Newer
Older
PASSES=0
FAILS=0
LOG=/dev/null
log_msg() {
if [ $1 -eq 0 ]; then
PASSES=$((PASSES+1))
if [ $SHOW_ALL_TESTS ]; then
echo "[PASS] $2"
fi
else
FAILS=$((FAILS+1))
echo "[FAIL] $2"
fi
}
output()
{
case "$1" in
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
SV-86845r2_rule) log_msg $2 'A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:SV-86845r2\n\nUnapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.\n\nCheck_content: Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nThe location of the "sshd_config" file may vary if a different daemon is in use.\n\nInspect the "Ciphers" configuration with the following command:\n\n# grep -i ciphers /etc/ssh/sshd_config\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nIf any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the retuned line is commented out, this is a finding.\n\nFixtext: Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86849r2_rule) log_msg $2 'The Standard Notice must be displayed immediately prior to, or as part of, remote access logon prompts.'
if [ $2 -ne 0 ];then
printf '\n######################\n\n Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures that you have some clue as to when the last login happened, etc.\n\n.\n\n######################\n\n' >> $LOG
fi
;;
SV-86859r2_rule) log_msg $2 'All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nWithout protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nCheck_content: Verify SSH is loaded and active with the following command:\n\n# systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n ??1348 /usr/sbin/sshd -D\n\nIf "sshd" does not show a status of "active" and "running", this is a finding.\n\n######################\n\n' >> $LOG
fi
;;
SV-86861r2_rule) log_msg $2 'All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nTerminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nCheck_content: Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the "ClientAlive" keyword with the following command:\n\n# grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf "ClientAliveInterval" is not set to "600" in "/etc/ ssh/sshd_config", and a lower value is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nFixtext: Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveInterval 600\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86863r2_rule) log_msg $2 'The SSH daemon must not allow authentication using RSA rhosts authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nConfiguring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.\n\nCheck_content: Verify the SSH daemon does not allow authentication using RSA rhosts authentication.\n\nTo determine how the SSH daemons "RhostsRSAAuthentication" option is set, run the following command:\n\n# grep RhostsRSAAuthentication /etc/ssh/sshd_config\n\nRhostsRSAAuthentication yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.\n\nFixtext: Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nRhostsRSAAuthentication yes\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86865r2_rule) log_msg $2 'All network connections associated with SSH traffic must terminate after a period of inactivity.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nTerminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nCheck_content: Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the "ClientAliveCountMax" keyword with the following command:\n\n# grep -i clientalivecount /etc/ssh/sshd_config\nClientAliveCountMax 0\n\nIf "ClientAliveCountMax" is not set to "0" in "/etc/ ssh/sshd_config", this is a finding.\n\nFixtext: Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveCountMax 0\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86867r2_rule) log_msg $2 'The SSH daemon must not allow authentication using rhosts authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nConfiguring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.\n\nCheck_content: Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemons "IgnoreRhosts" option is set, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIgnoreRhosts yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.\n\nFixtext: Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nIgnoreRhosts yes\n\n######################\n\n' >> $LOG
fi
;;
SV-86869r2_rule) log_msg $2 'The system must display the date and time of the last successful account logon upon an SSH logon.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nProviding users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.\n\nCheck_content: Verify SSH provides users with feedback on when account accesses last occurred.\n\nCheck that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:\n\n# grep -i printlastlog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.\n\nFixtext: Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nAdd the following line to the top of "/etc/pam.d/sshd":\n\nsession required pam_lastlog.so showfailed\n\nOr modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:\n\nPrintLastLog yes\n\nThe SSH service must be restarted for changes to "sshd_config" to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86871r2_rule) log_msg $2 'The system must not permit direct logons to the root account using remote access via SSH.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nEven though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.\n\nCheck_content: Verify remote access using SSH prevents users from logging on directly as root.\n\nCheck that SSH prevents users from logging on directly as root with the following command:\n\n# grep -i permitrootlogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.\n\nFixtext: Configure SSH to stop users from logging on remotely as the root user.\n\nEdit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nPermitRootLogin no\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86873r2_rule) log_msg $2 'The SSH daemon must not allow authentication using known hosts authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nConfiguring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.\n\nCheck_content: Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemons "IgnoreUserKnownHosts" option is set, run the following command:\n\n# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.\n\nFixtext: Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nIgnoreUserKnownHosts yes\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86875r2_rule) log_msg $2 'The SSH daemon must be configured to only use the SSHv2 protocol.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nSSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\n\nCheck_content: Verify the SSH daemon is configured to only use the SSHv2 protocol.\n\nCheck that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n\n# grep -i protocol /etc/ssh/sshd_config\nProtocol 2\n#Protocol 1,2\n\nIf any protocol line other than "Protocol 2" is uncommented, this is a finding.\n\nFixtext: Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:\n\nProtocol 2\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86877r2_rule) log_msg $2 'The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nDoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.\n\nCheck_content: Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nCheck that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:\n\n# grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the retuned line is commented out, this is a finding.\n\nFixtext: Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86879r1_rule) log_msg $2 'The SSH public host key files must have mode 0644 or less permissive.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf a public host key file is modified by an unauthorized user, the SSH service may be compromised.\n\nCheck_content: Verify the SSH public host key files have mode "0644" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# find /etc/ssh -name \"*.pub\" -exec ls -lL {} \\;\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any file has a mode more permissive than "0644", this is a finding.\n\nFixtext: Note: SSH public key files may be found in other directories on the system depending on the installation. \n\nChange the mode of public host key files under "/etc/ssh" to "0644" with the following command:\n\n# chmod 0644 /etc/ssh/*.key.pub\n\n######################\n\n' >> $LOG
fi
;;
