Security Configuration Assessment Report
for CentOS_7_01

  • CIS-CAT Host IP Address: 127.0.0.1

CIS CentOS Linux 7 Benchmark v1.1.0

  • Level 1
  • Monday, November 9 2015 16:01:28

Report generated by the Center for Internet Security's Configuration Assessment Tool (CIS-CAT) v3.0.18.

For further information, please visit The Center for Internet Security or send an e-mail to feedback@cisecurity.org.

Copyright ©2015, The Center for Internet Security

Summary

Description Tests Scoring
Pass Fail Error Unkn. Score Max Percent
1 Install Updates, Patches and Additional Security Software 19 2 0 0 19.0 21.0 90%
1.1 Filesystem Configuration 13 1 0 0 13.0 14.0 93%
1.2 Configure Software Updates 2 0 0 0 2.0 2.0 100%
1.3 Advanced Intrusion Detection Environment (AIDE) 0 0 0 0 0.0 0.0 0%
1.4 Configure SELinux 0 0 0 0 0.0 0.0 0%
1.5 Secure Boot Settings 2 1 0 0 2.0 3.0 67%
1.6 Additional Process Hardening 2 0 0 0 2.0 2.0 100%
2 OS Services 17 0 0 0 17.0 17.0 100%
2.1 Remove Legacy Services 17 0 0 0 17.0 17.0 100%
3 Special Purpose Services 15 1 0 0 5.0 6.0 83%
4 Network Configuration and Firewalls 11 0 0 0 11.0 11.0 100%
4.1 Modify Network Parameters (Host Only) 2 0 0 0 2.0 2.0 100%
4.2 Modify Network Parameters (Host and Router) 6 0 0 0 6.0 6.0 100%
4.3 Wireless Networking 0 0 0 0 0.0 0.0 0%
4.4 IPv6 0 0 0 0 0.0 0.0 0%
4.4.1 Configure IPv6 0 0 0 0 0.0 0.0 0%
4.5 Install TCP Wrappers 2 0 0 0 2.0 2.0 100%
4.6 Uncommon Network Protocols 0 0 0 0 0.0 0.0 0%
5 Logging and Auditing 2 2 0 0 2.0 4.0 50%
5.1 Configure rsyslog 2 2 0 0 2.0 4.0 50%
5.2 Configure System Accounting (auditd) 0 0 0 0 0.0 0.0 0%
5.2.1 Configure Data Retention 0 0 0 0 0.0 0.0 0%
6 System Access, Authentication and Authorization 21 8 0 0 21.0 29.0 72%
6.1 Configure cron and anacron 7 4 0 0 7.0 11.0 64%
6.2 Configure SSH 13 1 0 0 13.0 14.0 93%
6.3 Configure PAM 1 2 0 0 1.0 3.0 33%
7 User Accounts and Environment 2 5 0 0 2.0 7.0 29%
7.1 Set Shadow Password Suite Parameters (/etc/login.defs) 0 3 0 0 0.0 3.0 0%
8 Warning Banners 2 0 0 0 2.0 2.0 100%
9 System Maintenance 28 2 0 0 28.0 30.0 93%
9.1 Verify System File Permissions 10 0 0 0 10.0 10.0 100%
9.2 Review User and Group Settings 18 2 0 0 18.0 20.0 90%
Total 117 20 0 0 107.0 127.0 84%

Note: Actual scores are subject to rounding errors. The sum of these values may not result in the exact overall score.

Profiles

This benchmark contains 2 profiles.The Level 1 profile was used for this assessment.

Title Description
Level 1

Items in this profile intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.
Show Profile XML
<Profile xmlns="http://checklists.nist.gov/xccdf/1.2"
         xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         id="xccdf_org.cisecurity.benchmarks_profile_Level_1">
   <title xml:lang="en">Level 1</title>
   <description xml:lang="en">
      <p xmlns="http://www.w3.org/1999/xhtml">Items in this profile intend to:</p>
      <ul xmlns="http://www.w3.org/1999/xhtml">
         <li>be practical and prudent;</li>
         <li>provide a clear security benefit; and</li>
         <li>not inhibit the utility of the technology beyond acceptable means.</li>
      </ul>
   </description>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Set_nodev_option_for_tmp_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Set_nosuid_option_for_tmp_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Set_noexec_option_for_tmp_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Create_Separate_Partition_for_var"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Bind_Mount_the_vartmp_directory_to_tmp"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Create_Separate_Partition_for_varlog"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Create_Separate_Partition_for_varlogaudit"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Create_Separate_Partition_for_home"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Add_nodev_Option_to_home"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.11_Add_nodev_Option_to_Removable_Media_Partitions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Add_noexec_Option_to_Removable_Media_Partitions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Add_nosuid_Option_to_Removable_Media_Partitions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Add_nodev_Option_to_devshm_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.15_Add_nosuid_Option_to_devshm_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.16_Add_noexec_Option_to_devshm_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.17_Set_Sticky_Bit_on_All_World-Writable_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Verify_CentOS_GPG_Key_is_Installed"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Verify_that_gpgcheck_is_Globally_Activated"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.3_Obtain_Software_Package_Updates_with_yum"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.4_Verify_Package_Integrity_Using_RPM"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_bootgrub2grub.cfg"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_bootgrub2grub.cfg"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Set_Boot_Loader_Password"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1_Restrict_Core_Dumps"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.2_Enable_Randomized_Virtual_Memory_Region_Placement"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.7_Use_the_Latest_OS_Release"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1_Remove_telnet-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2_Remove_telnet_Clients"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Remove_rsh-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4_Remove_rsh" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Remove_NIS_Client"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Remove_NIS_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Remove_tftp" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Remove_tftp-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Remove_talk" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Remove_talk-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Disable_chargen-dgram"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Disable_chargen-stream"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Disable_daytime-dgram"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Disable_daytime-stream"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Disable_echo-dgram"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Disable_echo-stream"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.18_Disable_tcpmux-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.1_Set_Daemon_umask"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.2_Remove_the_X_Window_System"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.3_Disable_Avahi_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.4_Disable_Print_Server_-_CUPS"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.5_Remove_DHCP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.6_Configure_Network_Time_Protocol_NTP"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.7_Remove_LDAP" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.8_Disable_NFS_and_RPC"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.10_Remove_FTP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.11_Remove_HTTP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.12_Remove_Dovecot_IMAP_and_POP3_services"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.13_Remove_Samba" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.14_Remove_HTTP_Proxy_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.15_Remove_SNMP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.16_Configure_Mail_Transfer_Agent_for_Local-Only_Mode"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1_Disable_IP_Forwarding"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2_Disable_Send_Packet_Redirects"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1_Disable_Source_Routed_Packet_Acceptance"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2_Disable_ICMP_Redirect_Acceptance"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.4_Log_Suspicious_Packets"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.5_Enable_Ignore_Broadcast_Requests"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.6_Enable_Bad_Error_Message_Protection"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.8_Enable_TCP_SYN_Cookies"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.3.1_Deactivate_Wireless_Interfaces"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.4.1.1_Disable_IPv6_Router_Advertisements"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.4.1.2_Disable_IPv6_Redirect_Acceptance"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.4.2_Disable_IPv6" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.1_Install_TCP_Wrappers"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.2_Create_etchosts.allow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.3_Verify_Permissions_on_etchosts.allow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.4_Create_etchosts.deny"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.5_Verify_Permissions_on_etchosts.deny"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.1_Disable_DCCP" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.2_Disable_SCTP" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.3_Disable_RDS" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.4_Disable_TIPC" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.7_Enable_firewalld"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Install_the_rsyslog_package"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Activate_the_rsyslog_Service"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Configure_etcrsyslog.conf"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Create_and_Set_Permissions_on_rsyslog_Log_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Configure_rsyslog_to_Send_Logs_to_a_Remote_Log_Host"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Accept_Remote_rsyslog_Messages_Only_on_Designated_Log_Hosts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.3_Configure_logrotate"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Enable_anacron_Daemon"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Enable_crond_Daemon"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Set_UserGroup_Owner_and_Permission_on_etcanacrontab"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Set_UserGroup_Owner_and_Permission_on_etccrontab"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Set_UserGroup_Owner_and_Permission_on_etccron.hourly"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Set_UserGroup_Owner_and_Permission_on_etccron.daily"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Set_UserGroup_Owner_and_Permission_on_etccron.weekly"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Set_UserGroup_Owner_and_Permission_on_etccron.monthly"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Set_UserGroup_Owner_and_Permission_on_etccron.d"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Restrict_at_Daemon"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Restrict_atcron_to_Authorized_Users"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Set_LogLevel_to_INFO"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Set_Permissions_on_etcsshsshd_config"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Disable_SSH_X11_Forwarding"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Set_SSH_MaxAuthTries_to_4_or_Less"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Set_SSH_IgnoreRhosts_to_Yes"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Set_SSH_HostbasedAuthentication_to_No"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Disable_SSH_Root_Login"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Set_SSH_PermitEmptyPasswords_to_No"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Do_Not_Allow_Users_to_Set_Environment_Options"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Use_Only_Approved_Cipher_in_Counter_Mode"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Set_Idle_Timeout_Interval_for_User_Login"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Limit_Access_via_SSH"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Set_SSH_Banner"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.1_Upgrade_Password_Hashing_Algorithm_to_SHA-512"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.2_Set_Password_Creation_Requirement_Parameters_Using_pam_pwquality"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.3_Set_Lockout_for_Failed_Password_Attempts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.4_Limit_Password_Reuse"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.4_Restrict_root_Login_to_System_Console"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.5_Restrict_Access_to_the_su_Command"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.1.1_Set_Password_Expiration_Days"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.1.2_Set_Password_Change_Minimum_Number_of_Days"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.1.3_Set_Password_Expiring_Warning_Days"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.2_Disable_System_Accounts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.3_Set_Default_Group_for_root_Account"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.4_Set_Default_umask_for_Users"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.5_Lock_Inactive_User_Accounts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_8.1_Set_Warning_Banner_for_Standard_Login_Services"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_8.2_Remove_OS_Information_from_Login_Warning_Banners"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_8.3_Set_GNOME_Warning_Banner"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.2_Verify_Permissions_on_etcpasswd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.3_Verify_Permissions_on_etcshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.4_Verify_Permissions_on_etcgshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.5_Verify_Permissions_on_etcgroup"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.6_Verify_UserGroup_Ownership_on_etcpasswd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.7_Verify_UserGroup_Ownership_on_etcshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.8_Verify_UserGroup_Ownership_on_etcgshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.9_Verify_UserGroup_Ownership_on_etcgroup"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.10_Find_World_Writable_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.11_Find_Un-owned_Files_and_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.12_Find_Un-grouped_Files_and_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.13_Find_SUID_System_Executables"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.14_Find_SGID_System_Executables"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.1_Ensure_Password_Fields_are_Not_Empty"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.2_Verify_No_Legacy__Entries_Exist_in_etcpasswd_File"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.3_Verify_No_Legacy__Entries_Exist_in_etcshadow_File"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.4_Verify_No_Legacy__Entries_Exist_in_etcgroup_File"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.5_Verify_No_UID_0_Accounts_Exist_Other_Than_root"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.6_Ensure_root_PATH_Integrity"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.7_Check_Permissions_on_User_Home_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.8_Check_User_Dot_File_Permissions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.9_Check_Permissions_on_User_.netrc_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.10_Check_for_Presence_of_User_.rhosts_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.11_Check_Groups_in_etcpasswd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.12_Check_That_Users_Are_Assigned_Valid_Home_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.13_Check_User_Home_Directory_Ownership"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.14_Check_for_Duplicate_UIDs"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.15_Check_for_Duplicate_GIDs"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.16_Check_That_Reserved_UIDs_Are_Assigned_to_System_Accounts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.17_Check_for_Duplicate_User_Names"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.18_Check_for_Duplicate_Group_Names"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.19_Check_for_Presence_of_User_.netrc_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.20_Check_for_Presence_of_User_.forward_Files"
           selected="true"/>
</Profile>
Level 2

