To do so, edit. Unless absolutely. These facilities may be. This command can be used to list the types of filesystems that are. If these filesystems are not required then they can be explicitly disabled.
This effectively prevents usage of this uncommon filesystem. Many utilities. Protection of this file is. Failure to give ownership of this file. If properly configured, the output should indicate the following owner:. Protection of this file is important for system security. If properly configured, the output should indicate the following group-owner. If properly configured, the output should indicate the following permissions:.
Protection of this file. Protection of this file is critical for system security. The file contains the list of. As such,. Kernel modules, which can be added to the kernel during runtime, are. All files in these directories. If any file in these. Restrictive permissions are necessary to protect the integrity of the system. Shared libraries are stored in the following directories:. To find shared libraries that are group-writable or world-writable,.
Kernel modules, which can be added to the kernel during runtime, are also. All files in these directories should be. If the directory, or any file in these. Proper ownership is necessary to protect the integrity of the system. For each of these directories, run the following command to find files not.
System executables are stored in the following directories by default:. All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable,. Without the sticky bit, any user with write access to a. Setting the sticky. In cases where. However, if a directory is used by a particular application,.
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system,.
The setting is normally reserved for directories. To find world-writable directories that lack the sticky bit, run the following command:.
However, check with. Also, monitor for recurring world-writable files, as these may be. Data in world-writable files can be modified by any. In almost all circumstances, files can be. To find world-writable files, run the following command:. Following this, the files should be deleted or assigned to an.
Unowned files do not directly imply a security problem, but they are generally. They may. The files should be repaired so they.
The following command will discover and print any. If any world-writable directories are not. Allowing a user account to own a world-writable directory is.
The following command will discover and print world-writable directories that. These protections are applied at the system initialization or. In most cases, only software developers. The core dump files may. If access. The core dumps of setuid programs are further protected.
The default. The memory image could contain sensitive data and is generally useful. To verify that core dumps are disabled for all users, run the following command:. Disabling the ability for any. If fs. If this value is not the default value, investigate how it could have been. These features include random placement of the stack and other.
These protections are enabled by default and. Additionally, ASLR. Set runtime for kernel. If kernel. This section introduces. RHEL 6. Password-based login is vulnerable to. Therefore, mechanisms for accessing accounts by entering. Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system. Discouraging administrators from accessing the. Locking down the channels through which.
These are likely to be deprecated in most environments, but may be retained. Root should also be prohibited from connecting. Other sections of this document. To restrict root logins through the deprecated virtual console devices,. Preventing direct root login to virtual console devices.
To check for virtual console entries which permit root login, run the. If any output is returned, then root logins over virtual console devices is permitted. Preventing direct root login to serial port interfaces. To check for serial port entries which permit root login,. If any output is returned, then root login over serial ports is permitted. If any account other than root has a UID of 0,. An account has root authority if it has a UID of 0.
Multiple accounts. Proper configuration of. To list all password file entries for accounts with UID 0, run the following command:. This should print only one line, for the user root. By default, password hashes for local accounts are stored. This file should be readable only by. However, it remains possible to misconfigure the system. Download size. Installed size. This package contains the basic content and manual pages explaining how the SCAP-security-guide works. It deploys man page and all various information about current SSG release.
First we install the following packages to use the openscap command-line tool: sudo apt-get install libopenscap8 python-openscap. We will also install the SCAP security guide: sudo apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications. It determines SCAP content type, specification version, date of creation, date of import and so on.
0コメント