SV-86881r1_rule) log_msg $2 'The SSH private host key files must have mode 0600 or less permissive.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Check_content: Verify the SSH private host key files have mode "0600" or less permissive.\n\nThe following command will find all SSH private key files on the system:\n\n# find / -name \"*ssh_host*key\"\n\nCheck the mode of the private host key files under "/etc/ssh" file with the following command:\n\n# ls -lL /etc/ssh/*key\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any file has a mode more permissive than "0600", this is a finding.\n\nFixtext: Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command:\n\n# chmod 0600 /etc/ssh/ssh_host*key\n\n######################\n\n' >> $LOG
fi
;;
SV-86883r2_rule) log_msg $2 'The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nGSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system\u2019s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.\n\nCheck_content: Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\nCheck that the SSH daemon does not permit GSSAPI authentication with the following command:\n\n# grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.\n\nFixtext: Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": \n\nGSSAPIAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.\n\n######################\n\n' >> $LOG
fi
;;
SV-86885r2_rule) log_msg $2 'The SSH daemon must not permit Kerberos authentication unless needed.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nKerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the systems Kerberos implementation. Vulnerabilities in the systems Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.\n\nCheck_content: Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n\nCheck that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n\n# grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.\n\nFixtext: Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":\n\nKerberosAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.\n\n######################\n\n' >> $LOG
fi
;;
SV-86887r2_rule) log_msg $2 'The SSH daemon must perform strict mode checking of home directory configuration files.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.\n\nCheck_content: Verify the SSH daemon performs strict mode checking of home directory configuration files.\n\nThe location of the "sshd_config" file may vary if a different daemon is in use.\n\nInspect the "sshd_config" file with the following command:\n\n# grep -i strictmodes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.\n\nFixtext: Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":\n\nStrictModes yes\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86889r2_rule) log_msg $2 'The SSH daemon must use privilege separation.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nSSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.\n\nCheck_content: Verify the SSH daemon performs privilege separation.\n\nCheck that the SSH daemon performs privilege separation with the following command:\n\n# grep -i usepriv /etc/ssh/sshd_config\n\nUsePrivilegeSeparation sandbox\n\nIf the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the retuned line is commented out, this is a finding.\n\nFixtext: Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":\n\nUsePrivilegeSeparation sandbox\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86891r2_rule) log_msg $2 'The SSH daemon must not allow compression or must only allow compression after successful authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.\n\nCheck_content: Verify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n# grep -i compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the "Compression" keyword is set to "yes", is missing, or the retuned line is commented out, this is a finding.\n\nFixtext: Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86927r2_rule) log_msg $2 'Dont allow remote X connections.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nThis system is not intended to support graphical output\n\n######################\n\n' >> $LOG
fi
;;
SV-81723r2_rule) log_msg $2 'Dont allow ssh agent forwarding'
if [ $2 -ne 0 ];then
printf '\n######################\n\nssh agent forwarding is not regarded as secure and can be hijacked\n\n######################\n\n' >> $LOG
fi
;;
SV-86724r2_rule) log_msg $2 'Dont allow pam_python.'
if [ $2 -ne 0 ];then
printf '\n######################\n\npam_python within /etc/pam.d/sshd could indicate a possible attack on ssh logins.\n\n######################\n\n' >> $LOG
fi
;;
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
V-38455) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a separate file system for /tmp.'
else
log_msg $2 'tmp目录必须挂载为一个独立的文件系统分区。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000001\n\nVulnerability Discussion: The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.\n\nFix Text: The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it hasits own partition or logical volume at installation time, or migrate it using LVM.\n\n######################\n\n' >> $LOG
fi
;;
V-38456) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a separate file system for /var.'
else
log_msg $2 'var目录必须挂载为一个独立的文件系统分区。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000002\n\nVulnerability Discussion: Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.\n\nFix Text: The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.\n\n######################\n\n' >> $LOG
fi
;;
V-38463) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a separate file system for /var/log.'
else
log_msg $2 '/var/log目录必须挂载为一个独立的文件系统分区。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000003\n\nVulnerability Discussion: Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".\n\nFix text: System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.\n\n######################\n\n' >> $LOG
fi
;;
V-38467) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a separate file system for the system audit data path.'
else
log_msg $2 '系统审计数据存放的路径必须为一个独立的文件系统分区。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000004\n\nVulnerability Discussion: Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.\n\nFix text: Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical
volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to
store all audit logs that will be created by the auditing daemon.\n\n######################\n\n' >> $LOG
fi
;;
V-38470) if [ "$3" = "en" ]; then
log_msg $2 'The audit system must alert designated staff members when the audit storage volume approaches capacity.'
else
log_msg $2 '当审计存储卷空间不足时必须警告指定的工作人员。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000005\n\nVulnerability Discussion: Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.\n\nFix text: The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:\n\n
space_left_action = [ACTION]\n\nPossible values for [ACTION] are described in the "auditd.conf" man page. These include:\n\n"ignore"\n"syslog"\n"email"\n"exec"\n"suspend"\n"single"\n"halt"\n\nSet this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The"syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate
administrator in a timely manner.\n\nRHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to
an administrator.\n\n######################\n\n' >> $LOG
fi
;;
V-38473) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a separate file system for user home directories.'
else
log_msg $2 '用户的家目录(主目录)必须为一个独立的文件系统分区。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000007\n\nVulnerability Discussion: Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.\n\nFix text: If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. \n\n######################\n\n' >> $LOG
fi
;;
V-38476) if [ "$3" = "en" ]; then
log_msg $2 'Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.' ##Ported
else
log_msg $2 '必须安装系统供应商提供的验证系统软件的完整性的加密证书。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000008\n\nVulnerability Discussion: The Debian GPG keys are necessary to cryptographically verify packages are from Debian.\n\nAt this checking script("scripts/check-apt-key.sh"). We check :\n\nDebian8/jessie archive key,security archive signing key,stable release key\nDebian 7/Wheezy archive key,stable key\nDebian 6/Squeeze archive key,stable key.\n\nFor the detial could vist the : https://ftp-master.debian.org/keys.html\n\nFix text: To ensure the system can cryptographically verify base software packages come from Debian,the Red Hat GPG keys must be installed properly. To install the Debian GPG keys, run:\n\napt-key add "KEY"\n\nAnyone could find the key at:https://ftp-master.debian.org/keys.html\n\n######################\n\n' >> $LOG
fi
;;
#wait for porting
V-38478) if [ "$3" = "en" ]; then
log_msg $2 'The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.'