This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount.
  • acts as defense in depth measure.
  • may negatively inhibit the utility or performance of the technology.
Show Profile XML
<Profile xmlns="http://checklists.nist.gov/xccdf/1.2"
         xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         id="xccdf_org.cisecurity.benchmarks_profile_Level_2">
   <title xml:lang="en">Level 2</title>
   <description xml:lang="en">
      <p xmlns="http://www.w3.org/1999/xhtml">This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:</p>
      <ul xmlns="http://www.w3.org/1999/xhtml">
         <li>are intended for environments or use cases where security is paramount.</li>
         <li>acts as defense in depth measure.</li>
         <li>may negatively inhibit the utility or performance of the technology.</li>
      </ul>
   </description>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Set_nodev_option_for_tmp_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Set_nosuid_option_for_tmp_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Set_noexec_option_for_tmp_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Create_Separate_Partition_for_var"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Bind_Mount_the_vartmp_directory_to_tmp"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Create_Separate_Partition_for_varlog"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Create_Separate_Partition_for_varlogaudit"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Create_Separate_Partition_for_home"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Add_nodev_Option_to_home"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.11_Add_nodev_Option_to_Removable_Media_Partitions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Add_noexec_Option_to_Removable_Media_Partitions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Add_nosuid_Option_to_Removable_Media_Partitions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Add_nodev_Option_to_devshm_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.15_Add_nosuid_Option_to_devshm_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.16_Add_noexec_Option_to_devshm_Partition"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.17_Set_Sticky_Bit_on_All_World-Writable_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Disable_Mounting_of_cramfs_Filesystems"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Disable_Mounting_of_freevxfs_Filesystems"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Disable_Mounting_of_jffs2_Filesystems"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Disable_Mounting_of_hfs_Filesystems"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Disable_Mounting_of_hfsplus_Filesystems"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Mounting_of_squashfs_Filesystems"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_Mounting_of_udf_Filesystems"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Verify_CentOS_GPG_Key_is_Installed"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Verify_that_gpgcheck_is_Globally_Activated"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.3_Obtain_Software_Package_Updates_with_yum"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.4_Verify_Package_Integrity_Using_RPM"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Install_AIDE" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Implement_Periodic_Execution_of_File_Integrity"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_SELinux_is_not_disabled_in_bootgrub2grub.cfg"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Set_the_SELinux_State"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Set_the_SELinux_Policy"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.4_Remove_SETroubleshoot"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.5_Remove_MCS_Translation_Service_mcstrans"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.6_Check_for_Unconfined_Daemons"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_bootgrub2grub.cfg"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_bootgrub2grub.cfg"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Set_Boot_Loader_Password"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1_Restrict_Core_Dumps"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.2_Enable_Randomized_Virtual_Memory_Region_Placement"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_1.7_Use_the_Latest_OS_Release"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1_Remove_telnet-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2_Remove_telnet_Clients"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Remove_rsh-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4_Remove_rsh" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Remove_NIS_Client"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Remove_NIS_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Remove_tftp" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Remove_tftp-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Remove_talk" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Remove_talk-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.11_Remove_xinetd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Disable_chargen-dgram"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Disable_chargen-stream"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Disable_daytime-dgram"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Disable_daytime-stream"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Disable_echo-dgram"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Disable_echo-stream"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.18_Disable_tcpmux-server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.1_Set_Daemon_umask"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.2_Remove_the_X_Window_System"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.3_Disable_Avahi_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.4_Disable_Print_Server_-_CUPS"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.5_Remove_DHCP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.6_Configure_Network_Time_Protocol_NTP"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.7_Remove_LDAP" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.8_Disable_NFS_and_RPC"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.10_Remove_FTP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.11_Remove_HTTP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.12_Remove_Dovecot_IMAP_and_POP3_services"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.13_Remove_Samba" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.14_Remove_HTTP_Proxy_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.15_Remove_SNMP_Server"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_3.16_Configure_Mail_Transfer_Agent_for_Local-Only_Mode"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1_Disable_IP_Forwarding"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2_Disable_Send_Packet_Redirects"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1_Disable_Source_Routed_Packet_Acceptance"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2_Disable_ICMP_Redirect_Acceptance"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Disable_Secure_ICMP_Redirect_Acceptance"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.4_Log_Suspicious_Packets"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.5_Enable_Ignore_Broadcast_Requests"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.6_Enable_Bad_Error_Message_Protection"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.7_Enable_RFC-recommended_Source_Route_Validation"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.8_Enable_TCP_SYN_Cookies"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.3.1_Deactivate_Wireless_Interfaces"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.4.1.1_Disable_IPv6_Router_Advertisements"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.4.1.2_Disable_IPv6_Redirect_Acceptance"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.4.2_Disable_IPv6" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.1_Install_TCP_Wrappers"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.2_Create_etchosts.allow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.3_Verify_Permissions_on_etchosts.allow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.4_Create_etchosts.deny"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.5.5_Verify_Permissions_on_etchosts.deny"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.1_Disable_DCCP" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.2_Disable_SCTP" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.3_Disable_RDS" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.6.4_Disable_TIPC" selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_4.7_Enable_firewalld"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Install_the_rsyslog_package"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Activate_the_rsyslog_Service"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Configure_etcrsyslog.conf"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Create_and_Set_Permissions_on_rsyslog_Log_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Configure_rsyslog_to_Send_Logs_to_a_Remote_Log_Host"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Accept_Remote_rsyslog_Messages_Only_on_Designated_Log_Hosts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1.1_Configure_Audit_Log_Storage_Size"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1.2_Disable_System_on_Audit_Log_Full"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1.3_Keep_All_Auditing_Information"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Enable_auditd_Service"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Enable_Auditing_for_Processes_That_Start_Prior_to_auditd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.4_Record_Events_That_Modify_Date_and_Time_Information"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.5_Record_Events_That_Modify_UserGroup_Information"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.6_Record_Events_That_Modify_the_Systems_Network_Environment"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.7_Record_Events_That_Modify_the_Systems_Mandatory_Access_Controls"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.8_Collect_Login_and_Logout_Events"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.9_Collect_Session_Initiation_Information"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.10_Collect_Discretionary_Access_Control_Permission_Modification_Events"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.11_Collect_Unsuccessful_Unauthorized_Access_Attempts_to_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.12_Collect_Use_of_Privileged_Commands"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.13_Collect_Successful_File_System_Mounts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.14_Collect_File_Deletion_Events_by_User"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.15_Collect_Changes_to_System_Administration_Scope_sudoers"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.16_Collect_System_Administrator_Actions_sudolog"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.17_Collect_Kernel_Module_Loading_and_Unloading"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.18_Make_the_Audit_Configuration_Immutable"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_5.3_Configure_logrotate"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Enable_anacron_Daemon"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Enable_crond_Daemon"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Set_UserGroup_Owner_and_Permission_on_etcanacrontab"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Set_UserGroup_Owner_and_Permission_on_etccrontab"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Set_UserGroup_Owner_and_Permission_on_etccron.hourly"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Set_UserGroup_Owner_and_Permission_on_etccron.daily"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Set_UserGroup_Owner_and_Permission_on_etccron.weekly"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Set_UserGroup_Owner_and_Permission_on_etccron.monthly"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Set_UserGroup_Owner_and_Permission_on_etccron.d"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Restrict_at_Daemon"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Restrict_atcron_to_Authorized_Users"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Set_LogLevel_to_INFO"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Set_Permissions_on_etcsshsshd_config"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Disable_SSH_X11_Forwarding"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Set_SSH_MaxAuthTries_to_4_or_Less"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Set_SSH_IgnoreRhosts_to_Yes"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Set_SSH_HostbasedAuthentication_to_No"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Disable_SSH_Root_Login"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Set_SSH_PermitEmptyPasswords_to_No"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Do_Not_Allow_Users_to_Set_Environment_Options"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Use_Only_Approved_Cipher_in_Counter_Mode"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Set_Idle_Timeout_Interval_for_User_Login"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Limit_Access_via_SSH"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Set_SSH_Banner"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.1_Upgrade_Password_Hashing_Algorithm_to_SHA-512"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.2_Set_Password_Creation_Requirement_Parameters_Using_pam_pwquality"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.3_Set_Lockout_for_Failed_Password_Attempts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.3.4_Limit_Password_Reuse"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.4_Restrict_root_Login_to_System_Console"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_6.5_Restrict_Access_to_the_su_Command"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.1.1_Set_Password_Expiration_Days"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.1.2_Set_Password_Change_Minimum_Number_of_Days"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.1.3_Set_Password_Expiring_Warning_Days"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.2_Disable_System_Accounts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.3_Set_Default_Group_for_root_Account"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.4_Set_Default_umask_for_Users"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_7.5_Lock_Inactive_User_Accounts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_8.1_Set_Warning_Banner_for_Standard_Login_Services"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_8.2_Remove_OS_Information_from_Login_Warning_Banners"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_8.3_Set_GNOME_Warning_Banner"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.1_Verify_System_File_Permissions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.2_Verify_Permissions_on_etcpasswd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.3_Verify_Permissions_on_etcshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.4_Verify_Permissions_on_etcgshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.5_Verify_Permissions_on_etcgroup"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.6_Verify_UserGroup_Ownership_on_etcpasswd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.7_Verify_UserGroup_Ownership_on_etcshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.8_Verify_UserGroup_Ownership_on_etcgshadow"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.9_Verify_UserGroup_Ownership_on_etcgroup"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.10_Find_World_Writable_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.11_Find_Un-owned_Files_and_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.12_Find_Un-grouped_Files_and_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.13_Find_SUID_System_Executables"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.14_Find_SGID_System_Executables"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.1_Ensure_Password_Fields_are_Not_Empty"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.2_Verify_No_Legacy__Entries_Exist_in_etcpasswd_File"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.3_Verify_No_Legacy__Entries_Exist_in_etcshadow_File"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.4_Verify_No_Legacy__Entries_Exist_in_etcgroup_File"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.5_Verify_No_UID_0_Accounts_Exist_Other_Than_root"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.6_Ensure_root_PATH_Integrity"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.7_Check_Permissions_on_User_Home_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.8_Check_User_Dot_File_Permissions"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.9_Check_Permissions_on_User_.netrc_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.10_Check_for_Presence_of_User_.rhosts_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.11_Check_Groups_in_etcpasswd"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.12_Check_That_Users_Are_Assigned_Valid_Home_Directories"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.13_Check_User_Home_Directory_Ownership"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.14_Check_for_Duplicate_UIDs"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.15_Check_for_Duplicate_GIDs"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.16_Check_That_Reserved_UIDs_Are_Assigned_to_System_Accounts"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.17_Check_for_Duplicate_User_Names"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.18_Check_for_Duplicate_Group_Names"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.19_Check_for_Presence_of_User_.netrc_Files"
           selected="true"/>
   <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.20_Check_for_Presence_of_User_.forward_Files"
           selected="true"/>
</Profile>

Assessment Results

w Benchmark Item Result
1 Install Updates, Patches and Additional Security Software
1.1 Filesystem Configuration
1.0 1.1.1 Create Separate Partition for /tmp Pass
1.0 1.1.2 Set nodev option for /tmp Partition Pass
1.0 1.1.3 Set nosuid option for /tmp Partition Pass
1.0 1.1.4 Set noexec option for /tmp Partition Fail
1.0 1.1.5 Create Separate Partition for /var Pass
1.0 1.1.6 Bind Mount the /var/tmp directory to /tmp Pass
1.0 1.1.7 Create Separate Partition for /var/log Pass
1.0 1.1.8 Create Separate Partition for /var/log/audit Pass
1.0 1.1.9 Create Separate Partition for /home Pass
1.0 1.1.10 Add nodev Option to /home Pass
1.0 1.1.14 Add nodev Option to /dev/shm Partition Pass
1.0 1.1.15 Add nosuid Option to /dev/shm Partition Pass
1.0 1.1.16 Add noexec Option to /dev/shm Partition Pass
1.0 1.1.17 Set Sticky Bit on All World-Writable Directories Pass
1.2 Configure Software Updates
1.0 1.2.1 Verify CentOS GPG Key is Installed Pass
1.0 1.2.2 Verify that gpgcheck is Globally Activated Pass
1.3 Advanced Intrusion Detection Environment (AIDE)
1.4 Configure SELinux
1.5 Secure Boot Settings
1.0 1.5.1 Set User/Group Owner on /boot/grub2/grub.cfg Pass
1.0 1.5.2 Set Permissions on /boot/grub2/grub.cfg Pass
1.0 1.5.3 Set Boot Loader Password Fail
1.6 Additional Process Hardening
1.0 1.6.1 Restrict Core Dumps Pass
1.0 1.6.2 Enable Randomized Virtual Memory Region Placement Pass
2 OS Services
2.1 Remove Legacy Services
1.0 2.1.1 Remove telnet-server Pass
1.0 2.1.2 Remove telnet Clients Pass
1.0 2.1.3 Remove rsh-server Pass
1.0 2.1.4 Remove rsh Pass
1.0 2.1.5 Remove NIS Client Pass
1.0 2.1.6 Remove NIS Server Pass
1.0 2.1.7 Remove tftp Pass
1.0 2.1.8 Remove tftp-server Pass
1.0 2.1.9 Remove talk Pass
1.0 2.1.10 Remove talk-server Pass
1.0 2.1.12 Disable chargen-dgram Pass
1.0 2.1.13 Disable chargen-stream Pass
1.0 2.1.14 Disable daytime-dgram Pass
1.0 2.1.15 Disable daytime-stream Pass
1.0 2.1.16 Disable echo-dgram Pass
1.0 2.1.17 Disable echo-stream Pass
1.0 2.1.18 Disable tcpmux-server Pass
3 Special Purpose Services
1.0 3.1 Set Daemon umask Fail
1.0 3.2 Remove the X Window System Pass
1.0 3.3 Disable Avahi Server Pass
0.0 3.4 Disable Print Server - CUPS Pass
1.0 3.5 Remove DHCP Server Pass
1.0 3.6 Configure Network Time Protocol (NTP) Pass
0.0 3.7 Remove LDAP Pass
0.0 3.8 Disable NFS and RPC Pass
0.0 3.9 Remove DNS Server Pass
0.0 3.10 Remove FTP Server Pass
0.0 3.11 Remove HTTP Server Pass
0.0 3.12 Remove Dovecot (IMAP and POP3 services) Pass
0.0 3.13 Remove Samba Pass
0.0 3.14 Remove HTTP Proxy Server Pass
0.0 3.15 Remove SNMP Server Pass
1.0 3.16 Configure Mail Transfer Agent for Local-Only Mode Pass
4 Network Configuration and Firewalls
4.1 Modify Network Parameters (Host Only)
1.0 4.1.1 Disable IP Forwarding Pass
1.0 4.1.2 Disable Send Packet Redirects Pass
4.2 Modify Network Parameters (Host and Router)
1.0 4.2.1 Disable Source Routed Packet Acceptance Pass
1.0 4.2.2 Disable ICMP Redirect Acceptance Pass
1.0 4.2.4 Log Suspicious Packets Pass
1.0 4.2.5 Enable Ignore Broadcast Requests Pass
1.0 4.2.6 Enable Bad Error Message Protection Pass
1.0 4.2.8 Enable TCP SYN Cookies Pass
4.3 Wireless Networking
4.4 IPv6
4.4.1 Configure IPv6
4.5 Install TCP Wrappers
1.0 4.5.3 Verify Permissions on /etc/hosts.allow Pass
1.0 4.5.5 Verify Permissions on /etc/hosts.deny Pass
4.6 Uncommon Network Protocols
1.0 4.7 Enable firewalld Pass
5 Logging and Auditing
5.1 Configure rsyslog
1.0 5.1.1 Install the rsyslog package Pass
1.0 5.1.2 Activate the rsyslog Service Pass
1.0 5.1.4 Create and Set Permissions on rsyslog Log Files Fail
1.0 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host Fail
5.2 Configure System Accounting (auditd)
5.2.1 Configure Data Retention
6 System Access, Authentication and Authorization
6.1 Configure cron and anacron
1.0 6.1.1 Enable anacron Daemon Pass
1.0 6.1.2 Enable crond Daemon Pass
1.0 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab Pass
1.0 6.1.4 Set User/Group Owner and Permission on /etc/crontab Pass
1.0 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly Fail
1.0 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily Fail
1.0 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly Pass
1.0 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly Pass
1.0 6.1.9 Set User/Group Owner and Permission on /etc/cron.d Fail
1.0 6.1.10 Restrict at Daemon Pass
1.0 6.1.11 Restrict at/cron to Authorized Users Fail
6.2 Configure SSH
1.0 6.2.1 Set SSH Protocol to 2 Pass
1.0 6.2.2 Set LogLevel to INFO Pass
1.0 6.2.3 Set Permissions on /etc/ssh/sshd_config Pass
1.0 6.2.4 Disable SSH X11 Forwarding Pass
1.0 6.2.5 Set SSH MaxAuthTries to 4 or Less Pass
1.0 6.2.6 Set SSH IgnoreRhosts to Yes Pass
1.0 6.2.7 Set SSH HostbasedAuthentication to No Pass
1.0 6.2.8 Disable SSH Root Login Fail
1.0 6.2.9 Set SSH PermitEmptyPasswords to No Pass
1.0 6.2.10 Do Not Allow Users to Set Environment Options Pass
1.0 6.2.11 Use Only Approved Cipher in Counter Mode Pass
1.0 6.2.12 Set Idle Timeout Interval for User Login Pass
1.0 6.2.13 Limit Access via SSH Pass
1.0 6.2.14 Set SSH Banner Pass
6.3 Configure PAM
1.0 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 Pass
1.0 6.3.2 Set Password Creation Requirement Parameters Using pam_pwquality Fail
1.0 6.3.4 Limit Password Reuse Fail
1.0 6.5 Restrict Access to the su Command Fail
7 User Accounts and Environment
7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
1.0 7.1.1 Set Password Expiration Days Fail
1.0 7.1.2 Set Password Change Minimum Number of Days Fail
1.0 7.1.3 Set Password Expiring Warning Days Fail
1.0 7.2 Disable System Accounts Pass
1.0 7.3 Set Default Group for root Account Pass
1.0 7.4 Set Default umask for Users Fail
1.0 7.5 Lock Inactive User Accounts Fail
8 Warning Banners
1.0 8.1 Set Warning Banner for Standard Login Services Pass
1.0 8.2 Remove OS Information from Login Warning Banners Pass
9 System Maintenance
9.1 Verify System File Permissions
1.0 9.1.2 Verify Permissions on /etc/passwd Pass
1.0 9.1.3 Verify Permissions on /etc/shadow Pass
1.0 9.1.4 Verify Permissions on /etc/gshadow Pass
1.0 9.1.5 Verify Permissions on /etc/group Pass
1.0 9.1.6 Verify User/Group Ownership on /etc/passwd Pass
1.0 9.1.7 Verify User/Group Ownership on /etc/shadow Pass
1.0 9.1.8 Verify User/Group Ownership on /etc/gshadow Pass
1.0 9.1.9 Verify User/Group Ownership on /etc/group Pass
1.0 9.1.11 Find Un-owned Files and Directories Pass
1.0 9.1.12 Find Un-grouped Files and Directories Pass
9.2 Review User and Group Settings
1.0 9.2.1 Ensure Password Fields are Not Empty Pass
1.0 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File Pass
1.0 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File Pass
1.0 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File Pass
1.0 9.2.5 Verify No UID 0 Accounts Exist Other Than root Pass
1.0 9.2.6 Ensure root PATH Integrity Pass
1.0 9.2.7 Check Permissions on User Home Directories Pass
1.0 9.2.8 Check User Dot File Permissions Pass
1.0 9.2.9 Check Permissions on User .netrc Files Pass
1.0 9.2.10 Check for Presence of User .rhosts Files Pass
1.0 9.2.11 Check Groups in /etc/passwd Fail
1.0 9.2.12 Check That Users Are Assigned Valid Home Directories Fail
1.0 9.2.13 Check User Home Directory Ownership Pass
1.0 9.2.14 Check for Duplicate UIDs Pass
1.0 9.2.15 Check for Duplicate GIDs Pass
1.0 9.2.16 Check That Reserved UIDs Are Assigned to System Accounts Pass
1.0 9.2.17 Check for Duplicate User Names Pass
1.0 9.2.18 Check for Duplicate Group Names Pass
1.0 9.2.19 Check for Presence of User .netrc Files Pass
1.0 9.2.20 Check for Presence of User .forward Files Pass

Assessment Details

1 Install Updates, Patches and Additional Security Software

1.1 Filesystem Configuration

Directories that are used for system-wide functions can be further protected by placing them on separate partitions. This provides protection for resource exhaustion and enables the use of mounting options that are applicable to the directory's intended use. User's data can be stored on separate partitions and have stricter mount options. A user partition is a filesystem that has been established for use by the users and does not contain software for system operations. The directives in this section are easier to perform during initial system installation. If the system is already installed, it is recommended that a full backup be performed before repartitioning the system.

