spark:hadoop /opt/tmp/e90acc24-971f-48ed-8f65-53383eade00e_resources
drwxrwxrwt mapred:hadoop /var/lib/hadoop-mapreduce/cache
drwxrwxrwt hdfs:hadoop /var/lib/hadoop-hdfs/cache
drwxrwxrwt yarn:hadoop /var/lib/hadoop-yarn/cache
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.CATALOG/8154c197b8c9f35f9e1eb8ba897506fc/.tmp
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.CATALOG/8154c197b8c9f35f9e1eb8ba897506fc/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD_DAILY/0594fc18df7d3fa2dc612f734e29894f/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE/6de1060ff55cefa8f91b60e79225b770/.tmp
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE/6de1060ff55cefa8f91b60e79225b770/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.STATS/eb49b5d8a117c635751f30e12098467b/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.SEQUENCE/607f22941385a9c7d19bba796bb58593/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/SYSTEM.SEQUENCE/7bbf0acc8f8477bcad8cf609d25da275/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD_HOURLY/3d7653f1aa9b4dab3fc92075abc879cc/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE_HOURLY/eb30602b7157a6419b94b85a4766449e/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD/f2786f7bfb74e9f5ac8c37320326dfa3/.tmp
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD/f2786f7bfb74e9f5ac8c37320326dfa3/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD_MINUTE/84108e3ab50a6e0f498ff02a15bd2aa5/.tmp
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_RECORD_MINUTE/84108e3ab50a6e0f498ff02a15bd2aa5/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/default/METRIC_AGGREGATE_DAILY/f8386926a9665c7aaa52980b3e318c8b/0
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/hbase/meta/1588230740/.tmp
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/hbase/namespace/f1a525f8162df03aa06283382ffa36cb/.tmp
drwxrwxrwx ams:hadoop /var/lib/ambari-metrics-collector/hbase/data/hbase/namespace/f1a525f8162df03aa06283382ffa36cb/info
drwxrwxrwt mapred:hadoop /var/lib/hadoop-mapreduce/cache
drwxrwxrwt hdfs:hadoop /var/lib/hadoop-hdfs/cache
drwxrwxrwt yarn:hadoop /var/lib/hadoop-yarn/cache

These are temporary directories created and used during normal operation of different components. Changing their ownership may interfere with the operation of Hadoop and HBase.
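The two public-directory rules above (sticky bit set, CCE-26840-9; owned by a system account, CCE-26642-9) share the same list of expected IOP failures, so a single audit can serve both. The script below is an added example, not part of the IBM document: it walks a tree for world-writable directories, reports the directory families listed in the two notes above as accepted, flags the rest as missing the sticky bit or owned by a non-system account, and sets the sticky bit where that is the finding. The exclusion patterns are generalized from the paths in the notes; the UID threshold of 500 is the RHEL 6 default for the first ordinary user; the ROOT parameter and the demo tree are my additions so the example runs without touching the host.

```shell
#!/bin/sh
# Added example (not from the IBM document): audit world-writable directories
# for the sticky-bit and system-account-ownership rules above, recognising the
# IOP/Ambari directories the document lists as expected failures.

# is_accepted PATH: the directory families the document says IOP creates at
# run time and that must keep their current mode and ownership.
is_accepted() {
    case "$1" in
        /tmp/*_resources|/opt/tmp/*_resources)     return 0 ;;
        /var/lib/ambari-agent/data/tmp)            return 0 ;;
        /var/lib/ambari-metrics-collector/hbase/*) return 0 ;;
        /var/lib/hadoop-*/cache)                   return 0 ;;
        /usr/iop/*/hive/metastore)                 return 0 ;;
    esac
    return 1
}

# audit_public_dirs ROOT [SYSTEM_UID_MAX]: one line per world-writable directory:
#   accepted PATH          documented IOP exception, leave as is
#   nosticky PATH          world-writable without the sticky bit (CCE-26840-9)
#   useraccount UID PATH   owner is not a system account (CCE-26642-9)
#   ok PATH                compliant
# ROOT is stripped from PATH so a test tree can stand in for "/". UIDs below
# SYSTEM_UID_MAX count as system accounts (500 is the RHEL 6 UID_MIN default).
audit_public_dirs() {
    root="$1"; uid_max="${2:-500}"
    find "$root" -type d -perm -0002 | while read -r dir; do
        rel="${dir#"$root"}"
        mode=$(stat -c %a "$dir"); uid=$(stat -c %u "$dir")
        if is_accepted "$rel"; then
            echo "accepted $rel"
        elif [ $(( 0$mode & 01000 )) -eq 0 ]; then
            echo "nosticky $rel"
        elif [ "$uid" -ge "$uid_max" ]; then
            echo "useraccount $uid $rel"
        else
            echo "ok $rel"
        fi
    done
}

# fix_sticky ROOT: set the sticky bit on every "nosticky" finding.
fix_sticky() {
    audit_public_dirs "$1" | awk '$1 == "nosticky" { print $2 }' | while read -r rel; do
        chmod +t "$1$rel"
    done
}

# count_findings ROOT SYSTEM_UID_MAX CATEGORY: number of audit lines in CATEGORY.
count_findings() {
    audit_public_dirs "$1" "$2" | awk -v k="$3" '$1 == k { n++ } END { print n + 0 }'
}

# Constructed demo tree: a compliant /tmp, two documented IOP exceptions, one
# world-writable upload directory without the sticky bit, one private directory.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/tmp/e90acc24_resources" "$DEMO_ROOT/var/lib/hadoop-hdfs/cache" \
         "$DEMO_ROOT/srv/upload" "$DEMO_ROOT/var/www"
chmod 1777 "$DEMO_ROOT/tmp" "$DEMO_ROOT/var/lib/hadoop-hdfs/cache"
chmod 777  "$DEMO_ROOT/tmp/e90acc24_resources" "$DEMO_ROOT/srv/upload"
chmod 755  "$DEMO_ROOT/var/www"
# The demo tree is owned by whoever runs it, so treat that UID as a system
# account here; on a real host keep the default threshold of 500.
DEMO_UID_MAX=$(( $(id -u) + 1 ))

echo "before:"; audit_public_dirs "$DEMO_ROOT" "$DEMO_UID_MAX"
BEFORE_NOSTICKY=$(count_findings "$DEMO_ROOT" "$DEMO_UID_MAX" nosticky)
fix_sticky "$DEMO_ROOT"
echo "after:"; audit_public_dirs "$DEMO_ROOT" "$DEMO_UID_MAX"
```

Ownership findings are deliberately reported rather than fixed: the note above explains that re-owning the Hadoop and HBase cache directories breaks the services, and any directory outside the accepted list that is owned by an ordinary user needs a human decision about who should own it.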


2.2.4. Restrict Programs from Dangerous Execution Patterns

The system default umask for daemons must be 027 or 022.

The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Security identifiers

CCE-27031-4 CCI-000366

To properly set the umask for daemons run the following script:

var_umask_for_daemons="022"
grep -q ^umask /etc/init.d/functions && \
  sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
if ! [ $? -eq 0 ]; then
    echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi

Process core dumps must be disabled unless needed.

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Security identifiers

CCE-27033-0 CCI-000366

DO NOT APPLY: In addition to root, it is very important that service users (hdfs, hbase, bigsql, hive, etc.) be able to create core dumps in order to troubleshoot process, database or hardware issues. Disabling this would prevent IBM support from identifying a problem and will more than likely result in prolonged system outages.

2.3. SELinux

DO NOT APPLY: SELinux is not supported for Hadoop clusters. Enabling SELinux would cause IOP/BigInsights to malfunction.

IOP/BigInsights is not generally changed, configured, or accessed in the way that most Linux servers are accessed. All administration (besides stop, start, and software upgrades) can be accomplished from remote hosts or via the administration tool. If there are specific concerns about configuration or mandatory access control, customers are urged to completely restrict logging into the host and log a PMR with IBM Support.

The system must use a Linux Security Module at boot time.

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.


Security identifiers

CCE-26956-3 CCI-000366

The system must use a Linux Security Module configured to enforce limits on system services.

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Security identifiers

CCE-26969-6 CCI-000366

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing

The system must use a Linux Security Module configured to limit the privileges of system services.

Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Security identifiers

CCE-26875-5 CCI-000366

2.4. Account and Access Control

2.4.1. Protect Accounts by Restricting Password-Based Login

The system must require passwords to contain a minimum of 14 characters.

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).

Security identifiers

CCE-27002-5 CCI-000205

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following lines:

PASS_MIN_LEN 14


The DoD requirement is 14. The FISMA requirement is 12. If a program consults /etc/login.defs and also another PAM module (such as pam_cracklib) during a password change operation, then the most restrictive must be satisfied. See the PAM section for more information about enforcing password quality requirements.

Users must not be able to change passwords more than once every 24 hours.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Security identifiers

CCE-27013-2 CCI-000198

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately:

PASS_MIN_DAYS DAYS

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

User passwords must be changed at least every 60 days.

Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Security identifiers

CCE-26985-2 CCI-000199

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately:

PASS_MAX_DAYS DAYS

A value of 180 days is sufficient for many environments. The DoD requirement is 60.

Users must be warned 7 days in advance of password expiration.

Setting the password warning age enables users to make the change at a practical time.

Security identifiers

CCE-26988-6 CCI-000366

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately:


PASS_WARN_AGE DAYS

The DoD requirement is 7.

The system must prevent the root account from logging in from virtual consoles.

Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

Security identifiers

CCE-26855-7 CCI-000770

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:

vc/1
vc/2
vc/3
vc/4

The system must prevent the root account from logging in from serial consoles.

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Security identifiers

CCE-27047-0 CCI-000770

The system must not have accounts configured with blank or null passwords.

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Security identifiers

CCE-27038-9 CCI-000366

If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication.

Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" to prevent logons with empty passwords.

The /etc/passwd file must not contain password hashes.

The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.


Security identifiers

CCE-26476-2 CCI-000366

If any password hashes are stored in /etc/passwd (in the second field, instead of an x), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

The root account must be the only account having a UID of 0.

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
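The two /etc/passwd checks above (a hash in the second field, a second UID 0 account) and the /etc/securetty check from the console rules can be scripted as an audit. The following is an added example and not part of the IBM document or the SCAP benchmark: it takes file paths as parameters so it can run on copies, and the passwd and securetty samples it writes are constructed (the hash is a placeholder string, and the ttyS entries follow the serial-console rule, which the document states without showing the lines).

```sh
#!/bin/sh
# Added example (not from the IBM document): passwd and securetty audit for the
# rules above. File paths are parameters so the checks can run on copies/samples.

# Accounts whose second passwd field is anything but "x"; the hash (or lock marker)
# should live in /etc/shadow, which is not world-readable.
hashes_in_passwd() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# UID 0 accounts other than root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# securetty entries that would let root log in on a virtual (vc/N) or serial
# (ttySN) console. The document shows only the vc/ form; ttyS is assumed here.
root_console_entries() {
    awk '/^(vc\/|ttyS)/ { print $1 }' "$1"
}

# audit_accounts PASSWD_FILE SECURETTY_FILE: prints one FAIL line per finding and
# returns the number of findings (0 means nothing found).
audit_accounts() {
    findings=0
    for u in $(hashes_in_passwd "$1"); do
        echo "FAIL $u: password field in passwd is not 'x' (hash stored in passwd?)"
        findings=$((findings + 1))
    done
    for u in $(extra_uid0_accounts "$1"); do
        echo "FAIL $u: UID 0 account other than root"
        findings=$((findings + 1))
    done
    for t in $(root_console_entries "$2"); do
        echo "FAIL securetty: root login permitted on $t"
        findings=$((findings + 1))
    done
    if [ "$findings" -eq 0 ]; then echo "PASS no account findings"; fi
    return $findings
}

# Constructed samples (not captured from any host); the hash is a placeholder.
write_account_samples() {
    cat > "$1/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hadoop:x:1002:1002:Hadoop:/home/hadoop:/bin/bash
EOF
    cat > "$1/passwd.bad" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
legacy:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1001:1001:Legacy:/home/legacy:/bin/bash
hadoop:x:1002:1002:Hadoop:/home/hadoop:/bin/bash
EOF
    printf 'console\ntty1\ntty2\n' > "$1/securetty.good"
    printf 'console\ntty1\nvc/1\nvc/2\nttyS0\n' > "$1/securetty.bad"
}

# Stand-alone demo: audit both sample pairs.
demo_dir=$(mktemp -d)
write_account_samples "$demo_dir"
for s in good bad; do
    echo "== $s =="
    if audit_accounts "$demo_dir/passwd.$s" "$demo_dir/securetty.$s"; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
done
rm -rf "$demo_dir"
```

On a live host, run audit_accounts /etc/passwd /etc/securetty as root; a lock marker such as "!!" in the passwd field is reported too, since the rule wants nothing but "x" there.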

Security identifiers

CCE-26971-2 CCI-000366

Accounts must be locked upon 35 days of inactivity.

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Security identifiers

CCE-27283-1 CCI-000017

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:

INACTIVE=NUM_DAYS

A value of 35 is recommended.

The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Security identifiers

CCE-27283-1 CCI-000795

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:


INACTIVE=NUM_DAYS

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
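The password-aging values from 2.4.1 (PASS_MIN_LEN, PASS_MIN_DAYS, PASS_MAX_DAYS, PASS_WARN_AGE in /etc/login.defs and INACTIVE in /etc/default/useradd) can be verified with a small audit script. The following is an added example, not code from the IBM document or the SCAP benchmark; it uses the DoD values quoted in the text, takes file paths as parameters so it can run on copies, and the sample files it writes are constructed.

```sh
#!/bin/sh
# Added example (not from the IBM document): audit password-aging settings against
# the DoD values quoted above (14 / 1 / 60 / 7 and INACTIVE 35).

# Value of KEY from a "KEY VALUE" file such as /etc/login.defs ('#' comments
# skipped, last occurrence wins, as shadow-utils does). Empty if KEY is absent.
logindefs_get() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { v = $2 } END { print v }' "$1"
}

# Value of NAME from a "NAME=VALUE" file such as /etc/default/useradd (no leading
# whitespace assumed, which is how useradd -D writes the file).
defaults_get() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# expect LABEL VALUE OP BOUND: one PASS/FAIL line; returns 1 when VALUE is unset
# or does not satisfy "VALUE OP BOUND" (OP is a test(1) operator such as -ge).
expect() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ]; then echo "PASS $1=$2"; return 0; fi
    echo "FAIL $1=${2:-<unset>} (want $3 $4)"; return 1
}

# audit_password_aging LOGIN_DEFS USERADD_DEFAULTS
# Prints one line per check; the return status is the number of failed checks.
audit_password_aging() {
    fails=0
    expect PASS_MIN_LEN  "$(logindefs_get "$1" PASS_MIN_LEN)"  -ge 14 || fails=$((fails + 1))
    expect PASS_MIN_DAYS "$(logindefs_get "$1" PASS_MIN_DAYS)" -ge 1  || fails=$((fails + 1))
    expect PASS_MAX_DAYS "$(logindefs_get "$1" PASS_MAX_DAYS)" -le 60 || fails=$((fails + 1))
    expect PASS_WARN_AGE "$(logindefs_get "$1" PASS_WARN_AGE)" -ge 7  || fails=$((fails + 1))
    # INACTIVE needs a range check: -1 means "never disable", which -le 35 alone would accept.
    inactive=$(defaults_get "$2" INACTIVE)
    if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$inactive" -le 35 ]; then
        echo "PASS INACTIVE=$inactive"
    else
        echo "FAIL INACTIVE=${inactive:-<unset>} (want 0..35; -1 means never disable)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample files (not captured from a host): one pair with the DoD
# values from the text, one pair with stock RHEL 6 values.
write_aging_samples() {
    cat > "$1/login.defs.good" <<'EOF'
# constructed sample
PASS_MAX_DAYS 60
PASS_MIN_DAYS 1
PASS_MIN_LEN  14
PASS_WARN_AGE 7
UMASK 077
EOF
    printf 'INACTIVE=35\n' > "$1/useradd.good"
    cat > "$1/login.defs.bad" <<'EOF'
# constructed sample: stock RHEL 6 values
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN  5
PASS_WARN_AGE 7
EOF
    printf 'INACTIVE=-1\n' > "$1/useradd.bad"
}

# Stand-alone demo: audit both sample pairs.
demo_dir=$(mktemp -d)
write_aging_samples "$demo_dir"
for pair in good bad; do
    echo "== $pair =="
    if audit_password_aging "$demo_dir/login.defs.$pair" "$demo_dir/useradd.$pair"; then
        echo "compliant"
    else
        echo "$? check(s) failed"
    fi
done
rm -rf "$demo_dir"
```

Note that these files only govern accounts created afterwards; existing accounts keep the aging values recorded in /etc/shadow (see chage) and need to be checked separately.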

2.4.2. Protect Accounts by Configuring PAM

The system must require passwords to contain at least one numeric character.

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

CCE-26374-9 CCI-000194

The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.

The system must disable accounts after excessive login failures within a 15-minute interval.

Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.

Security identifiers

CCE-27215-3 CCI-001452

Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login attempts.

Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

The system must require passwords to contain at least one uppercase alphabetic character.

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.


Security identifiers

CCE-26601-5 CCI-000192

The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.

The system must require passwords to contain at least one special character.

Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

CCE-26409-3 CCI-001619

The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ocredit=-1 after pam_cracklib.so to require use of a special character in passwords.

The system must require passwords to contain at least one lowercase alphabetic character.

Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

CCE-26631-2 CCI-000193

The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.

The system must require at least four characters be changed between the old and new passwords during a password change.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Security identifiers


CCE-26615-5 CCI-000195

The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. Add difok=NUM after pam_cracklib.so to require differing characters when changing passwords, substituting NUM appropriately. The DoD requirement is 4.

The system must disable accounts after three consecutive unsuccessful logon attempts.

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Security identifiers

CCE-26844-1 CCI-000044

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so:

Add the following lines immediately below the pam_unix.so statement in AUTH section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

CCE-26303-8 CCI-000803

In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).

Using a stronger hashing algorithm makes password cracking attacks more difficult.


Security identifiers

CCE-27228-6 CCI-000803

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

CCE-27229-4 CCI-000803

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

Using a stronger hashing algorithm makes password cracking attacks more difficult.

The system must require administrator action to unlock an account locked by excessive failed login attempts.

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Security identifiers

CCE-27110-6 CCI-000047

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so:

Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
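The PAM settings prescribed in 2.4.2 (no nullok on pam_unix, the pam_faillock deny/fail_interval/unlock_time values, the pam_cracklib credit and difok values, and sha512 on the password-section pam_unix line) can be audited from a system-auth or password-auth file with the script below. It is an added example and not part of the IBM document or the SCAP benchmark; the file path is a parameter, and the two sample stacks it writes are constructed (the "bad" one mirrors a stock RHEL 6 layout, the "good" one adds the lines quoted above).

```sh
#!/bin/sh
# Added example (not from the IBM document): audit a system-auth style PAM file
# for the values the PAM rules above call for.

# Non-comment lines of TYPE (auth, password, ...) that reference MODULE.
pam_lines() {
    awk -v type="$2" -v mod="$3" '$1 == type && index($0, mod) { print }' "$1"
}

# pam_opt FILE TYPE MODULE OPT: value of OPT=VALUE on the first matching line.
pam_opt() {
    pam_lines "$1" "$2" "$3" | awk -v opt="$4" '{
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n == 2 && kv[1] == opt) { print kv[2]; exit }
        }
    }'
}

# expect LABEL VALUE OP BOUND: one PASS/FAIL line; returns 1 when VALUE is unset
# or does not satisfy "VALUE OP BOUND" (OP is a test(1) operator such as -le).
expect() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ]; then echo "PASS $1=$2"; return 0; fi
    echo "FAIL $1=${2:-<unset>} (want $3 $4)"; return 1
}

# audit_pam_file FILE: one line per check; returns the number of failures.
audit_pam_file() {
    f=$1; fails=0
    if awk '$1 !~ /^#/ && /pam_unix\.so/ && /nullok/' "$f" | grep -q .; then
        echo "FAIL nullok present on a pam_unix.so line"; fails=$((fails + 1))
    else
        echo "PASS no nullok"
    fi
    expect deny          "$(pam_opt "$f" auth pam_faillock.so deny)"          -le 3      || fails=$((fails + 1))
    expect fail_interval "$(pam_opt "$f" auth pam_faillock.so fail_interval)" -ge 900    || fails=$((fails + 1))
    expect unlock_time   "$(pam_opt "$f" auth pam_faillock.so unlock_time)"   -ge 604800 || fails=$((fails + 1))
    for credit in dcredit ucredit ocredit lcredit; do
        expect "$credit" "$(pam_opt "$f" password pam_cracklib.so "$credit")" -le -1 || fails=$((fails + 1))
    done
    expect difok "$(pam_opt "$f" password pam_cracklib.so difok)" -ge 4 || fails=$((fails + 1))
    if pam_lines "$f" password pam_unix.so | grep -q sha512; then
        echo "PASS pam_unix password hashing is sha512"
    else
        echo "FAIL pam_unix password line lacks sha512"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed samples (not captured from a host): "bad" mirrors a stock RHEL 6
# stack, "good" adds the lines the text prescribes.
write_pam_samples() {
    cat > "$1/system-auth.bad" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    cat > "$1/system-auth.good" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
EOF
}

# Stand-alone demo: audit both samples.
demo_dir=$(mktemp -d)
write_pam_samples "$demo_dir"
for s in good bad; do
    echo "== $s =="
    if audit_pam_file "$demo_dir/system-auth.$s"; then echo "compliant"; else echo "$? check(s) failed"; fi
done
rm -rf "$demo_dir"
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since the rules above require the faillock lines in each; pam_opt reads the first matching line only, so the authfail line (which the document lists first) is the one whose values are checked.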

The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.


Security identifiers

CCE-27291-4 CCI-000366

To configure the system to notify users of last logon/access using pam_lastlog, add the following line immediately after session required pam_limits.so:

session       required     pam_lastlog.so showfailed

DO NOT APPLY: With showfailed set, the Ambari install and service check might fail. Set silent instead if needed.

2.4.3. Secure Session Configuration Files for Login Accounts

The system default umask in /etc/login.defs must be 077.

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

CCE-26371-5 CCI-000366

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK 077

The system default umask for the csh shell must be 077.

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

CCE-27034-8 CCI-000366

The system default umask in /etc/profile must be 077.

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

CCE-26669-2 CCI-000366


To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows:

umask 077

DO NOT APPLY: Ambari requires the default umask to be 022 or 027.

The system default umask for the bash shell must be 077.

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

CCE-26917-5 CCI-000366

DO NOT APPLY: Big SQL will fail to install.

The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Security identifiers

CCE-27457-1 CCI-000054

2.4.4. Protect Physical Console Access

The system boot loader configuration file(s) must be owned by root.

Only root should be able to modify important boot parameters.

Security identifiers

CCE-26995-1 CCI-000366

The system boot loader configuration file(s) must be group-owned by root.

The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Security identifiers

CCE-27022-3 CCI-000366


The system boot loader configuration file(s) must have mode 0600 or less permissive.

Proper permissions ensure that only the root user can modify important boot parameters.

Security identifiers

CCE-26949-8 CCI-000366

File permissions for /boot/grub/grub.conf should be set to 600, which is the default. To properly set the permissions of /boot/grub/grub.conf, run the command:

chmod 600 /boot/grub/grub.conf

The system boot loader must require authentication.

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Security identifiers

CCE-26911-8 CCI-000213

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

grub-crypt --sha-512

Enter a password when prompted. Then insert the following line into /etc/grub.conf immediately after the header comments, using the output from grub-crypt as the value of password-hash:

password --encrypted password-hash

NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.

The system must require authentication upon booting into single-user and maintenance modes.

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Security identifiers

CCE-27040-5 CCI-000213

The system must not permit interactive boot.

Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Security identifiers


CCE-27043-9 CCI-000213

To disable the ability for users to perform interactive startups, edit the file /etc/sysconfig/init. Add or correct the line:

PROMPT=no

The PROMPT option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

The system must allow locking of the console screen in text mode.

Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.

Security identifiers

CCE-26940-7 CCI-000058

To enable console screen locking, install the screen package:

yum install screen

Instruct users to begin new terminal sessions with the following command:

screen

The console can now be locked with the following key combination:

ctrl+a x

The graphical desktop environment must set the idle timeout to no more than 15 minutes.

Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Security identifiers

CCE-26828-4 CCI-000057

Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15


The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.

Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.

Security identifiers

CCE-26600-7 CCI-000057

Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true

The graphical desktop environment must have automatic lock enabled.

Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.

Security identifiers

CCE-26235-2 CCI-000057

Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:

# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true

The system must display a publicly-viewable pattern during a graphical desktop environment session lock.

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Security identifiers

CCE-26638-7 CCI-000060

Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:

# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gnome-screensaver/mode blank-only


2.4.5. Warning Banners for System Accesses

A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Security identifiers

CCE-27195-7 CCI-000050

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:

sudo -u gdm gconftool-2 --type bool --set /apps/gdm/simple-greeter/banner_message_enable true

2.5. Network Configuration and Firewalls

2.5.1. Disable Zeroconf Networking

Not tested as part of the scope of this exercise.

2.5.2. Ensure System is Not Acting as a Network Sniffer

The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:

$ ip link | grep PROMISC

If any results are returned, then a sniffing process (such as tcpdump or Wireshark) is likely to be using the interface and this should be investigated.

2.5.3. Disable Unused Interfaces

Network interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled.

2.5.4. Kernel Parameters Which Affect Networking

IP forwarding for IPv4 must not be enabled, unless the system is a router.

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Security identifiers

CCE-26866-4 CCI-000366


To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

sysctl -w net.ipv4.ip_forward=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 0

The system must not accept IPv4 source-routed packets on any interface.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

CCE-27037-1 CCI-000366

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

sysctl -w net.ipv4.conf.all.accept_source_route=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.all.accept_source_route = 0

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

The system must not accept ICMPv4 redirect packets on any interface.

Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

CCE-27027-2 CCI-000366

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

sysctl -w net.ipv4.conf.all.accept_redirects=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects = 0

Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.


The system must not accept ICMPv4 secure redirect packets on any interface.

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

CCE-26854-0 CCI-000366

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

sysctl -w net.ipv4.conf.all.secure_redirects=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.all.secure_redirects = 0

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

The system must log Martian packets.

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Security identifiers

CCE-27066-0 CCI-000366

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

sysctl -w net.ipv4.conf.all.log_martians=1

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.all.log_martians = 1

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

The system must not accept IPv4 source-routed packets by default.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers


CCE-26983-7 CCI-000366

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

sysctl -w net.ipv4.conf.default.accept_source_route=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.default.accept_source_route = 0

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

The system must not accept ICMPv4 secure redirect packets by default.

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

CCE-26831-8 CCI-000366

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

sysctl -w net.ipv4.conf.default.secure_redirects=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.default.secure_redirects = 0

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

The system must ignore ICMPv4 redirect messages by default.

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

CCE-27015-7 CCI-000366

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

sysctl -w net.ipv4.conf.default.accept_redirects=0


If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.default.accept_redirects = 0

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

The system must not respond to ICMPv4 sent to a broadcast address.

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Security identifiers

CCE-26883-9 CCI-000366

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

The system must ignore ICMPv4 bogus error responses.

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Security identifiers

CCE-26993-6 CCI-000366

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Security identifiers

CCE-27053-8 CCI-001095

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

sysctl -w net.ipv4.tcp_syncookies=1

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.tcp_syncookies = 1

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Security identifiers

CCE-26979-5 CCI-000366

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

sysctl -w net.ipv4.conf.all.rp_filter=1

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.all.rp_filter = 1


The system must use a reverse-path filter for IPv4 network traffic when possible by default.

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Security identifiers

CCE-26915-9 CCI-000366

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

sysctl -w net.ipv4.conf.default.rp_filter=1

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter = 1


The system must not send ICMPv4 redirects by default.

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Security identifiers

CCE-27001-7 CCI-000366

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

sysctl -w net.ipv4.conf.default.send_redirects=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.default.send_redirects = 0


The system must not send ICMPv4 redirects from any interface.

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Security identifiers

CCE-27004-1 CCI-000366


To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

sysctl -w net.ipv4.conf.all.send_redirects=0

If this is not the system's default value, add the following line to /etc/sysctl.conf:

net.ipv4.conf.all.send_redirects = 0

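As an added example (not part of the IBM guide), the following POSIX shell checker reads a sysctl.conf-style file and reports which of the six network parameters above are missing or carry the wrong persistent value. The function names and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide: verify that a sysctl.conf-style file
# carries the persistent values required by the network rules above.
# It checks the file only; the runtime values set with "sysctl -w" are
# separate ("sysctl -n KEY" shows those on a live host).

# Expected key=value pairs, taken from the sysctl rules in this section.
EXPECTED_SYSCTL='
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
'

# sysctl_file_value FILE KEY: print the effective value of KEY in FILE.
# Comments (# or ;) and blank lines are ignored, whitespace around "=" is
# tolerated, and if KEY appears more than once the last assignment wins,
# which is how sysctl itself processes the file.
sysctl_file_value() {
    sed -e 's/[#;].*$//' "$1" | awk -F'=' -v key="$2" '
        NF >= 2 {
            k = $1; v = $2
            gsub(/[[:space:]]+/, "", k); gsub(/[[:space:]]+/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }'
}

# check_sysctl_conf FILE: print one OK/MISSING/WRONG line per expected key.
# Returns 0 only when every key is present with the expected value.
check_sysctl_conf() {
    file=$1; bad=0
    for pair in $EXPECTED_SYSCTL; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sysctl_file_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (add '$key = $want' to $file)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG    $key = $have (expected $want)"; bad=$((bad + 1))
        else
            echo "OK       $key = $have"
        fi
    done
    [ "$bad" -eq 0 ]
}

# count_sysctl_deviations FILE: number of expected keys that are missing or wrong.
count_sysctl_deviations() {
    check_sysctl_conf "$1" | grep -c -E '^(MISSING|WRONG)'
}

# Constructed sample sysctl.conf: one required key is commented out and one is
# overridden by a later line, which is the value sysctl would actually apply.
SAMPLE_SYSCTL=$(mktemp)
trap 'rm -f "$SAMPLE_SYSCTL"' EXIT
cat > "$SAMPLE_SYSCTL" <<'EOF'
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
#net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.send_redirects = 1   # later assignment wins
EOF

check_sysctl_conf "$SAMPLE_SYSCTL" || echo "sysctl.conf deviates from the STIG values"
```

Point it at /etc/sysctl.conf on a cluster node to see the two-line report the guide's rules correspond to; a commented-out or later-overridden key shows up as MISSING or WRONG rather than passing silently.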

2.5.5. Wireless Networking

The Bluetooth service must be disabled.

Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Security identifiers

CCE-27081-9 CCI-000085

2.5.6. IPv6

NOTE: Hadoop clusters currently do not support IPv6 (it should be disabled) and require IPv4.

The IPv6 protocol handler must not be bound to the network stack unless needed.

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Security identifiers

CCE-27153-6 CCI-000366

To prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d):

options ipv6 disable=1

This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.



The system must ignore ICMPv6 redirects by default.

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Security identifiers

CCE-27166-8 CCI-000366

To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network:

NETWORKING_IPV6=no

IPV6INIT=no

2.5.7. iptables and ip6tables

NOTE: Prior to IOP/Value-Adds installation, iptables should be disabled.

# Stop iptables
chkconfig iptables off
service iptables stop

# Disable and stop the firewall daemon
systemctl disable firewalld
service firewalld stop

NOTE: Based on the complexity of the Hadoop cluster, setting up iptables rules can be a time-consuming endeavor. Please refer to the following links for details on ports that need to be open and available.

1. Default ports created during typical IOP installation
2. Default ports created by a typical BigInsights value-add services installation

If needed consider working with IBM service/support based on your specific requirements.

We also recommend using dual network setup to have master services in a public network and worker services in a private network for a more secure cluster. See Setting up Dual Network for IOP in the IBM Knowledge Center for more details.

The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Security identifiers

CCE-27018-1 CCI-001100

The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.

In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.

Security identifiers

CCE-26444-0 CCI-000066

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables":

:INPUT DROP [0:0]

The system must employ a local IPv4 firewall.

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Security identifiers

CCE-27018-1 CCI-001118

2.5.8. Transport Layer Security Support

Not tested as part of the scope of this exercise.

2.5.9. Uncommon Network Protocols

The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Security identifiers

CCE-26448-1 CCI-000382

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install dccp /bin/false

The Stream Control Transmission Protocol (SCTP) must be disabled unless required.

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Security identifiers

CCE-26410-1 CCI-000382


The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install sctp /bin/false


The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Security identifiers

CCE-26239-4 CCI-000382

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install rds /bin/false


The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Security identifiers

CCE-26696-5 CCI-000382

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install tipc /bin/false

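As an added example (not part of the IBM guide), this shell checker confirms that a modprobe.d directory blocks the four protocol modules above and carries the IPv6 "options ipv6 disable=1" line from section 2.5.6. The function names and the sample directory are constructed for this illustration; it also shows the caveat that modprobe only reads files whose names end in .conf.

```shell
#!/bin/sh
# Added example, not from the IBM guide: verify that a modprobe.d directory blocks
# the uncommon protocol modules above (dccp, sctp, rds, tipc) and disables IPv6
# the way the IPv6 section describes (options ipv6 disable=1). Only files ending
# in .conf are read, because that is all modprobe itself reads from the directory.

# modprobe_conf_lines DIR: every *.conf line in DIR with comments stripped.
modprobe_conf_lines() {
    cat "$1"/*.conf 2>/dev/null | sed 's/#.*$//'
}

# module_is_blocked DIR MOD: true if an "install MOD /bin/false" line is present
# (/bin/true is accepted too; either replaces the real load and so prevents it).
module_is_blocked() {
    modprobe_conf_lines "$1" |
        grep -E -q "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(false|true)([[:space:]]|$)"
}

# ipv6_is_disabled DIR: true if "options ipv6 disable=1" is present.
ipv6_is_disabled() {
    modprobe_conf_lines "$1" |
        grep -E -q '^[[:space:]]*options[[:space:]]+ipv6([[:space:]]+[^[:space:]]+)*[[:space:]]+disable=1([[:space:]]|$)'
}

# check_modprobe_dir DIR: one OK/MISSING line per module; returns 0 only when all are blocked.
check_modprobe_dir() {
    dir=$1; bad=0
    for mod in dccp sctp rds tipc; do
        if module_is_blocked "$dir" "$mod"; then
            echo "OK       $mod is blocked"
        else
            echo "MISSING  $mod: add 'install $mod /bin/false' to a .conf file in $dir"
            bad=$((bad + 1))
        fi
    done
    if ipv6_is_disabled "$dir"; then
        echo "OK       ipv6 protocol support is disabled"
    else
        echo "MISSING  ipv6: add 'options ipv6 disable=1' to a .conf file in $dir"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# count_loadable_modules DIR: how many of the required blocks are absent.
count_loadable_modules() { check_modprobe_dir "$1" | grep -c '^MISSING'; }

# Constructed sample directory: dccp and sctp blocked, rds only commented out
# (so not blocked), and tipc placed in a file without the .conf suffix, which
# modprobe ignores.
SAMPLE_MODPROBE=$(mktemp -d)
trap 'rm -rf "$SAMPLE_MODPROBE"' EXIT
cat > "$SAMPLE_MODPROBE/disabled.conf" <<'EOF'
# constructed sample
options ipv6 disable=1
install dccp /bin/false
install sctp   /bin/false
# install rds /bin/false
EOF
echo 'install tipc /bin/false' > "$SAMPLE_MODPROBE/tipc"   # wrong name: no .conf suffix

check_modprobe_dir "$SAMPLE_MODPROBE" || echo "some modules can still be loaded"
```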

2.5.10. IPSec Support

The system must provide VPN connectivity for communications over untrusted networks.

Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

Security identifiers


CCE-27626-1 CCI-001130

2.6. Configure Syslog

2.6.a. Ensure rsyslog is Installed

Rsyslog is installed by default. The rsyslog service can be installed with the following command:

yum install rsyslog

2.6.b. Enable rsyslog Service

The rsyslog service can be enabled with the following command:

chkconfig --level 0123456 rsyslog on

Start rsyslog service if not currently running with the following command:

service rsyslog start

2.6.c. Disable Logwatch on Clients if a Logserver Exists

Not tested as part of the scope of this exercise.

2.6.4. Ensure Proper Configuration of Log Files

All rsyslog-generated log files must be owned by root.

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Security identifiers

CCE-26812-8 CCI-001314

The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". Run the following command to inspect a file's owner: $ ls -l [LOGFILE].

NOTE: After installation, on the Hive metastore host this rule might fail because mysqld.log is not owned by root:

-rw-r----- 1 mysql mysql 2159 Oct 16 16:15 mysqld.log

To address this, create a new directory /var/log/mysql and change the location of the log in the MySQL configuration file /etc/my.cnf as follows:

log-error=/var/log/mysql/mysqld.log


2.6.5. Rsyslog Logs Sent To Remote Host

The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Security identifiers

CCE-26801-1 CCI-001348

To configure rsyslog to send logs to a remote log server loghost.example.com using UDP protocol, add the following line to /etc/rsyslog.conf:

*.* @loghost.example.com

To configure rsyslog to send logs to a remote log server loghost.example.com using TCP protocol, add the following line to /etc/rsyslog.conf:

*.* @@loghost.example.com

To configure rsyslog to send logs to a remote log server loghost.example.com using RELP protocol, add the following line to /etc/rsyslog.conf:

*.* :omrelp:loghost.example.com

The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Security identifiers

CCE-26801-1 CCI-000169

2.6.6. Configure rsyslogd to Accept Remote Messages If Acting as a Log Server

Not tested as part of the scope of this exercise.

2.6.7. Ensure All Logs are Rotated by logrotate

Not tested as part of the scope of this exercise.


2.6.8. Configure Logwatch on the Central Log Server

Not tested as part of the scope of this exercise.

2.7. System Accounting with auditd

2.7.a. Enable auditd Service

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:

chkconfig --level 2345 auditd on

Ensuring the auditd service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.

Security Identifiers

CCE-27058-7

chkconfig --level 0123456 auditd on

service auditd start

2.7.b. Enable Auditing for Processes Which Start Prior to the Audit Daemon

Auditing must be enabled at boot by setting a kernel parameter.

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Security identifiers

CCE-26785-6 CCI-000169

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

2.7.3. Configure auditd Data Retention

The audit system must alert designated staff members when the audit storage volume approaches capacity.

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Security identifiers


CCE-27238-5 CCI-000138

Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

space_left_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include:

• ignore

• syslog

• email

• exec

• suspend

• single

• halt

Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.

The system must set a maximum audit log file size.

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Security identifiers

CCE-27550-3 CCI-000366

Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value for STOREMB:

max_log_file = STOREMB

Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

The system must retain enough rotated audit logs to cover the required log retention period.

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Security identifiers

CCE-27522-2 CCI-000366

Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value:

num_logs = NUMLOGS

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Security identifiers

CCE-27241-9 CCI-000139

Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

action_mail_acct = root


The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Security identifiers

CCE-27239-3 CCI-000366

Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

admin_space_left_action = ACTION

Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt.
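As an added example (not part of the IBM guide), this shell checker parses an auditd.conf and verifies the retention settings covered in this section (space_left_action, max_log_file, num_logs, action_mail_acct, admin_space_left_action), and reports how much audit storage the file actually retains. The function names and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide: check the data-retention settings in an
# auditd.conf against the values this section recommends, and report how much
# audit storage they retain (max_log_file * num_logs, in MB).

# auditd_conf_get FILE KEY: value of KEY (comments dropped, last assignment wins).
auditd_conf_get() {
    sed 's/#.*$//' "$1" | awk -F'=' -v key="$2" '
        NF >= 2 {
            k = $1; v = $2
            gsub(/[[:space:]]+/, "", k); gsub(/[[:space:]]+/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }'
}

# is_uint VALUE: true if VALUE is a non-empty string of digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# audit_storage_mb FILE: max_log_file * num_logs, or 0 if either is unset/non-numeric.
audit_storage_mb() {
    size=$(auditd_conf_get "$1" max_log_file); n=$(auditd_conf_get "$1" num_logs)
    if is_uint "$size" && is_uint "$n"; then echo $((size * n)); else echo 0; fi
}

# check_auditd_retention FILE: one OK/FAIL line per setting; 0 only when all pass.
# Accepted values follow the guide: space_left_action email (or suspend, single,
# halt), admin_space_left_action single (or suspend, halt), mail to root,
# max_log_file >= 6 MB, num_logs >= 2 (anything lower disables rotation).
check_auditd_retention() {
    f=$1; bad=0
    sla=$(auditd_conf_get "$f" space_left_action | tr 'A-Z' 'a-z')
    case "$sla" in
        email|suspend|single|halt) echo "OK       space_left_action = $sla" ;;
        *) echo "FAIL     space_left_action = '${sla:-unset}' (set to email)"; bad=$((bad + 1)) ;;
    esac
    asla=$(auditd_conf_get "$f" admin_space_left_action | tr 'A-Z' 'a-z')
    case "$asla" in
        single|suspend|halt) echo "OK       admin_space_left_action = $asla" ;;
        *) echo "FAIL     admin_space_left_action = '${asla:-unset}' (set to single)"; bad=$((bad + 1)) ;;
    esac
    mail=$(auditd_conf_get "$f" action_mail_acct)
    if [ "$mail" = root ]; then echo "OK       action_mail_acct = root"
    else echo "FAIL     action_mail_acct = '${mail:-unset}' (set to root)"; bad=$((bad + 1)); fi
    size=$(auditd_conf_get "$f" max_log_file)
    if is_uint "$size" && [ "$size" -ge 6 ]; then echo "OK       max_log_file = $size MB"
    else echo "FAIL     max_log_file = '${size:-unset}' (set to 6 or higher)"; bad=$((bad + 1)); fi
    n=$(auditd_conf_get "$f" num_logs)
    if is_uint "$n" && [ "$n" -ge 2 ]; then echo "OK       num_logs = $n"
    else echo "FAIL     num_logs = '${n:-unset}' (below 2 disables rotation; set to 5)"; bad=$((bad + 1)); fi
    echo "INFO     retained audit storage: $(audit_storage_mb "$f") MB"
    [ "$bad" -eq 0 ]
}

# count_auditd_findings FILE: number of FAIL lines for FILE.
count_auditd_findings() { check_auditd_retention "$1" | grep -c '^FAIL'; }

# Constructed sample resembling a stock RHEL 6 auditd.conf: space_left_action is
# still SYSLOG, which the guide asks to change to email.
SAMPLE_AUDITD=$(mktemp)
trap 'rm -f "$SAMPLE_AUDITD"' EXIT
cat > "$SAMPLE_AUDITD" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 6
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
EOF

check_auditd_retention "$SAMPLE_AUDITD" || echo "auditd.conf needs changes"
```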

2.7.4. Configure auditd Rules for Comprehensive Auditing

After making changes to audit rules, the new rules can be activated by restarting auditd as follows:

service auditd restart


Audit log files must be owned by root.

If non-privileged users can write to audit logs, audit trails can be modified or destroyed.

Security identifiers

CCE-27244-3 CCI-000162

chown root /var/log

Audit log files must have mode 0640 or less permissive.

If users can write to audit logs, audit trails can be modified or destroyed.

Security identifiers

CCE-27243-5 CCI-000163

chmod 0640 audit_files

The audit system must be configured to audit all attempts to alter system time through settimeofday

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

CCE-27203-9 CCI-000169

On a 64-bit system, add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

The audit system must be configured to audit all attempts to alter system time through stime.

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

CCE-27169-2 CCI-000169

On a 64-bit system, the "-S stime" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

The audit system must be configured to audit all attempts to alter system time through clock_settime

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

CCE-27170-0 CCI-000169

On a 64-bit system, add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

The audit system must be configured to audit all attempts to alter system time through /etc/localtime

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

CCE-27172-6 CCI-000169

Add the following to /etc/audit/audit.rules:

-w /etc/localtime -p wa -k audit_time_rules

The operating system must automatically audit account creation

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Security identifiers

CCE-26664-3 CCI-000018, CCI-001403, CCI-001404, CCI-001405

Add the following to /etc/audit/audit.rules to capture events that modify accounts:

-w /etc/group -p wa -k audit_account_changes

-w /etc/passwd -p wa -k audit_account_changes

-w /etc/gshadow -p wa -k audit_account_changes

-w /etc/shadow -p wa -k audit_account_changes

-w /etc/security/opasswd -p wa -k audit_account_changes

The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Security identifiers

CCE-26657-7 CCI-000366

Add the following to /etc/audit/audit.rules:

-w /etc/selinux/ -p wa -k MAC-policy

The audit system must be configured to audit all discretionary access control permission modifications using chmod.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-26280-8 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using chown.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27173-4 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod


The audit system must be configured to audit all discretionary access control permission modifications using fchmod.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27174-2 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27175-9 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fchown.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27177-5 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod


The audit system must be configured to audit all discretionary access control permission modifications using fchownat.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27178-3 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27179-1 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27180-9 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod


The audit system must be configured to audit all discretionary access control permission modifications using lchown.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27181-7 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27182-5 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27183-3 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod


The audit system must be configured to audit all discretionary access control permission modifications using removexattr.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27184-1 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit all discretionary access control permission modifications using setxattr.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

CCE-27185-8 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

The audit system must be configured to audit successful file system mounts.

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Security identifiers

CCE-26573-6 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

The audit system must be configured to audit user deletions of files and programs.

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Security identifiers

CCE-26651-0 CCI-000172

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

The audit system must be configured to audit changes to the /etc/sudoers file.

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.

Security identifiers

CCE-26662-7 CCI-000172

Add the following to /etc/audit/audit.rules:

-w /etc/sudoers -p wa -k actions

The audit system must be configured to audit the loading and unloading of dynamic kernel modules.

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Security identifiers

CCE-26611-4 CCI-000172

Add the following to /etc/audit/audit.rules:

-w /sbin/insmod -p x -k modules

-w /sbin/rmmod -p x -k modules

-w /sbin/modprobe -p x -k modules

-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

The audit system must be configured to audit all attempts to alter system time through adjtimex.

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

CCE-26242-8 CCI-000169

Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
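A compliance check for the audit rules listed in this section, written as an added example (it is not part of the IBM guide and not an open-scap check). It reads an audit.rules file and reports which of the required rules are missing, matching each rule by the syscall or path it watches and by its key rather than by exact text, so argument order and extra filters do not matter. The arch field is ignored, so a rule set that also carries arch=b32 copies of each syscall rule passes unchanged. The sample rules file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the IBM guide: check an audit.rules file for the rules
# this section requires. Each required rule is identified by what it watches
# (a syscall name or a file path) and by its key, the way it appears in the file.
# Usage on a real host: check_audit_rules /etc/audit/audit.rules

# One entry per line: kind|object|key
#   syscall -> an "-a always,exit" rule with "-S object" and "-k key"
#   watch   -> a "-w object" rule with "-k key"
REQUIRED_RULES='
syscall|setxattr|perm_mod
syscall|mount|export
syscall|unlink|delete
syscall|unlinkat|delete
syscall|rename|delete
syscall|renameat|delete
watch|/etc/sudoers|actions
watch|/sbin/insmod|modules
watch|/sbin/rmmod|modules
watch|/sbin/modprobe|modules
syscall|init_module|modules
syscall|delete_module|modules
syscall|adjtimex|audit_time_rules
syscall|settimeofday|audit_time_rules
syscall|clock_settime|audit_time_rules
'

# has_rule FILE KIND OBJECT KEY -> exit 0 if an uncommented rule in FILE audits
# OBJECT under KEY. Syscalls may be given as repeated "-S name" flags (as in the
# guide) or as a comma-separated list after one -S; the arch filter is ignored.
has_rule() {
    file=$1 kind=$2 obj=$3 key=$4
    key_re="-k[[:space:]]+$key([[:space:]]|\$)"
    case $kind in
        syscall) rule_re="^[[:space:]]*-a[[:space:]].*-S[[:space:]]+([A-Za-z0-9_]+,)*$obj([[:space:],]|\$)" ;;
        watch)   rule_re="^[[:space:]]*-w[[:space:]]+$obj([[:space:]]|\$)" ;;
        *)       return 2 ;;
    esac
    grep -v '^[[:space:]]*#' "$file" | grep -E -- "$rule_re" | grep -qE -- "$key_re"
}

# check_audit_rules FILE -> prints each missing rule, returns how many are missing
check_audit_rules() {
    file=$1 missing=0
    for entry in $REQUIRED_RULES; do          # entries contain no whitespace
        kind=${entry%%|*}
        rest=${entry#*|}
        obj=${rest%%|*}
        key=${rest#*|}
        if ! has_rule "$file" "$kind" "$obj" "$key"; then
            echo "MISSING: $kind $obj (key $key)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# write_sample_rules FILE writes a constructed audit.rules holding the rules
# from this section (demonstration data, not a real system file).
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample audit.rules
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
EOF
}

# Demonstration on the constructed file.
demo_audit_rules() {
    tmp=$(mktemp)
    write_sample_rules "$tmp"
    if check_audit_rules "$tmp"; then
        echo "all required audit rules present"
    fi
    rm -f "$tmp"
}
demo_audit_rules
```

The return value of check_audit_rules is the number of missing rules, so the function can drive a node-by-node report across a cluster; a rule is only credited when it is uncommented, which catches the common case of a rule left in the file but disabled with a leading #.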

3. Services

3.1. Obsolete Services

This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this, many of these services are not installed as part of RHEL 6 by default.

Organizations which are running these services should switch to more secure equivalents as soon as possible. If it remains absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software such as iptables to restrict access to the vulnerable service to only those remote hosts which have a known need to use it.

There must be no .rhosts or hosts.equiv files on the system.

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Security identifiers

CCE-27270-8 CCI-001436

Remove .rhosts files (found in user home directories) and /etc/hosts.equiv from the system

find / -type f -name .rhosts -exec rm -f {} +

rm -f /etc/hosts.equiv

The xinetd service must be disabled if no network services utilizing it are enabled.

The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Security identifiers

CCE-27046-2 CCI-000382

Disable xinetd on the system by executing the following command

chkconfig xinetd off

The xinetd service must be uninstalled if no network services utilizing it are enabled.

Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.

Security identifiers

CCE-27005-8 CCI-000382

Remove the xinetd service by executing the following command

yum erase xinetd

The telnet daemon must not be running.

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Security identifiers

CCE-26836-7 CCI-000888

Disable the telnet daemon by executing the following

chkconfig telnet off

The telnet-server package must not be installed.

Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Security identifiers

CCE-27073-6 CCI-000381

Remove telnet-server by executing the following

yum erase telnet-server

The rshd service must not be running.

The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Security identifiers

CCE-26994-4 CCI-000068

Disable rsh service by executing the following

chkconfig rsh off

The rsh-server package must not be installed.

The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Security identifiers

CCE-27062-9 CCI-000381

Remove rsh-server by executing the following

yum erase rsh-server

The rexecd service must not be running.

The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Security identifiers

CCE-27208-8 CCI-000068

Disable rexec service by executing the following

chkconfig rexec off

The rlogind service must not be running.

The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Security identifiers

CCE-26865-6 CCI-001436

Disable rlogin service by executing the following

chkconfig rlogin off

The ypserv package must not be installed.

Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Security identifiers

CCE-27079-3 CCI-000381

Remove ypserv by executing the following

yum erase ypserv

The ypbind service must not be running.

Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.

Security identifiers

CCE-26894-6 CCI-000382

Disable ypbind service by executing the following

chkconfig ypbind off

The tftp-server package must not be installed unless required.

Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.

Security identifiers

CCE-26946-4 CCI-000381

Remove tftp-server by executing the following

yum erase tftp-server

The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.

Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.

Security identifiers

CCE-27272-4 CCI-000366

Ensure /etc/xinetd.d/tftp contains the -s command line argument like so

server_args = -s /var/lib/tftpboot

3.2. Base Services

The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.

Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the "rhnsd" daemon can remain on.

Security identifiers

CCE-26846-6 CCI-000382

Disable rhnsd service by executing the following command

chkconfig rhnsd off

The Automatic Bug Reporting Tool (abrtd) service must not be running.

Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.

Security identifiers

CCE-27247-6 CCI-000382

Disable abrtd service by executing the following command

chkconfig abrtd off

The ntpdate service must not be running.

The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.

Security identifiers

CCE-27256-7 CCI-000382

Disable the ntpdate service by executing the following command

chkconfig ntpdate off

The oddjobd service must not be running.

The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.

Security identifiers

CCE-27257-5 CCI-000382

Disable the oddjobd service by executing the following command

chkconfig oddjobd off

The qpidd service must not be running.

The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.

Security identifiers

CCE-26928-2 CCI-000382

Disable the qpidd service by executing the following command

chkconfig qpidd off

The rdisc service must not be running.

General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Security identifiers

CCE-27261-7 CCI-000382

Disable the rdisc service by executing the following command

chkconfig rdisc off

The netconsole service must be disabled unless required.

The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.

Security identifiers

CCE-27254-2 CCI-000382

Disable the netconsole service by executing the following command

chkconfig netconsole off

3.3. Cron and At Daemons

The cron service must be running.

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

Security identifiers

CCE-27070-2 CCI-000366

Enable the crond service by executing the following command

chkconfig --level 2345 crond on

The atd service must be disabled.

The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.

Security identifiers

CCE-27249-2 CCI-000382

Disable the atd service by executing the following command

chkconfig atd off
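The service and package requirements of sections 3.1 to 3.3 can be checked in one pass. The script below is an added example, not part of the IBM guide: it evaluates saved output of chkconfig --list and rpm -qa against the lists of services that must be off, services that must be on in runlevels 2 to 5, and packages that must not be installed. It reads files rather than running the commands so that output collected from every node of a cluster can be checked from one place. The sample output it writes is constructed, with placeholder package versions.

```shell
#!/bin/sh
# Added example, not from the IBM guide: evaluate the service and package
# requirements of sections 3.1 to 3.3 against saved output of "chkconfig --list"
# and "rpm -qa". The sample data below is constructed.

# Services that must not be enabled in any runlevel (sections 3.1 to 3.3).
MUST_BE_OFF="xinetd telnet rsh rexec rlogin ypbind rhnsd abrtd ntpdate oddjobd qpidd rdisc netconsole atd"
# Services that must be enabled in runlevels 2, 3, 4 and 5.
MUST_BE_ON="crond"
# Packages that must not be installed.
MUST_NOT_BE_INSTALLED="xinetd telnet-server rsh-server ypserv tftp-server"

# service_state LISTFILE NAME -> prints the runlevels in which a SysV service
# is on (e.g. "2345", empty if none), "x" for an xinetd-managed service that
# is on, empty for one that is off, and "absent" if NAME is not listed at all.
service_state() {
    awk -v name="$2" '
        /^xinetd based services:/ { next }        # section header, not a service
        $1 == (name ":") {                         # "<tab>name:<tab>on|off"
            state = ($2 == "on") ? "x" : ""
            print state; found = 1; exit
        }
        $1 == name {                               # "name 0:off 1:off 2:on ..."
            levels = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-6]:on$/) levels = levels substr($i, 1, 1)
            print levels; found = 1; exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# package_installed PKGFILE NAME -> exit 0 if NAME appears in the rpm -qa output
package_installed() {
    grep -qE "^$2-[0-9]" "$1"
}

# check_services LISTFILE PKGFILE -> prints one FAIL line per violation and
# returns the number of violations (0 means these checks all pass).
check_services() {
    list=$1 pkgs=$2 fails=0
    for s in $MUST_BE_OFF; do
        case "$(service_state "$list" "$s")" in
            ''|absent) ;;
            *) echo "FAIL: service $s is enabled, run: chkconfig $s off"
               fails=$((fails + 1)) ;;
        esac
    done
    for s in $MUST_BE_ON; do
        case "$(service_state "$list" "$s")" in
            *2*3*4*5*) ;;
            *) echo "FAIL: service $s is not enabled in runlevels 2-5, run: chkconfig --level 2345 $s on"
               fails=$((fails + 1)) ;;
        esac
    done
    for p in $MUST_NOT_BE_INSTALLED; do
        if package_installed "$pkgs" "$p"; then
            echo "FAIL: package $p is installed, run: yum erase $p"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample of "chkconfig --list" output (spaces instead of tabs,
# which awk treats the same). atd, xinetd and telnet are enabled on purpose.
write_sample_chkconfig() {
    cat > "$1" <<'EOF'
abrtd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpdate         0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
        telnet:         on
EOF
}

# Constructed sample of "rpm -qa" output; the versions are placeholders.
write_sample_rpm() {
    cat > "$1" <<'EOF'
postfix-0.0-1.constructed.x86_64
telnet-server-0.0-1.constructed.x86_64
xinetd-0.0-1.constructed.x86_64
EOF
}

demo_services() {
    lf=$(mktemp); pf=$(mktemp)
    write_sample_chkconfig "$lf"; write_sample_rpm "$pf"
    check_services "$lf" "$pf" || echo "$? finding(s)"
    rm -f "$lf" "$pf"
}
demo_services
```

On the constructed sample the check reports five findings: atd, xinetd and telnet enabled, and the xinetd and telnet-server packages installed. The lists at the top are plain words, so the services of later sections (avahi-daemon, ntpd, postfix) can be added without touching the logic.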

3.4. SSH Server

The SSH daemon must be configured to use only the SSHv2 protocol.

SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

Security identifiers

CCE-27072-8 CCI-000774

Verify that /etc/ssh/sshd_config contains the line Protocol 2 by executing

grep Protocol /etc/ssh/sshd_config

The SSH daemon must set a timeout interval on idle sessions.

Causing idle users to be automatically logged out guards against a compromise of one system leading trivially to compromises on another.

Security identifiers

CCE-26919-1 CCI-001133

To set an idle timeout interval, edit /etc/ssh/sshd_config to contain the following

ClientAliveInterval interval

The timeout interval is given in seconds.

The SSH daemon must set a timeout count on idle sessions.

This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.

Security identifiers

CCE-26282-4 CCI-000879

Edit /etc/ssh/sshd_config to contain the following

ClientAliveCountMax 0

The SSH daemon must ignore .rhosts files.

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Security identifiers

CCE-27124-7 CCI-000766

To ensure .rhosts files are ignored, modify /etc/ssh/sshd_config to contain the following

IgnoreRhosts yes

The SSH daemon must not allow host-based authentication.

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Security identifiers

CCE-27091-8 CCI-000766

To disable host-based authentication, modify /etc/ssh/sshd_config to contain the following

HostbasedAuthentication no

The system must not permit root logins using remote access programs such as ssh.

Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.

Security identifiers

CCE-27100-7 CCI-000770

To disable root login via SSH, modify /etc/ssh/sshd_config to contain the following

PermitRootLogin no

The SSH daemon must not allow authentication using an empty password.

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Security identifiers

CCE-26887-0 CCI-000766

To disallow remote login from accounts with empty passwords, modify /etc/ssh/sshd_config to contain the following

PermitEmptyPasswords no

The SSH daemon must be configured with the Department of Defense (DoD) login banner.

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Security identifiers

CCE-27112-2 CCI-000048

To enable the warning banner and ensure it is consistent across the system, modify /etc/ssh/sshd_config to contain the following

Banner /etc/issue

The SSH daemon must not permit user environment settings.

SSH environment options potentially allow users to bypass access restriction in some configurations.

Security identifiers

CCE-27201-3 CCI-001414

To ensure users are not able to present environment options to the SSH daemon, modify /etc/ssh/sshd_config to contain the following

PermitUserEnvironment no
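The nine sshd_config directives of section 3.4 can be verified together. The script below is an added example, not part of the IBM guide, and it follows the rules sshd itself applies when reading the file: keywords are case-insensitive, the first uncommented occurrence of a keyword wins, and anything after a Match line is conditional rather than global. The guide only says ClientAliveInterval is given in seconds, so the upper bound of 900 seconds used here is an assumption to be replaced by the site's own limit. The sample configuration it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the IBM guide: audit an sshd_config file against the
# directives required in section 3.4.
# Usage on a real host: check_sshd_config /etc/ssh/sshd_config

# keyword|required value (compared case-insensitively)
REQUIRED_SSHD='
Protocol|2
ClientAliveCountMax|0
IgnoreRhosts|yes
HostbasedAuthentication|no
PermitRootLogin|no
PermitEmptyPasswords|no
Banner|/etc/issue
PermitUserEnvironment|no
'
# Upper bound for ClientAliveInterval in seconds. The guide only says the value
# is given in seconds; 900 is an assumed site limit, adjust it to local policy.
MAX_IDLE=900

# sshd_setting CONFIG KEYWORD -> prints the effective global value of KEYWORD,
# or nothing if it is unset (sshd then applies its compiled-in default).
sshd_setting() {
    awk -v kw="$2" -F '[[:space:]=]+' '
        BEGIN { kw = tolower(kw) }
        { sub(/^[[:space:]]+/, "") }       # drop indentation so $1 is the keyword
        /^#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }     # everything after Match is conditional
        tolower($1) == kw { print $2; exit }   # first occurrence wins, as in sshd
    ' "$1"
}

# check_sshd_config CONFIG -> prints one FAIL line per violation, returns the count
check_sshd_config() {
    cfg=$1 fails=0
    for entry in $REQUIRED_SSHD; do            # entries contain no whitespace
        kw=${entry%%|*}
        want=${entry#*|}
        have=$(sshd_setting "$cfg" "$kw" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "FAIL: $kw is '${have:-unset}', must be '$want'"
            fails=$((fails + 1))
        fi
    done
    # ClientAliveInterval must be a positive number of seconds, at most MAX_IDLE
    idle=$(sshd_setting "$cfg" ClientAliveInterval)
    case $idle in
        ''|*[!0-9]*)
            echo "FAIL: ClientAliveInterval is '${idle:-unset}', must be a number of seconds"
            fails=$((fails + 1)) ;;
        *)
            if [ "$idle" -eq 0 ] || [ "$idle" -gt "$MAX_IDLE" ]; then
                echo "FAIL: ClientAliveInterval $idle is outside 1..$MAX_IDLE"
                fails=$((fails + 1))
            fi ;;
    esac
    return $fails
}

# Constructed sample (not a real system file): Protocol still allows SSHv1 and
# PermitRootLogin is only set inside a Match block, so two checks fail.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Protocol 2,1
#PermitRootLogin no
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
Banner /etc/issue
PermitUserEnvironment no
Match User backup
    PermitRootLogin no
EOF
}

demo_sshd_config() {
    tmp=$(mktemp)
    write_sample_sshd_config "$tmp"
    check_sshd_config "$tmp" || echo "$? directive(s) need attention"
    rm -f "$tmp"
}
demo_sshd_config
```

The sample shows two ways a file can look compliant to a casual grep and still fail: "Protocol 2,1" contains the string Protocol 2 but still offers SSHv1, and a PermitRootLogin no that lives only inside a Match block does not change the global default.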

3.5. X Window System

X Windows must not be enabled unless required.

Unnecessary services should be disabled to decrease the attack surface of the system.

Security identifiers

CCE-27119-7 CCI-001436

To disable X Windows, modify /etc/inittab to contain the following

id:3:initdefault:

This prevents the X server from starting automatically.

The xorg-x11-server-common (X Windows) package must not be installed, unless required.

Unnecessary packages should not be installed to decrease the attack surface of the system.

Security identifiers

CCE-27198-1 CCI-000366

Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command

yum groupremove "X Window System"

3.6. Avahi Server

The avahi service must be disabled.

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

Security identifiers

CCE-27087-6 CCI-000366

Disable avahi-daemon by executing the following

chkconfig avahi-daemon off

3.7. Print Support

Not tested as part of the scope of this exercise.

3.8. DHCP

The DHCP client must be disabled if not needed.

DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Security identifiers

CCE-27021-5 CCI-000366

For each interface [IFACE] on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-[IFACE] and make the following changes.

Correct the BOOTPROTO line to read:

BOOTPROTO=none

Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:

NETMASK=[local LAN netmask]

IPADDR=[assigned IP address]

GATEWAY=[local LAN default gateway]

3.9. Network Time Protocol

The system clock must be synchronized continuously, or at least daily.

Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

Security identifiers

CCE-27093-4 CCI-000160

Enable the ntpd service by executing the following command

chkconfig --level 2345 ntpd on

The system clock must be synchronized to an authoritative DoD time source.

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.

Security identifiers

CCE-27098-3 CCI-000160

Specify a remote NTP server for time synchronization by modifying /etc/ntp.conf to contain the following

server ntpserver

where ntpserver can be the IP or hostname of the remote NTP server.

3.10. Mail Server Software

Mail relaying must be restricted.

This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Security identifiers

CCE-26780-7 CCI-000382

Modify /etc/postfix/main.cf to contain the following

inet_interfaces = localhost

The postfix service must be enabled for mail delivery.

Local mail delivery is essential to some system maintenance and notification tasks.

Security identifiers

CCE-26325-1 CCI-000366

Enable the postfix service by executing the following command

chkconfig --level 2345 postfix on

The sendmail package must be removed.

The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

Security identifiers

CCE-27515-6 CCI-000366

Remove the sendmail package by executing the following command

yum erase sendmail

3.11. LDAP

The openldap-servers package must not be installed unless required.

Unnecessary packages should not be installed to decrease the attack surface of the system.

Security identifiers

CCE-26858-1 CCI-000366

Remove the openldap-servers package by executing the following command

yum erase openldap-servers

3.12. NFS and RPC

Not tested as part of the scope of this exercise.

3.13. DNS Server

Not tested as part of the scope of this exercise.

3.14. FTP Server

Not tested as part of the scope of this exercise.

3.15. Web Server

Not tested as part of the scope of this exercise.

3.16. IMAP and POP3 Server

Not tested as part of the scope of this exercise.

3.17. Samba (SMB) Microsoft Windows File Sharing Server

The system must use SMB client signing for connecting to samba servers using smbclient.

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Security identifiers

CCE-26328-5 CCI-000366

To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf

client signing = mandatory

3.18. Proxy Server

Not tested as part of the scope of this exercise.

3.19. SNMP Server

Not tested as part of the scope of this exercise.