else
log_msg $2 'The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000009\n\nVulnerability Discussion: \n\nFix text: \n\n######################\n\n' >> $LOG
fi
;;
V-38481) if [ "$3" = "en" ]; then
log_msg $2 'System security patches and updates must be installed and up-to-date.' ##Ported
else
log_msg $2 '系统安全补丁及软件更新必须及时安装最新的版本。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000011\n\nVulnerability Discussion: Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.\n\nFix text: If the system can connect to a Debian mirrors, run the following command to install updates:\n\n#apt-get update && apt-get upgrade\n\n######################\n\n' >> $LOG
fi
;;
#wait for porting
V-38483) if [ "$3" = "en" ]; then
log_msg $2 'The system package management tool must cryptographically verify the authenticity of system software packages during installation.'
else
log_msg $2 'The system package management tool must cryptographically verify the authenticity of system software packages during installation.'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000013\n\nVulnerability Discussion: \n\nFix text: \n\n######################\n\n' >> $LOG
fi
;;
#wait for porting
V-38487) if [ "$3" = "en" ]; then
log_msg $2 'The system package management tool must cryptographically verify the authenticity of all software packages during installation.'
else
log_msg $2 '在安装所有软件包时,系统的包管理工具必须对其进行加密验证以保证真实性。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000015\n\nVulnerability Discussion: Ensuring all packages cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.\n\nFix text: \n\n######################\n\n' >> $LOG
fi
;;
V-38489) if [ "$3" = "en" ]; then
log_msg $2 'A file integrity tool must be installed.(tripwire)' ##Ported
else
log_msg $2 '必须安装文件完整性的工具。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000016\n\nVulnerability Discussion: The tripwire package must be installed if it is to be available for integrity checking.\n\nFix text: Install the tripwire package with the command:\n\n#apt-get install tripwire\n\n######################\n\n' >> $LOG
fi
;;
V-51337) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a Linux Security Module at boot time.(AppArmor)' ##Ported
else
log_msg $2 '系统在启动时必须使用Linux安全模块。(AppArmor)。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000017\n\nVulnerability Discussion: Disabling a major host protection feature, such as Apparmor, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.\n\nFix text: Install the Apparmor package with the command:\n\n#apt-get install apparmor apparmor-profiles apparmor-utils\n\nAnd add \n\nGRUB_CMDLINE_LINUX=" apparmor=1 security=apparmor"\n\nTo/etc/default/grub\n\n#update-grub\n\n#reboot\n\nFor detial could visit:https://wiki.debian.org/AppArmor/HowToUse\n\n######################\n\n' >> $LOG
fi
;;
V-51391) if [ "$3" = "en" ]; then
log_msg $2 'A file integrity baseline must be created. Reset the tripwire from the administrator control panel under security settings.'
else
log_msg $2 '必须创建文件完整性基线。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000018\n\nVulnerability Discussion: For tripwire to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.\n\nFix text: Run "reset tripwire" from security settings on the administrator control panel.\n\n######################\n\n' >> $LOG
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
fi
;;
V-38491) if [ "$3" = "en" ]; then
log_msg $2 'There must be no .rhosts or hosts.equiv files on the system.'
else
log_msg $2 '.rhosts文件或hosts.equiv文件在系统必须不存在。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000019\n\nVulnerability Discussion: Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.\n\nFix text: The files "/etc/hosts.equiv" and "~/.rhosts" (in each user\047s home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location.\n\n#rm /etc/hosts.equiv\n\n#rm ~/.rhosts\n\n######################\n\n' >> $LOG
fi
;;
#wait for porting
V-51363) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a Linux Security Module configured to enforce limits on system services.'
else
log_msg $2 '系统中必须使用一个Linux安全模块配置对系统服务及资源进行限制。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000020\n\nVulnerability Discussion: Setting the Apparmor state to enforcing ensures Apparmor is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.\n\nFix text: \n\n######################\n\n' >> $LOG
fi
;;
#wait for porting
V-51369) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a Linux Security Module configured to limit the privileges of system services.'
else
log_msg $2 'The system must use a Linux Security Module configured to limit the privileges of system services.'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000023\n\nVulnerability Discussion: \n\nFix text: \n\n######################\n\n' >> $LOG
fi
;;
#wait for porting
V-51379) if [ "$3" = "en" ]; then
log_msg $2 'All device files must be monitored by the system Linux Security Module.'
else
log_msg $2 'All device files must be monitored by the system Linux Security Module.'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000025\n\nVulnerability Discussion: \n\nFix text: \n\n######################\n\n' >> $LOG
fi
;;
V-38492) if [ "$3" = "en" ]; then
log_msg $2 'The system must prevent the root account from logging in from virtual consoles.'
else
log_msg $2 '必须禁止root帐号从虚拟控制台登录到系统。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000027\n\nVulnerability Discussion: Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.\n\nFix text: To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty":\n\nvc/1\nvc/2\nvc/3\nvc/4\n\nNote: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.\n\n######################\n\n' >> $LOG
fi
;;
V-38494) if [ "$3" = "en" ]; then
log_msg $2 'The system must prevent the root account from logging in from serial consoles.'
else
log_msg $2 '必须禁止root帐号从串口控制台登录到系统。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000028\n\nVulnerability Discussion: Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.\n\nFix text: To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty":\n\nttyS0\n\nttyS1\n\nNote: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removed\n\n######################\n\n' >> $LOG
fi
;;
V-38496) if [ "$3" = "en" ]; then
log_msg $2 'Default operating system accounts, other than root, must be locked.'
else
log_msg $2 '除了root以外的默认的帐号,必须进行锁定。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000029\n\nVulnerability Discussion: Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.\n\nFix text: Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts.\n\nDisable logon access to these accounts with the command:\n\n#passwd -l [SYSACCT]\n\n######################\n\n' >> $LOG
fi
;;
V-38497) if [ "$3" = "en" ]; then
log_msg $2 'The system must not have accounts configured with blank or null passwords.' ##Ported
else
log_msg $2 '禁止帐号的密码配置为空密码。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000030\n\nVulnerability Discussion: If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.\n\nFix text: If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords.\n\n######################\n\n' >> $LOG
fi
;;
V-38499) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/passwd file must not contain password hashes.'
else
log_msg $2 '/etc/passwd文件必须不包含密码的哈希值。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000031\n\nVulnerability Discussion: The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.\n\nFix text: If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. \n\n######################\n\n' >> $LOG
fi
;;
V-38500) if [ "$3" = "en" ]; then
log_msg $2 'The root account must be the only account having a UID of 0.'