Note: If you are repartitioning a system that has already been installed, make sure the data has been copied over to the new partition, unmount it and then remove the data from the directory that was in the old partition. Otherwise it will still consume space in the old partition that will be masked when the new filesystem is mounted. For example, if a system is in single-user mode with no filesystems mounted and the administrator adds a lot of data to the /tmp directory, this data will still consume space in / once the /tmp filesystem is mounted unless it is removed first.

Pass

1.1.1 Create Separate Partition for /tmp

Description:

The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.

Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

For new installations, check the box to "Review and modify partitioning" and create a separate partition for /tmp.

For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.

Ensure /tmp partition exists -- More
CIS-CAT expected to collect at least 1 matching Partition item, and found 1 item.
Mount Point: /tmp exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.495-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.495-06:00"
                    start-time="2015-11-09T16:01:32.452-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /tmp partition exists"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10003"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10003"
                               type="partition_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="256151834">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/tmp"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1002"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.2 Set nodev option for /tmp Partition

Description:

The nodev mount option specifies that the filesystem cannot contain special devices.

Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.

Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information.

# mount -o remount,nodev /tmp



Ensure /tmp partition options Set Includes nodev (string) -- More
Check: All Must Pass
Mount Point: /tmp
CIS-CAT Expected (At least one of)... CIS-CAT Collected...
the Mount Options to be set to nodev rw
the Mount Options to be set to nodev nosuid
the Mount Options to be set to nodev nodev
the Mount Options to be set to nodev relatime
the Mount Options to be set to nodev attr2
the Mount Options to be set to nodev inode64
the Mount Options to be set to nodev noquota

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Set_nodev_option_for_tmp_Partition"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.146-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.146-06:00"
                    start-time="2015-11-09T16:01:32.087-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /tmp partition options Set Includes nodev (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10004"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10004"
                               type="partition_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10003">
                  <cis:evidence_item entity_check="at least one" itemref="1264782638">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/tmp"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="rw" dt="string" ev="nodev" name="mount_options" op="equals" result="false"/>
                     <cis:evidence_field cv="nosuid" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="nodev" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="relatime" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="attr2" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="inode64" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="noquota" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1003"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.3 Set nosuid option for /tmp Partition

Description:

The nosuid mount option specifies that the filesystem cannot contain set userid files.

Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp.

# mount -o remount,nosuid /tmp

Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information.

Ensure /tmp partition options Set Includes nosuid (string) -- More
Check: All Must Pass
Mount Point: /tmp
CIS-CAT Expected (At least one of)... CIS-CAT Collected...
the Mount Options to be set to nosuid rw
the Mount Options to be set to nosuid nosuid
the Mount Options to be set to nosuid nodev
the Mount Options to be set to nosuid relatime
the Mount Options to be set to nosuid attr2
the Mount Options to be set to nosuid inode64
the Mount Options to be set to nosuid noquota

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Set_nosuid_option_for_tmp_Partition"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.451-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.452-06:00"
                    start-time="2015-11-09T16:01:32.403-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /tmp partition options Set Includes nosuid (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10005"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10005"
                               type="partition_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10004">
                  <cis:evidence_item entity_check="at least one" itemref="1976053830">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/tmp"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="rw" dt="string" ev="nosuid" name="mount_options" op="equals" result="false"/>
                     <cis:evidence_field cv="nosuid" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="nodev" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="relatime" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="attr2" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="inode64" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="noquota" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1004"/>
      </check>
   </complex-check>
</rule-result>
Fail

1.1.4 Set noexec option for /tmp Partition

Description:

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.

Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information.

# mount -o remount,noexec /tmp

Ensure /tmp partition options Set Includes noexec (string) -- Less
Check: All Must Pass
Mount Point: /tmp
CIS-CAT Expected (At least one of)... CIS-CAT Collected...
the Mount Options to be set to noexec rw
the Mount Options to be set to noexec nosuid
the Mount Options to be set to noexec nodev
the Mount Options to be set to noexec relatime
the Mount Options to be set to noexec attr2
the Mount Options to be set to noexec inode64
the Mount Options to be set to noexec noquota

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Set_noexec_option_for_tmp_Partition"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.956-06:00"
             version="1"
             weight="1.0">
   <result>fail</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.956-06:00"
                    start-time="2015-11-09T16:01:32.901-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /tmp partition options Set Includes noexec (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10006"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10006"
                               type="partition_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10005">
                  <cis:evidence_item entity_check="at least one" itemref="71072132">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/tmp"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="rw" dt="string" ev="noexec" name="mount_options" op="equals" result="false"/>
                     <cis:evidence_field cv="nosuid" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="nodev" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="relatime" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="attr2" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="inode64" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="noquota" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1005"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.5 Create Separate Partition for /var

Description:

The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.

Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.

For new installations, check the box to "Review and modify partitioning" and create a separate partition for /var.

For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.

Ensure /var partition exists -- More
CIS-CAT expected to collect at least 1 matching Partition item, and found 1 item.
Mount Point: /var exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Create_Separate_Partition_for_var"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.020-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.021-06:00"
                    start-time="2015-11-09T16:01:32.956-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /var partition exists"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10007"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10007"
                               type="partition_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="865440348">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/var"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1006"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.6 Bind Mount the /var/tmp directory to /tmp

Description:

The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp.

All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem.

# mount --bind /tmp /var/tmp

and edit the /etc/fstab file to contain the following line:

/tmp /var/tmp none bind 0 0

Ensure /etc/fstab contents pattern match $\s*/tmp\s+/var/tmp\s+none\s+bind\s+0\s+0\s*$ (string) -- More
CIS-CAT expected at least 1 matching text file content item to be collected, and found 1 item.
File: /etc/fstab exists
Pattern: $\s*/tmp\s+/var/tmp\s+none\s+bind\s+0\s+0\s*$
Match Text: /tmp /var/tmp none bind 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Bind_Mount_the_vartmp_directory_to_tmp"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.356-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.357-06:00"
                    start-time="2015-11-09T16:01:33.354-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /etc/fstab contents pattern match $\s*/tmp\s+/var/tmp\s+none\s+bind\s+0\s+0\s*$ (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10008"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10008"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="459204301">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/fstab"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="fstab"/>
                        <cis:evidence_item_pk_field name="pattern" value="$\s*/tmp\s+/var/tmp\s+none\s+bind\s+0\s+0\s*$"/>
                        <cis:evidence_item_pk_field name="instance" value="1"/>
                        <cis:evidence_item_pk_field name="text" value=" /tmp /var/tmp none bind 0 0"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1007"
                       value-id="xccdf_org.cisecurity.benchmarks_value_1.1.6.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1007"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.7 Create Separate Partition for /var/log

Description:

The /var/log directory is used by system services to store log data .

There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.

For new installations, check the box to "Review and modify partitioning" and create a separate partition for /var/log.

For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.

Ensure /var/log partition exists -- More
CIS-CAT expected to collect at least 1 matching Partition item, and found 1 item.
Mount Point: /var/log exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Create_Separate_Partition_for_varlog"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.033-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.033-06:00"
                    start-time="2015-11-09T16:01:30.971-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /var/log partition exists"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10009"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10009"
                               type="partition_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1506415844">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/var/log"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1008"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.8 Create Separate Partition for /var/log/audit

Description:

The auditing daemon, auditd, stores log data in the /var/log/audit directory.

There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired.

For new installations, check the box to "Review and modify partitioning" and create a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.

Ensure /var/log/audit partition exists -- More
CIS-CAT expected to collect at least 1 matching Partition item, and found 1 item.
Mount Point: /var/log/audit exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Create_Separate_Partition_for_varlogaudit"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.822-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.822-06:00"
                    start-time="2015-11-09T16:01:33.773-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /var/log/audit partition exists"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10010"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10010"
                               type="partition_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="925516587">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/var/log/audit"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1009"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.9 Create Separate Partition for /home

Description:

The /home directory is used to support disk storage needs of local users.

If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home.

For new installations, check the box to "Review and modify partitioning" and create a separate partition for /home.

For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.

Ensure /home partition exists -- More
CIS-CAT expected to collect at least 1 matching Partition item, and found 1 item.
Mount Point: /home exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Create_Separate_Partition_for_home"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.700-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.700-06:00"
                    start-time="2015-11-09T16:01:33.650-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /home partition exists"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10011"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10011"
                               type="partition_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1795323158">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/home"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1010"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.10 Add nodev Option to /home

Description:

When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices.

Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

Note: The actions in the item refer to the /home partition. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well.

Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information.

# mount -o remount,nodev /home

Ensure /home partition options Set Includes nodev (string) -- More
Check: All Must Pass
Mount Point: /home
CIS-CAT Expected (At least one of)... CIS-CAT Collected...
the Mount Options to be set to nodev rw
the Mount Options to be set to nodev nodev
the Mount Options to be set to nodev relatime
the Mount Options to be set to nodev attr2
the Mount Options to be set to nodev inode64
the Mount Options to be set to nodev noquota

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Add_nodev_Option_to_home"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.141-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.141-06:00"
                    start-time="2015-11-09T16:01:33.096-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /home partition options Set Includes nodev (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10012"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10012"
                               type="partition_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10006">
                  <cis:evidence_item entity_check="at least one" itemref="742916722">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/home"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="rw" dt="string" ev="nodev" name="mount_options" op="equals" result="false"/>
                     <cis:evidence_field cv="nodev" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="relatime" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="attr2" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="inode64" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="noquota" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1011"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.14 Add nodev Option to /dev/shm Partition

Description:

The nodev mount option specifies that the /dev/shm (temporary filesystem stored in memory) cannot contain block or character special devices.

Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.

Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /dev/shm. See the fstab(5) manual page for more information.

# mount -o remount,nodev /dev/shm

Ensure /dev/shm partition options Set Includes nodev (string) -- More
Check: All Must Pass
Mount Point: /dev/shm
CIS-CAT Expected (At least one of)... CIS-CAT Collected...
the Mount Options to be set to nodev rw
the Mount Options to be set to nodev nosuid
the Mount Options to be set to nodev nodev
the Mount Options to be set to nodev noexec
the Mount Options to be set to nodev relatime

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Add_nodev_Option_to_devshm_Partition"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.402-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.402-06:00"
                    start-time="2015-11-09T16:01:33.357-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /dev/shm partition options Set Includes nodev (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10013"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10013"
                               type="partition_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10007">
                  <cis:evidence_item entity_check="at least one" itemref="684276358">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/dev/shm"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="rw" dt="string" ev="nodev" name="mount_options" op="equals" result="false"/>
                     <cis:evidence_field cv="nosuid" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="nodev" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="noexec" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="relatime" dt="string" ev="nodev" name="mount_options" op="equals"
                                         result="false"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1012"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.15 Add nosuid Option to /dev/shm Partition

Description:

The nosuid mount option specifies that the /dev/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program.

Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.

Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. See the fstab(5) manual page for more information.

# mount -o remount,nosuid /dev/shm

Ensure /dev/shm partition options Set Includes nosuid (string) -- More
Check: All Must Pass
Mount Point: /dev/shm
CIS-CAT Expected (At least one of)... CIS-CAT Collected...
the Mount Options to be set to nosuid rw
the Mount Options to be set to nosuid nosuid
the Mount Options to be set to nosuid nodev
the Mount Options to be set to nosuid noexec
the Mount Options to be set to nosuid relatime

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.15_Add_nosuid_Option_to_devshm_Partition"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.449-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.449-06:00"
                    start-time="2015-11-09T16:01:33.403-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /dev/shm partition options Set Includes nosuid (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10014"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10014"
                               type="partition_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10008">
                  <cis:evidence_item entity_check="at least one" itemref="1299865175">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/dev/shm"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="rw" dt="string" ev="nosuid" name="mount_options" op="equals" result="false"/>
                     <cis:evidence_field cv="nosuid" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="nodev" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="noexec" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="relatime" dt="string" ev="nosuid" name="mount_options" op="equals"
                                         result="false"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1013"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.16 Add noexec Option to /dev/shm Partition

Description:

Set noexec on the shared memory partition to prevent programs from executing from there.

Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.

Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. See the fstab(5) manual page for more information.

# mount -o remount,noexec /dev/shm

Ensure /dev/shm partition options Set Includes noexec (string) -- More
Check: All Must Pass
Mount Point: /dev/shm
CIS-CAT Expected (At least one of)... CIS-CAT Collected...
the Mount Options to be set to noexec rw
the Mount Options to be set to noexec nosuid
the Mount Options to be set to noexec nodev
the Mount Options to be set to noexec noexec
the Mount Options to be set to noexec relatime

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.16_Add_noexec_Option_to_devshm_Partition"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:30.666-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:30.666-06:00"
                    start-time="2015-11-09T16:01:30.495-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /dev/shm partition options Set Includes noexec (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10015"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10015"
                               type="partition_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10009">
                  <cis:evidence_item entity_check="at least one" itemref="1996771451">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="mount_point" value="/dev/shm"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="rw" dt="string" ev="noexec" name="mount_options" op="equals" result="false"/>
                     <cis:evidence_field cv="nosuid" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="nodev" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                     <cis:evidence_field cv="noexec" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="relatime" dt="string" ev="noexec" name="mount_options" op="equals"
                                         result="false"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1014"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.1.17 Set Sticky Bit on All World-Writable Directories

Description:

Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.

This feature prevents the ability to delete or rename files in world writable directories (such as /tmp) that are owned by another user.

# df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs chmod a+t

Linux Custom Object "All World Writable Directories Have Sticky Bit Set" -- More
CIS-CAT did not expect to collect any file items, and found 0 items.
File: / does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.17_Set_Sticky_Bit_on_All_World-Writable_Directories"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:30.157-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:30.158-06:00"
                    start-time="2015-11-09T16:01:29.233-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Linux Custom Object &#34;All World Writable Directories Have Sticky Bit Set&#34;"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10016"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10016"
                               type="file_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="827753408">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="path" value="/"/>
                        <cis:evidence_item_pk_field name="filename" value="NIL"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1015"/>
      </check>
   </complex-check>
</rule-result>

1.2 Configure Software Updates

CentOS uses the yum command line tool to install and update software packages. Patch management procedures may vary widely between enterprises. Large enterprises may choose to install a CentOS update server that can be used in place of CentOS's servers, whereas a single deployment of a CentOS system may prefer to get updates from CentOS's servers. Updates can be performed automatically or manually, depending on the site's policy for patch management. Many large enterprises prefer to test patches on a non-production system before rolling out to production.

