| NSA SNAC Release 2 20 Dec 2007 (i731) For NSA_Lockdown Tools version 1.1-6 | Lockdown | Hardening | Manual process | Replace std package | Mods? | Notes | |
| 1 | Introduction | ||||||
| 1.1 | General Principles | ||||||
| 1.1.1 | Encrypt Transmitted Data Whenever Possible | ||||||
| 1.1.2 | Minimize Software to Minimize Vulnerability | ||||||
| 1.1.3 | Run Different Network Services on Separate Systems | ||||||
| 1.1.4 | Configure Security Tools to Improve System Robustness | ||||||
| 1.2 | How to Use This Guide | ||||||
| 1.2.1 | Read Sections Completely and in Order | ||||||
| 1.2.2 | Test in Non-Production Environment | ||||||
| 1.2.3 | Root Shell Environment Assumed | ||||||
| 1.2.4 | Formatting Conventions | ||||||
| 1.2.5 | Reboot Required | ||||||
| 2 | System-wide Configuration | ||||||
| 2.1 | Installing and Maintaining Software | ||||||
| 2.1.1 | Initial Installation Recommendations | ||||||
| 2.1.1.1 | Disk Partitioning | ||||||
| 2.1.1.2 | Boot Loader Configuration 2.3.5.2 | ||||||
| 2.1.1.3 | Network Devices 3.9.1 | ||||||
| 2.1.1.4 | Root Password | ||||||
| 2.1.1.5 | Software Packages | ||||||
| 2.1.1.6 | First-boot Configuration | ||||||
| 2.1.2 | Updating Software | ||||||
| 2.1.2.1 | Configure Connection to the RHN RPM Repositories | X | |||||
| 2.1.2.2 | Disable the rhnsd Daemon | X | NA for CentOS | ||||
| 2.1.2.3 | Obtain Software Package Updates with yum | X | |||||
| 2.1.2.3.2 | Remove yum-updatesd | X | |||||
| 2.1.2.3.2a | Add cron entry for daily yum run | X | |||||
| 2.1.3 | Software Integrity Checking | add | |||||
| 2.1.3.1 | Configure AIDE | X | |||||
| 2.2 | File Permissions and Masks | ||||||
| 2.2.1 | Restrict Partition Mount Options | ||||||
| 2.2.1.1 | Add nodev Option to Non-Root Local Partitions | X | |||||
| 2.2.1.2 | Add nodev, nosuid, and noexec Options to Removable Media Partitions | X | |||||
| 2.2.2 | Restrict Dynamic Mounting and Unmounting of Filesystems | ||||||
| 2.2.2.1 | Restrict Console Device Access | TD | |||||
| 2.2.2.2 | Disable USB Device Support | ||||||
| 2.2.2.2.1 | Disable ModprobeLoading of USB Storage Driver | X | |||||
| 2.2.2.3 | Disable the Automounter if Possible | X | |||||
| 2.2.2.4 | Disable GNOME Automounting if Possible | TD | Gnome | ||||
| 2.2.3 | Verify Permissions on Important Files and Directories | ||||||
| 2.2.3.1 | Verify Permissions on passwd, shadow, group and gshadow Files | X | |||||
| 2.2.3.2 | Verify that All World-Writable Directories Have Sticky Bits Set | report | |||||
| 2.2.3.3 | Find Unauthorized World-Writable Files | report | |||||
| 2.2.3.4 | Find Unauthorized SUID/SGID System Executables | report | |||||
| 2.2.3.5 | Find and Repair Unowned Files | report | |||||
| 2.2.4 | Restrict Programs from Dangerous Execution Patterns | ||||||
| 2.2.4.1 | Set Daemon umask | TD | |||||
| 2.2.4.2 | Disable Core Dumps | TD | |||||
| 2.2.4.3 | Enable ExecShield | TD | |||||
| 2.2.4.4 | Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems | report | |||||
| 2.3 | Account and Access Control | ||||||
| 2.3.1 | Protect Accounts by Restricting Password-Based Login | ||||||
| 2.3.1.1 | Restrict Root Logins to System Console | TD | |||||
| 2.3.1.2 | Limit su Access to the Root Account | TD | |||||