else
log_msg $2 'root帐号的UID必须且仅为0。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000032\n\nVulnerability Discussion: An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper
configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.\n\nFix text: If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.\n\n######################\n\n' >> $LOG
fi
;;
V-38502) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/shadow file must be owned by root.'
else
log_msg $2 '/etc/shadow文件必须所属于root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000033\n\nVulnerability Discussion: The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.\n\nFix text: To properly set the owner of "/etc/shadow", run the command:\n\n#chown root /etc/shadow\n\n##################\n\n' >> $LOG
fi
;;
V-38503) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/shadow file must be group-owned by root.'
else
log_msg $2 '/etc/shadow文件的所属组必须为root组。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000034\n\nVulnerability Discussion: The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.\n\nFix text: To properly set the group owner of "/etc/shadow", run the command:\n\n#chgrp root /etc/shadow\n\n######################\n\n' >> $LOG
fi
;;
V-38504) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/shadow file must have mode 0000.'
else
log_msg $2 '/etc/shadow文件的权限必须为不可读写、不可执行。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000035\n\nVulnerability Discussion: The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.\n\nFix text: To properly set the permissions of "/etc/shadow", run the command:\n\n#chmod 0000 /etc/shadow\n\n######################\n\n' >> $LOG
fi
;;
V-38443) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/gshadow file must be owned by root.'
else
log_msg $2 '/etc/gshadow文件必须的属于root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000036\n\nVulnerability Discussion: The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.\n\nFix text: To properly set the owner of "/etc/gshadow", run the command:\n\n#chown root /etc/gshadow\n\n######################\n\n' >> $LOG
fi
;;
V-38448) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/gshadow file must be group-owned by root.'
else
log_msg $2 '/etc/gshadow文件的组必须属于root组。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000037\n\nVulnerability Discussion: The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.\n\nFix text: To properly set the group owner of "/etc/gshadow", run the command:\n\n#chgrp root /etc/gshadow\n\n######################\n\n' >> $LOG
fi
;;
V-38449) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/gshadow file must have mode 0000.'
else
log_msg $2 '/etc/gshadow的权限必须为不可读写、不可执行。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000038\n\nVulnerability Discussion: The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.\n\nFix text: To properly set the permissions of "/etc/gshadow", run the command:\n\n#chmod 0000 /etc/gshadow\n\n######################\n\n' >> $LOG
fi
;;
V-38450) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/passwd file must be owned by root.'
else
log_msg $2 '/etc/passwd必须所属于root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000039\n\nVulnerability Discussion: The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.\n\nFix text: To properly set the owner of "/etc/passwd", run the command:\n\n#chown root /etc/passwd\n\n######################\n\n' >> $LOG
fi
;;
V-38451) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/passwd file must be group-owned by root.'
else
log_msg $2 '/etc/passwd文件的组属主必须为root组。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000040\n\nVulnerability Discussion: The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.\n\nFix text: To properly set the group owner of "/etc/passwd", run the command:\n\n#chgrp root /etc/passwd\n\n######################\n\n' >> $LOG
fi
;;
V-38457) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/passwd file must have mode 0644 or less permissive.'
else
log_msg $2 '/etc/passwd文件的权限必须为root用户可读写、root组可读、其它用户可读的权限或更小的权限。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000041\n\nVulnerability Discussion: If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.\n\nFix text: To properly set the permissions of "/etc/passwd", run the command:\n\n#chmod 0644 /etc/passwd\n\n######################\n\n' >> $LOG
fi
;;
V-38458) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/group file must be owned by root.'
else
log_msg $2 '/etc/group文件必须属于root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000042\n\nVulnerability Discussion: The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.\n\nFix text: To properly set the owner of "/etc/group", run the command:\n\n#chown root /etc/group\n\n######################\n\n' >> $LOG
fi
;;
V-38459) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/group file must be group-owned by root.'
else
log_msg $2 '/etc/group文件的组属主必须属于root组。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000043\n\nVulnerability Discussion: The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.\n\nFix text: To properly set the group owner of "/etc/group", run the command:\n\n#chgrp root /etc/group\n\n######################\n\n' >> $LOG
fi
;;
V-38461) if [ "$3" = "en" ]; then
log_msg $2 'The /etc/group file must have mode 0644 or less permissive.'
else
log_msg $2 '/etc/group文件的权限必须为root用户可读写、root组可读、其它用户可读的权限或更小的权限。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000044\n\nVulnerability Discussion: The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.\n\nFix text: To properly set the permissions of "/etc/group", run the command:\n\n#chmod 0644 /etc/group\n\n######################\n\n' >> $LOG
fi
;;
V-38465) if [ "$3" = "en" ]; then
log_msg $2 'Library files must have mode 0755 or less permissive.'
else
log_msg $2 '库文件的权限必须为root用户可读写可执行、root组可读与执行、其它用户可读可执行的权限或更小的权限。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000045\n\nVulnerability Discussion: Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.\n\nFix text: ystem-wide shared library files, which are linked to executables during process load time or run
time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:\n\n#chmod go-w [FILE]\n\n######################\n\n' >> $LOG
fi
;;
V-38466) if [ "$3" = "en" ]; then
log_msg $2 'Library files must be owned by root.'
else
log_msg $2 '库文件的属主必须为root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000046\n\nVulnerability Discussion: Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.\n\nFix text: System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be owned by a user other than root, correct its ownership with the following command:\n\n#chown root [FILE]\n\n######################\n\n' >> $LOG
fi
find -L /lib \! -user root -exec ls -l {} \; | grep -v '> /dev/null'
find -L /lib64 \! -user root -exec ls -l {} \;
find -L /usr/lib -path /usr/lib/prosody -prune -o \! -user root -exec ls -l {} \;
if [ -d /usr/lib64 ]; then
find -L /usr/lib64 \! -user root -exec ls -l {} \;
fi
;;
V-38469) if [ "$3" = "en" ]; then
log_msg $2 'All system command files must have mode 755 or less permissive.'