For the purpose of this benchmark, the requirement is to ensure that a patch management system is configured and maintained. The specifics on patch update procedures are left to the organization.

Pass

1.2.1 Verify CentOS GPG Key is Installed

Description:

CentOS cryptographically signs updates with a GPG key to verify that they are valid.

It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system.

Compare the GPG key with the one from CentOS's web site at http://mirror.centos.org/centos/. The following command can be used to print the installed release key's fingerprint, which is actually contained in the file referenced below:

# gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Ensure gpg-pubkey package is installed -- More
CIS-CAT expected to collect at least 1 matching RPM Package, and found 1 item.
Package Name: gpg-pubkey exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Verify_CentOS_GPG_Key_is_Installed"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.772-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.772-06:00"
                    start-time="2015-11-09T16:01:33.700-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure gpg-pubkey package is installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10017"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10017"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1639600090">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="gpg-pubkey"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1016"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.2.2 Verify that gpgcheck is Globally Activated

Description:

The gpgcheck option, found in the main section of the /etc/yum.conf file determines if an RPM package's signature is always checked prior to its installation.

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Edit the /etc/yum.conf file and set the gpgcheck to 1 as follows:

gpgcheck=1

Ensure /etc/yum.conf contents pattern match ^\s*gpgcheck=1\s*(#.*)?$ (string) -- More
CIS-CAT expected at least 1 matching text file content item to be collected, and found 1 item.
File: /etc/yum.conf exists
Pattern: ^\s*gpgcheck=1\s*(#.*)?$
Match Text: gpgcheck=1

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Verify_that_gpgcheck_is_Globally_Activated"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.474-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.474-06:00"
                    start-time="2015-11-09T16:01:33.471-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /etc/yum.conf contents pattern match ^\s*gpgcheck=1\s*(#.*)?$ (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10018"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10018"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="2083996210">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/yum.conf"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="yum.conf"/>
                        <cis:evidence_item_pk_field name="pattern" value="^\s*gpgcheck=1\s*(#.*)?$"/>
                        <cis:evidence_item_pk_field name="instance" value="1"/>
                        <cis:evidence_item_pk_field name="text" value="gpgcheck=1"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1017"
                       value-id="xccdf_org.cisecurity.benchmarks_value_1.2.2.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1017"/>
      </check>
   </complex-check>
</rule-result>

1.3 Advanced Intrusion Detection Environment (AIDE)

AIDE is a file integrity checking tool, similar in nature to Tripwire. While it cannot prevent intrusions, it can detect unauthorized changes to configuration files by alerting when the files are changed. When setting up AIDE, decide internally what the site policy will be concerning integrity checking. Review the AIDE quick start guide and AIDE documentation before proceeding.

1.4 Configure SELinux

SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. Under SELinux, every process and every object (files, sockets, pipes) on the system is assigned a security context, a label that includes detailed type information about the object. The kernel allows processes to access objects only if that access is explicitly allowed by the policy in effect. The policy defines transitions, so that a user can be allowed to run software, but the software can run under a different context than the user's default. This automatically limits the damage that the software can do to files accessible by the calling user. The user does not need to take any action to gain this benefit. For an action to occur, both the traditional DAC permissions must be satisfied as well as the SELinux MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, SELinux rules can only make a system's permissions more restrictive and secure. SELinux requires a complex policy to allow all the actions required of a system under normal operation. Three such policies have been designed for use with CentOS 7 and are included with the system: targeted, strict, and mls. These are described as follows:

  • targeted: consists mostly of Type Enforcement (TE) rules, and a small number of Role-Based Access Control (RBAC) rules. Targeted restricts the actions of many types of programs, but leaves interactive users largely unaffected.
  • strict: also uses TE and RBAC rules, but on more programs and more aggressively.
  • mls: implements Multi-Level Security (MLS), which introduces even more kinds of labels (sensitivity and category) and rules that govern access based on these.

This section provides guidance for the configuration of the targeted policy.

References:

  1. NSA SELinux resources:
    1. http://www.nsa.gov/research/selinux
    2. http://www.nsa.gov/research/selinux/list.shtml
  2. Fedora SELinux resources:
    1. FAQ: http://docs.fedoraproject.org/selinux-faq
    2. User Guide: http://docs.fedoraproject.org/selinux-user-guide
    3. Managing Services Guide: http://docs.fedoraproject.org/selinux-managing-confined-services-guide
  3. SELinux Project web page and wiki:
    1. http://www.selinuxproject.org
  4. Chapters 43-45 of Red Hat Enterprise Linux 5: Deployment Guide (Frank Mayer, Karl MacMillan and David Caplan),
  5. SELinux by Example: Using Security Enhanced Linux (Prentice Hall, August 6, 2006)

1.5 Secure Boot Settings

Pass

1.5.1 Set User/Group Owner on /boot/grub2/grub.cfg

Description:

Set the owner and group of /boot/grub2/grub.cfgto the root user.

Setting the owner and group to root prevents non-root users from changing the file.

# chown root:root /boot/grub2/grub.cfg

Ensure /boot/grub2/ is owned by user '0' group '0' -- More
File: /boot/grub2/grub.cfg
CIS-CAT Expected... CIS-CAT Collected...
the file's Group ID to be set to 0 0
the file's User ID to be set to 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_bootgrub2grub.cfg"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:28.563-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:28.564-06:00"
                    start-time="2015-11-09T16:01:28.501-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /boot/grub2/ is owned by user '0' group '0'"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10028"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10028"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10012">
                  <cis:evidence_item itemref="767334039">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/boot/grub2/grub.cfg"/>
                        <cis:evidence_item_pk_field name="path" value="/boot/grub2"/>
                        <cis:evidence_item_pk_field name="filename" value="grub.cfg"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="group_id" op="equals" result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="user_id" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1027"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.5.2 Set Permissions on /boot/grub2/grub.cfg

Description:

Set permission on the /boot/grub2/grub.cfg file to read and write for root only.

Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

# chmod og-rwx /boot/grub2/grub.cfg

Ensure all_exist /boot/grub2/grub.cfg has permission bits --------- and does not have permissions ---rwxrwx -- More
File: /boot/grub2/grub.cfg
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Read to be set to false false
the file's Group Write to be set to false false

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_bootgrub2grub.cfg"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.196-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.196-06:00"
                    start-time="2015-11-09T16:01:32.185-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure all_exist /boot/grub2/grub.cfg has permission bits --------- and does not have permissions ---rwxrwx"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10029"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10029"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10013">
                  <cis:evidence_item itemref="1715785195">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/boot/grub2/grub.cfg"/>
                        <cis:evidence_item_pk_field name="path" value="/boot/grub2"/>
                        <cis:evidence_item_pk_field name="filename" value="grub.cfg"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1028"/>
      </check>
   </complex-check>
</rule-result>
Fail

1.5.3 Set Boot Loader Password

Description:

Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters

Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).

Create an encrypted password with grub-md5-crypt:

# grub2-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>

Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:

cat <<EOF
set superusers="<user-list>"
password_pbkdf2 <user> <encrypted-password>
EOF

Run the following to update the grub configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg

All of the following tests or sub-groups must pass:
Ensure /boot/grub2/grub.cfg contents pattern match ^set superusers=".*"\s*(?:#.*)?$ (string) -- Less
CIS-CAT expected at least 1 matching text file content item to be collected, and found 0 items.
File: /boot/grub2/grub.cfg does not exist
Pattern: ^set superusers=".*"\s*(?:#.*)?$
Match Text: No match found
Ensure /boot/grub2/grub.cfg contents pattern match ^password (string) -- Less
CIS-CAT expected at least 1 matching text file content item to be collected, and found 0 items.
File: /boot/grub2/grub.cfg does not exist
Pattern: ^password
Match Text: No match found

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Set_Boot_Loader_Password"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.282-06:00"
             version="1"
             weight="1.0">
   <result>fail</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.282-06:00"
                    start-time="2015-11-09T16:01:32.277-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /boot/grub2/grub.cfg contents pattern match ^set superusers=&#34;.*&#34;\s*(?:#.*)?$ (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10030"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10030"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1265201192">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="filepath" value="/boot/grub2/grub.cfg"/>
                        <cis:evidence_item_pk_field name="path" value="/boot/grub2"/>
                        <cis:evidence_item_pk_field name="filename" value="grub.cfg"/>
                        <cis:evidence_item_pk_field name="pattern" value="^set superusers=&#34;.*&#34;\s*(?:#.*)?$"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /boot/grub2/grub.cfg contents pattern match ^password (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10031"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10031"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="651088903">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="filepath" value="/boot/grub2/grub.cfg"/>
                        <cis:evidence_item_pk_field name="path" value="/boot/grub2"/>
                        <cis:evidence_item_pk_field name="filename" value="grub.cfg"/>
                        <cis:evidence_item_pk_field name="pattern" value="^password"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1029"
                       value-id="xccdf_org.cisecurity.benchmarks_value_1.5.3.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1029"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1030"
                       value-id="xccdf_org.cisecurity.benchmarks_value_1.5.3.2_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1030"/>
      </check>
   </complex-check>
</rule-result>

1.6 Additional Process Hardening

Pass

1.6.1 Restrict Core Dumps

Description:

A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.

Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.

Add the following line to the /etc/security/limits.conf file.

* hard core 0

Add the following line to the /etc/sysctl.conf file.

fs.suid_dumpable = 0

All of the following tests or sub-groups must pass:
Ensure 'fs.suid_dumpable' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: fs.suid_dumpable
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to fs.suid_dumpable fs.suid_dumpable
the Kernel Parameter Value to be set to 0 0
Ensure /etc/security/limits.conf contents pattern match ^\s*\*\shard\score\s0(\s+#.*)?$ (string) -- More
CIS-CAT expected at least 1 matching text file content item to be collected, and found 1 item.
File: /etc/security/limits.conf exists
Pattern: ^\s*\*\shard\score\s0(\s+#.*)?$
Match Text: * hard core 0 # End of file

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1_Restrict_Core_Dumps"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.856-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.857-06:00"
                    start-time="2015-11-09T16:01:33.853-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'fs.suid_dumpable' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10033"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10033"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10014">
                  <cis:evidence_item itemref="67523818">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="fs.suid_dumpable"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="fs.suid_dumpable" dt="string" ev="fs.suid_dumpable" name="name" op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /etc/security/limits.conf contents pattern match ^\s*\*\shard\score\s0(\s+#.*)?$ (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10032"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10032"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1186031623">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/security/limits.conf"/>
                        <cis:evidence_item_pk_field name="path" value="/etc/security"/>
                        <cis:evidence_item_pk_field name="filename" value="limits.conf"/>
                        <cis:evidence_item_pk_field name="pattern" value="^\s*\*\shard\score\s0(\s+#.*)?$"/>
                        <cis:evidence_item_pk_field name="instance" value="1"/>
                        <cis:evidence_item_pk_field name="text" value="* hard core 0  # End of file"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1031"
                       value-id="xccdf_org.cisecurity.benchmarks_value_1.6.1.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1031"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1032"
                       value-id="xccdf_org.cisecurity.benchmarks_value_1.6.1.2_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1032"/>
      </check>
   </complex-check>
</rule-result>
Pass

1.6.2 Enable Randomized Virtual Memory Region Placement

Description:

Set the system flag to force randomized virtual memory region placement.

Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting.

Add the following line to the /etc/sysctl.conf file.

kernel.randomize_va_space = 2

Ensure 'kernel.randomize_va_space' kernel parameter equals 2 (int) -- More
Check: All Must Pass
Kernel Parameter: kernel.randomize_va_space
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to kernel.randomize_va_space kernel.randomize_va_space
the Kernel Parameter Value to be set to 2 2

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_1.6.2_Enable_Randomized_Virtual_Memory_Region_Placement"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.086-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.086-06:00"
                    start-time="2015-11-09T16:01:31.084-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'kernel.randomize_va_space' kernel parameter equals 2 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10034"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10034"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10015">
                  <cis:evidence_item itemref="1498029262">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="kernel.randomize_va_space"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="kernel.randomize_va_space" dt="string" ev="kernel.randomize_va_space"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="2" dt="int" ev="2" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1033"
                       value-id="xccdf_org.cisecurity.benchmarks_value_1.6.2.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1033"/>
      </check>
   </complex-check>
</rule-result>

2 OS Services

While applying system updates and patches helps correct known vulnerabilities, one of the best ways to protect the system against as yet unreported vulnerabilities is to disable all services that are not required for normal system operation.This prevents the exploitation of vulnerabilities discovered at a later date. If a service is not enabled, it cannot be exploited.The actions in this section of the document provide guidance on what services can be safely disabled and under which circumstances, greatly reducing the number of possible threats to the resulting system.

2.1 Remove Legacy Services

The items in this section are intended to ensure that legacy services are not installed on the system. Some guidance includes directives to both disable and remove the service. There is no good reason to have these services on the system, even in a disabled state.

Note: The audit items in the section check to see if the packages are listed in the yum database and installed using rpm. It could be argued that someone may have installed them separately. However, this is also true for any other type of rogue software. It is beyond the scope of this benchmark to address software that is installed using non-standard methods and installation directories.

Pass

2.1.1 Remove telnet-server

Description:

The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol.

The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.

# yum erase telnet-server

Ensure telnet-server package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: telnet-server does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1_Remove_telnet-server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.321-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.321-06:00"
                    start-time="2015-11-09T16:01:31.295-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure telnet-server package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10035"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10035"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="2087055084">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="telnet-server"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1034"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.2 Remove telnet Clients

Description:

The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol.

The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an authorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.

# yum erase telnet

Ensure telnet package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: telnet does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2_Remove_telnet_Clients"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:30.766-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:30.766-06:00"
                    start-time="2015-11-09T16:01:30.742-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure telnet package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10036"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10036"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="97166877">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="telnet"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1035"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.3 Remove rsh-server

Description:

The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text.

These legacy service contain numerous security exposures and have been replaced with the more secure SSH package.

# yum erase rsh-server

Ensure rsh-server package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: rsh-server does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Remove_rsh-server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.326-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.327-06:00"
                    start-time="2015-11-09T16:01:32.298-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure rsh-server package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10037"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10037"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1703495570">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="rsh-server"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1036"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.4 Remove rsh

Description:

The rsh package contains the client commands for the rsh services.

These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.

# yum erase rsh

Ensure rsh package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: rsh does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4_Remove_rsh"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.564-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.564-06:00"
                    start-time="2015-11-09T16:01:33.539-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure rsh package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10038"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10038"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="108010517">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="rsh"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1037"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.5 Remove NIS Client

Description:

The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files.

The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

# yum erase ypbind

Ensure ypbind package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: ypbind does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Remove_NIS_Client"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.845-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.845-06:00"
                    start-time="2015-11-09T16:01:33.822-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure ypbind package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10039"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10039"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="150797786">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="ypbind"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1038"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.6 Remove NIS Server

Description:

The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files.

The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used

# yum erase ypserv

Ensure ypserv package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: ypserv does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Remove_NIS_Server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.522-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.522-06:00"
                    start-time="2015-11-09T16:01:33.498-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure ypserv package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10040"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10040"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="5255865">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="ypserv"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1039"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.7 Remove tftp

Description:

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.

It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.

# yum erase tftp

Ensure tftp package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: tftp does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Remove_tftp"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:28.364-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:28.365-06:00"
                    start-time="2015-11-09T16:01:28.333-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure tftp package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10041"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10041"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1198951255">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="tftp"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1040"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.8 Remove tftp-server

Description:

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is the server package used to define and support a TFTP server.

TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services.