| 2.3.1.3 | Configure sudo to Improve Auditing of Root Access | TD | |||||
| 2.3.1.3a | Remove all NOPASSWD Directives | TD | |||||
| 2.3.1.4 | Block Shell and Login Access for Non-Root System Accounts | X | |||||
| 2.3.1.5 | Verify that No Accounts Have Empty Password Fields | report | |||||
| 2.3.1.6 | Verify that No Non-Root Accounts Have UID 0 | report | |||||
| 2.3.1.7 | Set Password Expiration Parameters | TD | X | yes | change must be manual | ||
| 2.3.1.8 | Remove Legacy ’+’ Entries from Password Files | TD | |||||
| 2.3.2 | Use Unix Groups to Enhance Security | ||||||
| 2.3.2.1 | Create a Unique Default Group for Each User | X | |||||
| 2.3.2.2 | Create and Maintain a Group Containing All Human Users | X | |||||
| 2.3.3 | Protect Accounts by Configuring PAM | ||||||
| 2.3.3.1 | Set Password Quality Requirements | TD | add | ||||
| 2.3.3.2 | Set Lockouts for Failed Password Attempts | TD | add reset to cron? | ||||
| 2.3.3.3 | Use pam deny.so to Quickly Deny Access to a Service | X | |||||
| 2.3.3.4 | Restrict Execution of userhelper to Console Users | X | |||||
| 2.3.4 | Secure Session Configuration Files for Login Accounts | ||||||
| 2.3.4.1 | Ensure that No Dangerous Directories Exist in Root’s Path | X | |||||
| 2.3.4.2 | Ensure that User Home Directories are not Group-Writable or World-Readable | X | |||||
| 2.3.4.3 | Ensure that User Dot-Files are not World-writable | X | |||||
| 2.3.4.4 | Ensure that Users Have Sensible Umask Values | TD | |||||
| 2.3.4.5 | Ensure that Users do not Have .netrc Files | report | |||||
| 2.3.5 | Protect Physical Console Access | ||||||
| 2.3.5.1 | Set BIOS Password | X | |||||
| 2.3.5.2 | Set Boot Loader Password | X | yes | set permissions only | |||
| 2.3.5.3 | Require Authentication for Single-User Mode | X | |||||
| 2.3.5.4 | Disable Interactive Boot | X | |||||
| 2.3.5.5 | Implement Inactivity Time-out for Login Shells | TD | |||||
| 2.3.5.6 | Configure Screen Locking | ||||||
| 2.3.5.6.1 | Configure Screen Locking GUI | TD | Gnome | ||||
| 2.3.5.6.2 | Configure Screen Locking Console | X | add | ||||
| 2.3.6 | Use a Centralized Authentication Service | X | |||||
| 2.3.7 | Warning Banners for System Accesses | ||||||
| 2.3.7.1 | Modify the System Login Banner | X | yes | also issue.net | |||
| 2.3.7.2 | Implement a GUI Warning Banner | X | |||||
| 2.4 | SELinux | ||||||
| 2.4.1 | How SELinux Works | ||||||
| 2.4.2 | Enable SELinux | report | |||||
| 2.4.3 | Disable Unnecessary SELinux Daemons | ||||||
| 2.4.3.1 | Disable and Remove SETroubleshoot if Possible | X | |||||
| 2.4.3.2 | Disable MCS Translation Service (mcstrans) if Possible | X | |||||
| 2.4.3.3 | Restorecon Service (restorecond) | X | keep as per 3.1.2 | ||||
| 2.4.4 | Check for Unconfined Daemons | report | |||||
| 2.4.5 | Debugging SELinux Policy Errors | ||||||
| 2.4.6 | Further Strengthening | ||||||
| 2.4.6.1 | Strengthen the Default SELinux Boolean Configuration | ||||||
| 2.4.6.2 | Use a Stronger Policy | ||||||
| 2.4.7 | SELinux References | ||||||
| 2.5 | Network Configuration and Firewalls | ||||||
| 2.5.1 | Kernel Parameters which Affect Networking | ||||||
| 2.5.1.1 | Network Parameters for Hosts Only | X | |||||
| 2.5.1.2 | Network Parameters for Hosts and Routers | N/A | |||||
| 2.5.2 | Wireless Networking | ||||||