else
log_msg $2 '所有的系统命令文件的权限必须为root用户可读写可执行、root组可读与执行、其它用户可读可执行的权限或更小的权限。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000047\n\nVulnerability Discussion: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.\n\nFix text: System executables are stored in the following directories by default:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:\n\n#chmod go-w [FILE]\n\n######################\n\n' >> $LOG
fi
;;
V-38472) find -L /bin \! -user root -exec ls -l {} \;
find -L /usr/bin \! -user root -exec ls -l {} \;
find -L /usr/local/bin \! -user root -exec ls -l {} \;
find -L /sbin \! -user root -exec ls -l {} \;
find -L /usr/sbin \! -user root -exec ls -l {} \;
find -L /usr/local/sbin \! -user root -exec ls -l {} \;
if [ "$3" = "en" ]; then
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
log_msg $2 'All system command files must be owned by root.'
else
log_msg $2 '所有系统命令文件的属主必须为root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000048\n\nVulnerability Discussion: System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.\n\nFix text: System executables are stored in the following directories by default:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command:\n\n#chown root [FILE]\n\n######################\n\n' >> $LOG
fi
;;
V-38475) if [ "$3" = "en" ]; then
log_msg $2 'The system must require passwords to contain a minimum of 14 characters.'
else
log_msg $2 "登录系统的密码必须包含一个至少14个字符。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000025\n\nVulnerability Discussion: Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.\n\nWhile it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).\n\nFix text: To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines:\n\nPASS_MIN_LEN 14\n\nThe DoD requirement is "14". If a program consults "/etc/login.defs" and also another PAM module (such as"pam_cracklib") during a password change operation, then the most restrictive must be satisfied.\n\n######################\n\n' >> $LOG
fi
;;
V-38477) if [ "$3" = "en" ]; then
log_msg $2 'Users must not be able to change passwords more than once every 24 hours.'
else
log_msg $2 "用户在24小时内不能够再次修改密码。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000051\n\nVulnerability Discussion: Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.\n\nFix text: To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:\n\nPASS_MIN_DAYS [DAYS]\n\nA value of 1 day is considered sufficient for many environments. The DoD requirement is 1.\n\n######################\n\n' >> $LOG
fi
;;
V-38479) if [ "$3" = "en" ]; then
log_msg $2 'User passwords must be changed at least every 60 days.'
else
log_msg $2 "用户密码必须至少每60天进行修改。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000053\n\nVulnerability Discussion: Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.\n\nFix text: To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:\n\nPASS_MAX_DAYS [DAYS]\n\nThe DoD requirement is 60.\n\n######################\n\n' >> $LOG
fi
;;
V-38480) if [ "$3" = "en" ]; then
log_msg $2 'Users must be warned 7 days in advance of password expiration.'
else
log_msg $2 "必须在密码无效的7天前对用户进行警告。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000054\n\nVulnerability Discussion: Setting the password warning age enables users to make the change at a practical time.\n\nFix text: To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:\n\nPASS_WARN_AGE [DAYS]\n\nThe DoD requirement is 7.\n\n######################\n\n' >> $LOG
fi
;;
V-38482) if [ "$3" = "en" ]; then
log_msg $2 'The system must require passwords to contain at least one numeric character.'
else
log_msg $2 "密码必须包含1个数值字符。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000056\n\nVulnerability Discussion: Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.\n\nFix text: The pam_cracklib module\047s "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords. \n\n######################\n\n' >> $LOG
fi
;;
V-38569) if [ "$3" = "en" ]; then
log_msg $2 'The system must require passwords to contain at least one uppercase alphabetic character.'
else
log_msg $2 "密码必须包含至少1个大写字母字符。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000057\n\nVulnerability Discussion: Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.\n\nFix text: The pam_cracklib module\047s "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords. \n\n######################\n\n' >> $LOG
fi
;;
V-38570) if [ "$3" = "en" ]; then
log_msg $2 'The system must require passwords to contain at least one special character.'
else
log_msg $2 "密码必须包含至少1个特殊字符。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000058\n\nVulnerability Discussion: Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.\n\nFix text: The pam_cracklib module\047s "ocredit=" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.\n\n######################\n\n' >> $LOG
fi
;;
V-38571) if [ "$3" = "en" ]; then
log_msg $2 'The system must require passwords to contain at least one lowercase alphabetic character.'
else
log_msg $2 "密码必须包含至少1个小写的字母字符。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000059\n\nVulnerability Discussion: Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.\n\nFix text: The pam_cracklib module\047s "lcredit=" parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add "lcredit=-1" after pam_cracklib.so to require use of a lowercase character in passwords. \n\n######################\n\n' >> $LOG
fi
;;
V-38572) if [ "$3" = "en" ]; then
log_msg $2 'The system must require at least four characters be changed between the old and new passwords during a password change.'
else
log_msg $2 "系统要求在修改密码的时候旧的密码与新的密码之间必须有至少4个字符进行了修改。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000060\n\nVulnerability Discussion: Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.\n\nFix text: The pam_cracklib module\047s "difok" parameter controls requirements for usage of different characters during a password change. Add "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 4. \n\n######################\n\n' >> $LOG
fi
;;
V-38573) if [ "$3" = "en" ]; then
log_msg $2 'The system must disable accounts after ten consecutive unsuccessful logon attempts.'
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
else
log_msg $2 "系统必须在连续3次失败的登录尝试后禁用帐号。"
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000061\n\nVulnerability Discussion: Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.\n\nFix text: To configure the system to lock out accounts after a number of incorrect logon attempts using\npam_tally2.so\n\nAdd the following lines immediately below the "pam_unix.so" statement in the AUTH section of"/etc/pam.d/common-auth"\n\nauth required pam_tally2.so even_deny_root deny=3 unlock_time=604800 \n\nNote that any updates made to "/etc/pam.d/common-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used. \n\n######################\n\n' >> $LOG
fi
;;
V-38574) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).'
else
log_msg $2 '系统必须使用FIPS 140-2认可的加密哈希算法生成帐号密码哈希值。(system-auth)'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000062\n\nVulnerability Discussion: Using a stronger hashing algorithm makes password cracking attacks more difficult.\n\nFix text: In "/etc/pam.d/common-password", among potentially other files, the "password" section of the files control which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below: \n\npassword sufficient pam_unix.so sha512 [other arguments...]\n\nThis will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.\n\nNote that any updates made to "/etc/pam.d/common-password" will be overwritten by the "authconfig" program. The "authconfig" program should not be used. \n\n######################\n\n' >> $LOG
fi
;;
V-38576) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).'