# yum erase tftp-server

Ensure tftp-server package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: tftp-server does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Remove_tftp-server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.739-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.740-06:00"
                    start-time="2015-11-09T16:01:31.716-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure tftp-server package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10042"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10042"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1511563324">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="tftp-server"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1041"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.9 Remove talk

Description:

The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk sessions) is installed by default.

The software presents a security risk as it uses unencrypted protocols for communication.

# yum erase talk

Ensure talk package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: talk does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Remove_talk"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.498-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.498-06:00"
                    start-time="2015-11-09T16:01:33.474-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure talk package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10043"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10043"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="559844914">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="talk"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1042"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.10 Remove talk-server

Description:

The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default.

The software presents a security risk as it uses unencrypted protocols for communication.

# yum erase talk-server

Ensure talk-server package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: talk-server does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Remove_talk-server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:29.233-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:29.233-06:00"
                    start-time="2015-11-09T16:01:29.207-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure talk-server package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10044"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10044"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="952172166">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="talk-server"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1043"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.12 Disable chargen-dgram

Description:

chargen-dgram is a network service that responds with 0 to 512 ASCII characters for each datagram it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.

Disabling this service will reduce the remote attack surface of the system.

Disable the chargen-dgram service by running the following command:

# chkconfig chargen-dgram off

Any of the following tests or sub-groups may pass:
Ensure chargen xinetd service on udp protocol is disabled -- More
Check: All Must Pass
No testable evidence items were collected. Any number of items (including none) are expected for this test. In this case, when no evidence items are collected, the test Passes.
Ensure xinetd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xinetd does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Disable_chargen-dgram"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.626-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.626-06:00"
                    start-time="2015-11-09T16:01:33.600-06:00">
         <cis:or>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Ensure chargen xinetd service on udp protocol is disabled"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10046"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10046"
                               type="xinetd_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10016"/>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xinetd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10047"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10047"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="995865919">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xinetd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:or>
      </cis:evidence>
   </metadata>
   <complex-check operator="OR">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1045"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1046"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.13 Disable chargen-stream

Description:

chargen-stream is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.

Disabling this service will reduce the remote attack surface of the system.

Disable the chargen-stream service by running the following command:

# chkconfig chargen-stream off

Any of the following tests or sub-groups may pass:
Ensure chargen xinetd service on tcp protocol is disabled -- More
Check: All Must Pass
No testable evidence items were collected. Any number of items (including none) are expected for this test. In this case, when no evidence items are collected, the test Passes.
Ensure xinetd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xinetd does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Disable_chargen-stream"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.169-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.169-06:00"
                    start-time="2015-11-09T16:01:33.144-06:00">
         <cis:or>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Ensure chargen xinetd service on tcp protocol is disabled"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10048"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10048"
                               type="xinetd_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10017"/>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xinetd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10049"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10049"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="548605787">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xinetd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:or>
      </cis:evidence>
   </metadata>
   <complex-check operator="OR">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1047"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1048"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.14 Disable daytime-dgram

Description:

daytime-dgram is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.

Disabling this service will reduce the remote attack surface of the system.

Disable the daytime-dgram service by running the following command:

# chkconfig daytime-dgram off

Any of the following tests or sub-groups may pass:
Ensure daytime xinetd service on udp protocol is disabled -- More
Check: All Must Pass
No testable evidence items were collected. Any number of items (including none) are expected for this test. In this case, when no evidence items are collected, the test Passes.
Ensure xinetd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xinetd does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Disable_daytime-dgram"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.650-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.650-06:00"
                    start-time="2015-11-09T16:01:33.626-06:00">
         <cis:or>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Ensure daytime xinetd service on udp protocol is disabled"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10050"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10050"
                               type="xinetd_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10018"/>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xinetd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10051"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10051"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1171257523">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xinetd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:or>
      </cis:evidence>
   </metadata>
   <complex-check operator="OR">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1049"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1050"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.15 Disable daytime-stream

Description:

daytime-stream is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.

Disabling this service will reduce the remote attack surface of the system.

Disable the daytime-stream service by running the following command:

# chkconfig daytime-stream off

Any of the following tests or sub-groups may pass:
Ensure xinetd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xinetd does not exist
Ensure daytime xinetd service on tcp protocol is disabled -- More
Check: All Must Pass
No testable evidence items were collected. Any number of items (including none) are expected for this test. In this case, when no evidence items are collected, the test Passes.

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Disable_daytime-stream"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.898-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.898-06:00"
                    start-time="2015-11-09T16:01:32.872-06:00">
         <cis:or>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xinetd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10053"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10053"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1346351880">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xinetd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Ensure daytime xinetd service on tcp protocol is disabled"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10052"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10052"
                               type="xinetd_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10019"/>
            </cis:evidence_test>
         </cis:or>
      </cis:evidence>
   </metadata>
   <complex-check operator="OR">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1051"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1052"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.16 Disable echo-dgram

Description:

echo-dgram is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.

Disabling this service will reduce the remote attack surface of the system.

Disable the echo-dgram service by running the following command:

# chkconfig echo-dgram off

Any of the following tests or sub-groups may pass:
Ensure echo xinetd service on udp protocol is disabled -- More
Check: All Must Pass
No testable evidence items were collected. Any number of items (including none) are expected for this test. In this case, when no evidence items are collected, the test Passes.
Ensure xinetd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xinetd does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Disable_echo-dgram"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.908-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.908-06:00"
                    start-time="2015-11-09T16:01:33.884-06:00">
         <cis:or>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Ensure echo xinetd service on udp protocol is disabled"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10054"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10054"
                               type="xinetd_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10020"/>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xinetd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10055"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10055"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1414317361">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xinetd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:or>
      </cis:evidence>
   </metadata>
   <complex-check operator="OR">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1053"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1054"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.17 Disable echo-stream

Description:

echo-stream is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.

Disabling this service will reduce the remote attack surface of the system.

Disable the echo-stream service by running the following command:

# chkconfig echo-stream off

Any of the following tests or sub-groups may pass:
Ensure xinetd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xinetd does not exist
Ensure echo xinetd service on tcp protocol is disabled -- More
Check: All Must Pass
No testable evidence items were collected. Any number of items (including none) are expected for this test. In this case, when no evidence items are collected, the test Passes.

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Disable_echo-stream"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.951-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.951-06:00"
                    start-time="2015-11-09T16:01:31.908-06:00">
         <cis:or>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xinetd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10057"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10057"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1584380616">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xinetd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Ensure echo xinetd service on tcp protocol is disabled"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10056"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10056"
                               type="xinetd_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10021"/>
            </cis:evidence_test>
         </cis:or>
      </cis:evidence>
   </metadata>
   <complex-check operator="OR">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1055"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1056"/>
      </check>
   </complex-check>
</rule-result>
Pass

2.1.18 Disable tcpmux-server

Description:

tcpmux-server is a network service that allows a client to access other network services running on the server. It is recommended that this service be disabled.

tcpmux-server can be abused to circumvent the server's host based firewall. Additionally, tcpmux-server can be leveraged by an attacker to effectively port scan the server.

Disable the tcpmux-server service by running the following command:

# chkconfig tcpmux-server off

Any of the following tests or sub-groups may pass:
Ensure xinetd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xinetd does not exist
Ensure tcpmux xinetd service on tcp protocol is disabled -- More
Check: All Must Pass
No testable evidence items were collected. Any number of items (including none) are expected for this test. In this case, when no evidence items are collected, the test Passes.

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_2.1.18_Disable_tcpmux-server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.185-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.185-06:00"
                    start-time="2015-11-09T16:01:32.159-06:00">
         <cis:or>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xinetd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10059"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10059"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="2019969921">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xinetd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Ensure tcpmux xinetd service on tcp protocol is disabled"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10058"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10058"
                               type="xinetd_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10022"/>
            </cis:evidence_test>
         </cis:or>
      </cis:evidence>
   </metadata>
   <complex-check operator="OR">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1057"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1058"/>
      </check>
   </complex-check>
</rule-result>

3 Special Purpose Services

This section describes services that are installed on servers that specifically need to run these services. If any of these services are not required, it is recommended that they be disabled or deleted from the system to reduce the potential attack surface.

Fail

3.1 Set Daemon umask

Description:

Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process.

Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission.

Add the following line to the /etc/sysconfig/init file.

umask 027

Ensure /etc/sysconfig/init contents pattern match ^\s*umask\s+027\s*(?:#.*)?$ (string) -- Less
CIS-CAT expected at least 1 matching text file content item to be collected, and found 0 items.
File: /etc/sysconfig/init does not exist
Pattern: ^\s*umask\s+027\s*(?:#.*)?$
Match Text: No match found

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.1_Set_Daemon_umask"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.865-06:00"
             version="1"
             weight="1.0">
   <result>fail</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.865-06:00"
                    start-time="2015-11-09T16:01:31.862-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /etc/sysconfig/init contents pattern match ^\s*umask\s+027\s*(?:#.*)?$ (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10060"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10060"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="916191806">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/sysconfig/init"/>
                        <cis:evidence_item_pk_field name="path" value="/etc/sysconfig"/>
                        <cis:evidence_item_pk_field name="filename" value="init"/>
                        <cis:evidence_item_pk_field name="pattern" value="^\s*umask\s+027\s*(?:#.*)?$"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1059"
                       value-id="xccdf_org.cisecurity.benchmarks_value_3.1.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1059"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.2 Remove the X Window System

Description:

The X Window system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Window system is typically used on desktops where users login, but not on servers where users typically do not login.

Unless your organization specifically requires graphical login access via the X Window System, remove the server to reduce the potential attack surface.

Change the default runlevel to multi user without X:

# cd /etc/lib/systemd/system/
# unlink default.target
# ln -s /usr/lib/systemd/system/multi-user.target default.target

Uninstall the X Window Server:

# yum remove xorg-x11-server-common

All of the following tests or sub-groups must pass:
Linux Custom Object "systemd Does Not Default To graphical.target" -- More
File: /usr/lib/systemd/system/multi-user.target
CIS-CAT Expected... CIS-CAT Collected...
the file's Filename to not be set to graphical.target multi-user.target
Ensure xorg-x11-server-common package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: xorg-x11-server-common does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.2_Remove_the_X_Window_System"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.743-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.743-06:00"
                    start-time="2015-11-09T16:01:32.712-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="any_exist"
                               comment="Linux Custom Object &#34;systemd Does Not Default To graphical.target&#34;"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10062"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10062"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10023">
                  <cis:evidence_item itemref="1978325770">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/usr/lib/systemd/system/multi-user.target"/>
                        <cis:evidence_item_pk_field name="path" value="/etc/systemd/system"/>
                        <cis:evidence_item_pk_field name="filename" value="multi-user.target"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="multi-user.target" dt="string" ev="graphical.target" name="filename"
                                         op="not equal"
                                         result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure xorg-x11-server-common package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10061"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10061"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="643157130">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="xorg-x11-server-common"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1060"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1061"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.3 Disable Avahi Server

Description:

Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.

Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it.

# systemctl disable avahi-daemon

Ensure systemd 'avahi-daemon.service' unit 'UnitFileState' property not equal enabled (string) -- More
Check: All Must Pass
Unit: avahi-daemon.service
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to not be set to enabled

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.3_Disable_Avahi_Server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.888-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.888-06:00"
                    start-time="2015-11-09T16:01:31.879-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure systemd 'avahi-daemon.service' unit 'UnitFileState' property not equal enabled (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10063"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10063"
                               type="systemdunitproperty_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10024">
                  <cis:evidence_item itemref="1752683459">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="unit" value="avahi-daemon.service"/>
                        <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="" dt="string" ev="enabled" name="value" op="not equal" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1062"
                       value-id="xccdf_org.cisecurity.benchmarks_value_3.3.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1062"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.4 Disable Print Server - CUPS

Description:

The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.

If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface.

systemctl disable cups

Ensure systemd 'cups.service' unit 'UnitFileState' property not equal enabled (string) -- More
Check: All Must Pass
Unit: cups.service
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to not be set to enabled

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.4_Disable_Print_Server_-_CUPS"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:31.059-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.059-06:00"
                    start-time="2015-11-09T16:01:31.045-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure systemd 'cups.service' unit 'UnitFileState' property not equal enabled (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10064"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10064"
                               type="systemdunitproperty_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10025">
                  <cis:evidence_item itemref="1227927114">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="unit" value="cups.service"/>
                        <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="" dt="string" ev="enabled" name="value" op="not equal" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1063"
                       value-id="xccdf_org.cisecurity.benchmarks_value_3.4.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1063"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.5 Remove DHCP Server

Description:

The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.

Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface.

# yum erase dhcp

Ensure dhcp package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: dhcp does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.5_Remove_DHCP_Server"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.588-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.588-06:00"
                    start-time="2015-11-09T16:01:33.565-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure dhcp package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10065"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10065"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="247411967">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="dhcp"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1064"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.6 Configure Network Time Protocol (NTP)

Description:

The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. The version of NTP delivered with CentOS can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server.

It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.

Set the following restrict parameters in /etc/ntp.conf:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Also, make sure /etc/ntp.conf has an NTP server specified:

server <ntp-server>

Note: <ntp-server> is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark.

Ensure -u ntp:ntp in options in /etc/sysconfig/ntpd:

OPTIONS="-u ntp:ntp"



All of the following tests or sub-groups must pass:
Ensure /etc/sysconfig/ntpd contents pattern match ^\s*OPTIONS="[^"]*-u ntp:ntp[^"]*"\s*(?:#.*)?$ (string) -- More
CIS-CAT expected at least 1 matching text file content item to be collected, and found 1 item.
File: /etc/sysconfig/ntpd exists
Pattern: ^\s*OPTIONS="[^"]*-u ntp:ntp[^"]*"\s*(?:#.*)?$
Match Text: OPTIONS="-g -u ntp:ntp"
All of the following tests or sub-groups must pass:
Ensure /etc/ntp.conf contents pattern match ^\s*server\s+\S+ (string) -- More
CIS-CAT expected at least 1 matching text file content item to be collected, and found 1 item.
File: /etc/ntp.conf exists
Pattern: ^\s*server\s+\S+
Match Text: server 0.centos.pool.ntp.org
All of the following tests or sub-groups must pass:
Ensure /etc/ntp.conf contents pattern match ^\s*restrict\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$ (string) -- More
CIS-CAT expected at least 1 matching text file content item to be collected, and found 1 item.
File: /etc/ntp.conf exists
Pattern: ^\s*restrict\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$
Match Text: restrict default kod nomodify notrap nopeer noquery
Ensure /etc/ntp.conf contents pattern match ^\s*restrict\s+-6\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$ (string) -- More
CIS-CAT expected at least 1 matching text file content item to be collected, and found 1 item.
File: /etc/ntp.conf exists
Pattern: ^\s*restrict\s+-6\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$
Match Text: restrict -6 default kod nomodify notrap nopeer noquery # Permit all access over the loopback interface. This could

