# (C) 2014 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_5_SLA_and_Subscription_Agreement.pdf
# http://static.tenable.com/prod_docs/Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.3 $
# $Date: 2014/08/05 15:23:29 $
#
# Description : This .audit file is written against the Center for Internet
# Security benchmark for Red Hat Oracle Linux 5, written against
# Red Hat Enterprise Linux 5, version 2.1.0.
# https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf
# Release check on /etc/redhat-release; it appears to act as the gate for the
# items that follow (the surrounding condition markup is not visible here).
# NOTE(review): the description says "Oracle 5", but both patterns are the
# Red Hat release string, so as written this item also passes on a RHEL 5
# host and does not by itself tell the two distributions apart.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "Oracle 5 is installed"
file : "/etc/redhat-release"
regex : "Red Hat Enterprise Linux Server release 5"
expect : "Red Hat Enterprise Linux Server release 5"
# Oracle Linux 5 version checking is done via redhat-release. /etc/oracle-release is not introduced until Oracle Linux 6
description : "CIS Red Hat EL 5 v2.1.0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
info : "NOTE : Please read the .audit header for CIS_Red_Hat_EL5_v2.1.0.audit before running a compliance scan."
info : "Please review the header notes as some queries may not behave as anticipated due to unique environmental variables that may be present on"
info : "your system(s)."
info : "Thank you."
info : "Tenable Network Security, Inc."
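# 1.1.1 - 1.1.4: /tmp must have its own /etc/fstab entry carrying nodev, nosuid
# and noexec. In each item 'regex' selects the fstab line and 'expect' states
# what that line must contain.
# The leading [^#]* stops a commented-out entry from being selected, so a
# disabled line can neither satisfy nor fail a check.
# These items read /etc/fstab only; the options on the filesystem as currently
# mounted are not examined.
system : "Linux"
type : FILE_CONTENT_CHECK
description: "1.1.1 Create Separate Partition for /tmp"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14161-4"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/tmp\\s"
expect : "^[^#]*\\s+\/tmp\\s"
# The option may be the first, a middle or the last entry of the options field.
# It has to be bounded by whitespace or commas, so a longer word or a trailing
# comment that merely contains the option name does not count.
system : "Linux"
type : FILE_CONTENT_CHECK
description: "1.1.2 Set nodev option for /tmp Partition"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14412-1,CCE|CCE-14161-4"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/tmp\\s"
expect : "^[^#]*\\s+\/tmp\\s[^#]*[\\s,]nodev([\\s,]|$)"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.3 Set nosuid option for /tmp Partition"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14940-1"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/tmp\\s"
expect : "^[^#]*\\s+\/tmp\\s[^#]*[\\s,]nosuid([\\s,]|$)"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.4 Set noexec option for /tmp Partition"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14412-1"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/tmp\\s"
expect : "^[^#]*\\s+\/tmp\\s[^#]*[\\s,]noexec([\\s,]|$)"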
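# 1.1.5: /var must appear as a mount point in /etc/fstab.
# [^#]* keeps a commented-out /var entry from counting as a configured partition.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.5 Create Separate Partition for /var"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14777-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/var\\s"
expect : "^[^#]*\\s+\/var\\s"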
# 1.1.6: selects the fstab line whose first three fields are /tmp, /var/tmp and
# "none", and requires the remainder to be exactly "bind 0 0".
# NOTE(review): because 'expect' allows nothing but "bind" in the options
# field, an entry that adds further options next to bind would be reported as
# failing - confirm that is intended.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.6 Bind Mount the /var/tmp directory to /tmp"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14584-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[\\s]*\/tmp\\s+\/var/tmp\\s+none\\s+.*"
expect : "^[\\s]*\/tmp\\s+\/var/tmp\\s+none\\s+bind\\s+0\\s+0\\s*$"
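# 1.1.7 - 1.1.8: /var/log and /var/log/audit must each appear as a mount point
# in /etc/fstab. [^#]* keeps commented-out entries from being counted.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.7 Create Separate Partition for /var/log"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14011-1"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/var\/log\\s"
expect : "^[^#]*\\s+\/var\/log\\s"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.8 Create Separate Partition for /var/log/audit"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14171-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/var\/log/audit\\s"
expect : "^[^#]*\\s+\/var\/log/audit\\s"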
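# 1.1.9 - 1.1.10: /home must have its own /etc/fstab entry and carry nodev.
# [^#]* keeps commented-out entries from being selected. nodev is accepted at
# any position in the options field, but only as a whole comma- or
# whitespace-delimited option.
system : "Linux"
type : FILE_CONTENT_CHECK
description: "1.1.9 Create Separate Partition for /home"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14559-9"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/home\\s"
expect : "^[^#]*\\s+\/home\\s"
system : "Linux"
type : FILE_CONTENT_CHECK
description: "1.1.10 Add nodev Option to /home"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4249-9"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/home\\s"
expect : "^[^#]*\\s+\/home\\s[^#]*[\\s,]nodev([\\s,]|$)"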
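# 1.1.11 - 1.1.13: fstab entries for removable media (mount points ending in
# floppy, cdrom or corder under a /m... directory) must carry nodev, noexec and
# nosuid. string_required is NO, so a host without such entries is not failed.
# [^#]* keeps commented-out entries and trailing comments out of the match; the
# option is accepted at any position in the options field, but only as a whole
# comma- or whitespace-delimited option.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.11 Add nodev Option to Removable Media Partitions"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-3522-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*[\\s]+\/m[^#]*\/(floppy|cdrom|corder)[\\s]"
expect : "^[^#]*[\\s]+\/m[^#]*\/(floppy|cdrom|corder)[\\s][^#]*[\\s,]nodev([\\s,]|$)"
string_required: NO
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.12 Add noexec Option to Removable Media Partitions"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4275-4"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*[\\s]+\/m[^#]*\/(floppy|cdrom|corder)[\\s]"
expect : "^[^#]*[\\s]+\/m[^#]*\/(floppy|cdrom|corder)[\\s][^#]*[\\s,]noexec([\\s,]|$)"
string_required: NO
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.13 Add nosuid Option to Removable Media Partitions"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4042-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*[\\s]+\/m[^#]*\/(floppy|cdrom|corder)[\\s]"
expect : "^[^#]*[\\s]+\/m[^#]*\/(floppy|cdrom|corder)[\\s][^#]*[\\s,]nosuid([\\s,]|$)"
string_required: NO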
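# 1.1.14 - 1.1.16: the /dev/shm entry in /etc/fstab must carry nodev, nosuid
# and noexec. [^#]* keeps commented-out entries and trailing comments out of the
# match; each option is accepted at any position in the options field, but only
# as a whole comma- or whitespace-delimited option.
# Only /etc/fstab is read; the options on the live mount are not examined.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.14 Add nodev Option to /dev/shm Partition"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-15007-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/dev\/shm\\s"
expect : "^[^#]*\\s+\/dev\/shm\\s[^#]*[\\s,]nodev([\\s,]|$)"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.15 Add nosuid Option to /dev/shm Partition"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14306-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/dev\/shm\\s"
expect : "^[^#]*\\s+\/dev\/shm\\s[^#]*[\\s,]nosuid([\\s,]|$)"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.1.16 Add noexec Option to /dev/shm Partition"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14927-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/fstab"
regex : "^[^#]*\\s+\/dev\/shm\\s"
expect : "^[^#]*\\s+\/dev\/shm\\s[^#]*[\\s,]noexec([\\s,]|$)"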
-
name : "find_world_writeable_directories"
description : "1.1.17 Set Sticky Bit on All World-Writable Directories"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3399-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
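# 1.7: the release line in /etc/redhat-release must show minor version 5.4 or
# later. Two-digit minors (5.10 and up) are accepted as well; the single-digit
# class [4-9] alone rejected them and so failed the newer releases.
# The minimum is hard-coded: passing says nothing about installed errata.
# NOTE: this item appears a second time in the file, after the 1.6.x items.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.7 Use the Latest OS Release"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/redhat-release"
regex : "^[^#]*Red Hat Enterprise Linux Server"
expect : "5\.([4-9]|1[0-9])"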
# 1.2.3: any gpgcheck line in /etc/yum.conf must set the value to exactly 1.
# Only /etc/yum.conf is read by this item; a repository definition elsewhere
# that sets gpgcheck=0 for itself is not covered here and needs its own review.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.2.3 Verify that gpgcheck is Globally Activated"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14914-6"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/yum.conf"
regex : "^[\\s]*gpgcheck\\s*="
expect : "^[\\s]*gpgcheck\\s*=\\s*1\\s*$"
#
# system : "Linux"
# type : CMD_EXEC
# description : "1.2.7 Verify Package Integrity Using RPM"
# info : "Configuration Level : Level-I"
# info : "OS Default : N/A"
# info : "Reboot Required : No"
# info : "Scorable Item : No"
# reference : "CCE|CCE-14931-0"
# see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# cmd : "/bin/rpm -qVa | /bin/awk '$2 != \"c\" { print $0 }'"
# expect : ""
# dont_echo_cmd : YES
# severity : HIGH
#
system : "Linux"
type : FILE_CHECK
description: "1.5.1 Set User/Group Owner on /etc/grub.conf"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4144-2,CCE|CCE-4197-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/grub.conf"
owner : "root"
group : "root"
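# 1.5.2: permission bits on /etc/grub.conf. The mask lists the bits that must
# NOT be set (umask-style), so "177" allows at most owner read/write (0600).
# The stray leading space inside the reference value has been removed so the
# CCE id is tagged the same way as in every other item.
system : "Linux"
type : FILE_CHECK
description: "1.5.2 Set Permissions on /etc/grub.conf"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3923-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/grub.conf"
mask : "177"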
# 1.5.3: /etc/grub.conf must contain an uncommented "password --md5 <value>"
# directive. Only the --md5 form is selected by 'regex'; a password directive
# written without --md5 is not matched by this item.
# The item establishes that a directive is present, not the strength of the
# password behind the hash.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.5.3 Set Boot Loader Password"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3818-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/grub.conf"
regex : "^[\\s]*password --md5 .+"
expect : "password --md5 .+"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.5.4 Require Authentication for Single-User Mode"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4241-6"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/inittab"
regex : "^[\\s]*~:S:wait:/sbin/sulogin"
expect : "~:S:wait:/sbin/sulogin\\s*$"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.5.5 Disable Interactive Boot"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4245-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysconfig/init"
regex : "^[\\s]*PROMPT\\s*="
expect : "^[\\s]*PROMPT\\s*=\\s*[nN][oO]\\s*$"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.6.1 Restrict Core Dumps '/etc/security/limits.conf - * hard core 0'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/security/limits.conf"
regex : "^\\*\\s+hard\\s+core"
expect : "^\\*\\s+hard\\s+core\\s+0\\s*$"
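# 1.6.1 (sysctl part): any fs.suid_dumpable line in /etc/sysctl.conf must set
# the value to exactly 0.
# The dot in the key is escaped so it matches only a literal ".", and 'expect'
# is anchored at end of line so a value that merely starts with 0 is rejected;
# both now follow the form used by the other sysctl items in this file.
# Only the file is read; the value in the running kernel is not examined.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.6.1 Restrict Core Dumps '/etc/sysctl.conf - fs.suid_dumpable = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*fs\.suid_dumpable\\s*="
expect : "^[\\s]*fs\.suid_dumpable\\s*=\\s*0\\s*$"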
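# 1.6.2: any kernel.exec-shield line in /etc/sysctl.conf must set the value to
# exactly 1.
# 'regex' now selects on "key, optional whitespace, =" like 'expect' does. The
# earlier form demanded whitespace after the key, so "kernel.exec-shield=1"
# written without spaces was never selected.
# Only the file is read; the value in the running kernel is not examined.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.6.2 Configure ExecShield 'kernel.exec-shield = 1'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4168-1"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*kernel\.exec-shield\\s*="
expect : "^[\\s]*kernel\.exec-shield\\s*=\\s*1\\s*$"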
# 1.6.3: any kernel.randomize_va_space line in /etc/sysctl.conf must match
# 'expect'.
# NOTE(review): the description advertises "= 1" while 'expect' only accepts
# "= 2". A host configured as the description states is reported as failing.
# Confirm the intended value against the benchmark text and make the two agree.
# Only the file is read; the value in the running kernel is not examined.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.6.3 Enable Randomized Virtual Memory Region Placement 'kernel.randomize_va_space = 1'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : Yes"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4146-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*kernel\.randomize_va_space\\s*"
expect : "^[\\s]*kernel\.randomize_va_space\\s*=\\s*2\\s*$"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.6.5 Disable Prelink 'PRELINKING=no'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysconfig/prelink"
regex : "^[\\s]*PRELINKING\\s*=\\s*"
expect : "^[\\s]*PRELINKING\\s*=\\s*no\\s*$"
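# 1.7: the release line in /etc/redhat-release must show minor version 5.4 or
# later. Two-digit minors (5.10 and up) are accepted as well; the single-digit
# class [4-9] alone rejected them and so failed the newer releases.
# The minimum is hard-coded: passing says nothing about installed errata.
# NOTE: the same item also appears earlier in the file, before 1.2.3.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "1.7 Use the Latest OS Release"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/redhat-release"
regex : "^[^#]*Red Hat Enterprise Linux Server"
expect : "5\.([4-9]|1[0-9])"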
# 2.1.1: package-absence check. The rpm value names telnet-server at version
# 0.0.0-0 with operator "lt"; the RPM_CHECK items that follow use the same
# form for their packages.
# NOTE(review): presumably this is the "must not be installed" idiom, since no
# real package version sorts below 0.0.0-0 - confirm how the scanner treats an
# absent package for this item.
system : "Linux"
type : RPM_CHECK
description : "2.1.1 Remove telnet-server"
info : "Configuration Level : Level-I"
info : "OS Default : disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3390-2,CCE|CCE-4330-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "telnet-server-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.2 Remove telnet Clients"
info : "Configuration Level : Level-I"
info : "OS Default : disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3390-2,CCE|CCE-4330-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "telnet-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.3 Remove rsh-server"
info : "Configuration Level : Level-I"
info : "OS Default : Not installed"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4308-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "rsh-server-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.4 Remove rsh"
info : "Configuration Level : Level-I"
info : "OS Default : Not installed"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4141-8,CCE|CCE-3974-3,CCE|CCE-3537-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "rsh-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.5 Remove NIS Client"
info : "Configuration Level : Level-I"
info : "OS Default : disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3705-1,CCE|CCE-4348-9"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "ypbind-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.6 Remove NIS Server"
info : "Configuration Level : Level-I"
info : "OS Default : disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3705-1,CCE|CCE-4348-9"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "ypserv-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.7 Remove tftp"
info : "Configuration Level : Level-I"
info : "OS Default : disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4273-9,CCE|CCE-3916-4"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "tftp-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.8 Remove tftp-server"
info : "Configuration Level : Level-I"
info : "OS Default : disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4273-9,CCE|CCE-3916-4"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "tftp-server-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.9 Remove talk"
info : "Configuration Level : Level-I"
info : "OS Default : Enabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "talk-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "2.1.10 Remove talk-server"
info : "Configuration Level : Level-I"
info : "OS Default : Not installed"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "talk-server-0.0.0-0"
operator : "lt"
system : "Linux"
type : XINETD_SVC
description : "2.1.12 Disable chargen-dgram"
info : "Configuration Level : Level-I"
info : "OS Default : Disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "chargen-dgram"
status : OFF
system : "Linux"
type : XINETD_SVC
description : "2.1.13 Disable chargen-stream"
info : "Configuration Level : Level-I"
info : "OS Default : Disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "chargen-stream"
status : OFF
system : "Linux"
type : XINETD_SVC
description : "2.1.14 Disable daytime-dgram"
info : "Configuration Level : Level-I"
info : "OS Default : Disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "daytime-dgram"
status : OFF
system : "Linux"
type : XINETD_SVC
description : "2.1.15 Disable daytime-stream"
info : "Configuration Level : Level-I"
info : "OS Default : Disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "daytime-stream"
status : OFF
system : "Linux"
type : XINETD_SVC
description : "2.1.16 Disable echo-dgram"
info : "Configuration Level : Level-I"
info : "OS Default : Disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "echo-dgram"
status : OFF
system : "Linux"
type : XINETD_SVC
description : "2.1.17 Disable echo-stream"
info : "Configuration Level : Level-I"
info : "OS Default : Disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "echo-stream"
status : OFF
system : "Linux"
type : XINETD_SVC
description : "2.1.18 Disable tcpmux-server"
info : "Configuration Level : Level-I"
info : "OS Default : Disabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "tcpmux-server"
status : OFF
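# 3.2: every umask line in /etc/sysconfig/init must set exactly 027.
# 'regex' now selects any umask line and 'expect' carries the required value,
# the same split the other FILE_CONTENT_CHECK items use. Previously 'regex'
# itself contained 027, so a second, weaker umask line in the same file was
# never selected and could not fail the item.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "3.2 Set Daemon umask"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysconfig/init"
regex : "^[\\s]*umask\\s"
expect : "^[\\s]*umask\\s+027\\s*$"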
system : "Linux"
type : CHKCONFIG
description : "3.1.1 Disable Avahi Server"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "avahi-daemon"
levels : "0123456"
status : OFF
# Process check for avahi-daemon with status ON. It carries no benchmark number
# or info fields.
# NOTE(review): looks like the condition that decides whether the Avahi
# configuration items 3.1.3 and 3.1.4 are evaluated; the enclosing markup is not
# visible here, so confirm before relying on that.
system : "Linux"
type : PROCESS_CHECK
description : "avahi on"
name : "avahi-daemon"
status : ON
# 3.1.3 - 3.1.4: each item runs awk over /etc/avahi/avahi-daemon.conf, printing
# from the [server] section header through the first line that mentions the
# option name, and 'expect' is applied to that output.
# NOTE(review): the awk end pattern is unanchored, so a commented-out line that
# mentions the option and sits before the active setting would end the range
# early and the active setting would never be printed. Confirm against the
# layout of the deployed avahi-daemon.conf.
system : "Linux"
type : CMD_EXEC
description : "3.1.3 Check Responses TTL Field 'check-response-ttl=yes'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
cmd : "/bin/awk '/^[\\s]*\\[server\\]/,/check-response-ttl/' /etc/avahi/avahi-daemon.conf"
expect : "^[\\s]*check-response-ttl=yes\\s*$"
severity : HIGH
dont_echo_cmd: YES
system : "Linux"
type : CMD_EXEC
description : "3.1.4 Prevent Other Programs from Using Avahi's Port 'disallow-other-stacks=yes'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
cmd : "/bin/awk '/^[\\s]*\\[server\\]/,/disallow-other-stacks/' /etc/avahi/avahi-daemon.conf"
expect : "^[\\s]*disallow-other-stacks=yes\\s*$"
severity : HIGH
dont_echo_cmd: YES
system : "Linux"
type : CHKCONFIG
description : "3.8 Disable NFS and RPC 'nfslock'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "nfslock"
levels : "0123456"
status : OFF
system : "Linux"
type : CHKCONFIG
description : "3.8 Disable NFS and RPC 'rpcgssd'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "rpcgssd"
levels : "0123456"
status : OFF
system : "Linux"
type : CHKCONFIG
description : "3.8 Disable NFS and RPC 'rpcidmapd'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "rpcidmapd"
levels : "0123456"
status : OFF
system : "Linux"
type : CHKCONFIG
description : "3.8 Disable NFS and RPC 'portmap'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "portmap"
levels : "0123456"
status : OFF
system : "Linux"
type : RPM_CHECK
description : "3.9 Remove DNS Server"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "bind-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "3.10 Remove FTP Server"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "vsftpd-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "3.12 Remove Dovecot (IMAP and POP3 services)"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "dovecot-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "3.13 Remove Samba"
info : "Configuration Level : Level-I"
info : "OS Default : Not installed"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "samba-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "3.14 Remove HTTP Proxy Server"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "squid-0.0.0-0"
operator : "lt"
system : "Linux"
type : RPM_CHECK
description : "3.15 Remove SNMP Server"
info : "Configuration Level : Level-I"
info : "OS Default : Not Installed"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "net-snmp-0.0.0-0"
operator : "lt"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "3.16 Configure Mail Transfer Agent for Local-Only Mode 'O DaemonPortOptions=Port=smtp, Addr=127.0.0.1, Name=MTA'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/mail/sendmail.cf"
regex : "^O[\\s]*DaemonPortOptions\\s*="
expect : "^O[\\s]*DaemonPortOptions\\s*=\\s*Port\\s*=\\s*smtp,\\s*Addr\\s*=\\s*127\.0\.0\.1,\\s*Name=MTA\\s*$"
# 4.1.1: any net.ipv4.ip_forward line in /etc/sysctl.conf must set the value to
# exactly 0.
# Like the other 4.x sysctl items below, this reads /etc/sysctl.conf only. The
# value currently in effect in the running kernel is not examined, so a
# setting changed at runtime is outside what this item can show.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.1.1 Disable IP Forwarding 'net.ipv4.ip_forward = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3561-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.ip_forward\\s*="
expect : "^[\\s]*net\.ipv4\.ip_forward\\s*=\\s*0\\s*$"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.1.2 Disable Send Packet Redirects 'net.ipv4.conf.all.send_redirects = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4151-7,CCE|CCE-4155-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.conf\.all\.send_redirects\\s*="
expect : "^[\\s]*net\.ipv4\.conf\.all\.send_redirects\\s*=\\s*0\\s*$"
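# 4.1.2 (default interface part): any net.ipv4.conf.default.send_redirects line
# in /etc/sysctl.conf must set the value to exactly 0.
# The description now names the key the patterns actually test; it previously
# read "net.ipv4.conf.send_redirects", which is not the key being checked and
# made this result hard to tell apart from the "all" item in a report.
# Only the file is read; the value in the running kernel is not examined.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.1.2 Disable Send Packet Redirects 'net.ipv4.conf.default.send_redirects = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4151-7,CCE|CCE-4155-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.conf\.default\.send_redirects\\s*="
expect : "^[\\s]*net\.ipv4\.conf\.default\.send_redirects\\s*=\\s*0\\s*$"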
# Section 4.2 kernel network parameters (IPv4). Every item in this run reads
# /etc/sysctl.conf only: `regex` selects the line that assigns the key and
# `expect` pins the value that line must carry.
# NOTE(review): nothing here queries the running kernel, so a value changed at
# runtime after boot is not detected by these checks.
# NOTE(review): several items are marked "OS Default : Yes"; if the key is simply
# absent from the file, `regex` has no line to select. Confirm how that is reported.

# Source routing, "all" interfaces: value must be 0.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.1 Disable Source Routed Packet Acceptance 'net.ipv4.conf.all.accept_source_route = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4236-6,CCE|CCE-4091-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.conf\.all\.accept_source_route\\s*="
expect : "^[\\s]*net\.ipv4\.conf\.all\.accept_source_route\\s*=\\s*0\\s*$"
# Source routing, "default" template for new interfaces: value must be 0.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.1 Disable Source Routed Packet Acceptance 'net.ipv4.conf.default.accept_source_route = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4236-6,CCE|CCE-4091-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.conf\.default\.accept_source_route\\s*="
expect : "^[\\s]*net\.ipv4\.conf\.default\.accept_source_route\\s*=\\s*0\\s*$"
# ICMP redirect acceptance, "all" interfaces: value must be 0.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.2 Disable ICMP Redirect Acceptance 'net.ipv4.conf.all.accept_redirects = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4217-6,CCE|CCE-4186-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.conf\.all\.accept_redirects\\s*="
expect : "^[\\s]*net\.ipv4\.conf\.all\.accept_redirects\\s*=\\s*0\\s*$"
# ICMP redirect acceptance, "default" template: value must be 0.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.2 Disable ICMP Redirect Acceptance 'net.ipv4.conf.default.accept_redirects = 0'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4217-6,CCE|CCE-4186-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.conf\.default\.accept_redirects\\s*="
expect : "^[\\s]*net\.ipv4\.conf\.default\.accept_redirects\\s*=\\s*0\\s*$"
# Martian-packet logging: value must be 1. Only the "all" key is checked in this
# run; no matching "default" item is visible here.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.4 Log Suspicious Packets 'net.ipv4.conf.all.log_martians = 1'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4320-8"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.conf\.all\.log_martians\\s*="
expect : "^[\\s]*net\.ipv4\.conf\.all\.log_martians\\s*=\\s*1\\s*$"
# Ignore ICMP echo requests sent to broadcast addresses: value must be 1.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.5 Enable Ignore Broadcast Requests 'net.ipv4.icmp_echo_ignore_broadcasts = 1'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3644-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.icmp_echo_ignore_broadcasts\\s*="
expect : "^[\\s]*net\.ipv4\.icmp_echo_ignore_broadcasts\\s*=\\s*1\\s*$"
# Ignore bogus ICMP error responses: value must be 1.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.6 Enable Bad Error Message Protection 'net.ipv4.icmp_ignore_bogus_error_responses = 1'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4133-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.icmp_ignore_bogus_error_responses\\s*="
expect : "^[\\s]*net\.ipv4\.icmp_ignore_bogus_error_responses\\s*=\\s*1\\s*$"
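# TCP SYN cookies: /etc/sysctl.conf must assign net.ipv4.tcp_syncookies = 1.
# The dots in the key are escaped so they match a literal '.', as in the other
# sysctl items of this file; unescaped they would match any character.
# NOTE(review): only the file is read, not the running kernel value.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.2.8 Enable TCP SYN Cookies 'net.ipv4.tcp_syncookies = 1'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4265-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/sysctl.conf"
regex : "^[\\s]*net\.ipv4\.tcp_syncookies\\s*="
expect : "^[\\s]*net\.ipv4\.tcp_syncookies\\s*=\\s*1\\s*$"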
# Informational check: runs /sbin/iwconfig on the target so an auditor can review
# the output for wireless interfaces. It is marked non-scorable and the info text
# asks for manual verification; `expect` is the empty string.
# NOTE(review): the two remediation lines end at "ifdown " and "ifcfg-"; an
# interface-name placeholder appears to be missing from both. Confirm against
# the original .audit file.
system : "Linux"
type : CMD_EXEC
description : "4.3.1 Deactivate Wireless Interfaces"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4276-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
info : "NOTE : This query provides an informational output that requires manual verification."
info : "NOTE : Per CIS, any wireless interface found should be downed :"
info : " ifdown "
info : "and the config script removed:"
info : " rm /etc/sysconfig/network-scripts/ifcfg-"
cmd : "/sbin/iwconfig"
expect : ""
dont_echo_cmd : YES
severity : MEDIUM
# IPv6 module option: any "options ipv6 ..." line in /etc/modprobe.conf must be
# exactly: options ipv6 "disable=1". The double quotes are part of the pattern.
# NOTE(review): only /etc/modprobe.conf is read; whether the ipv6 module is
# currently loaded is not examined ("Reboot Required : Yes").
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.4.2 Disable IPv6 'options ipv6 disable=1'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
reference : "CCE|CCE-3562-6"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/modprobe.conf"
regex : "^[\\s]*options\\s+ipv6\\s"
expect : "^[\\s]*options\\s+ipv6\\s+[\"]disable\\s*=\\s*1[\"]\\s*$"
#
# system : "Linux"
# type : FILE_CONTENT_CHECK
# description : "4.4.1.1 Disable IPv6 Router Advertisements 'net.ipv6.conf.default.accept_ra = 0'"
# info : "Configuration Level : Level-I"
# info : "OS Default : N/A"
# info : "Reboot Required : No"
# info : "Scorable Item : No"
# reference : "CCE|CCE-4269-7"
# see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# file : "/etc/sysctl.conf"
# regex : "^[\\s]*net\.ipv6\.conf\.default\.accept_ra\\s*="
# expect : "^[\\s]*net\.ipv6\.conf\.default\.accept_ra\\s*=\\s*0\\s*$"
#
#
# system : "Linux"
# type : FILE_CONTENT_CHECK
# description : "4.4.1.2 Disable IPv6 Redirect Acceptance 'net.ipv6.conf.default.accept_redirects = 0'"
# info : "Configuration Level : Level-I"
# info : "OS Default : N/A"
# info : "Reboot Required : No"
# info : "Scorable Item : No"
# reference : "CCE|CCE-4313-3"
# see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# file : "/etc/sysctl.conf"
# regex : "^[\\s]*net\.ipv6\.conf\.default\.accept_redirects\\s*="
# expect : "^[\\s]*net\.ipv6\.conf\.default\.accept_redirects\\s*=\\s*0\\s*$"
#
# Package presence: the comparison is "greater than tcp_wrappers-0.0.0-0" with
# required : YES, which amounts to requiring that the package is installed.
system : "Linux"
type : RPM_CHECK
description : "4.5.1 Install TCP Wrappers"
info : "Configuration Level : Level-I"
info : "OS Default : Not installed"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "tcp_wrappers-0.0.0-0"
operator : "gt"
required : YES
# Ownership and mode of the TCP Wrappers allow list. `mask` names the permission
# bits that must be clear (umask style), so "133" permits at most 0644.
# Only file metadata is checked, not the access rules inside the file.
system : "Linux"
type : FILE_CHECK
description : "4.5.3 Verify Permissions on /etc/hosts.allow"
info : "Configuration Level : Level-I"
info : "OS Default : Installed"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/hosts.allow"
owner : "root"
group : "root"
mask : "133"
# Same ownership and mode requirement for the deny list (at most 0644, root:root).
system : "Linux"
type : FILE_CHECK
description : "4.5.5 Verify Permissions on /etc/hosts.deny"
info : "Configuration Level : Level-I"
info : "OS Default : Installed"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/hosts.deny"
owner : "root"
group : "root"
mask : "133"
# Boot-time enablement of the iptables service in runlevels 2-5.
# NOTE(review): this covers the service's chkconfig state only; the loaded rule
# set and default policies are not examined by this item.
system : "Linux"
type : CHKCONFIG
description : "4.7 Enable IPtables"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4189-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "iptables"
levels : "2345"
status : ON
#
# system : "Linux"
# type : CHKCONFIG
# description : "4.8 Enable IP6tables"
# info : "Configuration Level : Level-I"
# info : "OS Default : N/A"
# info : "Reboot Required : No"
# info : "Scorable Item : No"
# reference : "CCE|CCE-4167-3"
# see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# service : "ip6tables"
# levels : "2345"
# status : ON
#
# Section 4.6 uncommon network protocols. Each item requires that any
# "install <module> ..." line in /etc/modprobe.conf maps the module to /bin/true,
# so a load request runs a no-op instead of inserting the module.
# NOTE(review): only /etc/modprobe.conf is read. A module that is already loaded
# is not detected here ("Reboot Required : Yes").

# DCCP
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.6.1 Disable DCCP 'install dccp /bin/true'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
reference : "CCE|CCE-14268-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/modprobe.conf"
regex : "^[\\s]*install\\s+dccp\\s"
expect : "^[\\s]*install\\s+dccp\\s+/bin/true\\s*$"
# SCTP
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.6.2 Disable SCTP 'install sctp /bin/true'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
reference : "CCE|CCE-14132-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/modprobe.conf"
regex : "^[\\s]*install\\s+sctp\\s"
expect : "^[\\s]*install\\s+sctp\\s+/bin/true\\s*$"
# RDS
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.6.3 Disable RDS 'install rds /bin/true'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
reference : "CCE|CCE-14027-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/modprobe.conf"
regex : "^[\\s]*install\\s+rds\\s"
expect : "^[\\s]*install\\s+rds\\s+/bin/true\\s*$"
# TIPC
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.6.4 Disable TIPC 'install tipc /bin/true'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
reference : "CCE|CCE-14911-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/modprobe.conf"
regex : "^[\\s]*install\\s+tipc\\s"
expect : "^[\\s]*install\\s+tipc\\s+/bin/true\\s*$"
# Package presence: "greater than rsyslog-0.0.0-0" with required : YES amounts to
# requiring that the rsyslog package is installed.
system : "Linux"
type : RPM_CHECK
description : "5.2.1 Install the rsyslog package"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
rpm : "rsyslog-0.0.0-0"
operator : "gt"
required : YES
# First half of 5.2.2: the legacy "syslog" service must be OFF in runlevels 1-6,
# so that it does not run alongside rsyslog.
# NOTE(review): this item and the next have no `system : "Linux"` line, unlike
# most items in the file. Confirm whether that is intentional.
type : CHKCONFIG
description : "5.2.2 Activate the rsyslog Service 'syslog'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "syslog"
levels : "123456"
status : OFF
# Second half of 5.2.2: the "rsyslog" service must be ON in runlevels 2-5.
type : CHKCONFIG
description : "5.2.2 Activate the rsyslog Service 'rsyslog'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "rsyslog"
levels : "2345"
status : ON
# 5.2.3 rsyslog routing rules. Each item requires a rule in /etc/rsyslog.conf
# whose selector is written exactly as shown (for example the literal text
# "auth,user.*") and whose destination is the named file.
# NOTE(review): a rule that sends the same facilities elsewhere with a
# differently written selector is not matched by `regex`, so it would be
# reported as the rule being absent rather than as a compliant variant.

# auth,user.* -> /var/log/messages
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.2.3 Configure /etc/rsyslog.conf 'auth,user /var/log/messages'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/rsyslog.conf"
regex : "^[\\s]*auth,user\.\\*\\s"
expect : "^[\\s]*auth,user\.\\*\\s+\\/var\\/log\\/messages\\s*$"
# kern.* -> /var/log/kern.log
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.2.3 Configure /etc/rsyslog.conf 'kern /var/log/kern.log'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/rsyslog.conf"
regex : "^[\\s]*kern\.\\*\\s"
expect : "^[\\s]*kern\.\\*\\s+\\/var\\/log\\/kern\.log\\s*$"
# daemon.* -> /var/log/daemon.log
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.2.3 Configure /etc/rsyslog.conf 'daemon /var/log/daemon.log'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/rsyslog.conf"
regex : "^[\\s]*daemon\.\\*\\s"
expect : "^[\\s]*daemon\.\\*\\s+\\/var\\/log\\/daemon\.log\\s*$"
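# syslog.* -> /var/log/syslog. The destination in `expect` is the path named in
# this item's description; the earlier pattern required "/var/log/syslog.log",
# which a host configured as described could never satisfy.
# NOTE(review): confirm the path against the benchmark text linked in see_also.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.2.3 Configure /etc/rsyslog.conf 'syslog /var/log/syslog'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/rsyslog.conf"
regex : "^[\\s]*syslog\.\\*\\s"
expect : "^[\\s]*syslog\.\\*\\s+\\/var\\/log\\/syslog\\s*$"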
# Catch-all rule: the listed facilities, written in exactly this order, must be
# routed to /var/log/unused.log.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.2.3 Configure /etc/rsyslog.conf 'lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6 /var/log/unused.log'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/rsyslog.conf"
regex : "^[\\s]*lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6\.\\*\\s"
expect : "^[\\s]*lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6\.\\*\\s+\\/var\\/log\\/unused\.log\\s*$"
# 5.2.6, part 1: expects "$ModLoad imtcp.so" in /etc/rsyslog.conf.
# NOTE(review): the title restricts remote reception to designated log hosts, but
# this item and the next require the TCP listener to be configured. They look
# meaningful only when the scan target is itself a log host; on any other host
# the desired state is the absence of these lines. Scope the scan accordingly.
# NOTE(review): `regex` selects every "$ModLoad" line, not only the imtcp one.
# If each selected line has to satisfy `expect`, a file that loads other modules
# would be reported as failing. Confirm, and narrow `regex` if so.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts '$ModLoad imtcp.so'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/rsyslog.conf"
regex : "^[\\s]*[\$]ModLoad\\s"
expect : "^[\\s]*[\$]ModLoad\\s+imtcp\.so\\s*$"
# 5.2.6, part 2: expects "$InputTCPServerRun 514" (TCP listener on port 514).
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts '$InputTCPServerRun 514'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/rsyslog.conf"
regex : "^[\\s]*[\$]InputTCPServerRun\\s"
expect : "^[\\s]*[\$]InputTCPServerRun\\s+514\\s*$"
</full_update_placeholder_never_emitted>
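# 5.4 logrotate coverage. Each item looks for one log path in
# /etc/logrotate.d/syslog. `regex` and `expect` are the same pattern apart from a
# trailing "\\s*" and neither is anchored, so an item asserts only that the path
# appears somewhere on a line of that file. The rotation directives that apply
# to the path are not examined.
# NOTE(review): because the patterns are unanchored, a commented-out path, or a
# longer path that merely begins with the same text, would also match.

system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.4 Configure logrotate - '/var/log/messages'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4182-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/logrotate.d/syslog"
regex : "[\\s]*/var/log/messages"
expect : "[\\s]*/var/log/messages\\s*"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.4 Configure logrotate - '/var/log/secure'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4182-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/logrotate.d/syslog"
regex : "[\\s]*/var/log/secure"
expect : "[\\s]*/var/log/secure\\s*"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.4 Configure logrotate - '/var/log/maillog'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4182-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/logrotate.d/syslog"
regex : "[\\s]*/var/log/maillog"
expect : "[\\s]*/var/log/maillog\\s*"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.4 Configure logrotate - '/var/log/spooler'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4182-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/logrotate.d/syslog"
regex : "[\\s]*/var/log/spooler"
expect : "[\\s]*/var/log/spooler\\s*"
# The dot in "boot.log" is escaped so it matches a literal '.', in line with the
# "kern\.log" style used by the rsyslog items in this file.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.4 Configure logrotate - '/var/log/boot.log'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4182-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/logrotate.d/syslog"
regex : "[\\s]*/var/log/boot\.log"
expect : "[\\s]*/var/log/boot\.log\\s*"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "5.4 Configure logrotate - '/var/log/cron'"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4182-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/logrotate.d/syslog"
regex : "[\\s]*/var/log/cron"
expect : "[\\s]*/var/log/cron\\s*"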
# 6.1.2: the crond service must be ON in runlevels 2-5.
# NOTE(review): this item has no `system : "Linux"` line, unlike the FILE_CHECK
# items that follow. Confirm whether that is intentional.
type : CHKCONFIG
description : "6.1.2 Enable cron Daemon"
info : "Configuration Level : Level-I"
info : "OS Default : Enabled"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4324-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
service : "crond"
levels : "2345"
status : ON
# 6.1.3 - 6.1.9: ownership and mode of the cron configuration files and
# directories. Each must be owned by root:root. `mask` names the permission bits
# that must be clear (umask style), so "077" means no access at all for group or
# other (at most 0700). The point is that only root can read or alter scheduled
# jobs that run with root privilege.
# Only the named path is checked; files inside the cron.* directories are not
# examined by these items.
system : "Linux"
type : FILE_CHECK
description : "6.1.3 Set User/Group Owner and Permission on /etc/anacrontab"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/anacrontab"
owner : "root"
group : "root"
mask : "077"
system : "Linux"
type : FILE_CHECK
description : "6.1.4 Set User/Group Owner and Permission on /etc/crontab"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3626-9,CCE|CCE-3851-3,CCE|CCE-4388-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/crontab"
owner : "root"
group : "root"
mask : "077"
system : "Linux"
type : FILE_CHECK
description : "6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4054-3,CCE|CCE-3983-4,CCE|CCE-4106-1"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/cron.hourly"
owner : "root"
group : "root"
mask : "077"
system : "Linux"
type : FILE_CHECK
description : "6.1.6 Set User/Group Owner and Permission on /etc/cron.daily"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3481-9,CCE|CCE-4022-0,CCE|CCE-4450-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/cron.daily"
owner : "root"
group : "root"
mask : "077"
system : "Linux"
type : FILE_CHECK
description : "6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4331-5,CCE|CCE-3833-1,CCE|CCE-4203-6"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/cron.weekly"
owner : "root"
group : "root"
mask : "077"
system : "Linux"
type : FILE_CHECK
description : "6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4322-4,CCE|CCE-4441-2,CCE|CCE-4251-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/cron.monthly"
owner : "root"
group : "root"
mask : "077"
system : "Linux"
type : FILE_CHECK
description : "6.1.9 Set User/Group Owner and Permission on /etc/cron.d"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4212-7,CCE|CCE-4380-2,CCE|CCE-4250-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/cron.d"
owner : "root"
group : "root"
mask : "077"
# Section 6.2 SSH daemon settings, first part. Every FILE_CONTENT_CHECK here reads
# /etc/ssh/sshd_config: `regex` selects uncommented lines that start with the
# keyword and `expect` pins the value.
# NOTE(review): the patterns require the keyword in exactly this capitalisation
# and do not consider the daemon's compiled-in default. A directive left
# commented out gives `regex` nothing to select even where the item says
# "OS Default : Yes". Confirm how that is reported.
# NOTE(review): only the file is read; a running sshd that has not reloaded its
# configuration is not detected.

# Protocol must be exactly "2" (a list such as "2,1" does not match).
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.1 Set SSH Protocol to 2"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4245-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*Protocol\\s"
expect : "^[\\s]*Protocol\\s+2\\s*$"
# LogLevel must be INFO (value matched case-insensitively). More verbose levels
# such as VERBOSE do not match this pattern.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.2 Set LogLevel to INFO"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*LogLevel\\s"
expect : "^[\\s]*LogLevel\\s+[iI][nN][fF][oO]\\s*$"
# sshd_config must be root:root. `mask` names bits that must be clear, so "133"
# permits at most 0644, which still leaves the file world-readable.
system : "Linux"
type : FILE_CHECK
description : "6.2.3 Set Permissions on /etc/ssh/sshd_config"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3958-6,CCE|CCE-3495-9"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
owner : "root"
group : "root"
mask : "133"
# X11Forwarding must be "no" (case-insensitive value).
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.4 Disable SSH X11 Forwarding"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*X11Forwarding\\s"
expect : "^[\\s]*X11Forwarding\\s+[nN][oO]\\s*$"
# MaxAuthTries must be a single digit 1, 2 or 3.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.5 Set SSH MaxAuthTries to 3 or Less"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*MaxAuthTries\\s"
expect : "^[\\s]*MaxAuthTries\\s+[1-3]\\s*$"
# IgnoreRhosts must be "yes".
# NOTE(review): CCE-4250-7 is also listed on the /etc/cron.d permission item in
# this file; one of the two mappings is presumably wrong. Verify.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.6 Set SSH IgnoreRhosts to Yes"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4250-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*IgnoreRhosts\\s"
expect : "^[\\s]*IgnoreRhosts\\s+[yY][eE][sS]\\s*$"
# HostbasedAuthentication must be "no".
# NOTE(review): CCE-4251-5 is also listed on the /etc/cron.monthly permission
# item in this file. Verify the mapping.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.7 Set SSH HostbasedAuthentication to No"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4251-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*HostbasedAuthentication\\s"
expect : "^[\\s]*HostbasedAuthentication\\s+[nN][oO]\\s*$"
# Section 6.2 SSH daemon settings, second part. As with the other sshd items,
# `regex` selects uncommented lines in /etc/ssh/sshd_config that start with the
# keyword and `expect` pins the value; only the file is read.

# PermitRootLogin must be exactly "no"; values such as "without-password" or
# "forced-commands-only" do not match.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.8 Disable SSH Root Login"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4252-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitRootLogin\\s"
expect : "^[\\s]*PermitRootLogin\\s+[nN][oO]\\s*$"
# PermitEmptyPasswords must be "no".
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.9 Set SSH PermitEmptyPasswords to No"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4256-4"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitEmptyPasswords\\s"
expect : "^[\\s]*PermitEmptyPasswords\\s+[nN][oO]\\s*$"
# PermitUserEnvironment must be "no".
# NOTE(review): CCE-4265-5 is also listed on the tcp_syncookies item in this
# file. Verify the mapping.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.10 Do Not Allow Users to Set Environment Options 'PermitUserEnvironment no'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4265-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitUserEnvironment\\s"
expect : "^[\\s]*PermitUserEnvironment\\s+[nN][oO]\\s*$"
# Ciphers must be exactly the three AES-CTR names, in this order, with no spaces.
# NOTE(review): a stricter subset (for example only aes256-ctr) or the same three
# ciphers in another order does not match and would be reported as failing.
# NOTE(review): CCE-4269-7 also appears on a commented-out IPv6 item in this
# file. Verify the mapping.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.11 Use Only Approved Ciphers in Counter Mode 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4269-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*Ciphers\\s"
expect : "^[\\s]*Ciphers\\s+[aA][eE][sS]128-[cC][tT][rR],[aA][eE][sS]192-[cC][tT][rR],[aA][eE][sS]256-[cC][tT][rR]\\s*$"
# ClientAliveInterval must be an integer from 1 to 900. A value of 0 does not
# match the pattern.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.12 Set Idle Timeout Interval for User Login 'ClientAliveInterval <= 900'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4247-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*ClientAliveInterval\\s"
expect : "^[\\s]*ClientAliveInterval\\s+([1-9]|[1-9][0-9]|[1-8][0-9][0-9]|900)\\s*$"
# ClientAliveCountMax must be 0, the companion setting to the interval above.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.12 Set Idle Timeout Interval for User Login 'ClientAliveCountMax'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-4247-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*ClientAliveCountMax\\s"
expect : "^[\\s]*ClientAliveCountMax\\s+0\\s*$"
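# UsePrivilegeSeparation must be "yes" in /etc/ssh/sshd_config.
# `expect` is anchored with "\\s*$" like the other sshd items in this file, so a
# line that merely begins with "yes" and continues with other text no longer
# passes.
# This item carries no "OS Default" or "Reboot Required" info lines.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.2.15 Enable SSH UsePrivilegeSeparation 'UsePrivilegeSeparation yes'"
info : "Configuration Level : Level-I"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*UsePrivilegeSeparation\\s"
expect : "^[\\s]*UsePrivilegeSeparation\\s+yes\\s*$"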
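# Sections 6.3 and 6.5: PAM password policy, account lockout, password hashing
# and su restriction. In the FILE_CONTENT_CHECK items the dot in each PAM module
# file name is escaped ("pam_tally2\.so", "pam_unix\.so", "pam_wheel\.so") so it
# matches a literal '.', as the pam_cracklib item already did.

# pam_cracklib: the line must carry exactly these options in exactly this order.
# NOTE(review): a stricter policy (for example a larger minlen) or the same
# options in another order does not match and would be reported as failing.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.3.1 Set Password Creation Requirement Parameters Using pam_cracklib 'password required'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/pam.d/system-auth"
regex : "^[\\s]*password\\s+required\\s+pam_cracklib\.so\\s"
expect : "^[\\s]*password\\s+required\\s+pam_cracklib\.so\\s+try_first_pass\\s+retry=3\\s+minlen=8\\s+dcredit=-1\\s+ucredit=-1\\s+ocredit=-1\\s+lcredit=-1\\s*$"
# pam_tally2 lockout: requires "deny=3 onerr=fail" and nothing else on the line.
# NOTE(review): extra options such as an unlock time would make the line fail.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.3.2 Set Lockout for Failed Password Attempts 'auth required pam_tally2.so deny=3 onerr=fail'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/pam.d/system-auth"
regex : "^[\\s]*auth\\s+required\\s+pam_tally2\.so\\s"
expect : "^[\\s]*auth\\s+required\\s+pam_tally2\.so\\s+deny=3\\s+onerr=fail\\s*$"
# Password hashing: runs authconfig in test mode on the target and looks for
# "sha512" (any case) on the line that mentions hashing.
# NOTE(review): this reflects the configured algorithm for new passwords; hashes
# already stored for existing accounts are not examined by this command.
system : "Linux"
type : CMD_EXEC
description : "6.3.4 Upgrade Password Hashing Algorithm to SHA-512"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
cmd : "/usr/sbin/authconfig --test | /bin/grep hashing"
expect : "[sS][hH][aA]512"
dont_echo_cmd : YES
severity : HIGH
# Password history: the pam_unix line must end with "remember=24". The
# description now names the module "pam_unix.so", matching the pattern.
# NOTE(review): `expect` needs at least one other option between the module name
# and remember=24, and needs remember=24 to be the last option on the line.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.3.5 Limit Password Reuse 'password sufficient pam_unix.so remember=24'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/pam.d/system-auth"
regex : "^[\\s]*password\\s+sufficient\\s+pam_unix\.so\\s"
expect : "^[\\s]*password\\s+sufficient\\s+pam_unix\.so\\s+.*\\s+remember=24\\s*$"
# su restriction, part 1: /etc/pam.d/su must contain an uncommented
# "auth required pam_wheel.so use_uid" line.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "6.5 Restrict Access to the su Command '/etc/pam.d/su - auth required pam_wheel.so use_uid'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/pam.d/su"
regex : "^[\\s]*auth\\s+required\\s+pam_wheel\.so\\s"
expect : "^[\\s]*auth\\s+required\\s+pam_wheel\.so\\s+use_uid\\s*$"
# su restriction, part 2: the wheel group entry must have GID 10 and list root as
# its first member. Members after root are not constrained by the pattern, so
# the full membership still has to be reviewed by hand.
system : "Linux"
type : CMD_EXEC
description : "6.5 Restrict Access to the su Command '/etc/group - wheel:x:10:root, '"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
cmd : "/bin/grep ^wheel: /etc/group"
expect : "^wheel:x:10:root(,|$)"
dont_echo_cmd : YES
severity : HIGH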
# 7.2: pattern for /etc/passwd entries whose UID is in the range 1-499 (written
# as 1-9, two digits, or three digits starting 0-4) and whose shell begins with
# /sbin/nologin. The shell field is not end-anchored.
# NOTE(review): only one pattern is listed. If a GRAMMAR_CHECK requires every
# line of the file to match some listed pattern, the root entry and ordinary
# user entries would not match this one. Confirm the intended coverage.
# NOTE(review): CCE-4060-0 is reused by several unrelated items in this file
# (7.3, 7.4, 7.5). Verify the mappings.
system : "Linux"
type : GRAMMAR_CHECK
description: "7.2 Disable System Accounts"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4060-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/passwd"
regex : "^[A-Za-z0-9_-]+:x:([1-9]:|[0-9][0-9]:|[0-4][0-9]{2}:)[0-9]+:[-A-Za-z0-9_ \/-]*:[-A-Za-z0-9_\/-]+:/sbin/nologin"
# 9.2.17: two patterns for /etc/passwd. The first matches entries whose UID is
# 500 or higher (three digits starting 5-9, or four or more digits); the second
# matches one exact root entry (UID 0, GID 0, GECOS "root", home /root, shell
# /bin/bash).
# NOTE(review): neither pattern matches a non-root entry with a UID below 500,
# and the root pattern is sensitive to the GECOS text and shell. Confirm this is
# the intended reading of the benchmark item.
system : "Linux"
type : GRAMMAR_CHECK
description: "9.2.17 Check That Reserved UIDs Are Assigned to System Accounts"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/passwd"
regex : "^[A-Za-z0-9_-]+:x:([0-9]{4,}|[5-9][0-9]{2}):[0-9]+:[-A-Za-z0-9_ \/-]*:[-A-Za-z0-9_\/]+:.*"
regex : "^root:x:0:0:root:/root:/bin/bash"
# 7.1.2: minimum password age, accepted range 1 to MAX days.
# NOTE(review): this item has a `name` and `value` but no `type` or `system`, and
# the lone "-" line before it looks like residue of stripped markup. It is
# presumably a built-in item rather than a custom check. Confirm against the
# original .audit file.
-
name : "min_password_age"
description : "7.1.2 Set Password Change Minimum Number of Days '1+'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
value : "1..MAX"
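# PASS_WARN_AGE in /etc/login.defs must be 14 or more, as this item's
# description states. `expect` accepts 14-19, 20-99 and any number of three or
# more digits. The earlier pattern accepted 1-14 instead, which is the opposite
# bound.
# NOTE(review): the threshold is taken from the description; confirm it against
# the benchmark text linked in see_also.
# NOTE(review): login.defs supplies defaults for newly created accounts; the
# warning period stored for existing accounts is not read by this item.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.1.3 Set Password Expiring Warning Days 'PASS_WARN_AGE >= 14'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/login.defs"
regex : "^[\\s]*PASS_WARN_AGE\\s+"
expect : "^[\\s]*PASS_WARN_AGE\\s+(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\\s*$"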
# 7.3: runs "id -g root" on the target and requires the output to be exactly 0,
# i.e. root's primary group is GID 0.
system : "Linux"
type : CMD_EXEC
description : "7.3 Set Default Group for root Account"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4060-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
cmd : "/usr/bin/id -g root"
expect : "^0$"
dont_echo_cmd : YES
severity : HIGH
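# CIS 7.4 (/etc/bashrc): every umask line in the file must set 077.
# regex selects lines that start with "umask" (any case); expect is the
# compliant form. The previous expect required "umask = 077", which is not
# shell syntax, so a correctly configured host could never pass. It now
# matches the sibling /etc/profile check.
# Only the literal 077 passes; "umask 0077" is reported as a failure.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.4 Set Default umask for Users '/etc/bashrc - umask 077'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4060-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/bashrc"
regex : "^[\\s]*[uU][mM][aA][sS][kK]\\s"
expect : "^[\\s]*[uU][mM][aA][sS][kK]\\s+077\\s*$"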
# CIS 7.4 (/etc/profile): regex selects lines that start with "umask" (any
# case); expect requires the value to be the literal 077.
# Only "077" passes; an equivalent "0077" does not match and is reported as
# a failure.
system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.4 Set Default umask for Users '/etc/profile - umask 077'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4060-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/profile"
regex : "^[\\s]*[uU][mM][aA][sS][kK]\\s"
expect : "^[\\s]*[uU][mM][aA][sS][kK]\\s+077\\s*$"
# CIS 7.5: reads the useradd defaults and requires the INACTIVE line to be
# exactly "INACTIVE=120".
# Only the value 120 passes: a shorter (stricter) inactivity period is
# reported as a failure, as is -1 (disabled).
# NOTE(review): confirm 120 is the intended site value for this benchmark.
system : "Linux"
type : CMD_EXEC
description : "7.5 Lock Inactive User Accounts 'INACTIVE=120'"
info : "Configuration Level : Level-I"
info : "OS Default : No"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4060-0"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
cmd : "/usr/sbin/useradd -D | /bin/grep INACTIVE"
expect : "^INACTIVE=120$"
dont_echo_cmd : YES
severity : HIGH
# CIS 9.1.2: permission check on /etc/passwd. mask lists the mode bits that
# must NOT be set; 133 allows at most 644 (no execute for owner, no write or
# execute for group and other).
system : "Linux"
type : FILE_CHECK
description: "9.1.2 Verify Permissions on /etc/passwd"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3566-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/passwd"
mask : "133"
# CIS 9.1.6: /etc/passwd must be owned by user root and group root.
system : "Linux"
type : FILE_CHECK
description: "9.1.6 Verify User/Group Ownership on /etc/passwd"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3958-6,CCE|CCE-3495-9"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/passwd"
owner : "root"
group : "root"
# CIS 9.1.3: permission check on /etc/shadow. mask lists the mode bits that
# must NOT be set; 377 allows at most 400 (owner read only).
system : "Linux"
type : FILE_CHECK
description: "9.1.3 Verify Permissions on /etc/shadow"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4130-1"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/shadow"
mask : "377"
# CIS 9.1.7: /etc/shadow must be owned by user root and group root.
system : "Linux"
type : FILE_CHECK
description: "9.1.7 Verify User/Group Ownership on /etc/shadow"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3918-0,CCE|CCE-3988-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/shadow"
owner : "root"
group : "root"
# CIS 9.1.4: permission check on /etc/gshadow. mask lists the mode bits that
# must NOT be set; 377 allows at most 400 (owner read only).
system : "Linux"
type : FILE_CHECK
description: "9.1.4 Verify Permissions on /etc/gshadow"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3932-1"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/gshadow"
mask : "377"
# CIS 9.1.8: /etc/gshadow must be owned by user root and group root.
system : "Linux"
type : FILE_CHECK
description: "9.1.8 Verify User/Group Ownership on /etc/gshadow"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4210-1,CCE|CCE-4064-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/gshadow"
owner : "root"
group : "root"
# CIS 9.1.5: permission check on /etc/group. mask lists the mode bits that
# must NOT be set; 133 allows at most 644.
system : "Linux"
type : FILE_CHECK
description: "9.1.5 Verify Permissions on /etc/group"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3967-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/group"
mask : "133"
# CIS 9.1.9: /etc/group must be owned by user root and group root.
system : "Linux"
type : FILE_CHECK
description: "9.1.9 Verify User/Group Ownership on /etc/group"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3276-3,CCE|CCE-3883-6"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/group"
owner : "root"
group : "root"
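# CIS 9.1.10: built-in check selected by name ("find_world_writeable_files").
# Marked "Scorable Item : No" in the info lines below.
# The description had the word "File" replaced by garbled text; restored.
-
name : "find_world_writeable_files"
description : "9.1.10 Find World Writable Files"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : No"
reference : "CCE|CCE-3795-2,CCE|CCE-14794-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"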
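# CIS 9.1.11: built-in check selected by name ("find_orphan_files").
# The description had the word "File" replaced by garbled text; restored.
-
name : "find_orphan_files"
description: "9.1.11 Find Un-owned Files and Directories"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4223-4"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"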
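# CIS 9.1.12: uses the same built-in name ("find_orphan_files") as 9.1.11.
# NOTE(review): presumably that built-in reports files lacking a valid group
# as well as a valid owner - confirm, since no separate built-in is named.
# The description had the word "File" replaced by garbled text; restored.
-
name : "find_orphan_files"
description: "9.1.12 Find Un-grouped Files and Directories"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-3573-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"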
# CIS 9.2.1: prints one line per /etc/shadow entry whose password field
# (second colon-separated field) is empty; the expected output is nothing.
# NOTE(review): if the scan account cannot read /etc/shadow, the pipeline
# also prints nothing on stdout, which is indistinguishable from a clean
# result - confirm scans run with enough privilege to read the file.
# NOTE(review): confirm how the engine evaluates an empty expect string; an
# empty pattern could match any output.
system : "Linux"
type : CMD_EXEC
description : "9.2.1 Ensure Password Fields are Not Empty"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4238-2"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
cmd : "/bin/cat /etc/shadow | /bin/awk -F : '($2 == \"\") { print $1 \" does not have a password.\"}'"
expect : ""
dont_echo_cmd : YES
severity : HIGH
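# CIS 9.2.2: negative content check - passes only when no line of
# /etc/passwd starts (after optional whitespace) with "+:", the legacy NIS
# inclusion marker.
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CONTENT_CHECK_NOT
description : "9.2.2 Verify No Legacy '+' Entries Exist in /etc/passwd File"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4114-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/passwd"
regex : "^[\\s]*\\+:"
expect : "^[\\s]*\\+:"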
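# CIS 9.2.3: negative content check - passes only when no line of
# /etc/shadow starts (after optional whitespace) with "+:".
# NOTE(review): the scan account must be able to read /etc/shadow; confirm
# how an unreadable file is reported so it is not taken for a pass.
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CONTENT_CHECK_NOT
description : "9.2.3 Verify No Legacy '+' Entries Exist in /etc/shadow File"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14071-5"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/shadow"
regex : "^[\\s]*\\+:"
expect : "^[\\s]*\\+:"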
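# CIS 9.2.4: negative content check - passes only when no line of
# /etc/group starts (after optional whitespace) with "+:".
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CONTENT_CHECK_NOT
description : "9.2.4 Verify No Legacy '+' Entries Exist in /etc/group File"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-14675-3"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/group"
regex : "^[\\s]*\\+:"
expect : "^[\\s]*\\+:"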
# CIS 9.2.5: built-in check selected by name ("passwd_zero_uid"); per the
# description it reports accounts other than root that have UID 0.
-
name : "passwd_zero_uid"
description : "9.2.5 Verify No UID 0 Accounts Exist Other Than root"
info : "Configuration Level : Level-I"
info : "OS Default : Yes"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4009-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# CIS 9.2.7: built-in check selected by name
# ("accounts_bad_home_permissions"). mask lists the mode bits that must NOT
# be set on a home directory; 027 allows at most 750 (no group write, no
# access for other).
-
name : "accounts_bad_home_permissions"
description : "9.2.7 Check Permissions on User Home Directories"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4090-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
mask : "027"
# CIS 9.2.14: uses the same built-in name ("accounts_bad_home_permissions")
# as 9.2.7, here without a mask line.
# NOTE(review): the description is about ownership, not permissions -
# confirm that this built-in, run without a mask, verifies that each home
# directory is owned by its user.
-
name : "accounts_bad_home_permissions"
description: "9.2.14 Check User Home Directory Ownership"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
reference : "CCE|CCE-4090-7"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
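# CIS 9.2.8: permission check on dot files under each user's home directory
# ("~/.*"). mask lists the mode bits that must NOT be set; 0002 flags only
# world-writable files.
# NOTE(review): group-writable dot files are not flagged by this mask -
# confirm against the benchmark text whether 0022 is intended.
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CHECK
description : "9.2.8 Check User Dot File Permissions"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "~/.*"
mask : "0002"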
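# CIS 9.2.9: permission check on each user's ~/.netrc. mask lists the mode
# bits that must NOT be set; 0077 forbids every group and other bit, so the
# file may be accessible to its owner only.
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CHECK
description : "9.2.9 Check Permissions on User .netrc Files"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "~/.netrc"
mask : "0077"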
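# CIS 9.2.10: negative file check - passes only when no user home directory
# contains a .rhosts file.
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CHECK_NOT
description : "9.2.10 Check for Presence of User .rhosts Files"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "~/.rhosts"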
# CIS 9.2.11: built-in check selected by name ("passwd_invalid_gid").
# NOTE(review): presumably reports /etc/passwd entries whose GID is not
# defined in /etc/group - confirm against the built-in's documentation.
-
name : "passwd_invalid_gid"
description : "9.2.11 Check Groups in /etc/passwd"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# CIS 9.2.12: built-in check selected by name ("accounts_without_home_dir").
# The same built-in is reused for 9.2.13.
-
name : "accounts_without_home_dir"
description: "9.2.12 Check That Users Are Assigned Home Directories"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# CIS 9.2.13: uses the same built-in name ("accounts_without_home_dir") as
# 9.2.12.
# NOTE(review): confirm the built-in covers both "no home directory
# assigned" and "assigned directory does not exist".
-
name : "accounts_without_home_dir"
description: "9.2.13 Check That Defined Home Directories Exist"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# CIS 9.2.15: built-in check selected by name ("passwd_duplicate_uid").
# Duplicate UIDs matter because two account names sharing a UID share file
# ownership and are indistinguishable in UID-based access decisions.
-
name : "passwd_duplicate_uid"
description : "9.2.15 Check for Duplicate UIDs"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# CIS 9.2.16: built-in check selected by name ("group_duplicate_gid").
-
name : "group_duplicate_gid"
description : "9.2.16 Check for Duplicate GIDs"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# CIS 9.2.18: built-in check selected by name ("passwd_duplicate_username").
-
name : "passwd_duplicate_username"
description : "9.2.18 Check for Duplicate User Names"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
# CIS 9.2.19: built-in check selected by name ("group_duplicate_name").
-
name : "group_duplicate_name"
description : "9.2.19 Check for Duplicate Group Names"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
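# CIS 9.2.20: negative file check - passes only when no user home directory
# contains a .netrc file. Check 9.2.9 separately constrains the permissions
# of any .netrc that does exist.
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CHECK_NOT
description : "9.2.20 Check for Presence of User .netrc Files"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "~/.netrc"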
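# CIS 9.2.21: negative file check - passes only when no user home directory
# contains a .forward file.
# The description had the word "File" replaced by garbled text; restored.
system : "Linux"
type : FILE_CHECK_NOT
description : "9.2.21 Check for Presence of User .forward Files"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : No"
info : "Scorable Item : Yes"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "~/.forward"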
# Message reported when the target is not the expected OS.
# NOTE(review): presumably the fallback branch of the /etc/redhat-release
# version check at the top of the file; the enclosing structure is not
# visible here - confirm.
description :"Oracle 5 is not installed on target"
info :"Oracle 5 is not installed on target"