else
log_msg $2 '系统必须使用FIPS 140-2认可的加密哈希算法生成帐号密码哈希值。(login.defs)'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000063\n\nVulnerability Discussion: Using a stronger hashing algorithm makes password cracking attacks more difficult.\n\nFix text: In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:\n\nENCRYPT_METHOD SHA512\n\n######################\n\n' >> $LOG
fi
;;
V-38577) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).'
else
log_msg $2 '系统必须使用FIPS 140-2认可的加密哈希算法生成帐号密码哈希值。(libuser.conf)'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000064\n\nVulnerability Discussion: Using a stronger hashing algorithm makes password cracking attacks more difficult.\n\nFix text: In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing:\n\ncrypt_style = sha512 \n\n######################\n\n' >> $LOG
fi
;;
V-78252) log_msg $2 'netcat (nc) should not be installed on this system'
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:WTF-05-000179\n\nHaving netcat present makes life extra convenient for anyone breaking into your system.\nMake them do the work of installing it or downloading it, which increases the defensive possibilities.\n\n######################\n\n' >> $LOG
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
V-38579) if [ "$3" = "en" ]; then
log_msg $2 'The system boot loader configuration file(s) must be owned by root.'
else
log_msg $2 '系统的启动加载器配置文件的属主必须为root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000065\n\nVulnerability Discussion: Only root should be able to modify important boot parameters.\n\nFix text: The file "/boot/grub/grub.cfg" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.cfg", run the command:\n\nchown root /boot/grub/grub.cfg\n\n######################\n\n' >> $LOG
fi
;;
V-38581) if [ "$3" = "en" ]; then
log_msg $2 'The system boot loader configuration file(s) must be group-owned by root.'
else
log_msg $2 '系统的启动加载器配置文件所属组必须属于root组。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000066\n\nVulnerability Discussion: The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.\n\nFix text: The file "/boot/grub/grub.cfg" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.cfg", run the command:\n\nchgrp root /boot/grub/grub.cfg\n\n######################\n\n' >> $LOG
fi
;;
V-38583) if [ "$3" = "en" ]; then
log_msg $2 'The system boot loader configuration file(s) must have mode 0600 or less permissive.'
else
log_msg $2 '系统启动加载器的配置文件必须为仅使root用户具有读写的权限,其他用户无任何权限或更小的权限控制。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000067\n\nVulnerability Discussion: Proper permissions ensure that only the root user can modify important boot parameters.\n\nFix text: File permissions for "/boot/grub/grub.cfg" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.cfg", run the command:\n\n#chmod 600 /boot/grub/grub.cfg\n\nBoot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.\n\n######################\n\n' >> $LOG
fi
;;
V-38585) if [ "$3" = "en" ]; then
log_msg $2 'The system boot loader must require authentication.'
else
log_msg $2 '系统启动加载器必须需要验证。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000068\n\nVulnerability Discussion: Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.\n\nFix text: The grub boot loader should have password protection enabled to protect boot-time settings. To do
so, select a password and then generate a hash from it by running the following command:\n\n#grub-mkpasswd-pbkdf2\n\nWhen prompted to enter a password, insert the following line into "/etc/default/grub" immediately after the header comments.And run the following command:\n\n#grub-mkconfig\n\nTo generating configuration file(s)\n\n######################\n\n' >> $LOG
fi
;;
V-38590) if [ "$3" = "en" ]; then
log_msg $2 'The system must allow locking of the console screen in text mode.'
else
log_msg $2 '系统必须能够在文本模式下对终端屏幕进行锁定。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000071\n\nVulnerability Discussion: Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.\n\nFix text: To enable console screen locking when in text mode, install the "screen" package:\n\n#apt-get install screen\n\nInstruct users to begin new terminal sessions with the following command:\n\n$ screen\n\nThe console can now be locked with the following key combination:\n\nctrl+a x\n\n######################\n\n' >> $LOG
fi
;;
V-38596) if [ "$3" = "en" ]; then
log_msg $2 'The system must implement virtual address space randomization.'
else
log_msg $2 '系统必须使虚拟地址空间随机化功能生效。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000078\n\nVulnerability Discussion: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process\047s address space during
an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.\n\nFix text: \n\n######################\n\n' >> $LOG
fi
;;
V-38600) if [ "$3" = "en" ]; then
log_msg $2 'The system must not send ICMPv4 redirects by default.'
else
log_msg $2 '系统默认情况下必须不进行ICMPV4重定向消息。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000080\n\nVulnerability Discussion: Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.\n\nFix text: To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.default.send_redirects = 0 \n\n######################\n\n' >> $LOG
fi
;;
V-38601) if [ "$3" = "en" ]; then
log_msg $2 'The system must not send ICMPv4 redirects from any interface.'
else
log_msg $2 '系统必须从任何接口都不能发送ICMPv4重定向消息。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000081\n\nVulnerability Discussion: Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.\n\nFix text: \n\nTo set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.all.send_redirects = 0\n\n######################\n\n' >> $LOG
fi
;;
V-38511) if [ "$3" = "en" ]; then
log_msg $2 'IP forwarding for IPv4 must not be enabled, unless the system is a router.'
else
log_msg $2 'IPv4的IP转发功能必须没有开启,除非此系统本身是作为路由器进行使用。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000082\n\nVulnerability Discussion: IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.\n\nFix text: To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.ip_forward=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.ip_forward = 0\n\n######################\n\n' >> $LOG
fi
;;
V-38523) if [ "$3" = "en" ]; then
log_msg $2 'The system must not accept IPv4 source-routed packets on any interface.'
else
log_msg $2 '系统必须不接受来自任何接口的IPv4的源路径包。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000083\n\nVulnerability Discussion: Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.\n\nFix text: To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.all.accept_source_route = 0 \n\n######################\n\n' >> $LOG
fi
;;
V-38524) if [ "$3" = "en" ]; then
log_msg $2 'The system must not accept ICMPv4 redirect packets on any interface.'