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.6_Configure_Network_Time_Protocol_NTP"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.598-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.598-06:00"
                    start-time="2015-11-09T16:01:33.588-06:00">
         <cis:and>
            <cis:and>
               <cis:and>
                  <cis:evidence_test check="all" check_existence="at_least_one_exists"
                                     comment="Ensure /etc/ntp.conf contents pattern match ^\s*restrict\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$ (string)"
                                     negated="false"
                                     ns="independent"
                                     objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10066"
                                     result="true"
                                     testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10066"
                                     type="textfilecontent54_test">
                     <cis:evidence_object>
                        <cis:evidence_item itemref="1708519550">
                           <cis:evidence_item_pk status="exists">
                              <cis:evidence_item_pk_field name="filepath" value="/etc/ntp.conf"/>
                              <cis:evidence_item_pk_field name="path" value="/etc"/>
                              <cis:evidence_item_pk_field name="filename" value="ntp.conf"/>
                              <cis:evidence_item_pk_field name="pattern"
                                                          value="^\s*restrict\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$"/>
                              <cis:evidence_item_pk_field name="instance" value="1"/>
                              <cis:evidence_item_pk_field name="text" value="restrict default kod nomodify notrap nopeer noquery "/>
                           </cis:evidence_item_pk>
                        </cis:evidence_item>
                     </cis:evidence_object>
                  </cis:evidence_test>
                  <cis:evidence_test check="all" check_existence="at_least_one_exists"
                                     comment="Ensure /etc/ntp.conf contents pattern match ^\s*restrict\s+-6\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$ (string)"
                                     negated="false"
                                     ns="independent"
                                     objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10067"
                                     result="true"
                                     testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10067"
                                     type="textfilecontent54_test">
                     <cis:evidence_object>
                        <cis:evidence_item itemref="490940958">
                           <cis:evidence_item_pk status="exists">
                              <cis:evidence_item_pk_field name="filepath" value="/etc/ntp.conf"/>
                              <cis:evidence_item_pk_field name="path" value="/etc"/>
                              <cis:evidence_item_pk_field name="filename" value="ntp.conf"/>
                              <cis:evidence_item_pk_field name="pattern"
                                                          value="^\s*restrict\s+-6\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$"/>
                              <cis:evidence_item_pk_field name="instance" value="1"/>
                              <cis:evidence_item_pk_field name="text"
                                                          value="restrict -6 default kod nomodify notrap nopeer noquery  # Permit all access over the loopback interface.  This could"/>
                           </cis:evidence_item_pk>
                        </cis:evidence_item>
                     </cis:evidence_object>
                  </cis:evidence_test>
               </cis:and>
               <cis:evidence_test check="all" check_existence="at_least_one_exists"
                                  comment="Ensure /etc/ntp.conf contents pattern match ^\s*server\s+\S+ (string)"
                                  negated="false"
                                  ns="independent"
                                  objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10068"
                                  result="true"
                                  testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10068"
                                  type="textfilecontent54_test">
                  <cis:evidence_object>
                     <cis:evidence_item itemref="252949715">
                        <cis:evidence_item_pk status="exists">
                           <cis:evidence_item_pk_field name="filepath" value="/etc/ntp.conf"/>
                           <cis:evidence_item_pk_field name="path" value="/etc"/>
                           <cis:evidence_item_pk_field name="filename" value="ntp.conf"/>
                           <cis:evidence_item_pk_field name="pattern" value="^\s*server\s+\S+"/>
                           <cis:evidence_item_pk_field name="instance" value="1"/>
                           <cis:evidence_item_pk_field name="text" value="server 0.centos.pool.ntp.org"/>
                        </cis:evidence_item_pk>
                     </cis:evidence_item>
                  </cis:evidence_object>
               </cis:evidence_test>
            </cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /etc/sysconfig/ntpd contents pattern match ^\s*OPTIONS=&#34;[^&#34;]*-u ntp:ntp[^&#34;]*&#34;\s*(?:#.*)?$ (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10069"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10069"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="2076414082">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/sysconfig/ntpd"/>
                        <cis:evidence_item_pk_field name="path" value="/etc/sysconfig"/>
                        <cis:evidence_item_pk_field name="filename" value="ntpd"/>
                        <cis:evidence_item_pk_field name="pattern" value="^\s*OPTIONS=&#34;[^&#34;]*-u ntp:ntp[^&#34;]*&#34;\s*(?:#.*)?$"/>
                        <cis:evidence_item_pk_field name="instance" value="1"/>
                        <cis:evidence_item_pk_field name="text" value="OPTIONS=&#34;-g -u ntp:ntp&#34; "/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <complex-check operator="AND">
         <complex-check operator="AND">
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1065"
                             value-id="xccdf_org.cisecurity.benchmarks_value_3.6.1_var"/>
               <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                                  name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1065"/>
            </check>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1066"
                             value-id="xccdf_org.cisecurity.benchmarks_value_3.6.2_var"/>
               <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                                  name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1066"/>
            </check>
         </complex-check>
         <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1067"
                          value-id="xccdf_org.cisecurity.benchmarks_value_3.6.3_var"/>
            <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                               name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1067"/>
         </check>
      </complex-check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1068"
                       value-id="xccdf_org.cisecurity.benchmarks_value_3.6.4_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1068"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.7 Remove LDAP

Description:

The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. The default client/server LDAP application for CentOS is OpenLDAP.

If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface.

If LDAP is running on the system and is not needed, remove it as follows:

# yum erase openldap-servers
# yum erase openldap-clients

All of the following tests or sub-groups must pass:
Ensure openldap-servers package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: openldap-servers does not exist
Ensure openldap-clients package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: openldap-clients does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.7_Remove_LDAP"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:32.402-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.402-06:00"
                    start-time="2015-11-09T16:01:32.350-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure openldap-servers package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10070"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10070"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1969783850">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="openldap-servers"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure openldap-clients package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10071"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10071"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="378795676">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="openldap-clients"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1069"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1070"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.8 Disable NFS and RPC

Description:

The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.

If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface.

# systemctl disable nfslock
# systemctl disable rpcgssd
# systemctl disable rpcbind
# systemctl disable rpcidmapd
# systemctl disable rpcsvcgssd

All of the following tests or sub-groups must pass:
Ensure systemd 'nfslock' unit 'UnitFileState' property not equal enabled (string) -- More
Check: All Must Pass
Unit: nfslock
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to not be set to enabled
All of the following tests or sub-groups must pass:
Ensure systemd 'rpcgssd' unit 'UnitFileState' property not equal enabled (string) -- More
Check: All Must Pass
Unit: rpcgssd
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to not be set to enabled
All of the following tests or sub-groups must pass:
Ensure systemd 'rpcbind' unit 'UnitFileState' property not equal enabled (string) -- More
Check: All Must Pass
Unit: rpcbind
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to not be set to enabled
All of the following tests or sub-groups must pass:
Ensure systemd 'rpcidmapd' unit 'UnitFileState' property not equal enabled (string) -- More
Check: All Must Pass
Unit: rpcidmapd
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to not be set to enabled
Ensure systemd 'rpcsvcgssd' unit 'UnitFileState' property not equal enabled (string) -- More
Check: All Must Pass
Unit: rpcsvcgssd
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to not be set to enabled

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.8_Disable_NFS_and_RPC"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:31.861-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.861-06:00"
                    start-time="2015-11-09T16:01:31.834-06:00">
         <cis:and>
            <cis:and>
               <cis:and>
                  <cis:and>
                     <cis:evidence_test check="all" check_existence="at_least_one_exists"
                                        comment="Ensure systemd 'rpcidmapd' unit 'UnitFileState' property not equal enabled (string)"
                                        negated="false"
                                        ns="linux"
                                        objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10072"
                                        result="true"
                                        testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10072"
                                        type="systemdunitproperty_test">
                        <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10026">
                           <cis:evidence_item itemref="471925695">
                              <cis:evidence_item_pk status="exists">
                                 <cis:evidence_item_pk_field name="unit" value="rpcidmapd"/>
                                 <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                              </cis:evidence_item_pk>
                              <cis:evidence_field cv="" dt="string" ev="enabled" name="value" op="not equal" result="true"/>
                           </cis:evidence_item>
                        </cis:evidence_state>
                     </cis:evidence_test>
                     <cis:evidence_test check="all" check_existence="at_least_one_exists"
                                        comment="Ensure systemd 'rpcsvcgssd' unit 'UnitFileState' property not equal enabled (string)"
                                        negated="false"
                                        ns="linux"
                                        objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10073"
                                        result="true"
                                        testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10073"
                                        type="systemdunitproperty_test">
                        <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10027">
                           <cis:evidence_item itemref="1535581187">
                              <cis:evidence_item_pk status="exists">
                                 <cis:evidence_item_pk_field name="unit" value="rpcsvcgssd"/>
                                 <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                              </cis:evidence_item_pk>
                              <cis:evidence_field cv="" dt="string" ev="enabled" name="value" op="not equal" result="true"/>
                           </cis:evidence_item>
                        </cis:evidence_state>
                     </cis:evidence_test>
                  </cis:and>
                  <cis:evidence_test check="all" check_existence="at_least_one_exists"
                                     comment="Ensure systemd 'rpcbind' unit 'UnitFileState' property not equal enabled (string)"
                                     negated="false"
                                     ns="linux"
                                     objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10074"
                                     result="true"
                                     testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10074"
                                     type="systemdunitproperty_test">
                     <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10028">
                        <cis:evidence_item itemref="1305804855">
                           <cis:evidence_item_pk status="exists">
                              <cis:evidence_item_pk_field name="unit" value="rpcbind"/>
                              <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                           </cis:evidence_item_pk>
                           <cis:evidence_field cv="" dt="string" ev="enabled" name="value" op="not equal" result="true"/>
                        </cis:evidence_item>
                     </cis:evidence_state>
                  </cis:evidence_test>
               </cis:and>
               <cis:evidence_test check="all" check_existence="at_least_one_exists"
                                  comment="Ensure systemd 'rpcgssd' unit 'UnitFileState' property not equal enabled (string)"
                                  negated="false"
                                  ns="linux"
                                  objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10075"
                                  result="true"
                                  testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10075"
                                  type="systemdunitproperty_test">
                  <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10029">
                     <cis:evidence_item itemref="253028021">
                        <cis:evidence_item_pk status="exists">
                           <cis:evidence_item_pk_field name="unit" value="rpcgssd"/>
                           <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                        </cis:evidence_item_pk>
                        <cis:evidence_field cv="" dt="string" ev="enabled" name="value" op="not equal" result="true"/>
                     </cis:evidence_item>
                  </cis:evidence_state>
               </cis:evidence_test>
            </cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure systemd 'nfslock' unit 'UnitFileState' property not equal enabled (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10076"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10076"
                               type="systemdunitproperty_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10030">
                  <cis:evidence_item itemref="606984289">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="unit" value="nfslock"/>
                        <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="" dt="string" ev="enabled" name="value" op="not equal" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <complex-check operator="AND">
         <complex-check operator="AND">
            <complex-check operator="AND">
               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                  <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1071"
                                value-id="xccdf_org.cisecurity.benchmarks_value_3.8.4_var"/>
                  <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                                     name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1071"/>
               </check>
               <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                  <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1072"
                                value-id="xccdf_org.cisecurity.benchmarks_value_3.8.5_var"/>
                  <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                                     name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1072"/>
               </check>
            </complex-check>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1073"
                             value-id="xccdf_org.cisecurity.benchmarks_value_3.8.3_var"/>
               <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                                  name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1073"/>
            </check>
         </complex-check>
         <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1074"
                          value-id="xccdf_org.cisecurity.benchmarks_value_3.8.2_var"/>
            <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                               name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1074"/>
         </check>
      </complex-check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1075"
                       value-id="xccdf_org.cisecurity.benchmarks_value_3.8.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1075"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.9 Remove DNS Server

Description:

The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.

Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface.

# yum erase bind

Ensure bind package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: bind does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:28.500-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:28.500-06:00"
                    start-time="2015-11-09T16:01:28.474-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure bind package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10077"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10077"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="92311110">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="bind"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1076"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.10 Remove FTP Server

Description:

The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files.

FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface.

# yum erase vsftpd

Ensure vsftpd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: vsftpd does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.10_Remove_FTP_Server"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:33.353-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.353-06:00"
                    start-time="2015-11-09T16:01:33.324-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure vsftpd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10078"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10078"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="201891156">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="vsftpd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1077"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.11 Remove HTTP Server

Description:

HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with CentOS Linux is Apache.

Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface.

# yum erase httpd

Ensure httpd package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: httpd does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.11_Remove_HTTP_Server"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:33.883-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.883-06:00"
                    start-time="2015-11-09T16:01:33.859-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure httpd package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10079"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10079"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1153453878">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="httpd"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1078"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.12 Remove Dovecot (IMAP and POP3 services)

Description:

Dovecot is an open source IMAP and POP3 server for Linux based systems.

Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface.

# yum erase dovecot

Ensure dovecot package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: dovecot does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.12_Remove_Dovecot_IMAP_and_POP3_services"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:31.996-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.997-06:00"
                    start-time="2015-11-09T16:01:31.968-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure dovecot package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10080"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10080"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="712880731">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="dovecot"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1079"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.13 Remove Samba

Description:

The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems.

If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface.

# yum erase samba

Ensure samba package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: samba does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.13_Remove_Samba"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:31.083-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.084-06:00"
                    start-time="2015-11-09T16:01:31.059-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure samba package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10081"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10081"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1274634318">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="samba"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1080"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.14 Remove HTTP Proxy Server

Description:

The default HTTP proxy package shipped with CentOS Linux is squid.

If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface.

# yum erase squid

Ensure squid package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: squid does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.14_Remove_HTTP_Proxy_Server"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:33.192-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.192-06:00"
                    start-time="2015-11-09T16:01:33.169-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure squid package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10082"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10082"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="400830507">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="squid"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1081"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.15 Remove SNMP Server

Description:

The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.

The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used.

# yum erase net-snmp

Ensure net-snmp package is not installed -- More
CIS-CAT did not expect to collect any matching RPM Packages, and found 0 items.
Package Name: net-snmp does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.15_Remove_SNMP_Server"
             role="unscored"
             severity="unknown"
             time="2015-11-09T16:01:30.957-06:00"
             version="1"
             weight="0.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:30.958-06:00"
                    start-time="2015-11-09T16:01:30.932-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Ensure net-snmp package is not installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10083"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10083"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="2043440600">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="name" value="net-snmp"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1082"/>
      </check>
   </complex-check>
</rule-result>
Pass

3.16 Configure Mail Transfer Agent for Local-Only Mode

Description:

Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail. By default, the MTA is set to loopback mode on CentOS.

The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems.

Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below.

inet_interfaces = localhost

# Execute the following command to restart postfix
# service postfix restart

Linux Custom Object "No Servers Listening On Port 25" -- More
CIS-CAT did not expect to collect any matching items, and found 0 items.
Protocol: .*, Local Address: ^(?!127\.0\.0\.1|::1).*$, Local Port: 25 does not exist

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_3.16_Configure_Mail_Transfer_Agent_for_Local-Only_Mode"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:28.325-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:28.325-06:00"
                    start-time="2015-11-09T16:01:28.282-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="none_exist"
                               comment="Linux Custom Object &#34;No Servers Listening On Port 25&#34;"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10084"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10084"
                               type="inetlisteningservers_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="796237037">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="protocol" value=".*"/>
                        <cis:evidence_item_pk_field name="local_address" value="^(?!127\.0\.0\.1|::1).*$"/>
                        <cis:evidence_item_pk_field name="local_port" value="25"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1083"/>
      </check>
   </complex-check>
</rule-result>

4 Network Configuration and Firewalls

This section provides guidance for secure network and firewall configuration.

4.1 Modify Network Parameters (Host Only)

The following network parameters determine if the system is to act as a host only. A system is considered host only if the system has a single interface, or has multiple interfaces but will not be configured as a router.

Pass

4.1.1 Disable IP Forwarding

Description:

The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0.

Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router.

Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf:

net.ipv4.ip_forward=0

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.ip_forward=0
# /sbin/sysctl -w net.ipv4.route.flush=1

Ensure 'net.ipv4.ip_forward' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.ip_forward
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.ip_forward net.ipv4.ip_forward
the Kernel Parameter Value to be set to 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1_Disable_IP_Forwarding"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:28.468-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:28.469-06:00"
                    start-time="2015-11-09T16:01:28.366-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.ip_forward' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10085"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10085"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10031">
                  <cis:evidence_item itemref="340433788">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.ip_forward"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.ip_forward" dt="string" ev="net.ipv4.ip_forward" name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1084"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.1.1.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1084"/>
      </check>
   </complex-check>
</rule-result>
Pass

4.1.2 Disable Send Packet Redirects

Description:

ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.