else
log_msg $2 '系统必须不接受任意接口的ICMPv4重定向包。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000084\n\nVulnerability Discussion: Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.\n\nFix text: To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.all.accept_redirects = 0 \n\n######################\n\n' >> $LOG
fi
;;
V-38526) if [ "$3" = "en" ]; then
log_msg $2 'The system must not accept ICMPv4 secure redirect packets on any interface.'
else
log_msg $2 '系统必须不接受任意接口的ICMPv4安全重定向包。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000086\n\nVulnerability Discussion: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.\n\nFix text: To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.secure_redirects=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.all.secure_redirects = 0 \n\n######################\n\n' >> $LOG
fi
;;
V-38528) if [ "$3" = "en" ]; then
log_msg $2 'The system must log Martian packets.'
else
log_msg $2 '系统必须记录具有不可能地址的包。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000088\n\nVulnerability Discussion: The presence of "martian" packets (which have impossible addresses) as well asspoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.\n\nFix text: To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.log_martians=1\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.all.log_martians = 1\n\n######################\n\n' >> $LOG
fi
;;
V-38529) if [ "$3" = "en" ]; then
log_msg $2 'The system must not accept IPv4 source-routed packets by default.'
else
log_msg $2 '系统必须不接受默认的IPv4的源路由包。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000089\n\nVulnerability Discussion: Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.\n\nFix text: To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.default.accept_source_route = 0 \n\n######################\n\n' >> $LOG
fi
;;
V-38532) if [ "$3" = "en" ]; then
log_msg $2 'The system must not accept ICMPv4 secure redirect packets by default.'
else
log_msg $2 '系统必须不接受ICMPv4默认的安全重定向包。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000090\n\nVulnerability Discussion: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.\n\nFix text: To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.default.secure_redirects=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.default.secure_redirects = 0\n\n######################\n\n' >> $LOG
fi
;;
V-38533) if [ "$3" = "en" ]; then
log_msg $2 'The system must ignore ICMPv4 redirect messages by default.'
else
log_msg $2 '系统必须忽略默认的ICMPv4的重定向消息。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000091\n\nVulnerability Discussion: This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.\n\nFix text: To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.default.accept_redirects = 0 \n\n######################\n\n' >> $LOG
fi
;;
V-38535) if [ "$3" = "en" ]; then
log_msg $2 'The system must not respond to ICMPv4 sent to a broadcast address.'
else
log_msg $2 '系统必须不响应ICMPv4发送的一个广播地址。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000092\n\nVulnerability Discussion: The system must not respond to ICMPv4 sent to a broadcast address.\n\nFix text: Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.\n\nTo set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1 \n\n######################\n\n' >> $LOG
fi
;;
V-38537) if [ "$3" = "en" ]; then
log_msg $2 'The system must ignore ICMPv4 bogus error responses.'
else
log_msg $2 '系统必须忽略ICMPv4伪造的错误的回应。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000093\n\nVulnerability Discussion: Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.\n\nFix text: To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.icmp_ignore_bogus_error_responses = 1 \n\n######################\n\n' >> $LOG
fi
;;
V-38539) if [ "$3" = "en" ]; then
log_msg $2 'The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.'
else
log_msg $2 '系统必须配置synccookies防止TCP SYN洪水攻击。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000095\n\nVulnerability Discussion: A TCP SYN flood attack can cause a denial of service by filling a system\047s TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.\n\nFix text: To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.tcp_syncookies=1\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.tcp_syncookies = 1 \n\n######################\n\n' >> $LOG
fi
;;
V-38542) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.'
else
log_msg $2 '系统必须使用一个反向路径过滤器对IPv4网络流量进行过滤。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000096\n\nVulnerability Discussion: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.\n\nFix text: To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.all.rp_filter=1\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.all.rp_filter = 1\n\n######################\n\n' >> $LOG
fi
;;
V-38544) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a reverse-path filter for IPv4 network traffic when possible by default.'
else
log_msg $2 '系统默认情况下必须使用一个反向路径过滤器对IPv4网络传输流量进行过滤。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000097\n\nVulnerability Discussion: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.\n\nFix text: To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command:\n\n# sysctl -w net.ipv4.conf.default.rp_filter=1\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv4.conf.default.rp_filter = 1\n\n######################\n\n' >> $LOG
fi
;;
V-38546) if [ "$3" = "en" ]; then
log_msg $2 'The IPv6 protocol handler must not be bound to the network stack unless needed.'
else
log_msg $2 'IPv6协议处理器必须没有参与网络协议栈的处理,除非需要对IPv6进行处理。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000098\n\nVulnerability Discussion: Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.\n\nFix text: To disable IPv6 networking stack ,add the following line to "/etc/default/grub"\n\nFind the line that contain "GRUB_CMDLINE_LINUX_DEFAULT":\n\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
\n\nAdd "ipv6.disable=1" to the boot option, then save your grub file:\n\nGRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"\n\nsudo update-grub\n\nFor more details You could visit:http://askubuntu.com/questions/309461/how-to-disable-ipv6-permanently\n\n######################\n\n' >> $LOG
fi
;;
V-38548) if [ "$3" = "en" ]; then
log_msg $2 'The system must ignore ICMPv6 redirects by default.'
else
log_msg $2 '系统必须忽略默认的ICMPv6重定向包。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000099\n\nVulnerability Discussion: An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nFix text: To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command:\n\n# sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf this is not the system\047s default value, add the following line to "/etc/sysctl.conf":\n\nnet.ipv6.conf.default.accept_redirects = 0\n\n######################\n\n' >> $LOG
fi
;;
V-38513) if [ "$3" = "en" ]; then
log_msg $2 'The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.'
else
log_msg $2 '系统本地IPv4防火墙必须实现拒绝全部数据包,允许对于例外包按例外策略进行接收。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000120\n\nVulnerability Discussion: In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.\n\nFix text: To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, you could use following command:\n\n#iptables -P INPUT DROP\n\n######################\n\n' >> $LOG
fi
;;
V-38514) if [ "$3" = "en" ]; then
log_msg $2 'The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.'