An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.

Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf:

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects= 0

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.conf.all.send_redirects =0
# /sbin/sysctl -w net.ipv4.conf.default.send_redirects =0
# /sbin/sysctl -w net.ipv4.route.flush=1

All of the following tests or sub-groups must pass:
Ensure 'net.ipv4.conf.default.send_redirects' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.default.send_redirects
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects
the Kernel Parameter Value to be set to 0 0
Ensure 'net.ipv4.conf.all.send_redirects' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.all.send_redirects
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects
the Kernel Parameter Value to be set to 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2_Disable_Send_Packet_Redirects"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.539-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.539-06:00"
                    start-time="2015-11-09T16:01:33.536-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.default.send_redirects' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10087"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10087"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10033">
                  <cis:evidence_item itemref="1875263726">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.default.send_redirects"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.default.send_redirects" dt="string"
                                         ev="net.ipv4.conf.default.send_redirects"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.all.send_redirects' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10086"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10086"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10032">
                  <cis:evidence_item itemref="1660429344">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.all.send_redirects"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.all.send_redirects" dt="string"
                                         ev="net.ipv4.conf.all.send_redirects"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1085"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.1.2.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1085"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1086"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.1.2.2_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1086"/>
      </check>
   </complex-check>
</rule-result>

4.2 Modify Network Parameters (Host and Router)

The following network parameters determine if the system is to act as a router. A system acts as a router if it has at least two interfaces and is configured to perform routing functions.

Pass

4.2.1 Disable Source Routed Packet Acceptance

Description:

In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used.

Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.

Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf:

net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route =0

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
# /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
# /sbin/sysctl -w net.ipv4.route.flush=1

All of the following tests or sub-groups must pass:
Ensure 'net.ipv4.conf.all.accept_source_route' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.all.accept_source_route
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route
the Kernel Parameter Value to be set to 0 0
Ensure 'net.ipv4.conf.default.accept_source_route' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.default.accept_source_route
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route
the Kernel Parameter Value to be set to 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1_Disable_Source_Routed_Packet_Acceptance"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.272-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.272-06:00"
                    start-time="2015-11-09T16:01:32.269-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.all.accept_source_route' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10088"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10088"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10034">
                  <cis:evidence_item itemref="968779462">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.all.accept_source_route"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.all.accept_source_route" dt="string"
                                         ev="net.ipv4.conf.all.accept_source_route"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.default.accept_source_route' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10089"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10089"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10035">
                  <cis:evidence_item itemref="1398270407">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.default.accept_source_route"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.default.accept_source_route" dt="string"
                                         ev="net.ipv4.conf.default.accept_source_route"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1087"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.1.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1087"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1088"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.1.2_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1088"/>
      </check>
   </complex-check>
</rule-result>
Pass

4.2.2 Disable ICMP Redirect Acceptance

Description:

ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.

Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.

Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1

All of the following tests or sub-groups must pass:
Ensure 'net.ipv4.conf.all.accept_redirects' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.all.accept_redirects
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects
the Kernel Parameter Value to be set to 0 0
Ensure 'net.ipv4.conf.default.accept_redirects' kernel parameter equals 0 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.default.accept_redirects
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects
the Kernel Parameter Value to be set to 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2_Disable_ICMP_Redirect_Acceptance"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.325-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.326-06:00"
                    start-time="2015-11-09T16:01:31.322-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.all.accept_redirects' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10090"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10090"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10036">
                  <cis:evidence_item itemref="1015860141">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.all.accept_redirects"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.all.accept_redirects" dt="string"
                                         ev="net.ipv4.conf.all.accept_redirects"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.default.accept_redirects' kernel parameter equals 0 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10091"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10091"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10037">
                  <cis:evidence_item itemref="223853254">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.default.accept_redirects"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.default.accept_redirects" dt="string"
                                         ev="net.ipv4.conf.default.accept_redirects"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1089"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.2.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1089"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1090"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.2.2_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1090"/>
      </check>
   </complex-check>
</rule-result>
Pass

4.2.4 Log Suspicious Packets

Description:

When enabled, this feature logs packets with un-routable source addresses to the kernel log.

Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server.

Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf:

net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.conf.all.log_martians=1
# /sbin/sysctl -w net.ipv4.conf.default.log_martians=1
# /sbin/sysctl -w net.ipv4.route.flush=1

All of the following tests or sub-groups must pass:
Ensure 'net.ipv4.conf.all.log_martians' kernel parameter equals 1 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.all.log_martians
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.all.log_martians net.ipv4.conf.all.log_martians
the Kernel Parameter Value to be set to 1 1
Ensure 'net.ipv4.conf.default.log_martians' kernel parameter equals 1 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.conf.default.log_martians
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.conf.default.log_martians net.ipv4.conf.default.log_martians
the Kernel Parameter Value to be set to 1 1

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.2.4_Log_Suspicious_Packets"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:30.399-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:30.399-06:00"
                    start-time="2015-11-09T16:01:30.395-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.all.log_martians' kernel parameter equals 1 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10094"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10094"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10040">
                  <cis:evidence_item itemref="242312817">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.all.log_martians"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.all.log_martians" dt="string"
                                         ev="net.ipv4.conf.all.log_martians"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="1" dt="int" ev="1" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.conf.default.log_martians' kernel parameter equals 1 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10095"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10095"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10041">
                  <cis:evidence_item itemref="2049101272">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.conf.default.log_martians"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.conf.default.log_martians" dt="string"
                                         ev="net.ipv4.conf.default.log_martians"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="1" dt="int" ev="1" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1093"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.4.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1093"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1094"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.4.2_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1094"/>
      </check>
   </complex-check>
</rule-result>
Pass

4.2.5 Enable Ignore Broadcast Requests

Description:

Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses.

Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.

Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf:

net.ipv4.icmp_echo_ignore_broadcasts=1

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# /sbin/sysctl -w net.ipv4.route.flush=1

Ensure 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter equals 1 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.icmp_echo_ignore_broadcasts
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts
the Kernel Parameter Value to be set to 1 1

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.2.5_Enable_Ignore_Broadcast_Requests"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:30.769-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:30.769-06:00"
                    start-time="2015-11-09T16:01:30.767-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter equals 1 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10096"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10096"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10042">
                  <cis:evidence_item itemref="226710403">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.icmp_echo_ignore_broadcasts"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.icmp_echo_ignore_broadcasts" dt="string"
                                         ev="net.ipv4.icmp_echo_ignore_broadcasts"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="1" dt="int" ev="1" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1095"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.5.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1095"/>
      </check>
   </complex-check>
</rule-result>
Pass

4.2.6 Enable Bad Error Message Protection

Description:

Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages.

Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.

Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf:

net.ipv4.icmp_ignore_bogus_error_responses=1

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# /sbin/sysctl -w net.ipv4.route.flush=1

Ensure 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter equals 1 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.icmp_ignore_bogus_error_responses
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.icmp_ignore_bogus_error_responses
the Kernel Parameter Value to be set to 1 1

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.2.6_Enable_Bad_Error_Message_Protection"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.858-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.859-06:00"
                    start-time="2015-11-09T16:01:33.857-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter equals 1 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10097"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10097"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10043">
                  <cis:evidence_item itemref="667310607">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.icmp_ignore_bogus_error_responses"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.icmp_ignore_bogus_error_responses" dt="string"
                                         ev="net.ipv4.icmp_ignore_bogus_error_responses"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="1" dt="int" ev="1" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1096"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.6.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1096"/>
      </check>
   </complex-check>
</rule-result>
Pass

4.2.8 Enable TCP SYN Cookies

Description:

When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.

Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack.

Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf:

net.ipv4.tcp_syncookies=1

Modify active kernel parameters to match:

# /sbin/sysctl -w net.ipv4.tcp_syncookies=1
# /sbin/sysctl -w net.ipv4.route.flush=1

Ensure 'net.ipv4.tcp_syncookies' kernel parameter equals 1 (int) -- More
Check: All Must Pass
Kernel Parameter: net.ipv4.tcp_syncookies
CIS-CAT Expected... CIS-CAT Collected...
the Kernel Parameter Name to be set to net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies
the Kernel Parameter Value to be set to 1 1

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.2.8_Enable_TCP_SYN_Cookies"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.497-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.497-06:00"
                    start-time="2015-11-09T16:01:32.496-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure 'net.ipv4.tcp_syncookies' kernel parameter equals 1 (int)"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10100"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10100"
                               type="sysctl_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10046">
                  <cis:evidence_item itemref="1925564927">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="net.ipv4.tcp_syncookies"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="net.ipv4.tcp_syncookies" dt="string" ev="net.ipv4.tcp_syncookies"
                                         name="name"
                                         op="equals"
                                         result="true"/>
                     <cis:evidence_field cv="1" dt="int" ev="1" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1099"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.2.8.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1099"/>
      </check>
   </complex-check>
</rule-result>

4.3 Wireless Networking

4.4 IPv6

IPv6 is a networking protocol that supersedes IPv4. It has more routable addresses and has built in security

4.4.1 Configure IPv6

If IPv6 is to be used, follow this section of the benchmark to configure IPv6.

4.5 Install TCP Wrappers

Pass

4.5.3 Verify Permissions on /etc/hosts.allow

Description:

The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate.

It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.

If the permissions of the /etc/hosts.allow file are incorrect, run the following command to correct them:

# /bin/chmod 644 /etc/hosts.allow

Ensure /etc/hosts.allow has permission bits rw-r--r-- and does not have permissions --x-wx-wx -- More
File: /etc/hosts.allow
CIS-CAT Expected... CIS-CAT Collected...
the file's Owner Write to be set to true true
the file's Group Execute to be set to false false
the file's Other Read to be set to true true
the file's Owner Execute to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Owner Read to be set to true true
the file's Group Read to be set to true true
the file's Group Write to be set to false false

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.5.3_Verify_Permissions_on_etchosts.allow"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.753-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.753-06:00"
                    start-time="2015-11-09T16:01:31.740-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/hosts.allow has permission bits rw-r--r-- and does not have permissions --x-wx-wx"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10101"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10101"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10047">
                  <cis:evidence_item itemref="914516131">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/hosts.allow"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="hosts.allow"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="uwrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="uexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="uread" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="gread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1100"/>
      </check>
   </complex-check>
</rule-result>
Pass

4.5.5 Verify Permissions on /etc/hosts.deny

Description:

The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate.

It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.

If the permissions of the /etc/hosts.deny file are incorrect, run the following command to correct them:

# /bin/chmod 644 /etc/hosts.deny

Ensure all_exist /etc/hosts.deny has permission bits rw-r--r-- and does not have permissions --x-wx-wx -- More
File: /etc/hosts.deny
CIS-CAT Expected... CIS-CAT Collected...
the file's Owner Write to be set to true true
the file's Group Execute to be set to false false
the file's Other Read to be set to true true
the file's Owner Execute to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Owner Read to be set to true true
the file's Group Read to be set to true true
the file's Group Write to be set to false false

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.5.5_Verify_Permissions_on_etchosts.deny"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.349-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.349-06:00"
                    start-time="2015-11-09T16:01:32.327-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure all_exist /etc/hosts.deny has permission bits rw-r--r-- and does not have permissions --x-wx-wx"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10102"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10102"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10048">
                  <cis:evidence_item itemref="997800694">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/hosts.deny"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="hosts.deny"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="uwrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="uexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="uread" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="true" name="gread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1101"/>
      </check>
   </complex-check>
</rule-result>

4.6 Uncommon Network Protocols

CentOS Linux supports several network protocols that are not commonly used. If these protocols are not needed, it is recommended that they be disabled in the kernel.

Pass

4.7 Enable firewalld

Description:

IPtables is an application that allows a system administrator to configure the IP tables, chains and rules provided by the Linux kernel firewall. The firewalld service provides a dynamic firewall allowing changes to be made at anytime without disruptions cause by reloading.

A firewall provides extra protection for the Linux system by limiting communications in and out of the box to specific addresses and ports.

# systemctl enable firewalld

Ensure systemd 'firewalld' unit 'UnitFileState' property equals enabled (string) -- More
Check: All Must Pass
Unit: firewalld
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to be set to enabled enabled

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_4.7_Enable_firewalld"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.471-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.471-06:00"
                    start-time="2015-11-09T16:01:33.461-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure systemd 'firewalld' unit 'UnitFileState' property equals enabled (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10103"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10103"
                               type="systemdunitproperty_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10049">
                  <cis:evidence_item itemref="1945809107">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="unit" value="firewalld"/>
                        <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="enabled" dt="string" ev="enabled" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1102"
                       value-id="xccdf_org.cisecurity.benchmarks_value_4.7.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1102"/>
      </check>
   </complex-check>
</rule-result>

5 Logging and Auditing

The items in this section describe how to configure logging, log monitoring, and auditing, using tools included with CentOS 7.

It is recommended that rsyslog be used for logging (with logwatch providing summarization) and auditd be used for auditing (with aureport providing summarization) to automatically monitor logs for intrusion attempts and other suspicious system behavior.

In addition to the local log files created by the steps in this section, it is also recommended that sites collect copies of their system logs on a secure, centralized log server via an encrypted connection. Not only does centralized logging help sites correlate events that may be occurring on multiple systems, but having a second copy of the system log information may be critical after a system compromise where the attacker has modified the local log files on the affected system(s). If a log correlation system is deployed, configure it to process the logs described in this section.

Because it is often necessary to correlate log information from many different systems (particularly after a security incident) it is recommended that the time be synchronized among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP), which is supported by most network-ready devices. See the ntpd(8) manual page for more information on configuring NTP.

It is important that all logs described in this section be monitored on a regular basis and correlated to determine trends. A seemingly innocuous entry in one log could be more significant when compared to an entry in another log.

Note on log file permissions: There really isn't a "one size fits all" solution to the permissions on log files. Many sites utilize group permissions so that administrators who are in a defined security group, such as "wheel" do not have to elevate privileges to root in order to read log files. Also, if a third party log aggregation tool is used, it may need to have group permissions to read the log files, which is preferable to having it run setuid to root. Therefore, there are two remediation and audit steps for log file permissions. One is for systems that do not have a secured group method implemented that only permits root to read the log files (root:root 600). The other is for sites that do have such a setup and are designated as root:securegrp 640 where securegrp is the defined security group (in some cases wheel).

5.1 Configure rsyslog

The rsyslog software is recommended as a replacement for the default syslogd daemon and provides improvements over syslogd, such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.

Pass

5.1.1 Install the rsyslog package

Description:

The rsyslog package is a third party package that provides many enhancements to syslog, such as multi-threading, TCP communication, message filtering and data base support.

The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package.

# yum install rsyslog

Ensure rsyslog package is installed -- More
CIS-CAT expected to collect at least 1 matching RPM Package, and found 1 item.
Package Name: rsyslog exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Install_the_rsyslog_package"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.095-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.095-06:00"
                    start-time="2015-11-09T16:01:33.021-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure rsyslog package is installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10104"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10104"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1396752935">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="rsyslog"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1103"/>
      </check>
   </complex-check>
</rule-result>
Pass

5.1.2 Activate the rsyslog Service

Description:

The systemctl command can be used to ensure that the rsyslog service is turned on.

If the rsyslog service is not activated the system will not have a syslog service running.

# systemctl enable rsyslog

Ensure systemd 'rsyslog.service' unit 'UnitFileState' property equals enabled (string) -- More
Check: All Must Pass
Unit: rsyslog.service
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to be set to enabled enabled

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Activate_the_rsyslog_Service"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:33.923-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:33.923-06:00"
                    start-time="2015-11-09T16:01:33.917-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure systemd 'rsyslog.service' unit 'UnitFileState' property equals enabled (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10105"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10105"
                               type="systemdunitproperty_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10050">
                  <cis:evidence_item itemref="1252115558">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="unit" value="rsyslog.service"/>
                        <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="enabled" dt="string" ev="enabled" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1104"
                       value-id="xccdf_org.cisecurity.benchmarks_value_5.1.2.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1104"/>
      </check>
   </complex-check>
</rule-result>
Fail

5.1.4 Create and Set Permissions on rsyslog Log Files

Description:

A log file must already exist for rsyslog to be able to write to it.