else
log_msg $2 '数据报拥塞控制协议必须设置为失效,除非需要。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000124\n\nVulnerability Discussion: Disabling DCCP protects the system against exploitation of any flaws in its implementation.\n\nFix text: The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":\n\ninstall dccp /bin/true\n\n######################\n\n' >> $LOG
fi
;;
V-38515) if [ "$3" = "en" ]; then
log_msg $2 'The Stream Control Transmission Protocol (SCTP) must be disabled unless required.'
else
log_msg $2 '流控制传输协议必须设置为失效,除非需要。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000125\n\nVulnerability Discussion: Disabling SCTP protects the system against exploitation of any flaws in its implementation.\n\nFix text: The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":\n\ninstall sctp /bin/true \n\n######################\n\n' >> $LOG
fi
;;
V-38516) if [ "$3" = "en" ]; then
log_msg $2 'The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.'
else
log_msg $2 '可靠数据报套接字协议必须设置为失效,除非需要。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000126\n\nVulnerability Discussion: \n\nFix text: Disabling RDS protects the system against exploitation of any flaws in its implementation.\n\nThe Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":\n\ninstall rds /bin/true \n\n######################\n\n' >> $LOG
fi
;;
V-38517) if [ "$3" = "en" ]; then
log_msg $2 'The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.'
else
log_msg $2 '除非所要求的透明進程間通信(TIPC)协议必须被禁止。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000127\n\nVulnerability Discussion: Disabling TIPC protects the system against exploitation of any flaws in its implementation.\n\nFix text: The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":\n\ninstall tipc /bin/true \n\n######################\n\n' >> $LOG
fi
;;
V-38518) if [ "$3" = "en" ]; then
log_msg $2 'All rsyslog-generated log files must be owned by root.'
else
log_msg $2 '系统生成的所有日志文件的属主必须为root用户。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000133\n\nVulnerability Discussion: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.\n\nFix text: The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file\047s owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not "root", run the following command to correct this:\n\n# chown root [LOGFILE]\n\n######################\n\n' >> $LOG
fi
;;
V-38519) if [ "$3" = "en" ]; then
log_msg $2 'All rsyslog-generated log files must be group-owned by root.'
else
log_msg $2 '系统生成的所有日志文件的属组必须为root组。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000134\n\nVulnerability Discussion: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.\n\nFix text: The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file\047s group owner:\n\n$ ls -l [LOGFILE]\n\nIf the owner is not "root", run the following command to correct this:\n\n# chgrp root [LOGFILE]\n\n######################\n\n' >> $LOG
fi
;;
V-38623) if [ "$3" = "en" ]; then
log_msg $2 'All rsyslog-generated log files must have mode 0600 or less permissive.'
else
log_msg $2 '系统生成的所有日志文件的权限必须为仅为root用户可读写或更小的权限。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000135\n\nVulnerability Discussion: Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.\n\nFix text: The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file\047s permissions:\n\n$ ls -l [LOGFILE]\n\nIf the permissions are not 600 or more restrictive, run the following command to correct this:\n\n# chmod 0600 [LOGFILE] \n\n######################\n\n' >> $LOG
fi
;;
V-38520) if [ "$3" = "en" ]; then
log_msg $2 'The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.'
else
log_msg $2 '操作系统必须按周期备份审计记录到不同的系统。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000136\n\nVulnerability Discussion: A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.\n\nFix text: To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com] \n\n######################\n\n' >> $LOG
fi
;;
V-38521) if [ "$3" = "en" ]; then
log_msg $2 'The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.'
else
log_msg $2 '操作系统必须支持集中管理的组织所定义的信息系统组件生成的审计记录的内容的要求。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000137\n\nVulnerability Discussion: A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.\n\nFix text: To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.\nTo use UDP for log message delivery:\n\n*.* @[loghost.example.com]\n\nTo use TCP for log message delivery:\n\n*.* @@[loghost.example.com]\n\nTo use RELP for log message delivery:\n\n*.* :omrelp:[loghost.example.com] \n\n######################\n\n' >> $LOG
fi
;;
V-38624) if [ "$3" = "en" ]; then
log_msg $2 'System logs must be rotated daily.'
else
log_msg $2 '系统日志必须进行日常的滚动记录。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000138\n\nVulnerability Discussion: Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.\n\nFix text: The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command:\n\n#apt-get install logrotate\n\n######################\n\n' >> $LOG
fi
;;
V-38628) if [ "$3" = "en" ]; then
log_msg $2 'The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.'
else
log_msg $2 '操作系统必须产生含有足够的信息来建立与该事件相关联的任何用户/主体的身份审核记录。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000145\n\nVulnerability Discussion: Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.\n\nFix text: The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:\n\n#update-rc.d auditd defaults\n# service auditd start \n\n######################\n\n' >> $LOG
fi
;;
V-38631) if [ "$3" = "en" ]; then
log_msg $2 'The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.'
else
log_msg $2 '操作系统必须采用自动化的机制来促进远程接入方式监视和控制。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000148\n\nVulnerability Discussion: The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.\n\nFix text: The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:\n\n#update-rc.d auditd defaults\n# service auditd start \n\n######################\n\n' >> $LOG
fi
;;
V-38632) if [ "$3" = "en" ]; then
log_msg $2 'The operating system must produce audit records containing sufficient information to establish what type of events occurred.'
else
log_msg $2 '操作系统必须生产含有足够的信息来确定发生了什么类型的事件的审计记录。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000154\n\nVulnerability Discussion: Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.\n\nFix text: The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:\n\n#update-rc.d auditd defaults\n# service auditd start \n\n######################\n\n' >> $LOG
fi
;;
V-38636) if [ "$3" = "en" ]; then
log_msg $2 'The system must retain enough rotated audit logs to cover the required log retention period.'
else
log_msg $2 '该系统必须保留足够的轮转审计日志覆盖所需的日志保留期限。'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:RHEL-06-000159\n\nVulnerability Discussion: The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.\n\nFix text: Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:\n\nnum_logs = [NUMLOGS]\n\nSet the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.\n\n######################\n\n' >> $LOG
fi
;;
V-38633) if [ "$3" = "en" ]; then
log_msg $2 'The system must set a maximum audit log file size.'
else
log_msg $2 '系统必须设置最大的审计日志文件的大小。'
fi