It is important to ensure that log files exist and have the correct permissions to ensure that sensitive rsyslog data is archived and protected.

For sites that have not implemented a secure admin group:

Create the /var/log/ directory and for each <logfile> listed in the /etc/rsyslog.conf file, perform the following commands:

# touch <logfile>
# chown root:root <logfile>
# chmod og-rwx <logfile>

For sites that have implemented a secure admin group:

Create the /var/log/ directory and for each <logfile> listed in the /etc/rsyslog.conf file, perform the following commands (where is the name of the security group):

# touch <logfile>
# chown root:<securegrp> <logfile>
# chmod g-wx,o-rwx<logfile>

Linux Custom Object "rsyslog Log Files Have Correct Permissions" -- Less
File: /var/log/messages
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Write to be set to false false
File: /var/log/secure
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Write to be set to false false
File: /var/log/cron
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Write to be set to false false
File: /var/log/spooler
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Write to be set to false false
File: /var/log/boot.log
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false true
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Write to be set to false false

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Create_and_Set_Permissions_on_rsyslog_Log_Files"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.292-06:00"
             version="1"
             weight="1.0">
   <result>fail</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.293-06:00"
                    start-time="2015-11-09T16:01:31.253-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Linux Custom Object &#34;rsyslog Log Files Have Correct Permissions&#34;"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10106"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10106"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10051">
                  <cis:evidence_item itemref="732704646">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/var/log/messages"/>
                        <cis:evidence_item_pk_field name="path" value="/var/log"/>
                        <cis:evidence_item_pk_field name="filename" value="messages"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
                  <cis:evidence_item itemref="1984639359">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/var/log/secure"/>
                        <cis:evidence_item_pk_field name="path" value="/var/log"/>
                        <cis:evidence_item_pk_field name="filename" value="secure"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
                  <cis:evidence_item itemref="1711479855">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/var/log/cron"/>
                        <cis:evidence_item_pk_field name="path" value="/var/log"/>
                        <cis:evidence_item_pk_field name="filename" value="cron"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
                  <cis:evidence_item itemref="1550515567">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/var/log/spooler"/>
                        <cis:evidence_item_pk_field name="path" value="/var/log"/>
                        <cis:evidence_item_pk_field name="filename" value="spooler"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
                  <cis:evidence_item itemref="1750388328">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/var/log/boot.log"/>
                        <cis:evidence_item_pk_field name="path" value="/var/log"/>
                        <cis:evidence_item_pk_field name="filename" value="boot.log"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="oread" op="equals" result="false"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1105"/>
      </check>
   </complex-check>
</rule-result>
Fail

5.1.5 Configure rsyslog to Send Logs to a Remote Log Host

Description:

The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system

Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host).

*.* @@loghost.example.com

# Execute the following command to restart rsyslogd
# pkill -HUP rsyslogd

Note: The double "at" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol.

Ensure /etc/rsyslog.conf contents pattern match ^\*\.\*\s+@ (string) -- Less
CIS-CAT expected at least 1 matching text file content item to be collected, and found 0 items.
File: /etc/rsyslog.conf does not exist
Pattern: ^\*\.\*\s+@
Match Text: No match found

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Configure_rsyslog_to_Send_Logs_to_a_Remote_Log_Host"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:30.337-06:00"
             version="1"
             weight="1.0">
   <result>fail</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:30.337-06:00"
                    start-time="2015-11-09T16:01:30.331-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure /etc/rsyslog.conf contents pattern match ^\*\.\*\s+@ (string)"
                               negated="false"
                               ns="independent"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10108"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10107"
                               type="textfilecontent54_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="458573988">
                     <cis:evidence_item_pk status="does not exist">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/rsyslog.conf"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="rsyslog.conf"/>
                        <cis:evidence_item_pk_field name="pattern" value="^\*\.\*\s+@"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1106"
                       value-id="xccdf_org.cisecurity.benchmarks_value_5.1.5.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1106"/>
      </check>
   </complex-check>
</rule-result>

5.2 Configure System Accounting (auditd)

System auditing, through auditd, allows system administrators to monitor their systems such that they can detect unauthorized access or modification of data. By default, auditd will audit SELinux AVC denials, system logins, account modifications, and authentication events. Events will be logged to /var/log/audit/audit.log. The recording of these events will use a modest amount of disk space on a system. If significantly more events are captured, additional on system or off system storage may need to be allocated.

Note: For 64 bit systems that have arch as a rule parameter, you will need two rules: one for 64 bit and one for 32 bit systems. For 32 bit systems, only one rule is needed.

5.2.1 Configure Data Retention

When auditing, it is important to carefully configure the storage requirements for audit logs. By default, auditd will max out the log files at 5MB and retain only 4 copies of them. Older versions will be deleted. It is possible on a system that the 20 MBs of audit logs may fill up the system causing loss of audit data. While the recommendations here provide guidance, check your site policy for audit storage requirements.

6 System Access, Authentication and Authorization

6.1 Configure cron and anacron

Pass

6.1.1 Enable anacron Daemon

Description:

The anacron daemon is used on systems that are not up 24x7. The anacron daemon will execute jobs that would have normally been run had the system not been down.

Cron jobs may include critical security or administrative functions that need to run on a regular basis. Use this daemon on machines that are not up 24x7, or if there are jobs that need to be executed after the system has been brought back up after a maintenance window.

# yum install cronie-anacron

Note: NSA Guidance recommends disabling anacron for systems that are intended to be up 24X7, with the rationale that unnecessary software should be disabled to reduce risk. However, even systems that are designed to be up at all times can experience downtime that could prevent important system maintenance jobs from running. Review the requirements for your site to determine your appropriate risk level.

Ensure cronie-anacron package is installed -- More
CIS-CAT expected to collect at least 1 matching RPM Package, and found 1 item.
Package Name: cronie-anacron exists

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Enable_anacron_Daemon"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.715-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.715-06:00"
                    start-time="2015-11-09T16:01:31.633-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure cronie-anacron package is installed"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10167"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10165"
                               type="rpminfo_test">
               <cis:evidence_object>
                  <cis:evidence_item itemref="1183113783">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="name" value="cronie-anacron"/>
                     </cis:evidence_item_pk>
                  </cis:evidence_item>
               </cis:evidence_object>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1164"/>
      </check>
   </complex-check>
</rule-result>
Pass

6.1.2 Enable crond Daemon

Description:

The crond daemon is used to execute batch jobs on the system.

While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and crond is used to execute them.

# systemctl enable crond

Ensure systemd 'crond.service' unit 'UnitFileState' property equals enabled (string) -- More
Check: All Must Pass
Unit: crond.service
Property: UnitFileState
CIS-CAT Expected... CIS-CAT Collected...
the Value to be set to enabled enabled

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Enable_crond_Daemon"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:32.158-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:32.158-06:00"
                    start-time="2015-11-09T16:01:32.147-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="at_least_one_exists"
                               comment="Ensure systemd 'crond.service' unit 'UnitFileState' property equals enabled (string)"
                               negated="false"
                               ns="linux"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10168"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10166"
                               type="systemdunitproperty_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10062">
                  <cis:evidence_item itemref="1644045145">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="unit" value="crond.service"/>
                        <cis:evidence_item_pk_field name="property" value="UnitFileState"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="enabled" dt="string" ev="enabled" name="value" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-export export-name="oval:org.cisecurity.benchmarks.o_centos_centos:var:1165"
                       value-id="xccdf_org.cisecurity.benchmarks_value_6.1.2.1_var"/>
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1165"/>
      </check>
   </complex-check>
</rule-result>
Pass

6.1.3 Set User/Group Owner and Permission on /etc/anacrontab

Description:

The /etc/anacrontab file is used by anacron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and is the only user that can read and write the file.

This file contains information on what system jobs are run by anacron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access.

# chown root:root /etc/anacrontab
# chmod og-rwx /etc/anacrontab

All of the following tests or sub-groups must pass:
Ensure /etc/anacrontab is owned by user '0' group '0' -- More
File: /etc/anacrontab
CIS-CAT Expected... CIS-CAT Collected...
the file's Group ID to be set to 0 0
the file's User ID to be set to 0 0
Ensure /etc/anacrontab has permission bits --------- and does not have permissions ---rwxrwx -- More
File: /etc/anacrontab
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Read to be set to false false
the file's Group Write to be set to false false

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Set_UserGroup_Owner_and_Permission_on_etcanacrontab"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.248-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.248-06:00"
                    start-time="2015-11-09T16:01:31.087-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/anacrontab is owned by user '0' group '0'"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10170"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10168"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10064">
                  <cis:evidence_item itemref="1579934421">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/anacrontab"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="anacrontab"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="group_id" op="equals" result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="user_id" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/anacrontab has permission bits --------- and does not have permissions ---rwxrwx"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10169"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10167"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10063">
                  <cis:evidence_item itemref="766547370">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/anacrontab"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="anacrontab"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1166"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1167"/>
      </check>
   </complex-check>
</rule-result>
Pass

6.1.4 Set User/Group Owner and Permission on /etc/crontab

Description:

The /etc/crontab file is used by cron to control its own jobs. The commands in this item make here sure that root is the user and group owner of the file and is the only user that can read and write the file.

This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access.

# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab

All of the following tests or sub-groups must pass:
Ensure /etc/crontab has permission bits --------- and does not have permissions ---rwxrwx -- More
File: /etc/crontab
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false false
the file's Other Read to be set to false false
the file's Other Execute to be set to false false
the file's Other Write to be set to false false
the file's Group Read to be set to false false
the file's Group Write to be set to false false
Ensure /etc/crontab is owned by user '0' group '0' -- More
File: /etc/crontab
CIS-CAT Expected... CIS-CAT Collected...
the file's Group ID to be set to 0 0
the file's User ID to be set to 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Set_UserGroup_Owner_and_Permission_on_etccrontab"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.579-06:00"
             version="1"
             weight="1.0">
   <result>pass</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.579-06:00"
                    start-time="2015-11-09T16:01:31.535-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/crontab has permission bits --------- and does not have permissions ---rwxrwx"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10171"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10169"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10065">
                  <cis:evidence_item itemref="1049393356">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/crontab"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="crontab"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="oexec" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gread" op="equals" result="true"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/crontab is owned by user '0' group '0'"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10172"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10170"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10066">
                  <cis:evidence_item itemref="1742971967">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/crontab"/>
                        <cis:evidence_item_pk_field name="path" value="/etc"/>
                        <cis:evidence_item_pk_field name="filename" value="crontab"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="group_id" op="equals" result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="user_id" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1168"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1169"/>
      </check>
   </complex-check>
</rule-result>
Fail

6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly

Description:

This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.

Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly

All of the following tests or sub-groups must pass:
Ensure /etc/cron.hourly/ is owned by user '0' group '0' -- More
File: /etc/cron.hourly
CIS-CAT Expected... CIS-CAT Collected...
the file's Group ID to be set to 0 0
the file's User ID to be set to 0 0
Ensure /etc/cron.hourly/ has permission bits --------- and does not have permissions ---rwxrwx -- Less
File: /etc/cron.hourly
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false true
the file's Other Read to be set to false true
the file's Other Execute to be set to false true
the file's Other Write to be set to false false
the file's Group Read to be set to false true
the file's Group Write to be set to false false

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Set_UserGroup_Owner_and_Permission_on_etccron.hourly"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:29.183-06:00"
             version="1"
             weight="1.0">
   <result>fail</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:29.184-06:00"
                    start-time="2015-11-09T16:01:29.131-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/cron.hourly/ is owned by user '0' group '0'"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10174"
                               result="true"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10172"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10068">
                  <cis:evidence_item itemref="1497149485">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/cron.hourly"/>
                        <cis:evidence_item_pk_field name="path" value="/etc/cron.hourly"/>
                        <cis:evidence_item_pk_field name="filename" value="NIL"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="group_id" op="equals" result="true"/>
                     <cis:evidence_field cv="0" dt="int" ev="0" name="user_id" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/cron.hourly/ has permission bits --------- and does not have permissions ---rwxrwx"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10173"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10171"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10067">
                  <cis:evidence_item itemref="678494348">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/cron.hourly"/>
                        <cis:evidence_item_pk_field name="path" value="/etc/cron.hourly"/>
                        <cis:evidence_item_pk_field name="filename" value="NIL"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="gexec" op="equals" result="false"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="oread" op="equals" result="false"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="oexec" op="equals" result="false"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="gread" op="equals" result="false"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
         </cis:and>
      </cis:evidence>
   </metadata>
   <complex-check operator="AND">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1170"/>
      </check>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
         <check-content-ref href="CIS_CentOS_Linux_7_Benchmark_v1.1.0-oval.xml"
                            name="oval:org.cisecurity.benchmarks.o_centos_centos:def:1171"/>
      </check>
   </complex-check>
</rule-result>
Fail

6.1.6 Set User/Group Owner and Permission on /etc/cron.daily

Description:

The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.

Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

# chown root:root /etc/cron.daily
# chmod og-rwx /etc/cron.daily

All of the following tests or sub-groups must pass:
Ensure /etc/cron.daily/ has permission bits --------- and does not have permissions ---rwxrwx -- Less
File: /etc/cron.daily
CIS-CAT Expected... CIS-CAT Collected...
the file's Group Execute to be set to false true
the file's Other Read to be set to false true
the file's Other Execute to be set to false true
the file's Other Write to be set to false false
the file's Group Read to be set to false true
the file's Group Write to be set to false false
Ensure /etc/cron.daily/ is owned by user '0' group '0' -- More
File: /etc/cron.daily
CIS-CAT Expected... CIS-CAT Collected...
the file's Group ID to be set to 0 0
the file's User ID to be set to 0 0

Show Rule Result XML
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Set_UserGroup_Owner_and_Permission_on_etccron.daily"
             role="full"
             severity="unknown"
             time="2015-11-09T16:01:31.447-06:00"
             version="1"
             weight="1.0">
   <result>fail</result>
   <metadata>
      <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0"
                    end-time="2015-11-09T16:01:31.447-06:00"
                    start-time="2015-11-09T16:01:31.417-06:00">
         <cis:and>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/cron.daily/ has permission bits --------- and does not have permissions ---rwxrwx"
                               negated="false"
                               ns="unix"
                               objref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10175"
                               result="false"
                               testref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10173"
                               type="file_test">
               <cis:evidence_state steref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10069">
                  <cis:evidence_item itemref="1531181915">
                     <cis:evidence_item_pk status="exists">
                        <cis:evidence_item_pk_field name="filepath" value="/etc/cron.daily"/>
                        <cis:evidence_item_pk_field name="path" value="/etc/cron.daily"/>
                        <cis:evidence_item_pk_field name="filename" value="NIL"/>
                     </cis:evidence_item_pk>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="gexec" op="equals" result="false"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="oread" op="equals" result="false"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="oexec" op="equals" result="false"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="owrite" op="equals" result="true"/>
                     <cis:evidence_field cv="true" dt="boolean" ev="false" name="gread" op="equals" result="false"/>
                     <cis:evidence_field cv="false" dt="boolean" ev="false" name="gwrite" op="equals" result="true"/>
                  </cis:evidence_item>
               </cis:evidence_state>
            </cis:evidence_test>
            <cis:evidence_test check="all" check_existence="all_exist"
                               comment="Ensure /etc/cron.daily/ is owned by user '0' group '0'"
                               negated="false"
                               ns="unix"