| 2.5.2.1 | Remove Wireless Hardware if Possible | X | |||||
| 2.5.2.2.3 | Disable Wireless Through Software Configuration | TD | |||||
| 2.5.3 | IPv6 | ||||||
| 2.5.3.1.1 | Disable Support for IPv6 unless Needed | X | |||||
| 2.5.3.1.2 | Disable Interface Usage of IPv6 | X | yes | mod /etc/sysconfig/network only | |||
| 2.5.3.2 | Configure IPv6 Settings if Necessary | X | |||||
| 2.5.4 | TCP Wrapper | ||||||
| 2.5.4.1 | How TCP Wrapper Protects Services | ||||||
| 2.5.4.2 | Reject All Connections From Other Hosts if Appropriate | X | |||||
| 2.5.4.3 | Allow Connections Only From Hosts in This Domain if Appropriate | X | |||||
| 2.5.4.4 | Monitor Syslog for Relevant Connections and Failures | X | |||||
| 2.5.4.5 | Further Resources | ||||||
| 2.5.5 | Iptables and Ip6tables | X | |||||
| 2.5.5.1 | Inspect and Activate Default Rules | report | |||||
| 2.5.5.1a | Disable Ip6tables | X | yes | assume IPv6 disabled as per 2.5.3.1.1 | |||
| 2.5.5.2 | Understand the Default Ruleset | X | |||||
| 2.5.5.3 | Strengthen the Default Ruleset | ||||||
| 2.5.5.3.1 | Change Default Policies | TD | |||||
| 2.5.5.3.2 | Restrict ICMP Message Types | TD | yes | Ignore ICMPv6 rules | |||
| 2.5.5.3.3 | Remove IPsec Rules | TD | |||||
| 2.5.5.3.4 | Log and Drop Packets with Suspicious Source Addresses | TD | |||||
| 2.5.5.3.5 | Log and Drop All Other Packets | X | |||||
| 2.5.5.4 | Further Strengthening | ||||||
| 2.5.5.5 | Further Resources | ||||||
| 2.5.6 | Secure Sockets Layer Support | ||||||
| 2.5.6.1 | Create a CA to Sign Certificates | X | |||||
| 2.5.6.2 | Create SSL Certificates for Servers | X | |||||
| 2.5.6.3 | Enable Client Support | X | |||||
| 2.5.6.4 | Further Resources | ||||||
| 2.6 | Logging and Auditing | ||||||
| 2.6.1 | Configure Syslog | X | |||||
| 2.6.1.1 | Ensure All Important Messages are Captured | TD | |||||
| 2.6.1.2 | Confirm Existence and Permissions of System Log Files | TD | |||||
| 2.6.1.3 | Send Logs to a Remote Loghost | X | |||||
| 2.6.1.4 | Enable syslogd to Accept Remote Messages on Loghosts Only | TD | yes | assume log client only | |||
| 2.6.1.5 | Ensure All Logs are Rotated by logrotate | TD | |||||
| 2.6.1.6 | Monitor Suspicious Log Messages using Logwatch | X | |||||
| 2.6.2 | System Accounting with auditd | ||||||
| 2.6.2.1 | Enable the auditd Service | X | add | ||||
| 2.6.2.2 | Use aureport to Summarize Audit Logs | X | |||||
| 2.6.2.3 | Configure auditd for Sites with Further Auditing Requirements | X | |||||
| 3 | Services | ||||||
| 3.1 | Disable All Unneeded Services at Boot Time | ||||||
| 3.1.1 | Determine which Services are Enabled at Boot | report | |||||
| 3.1.2 | Guidance on Default Services | X | yes | keep ia32 microcode_ctl | |||
| 3.1.3 | Guidance for Unfamiliar Services | X | |||||
| 3.2 | Obsolete Services | ||||||
| 3.2.1 | Inetd and Xinetd | X | |||||
| 3.2.2 | Telnet | X | |||||
| 3.2.3 | Rlogin, Rsh, and Rcp | ||||||
| 3.2.3.1 | Remove the Rsh Server Commands from the System | X | |||||
| 3.2.3.2 | Remove .rhosts Support from PAM Configuration Files | report | |||||
| 3.2.4 | NIS | X | |||||
| 3.2.5 | TFTP Server | X | |||||
| 3.3 | Base Services | ||||||
| 3.3.1 | Installation Helper Service (firstboot) | X | |||||
| 3.3.2 | Console Mouse Service (gpm) | X | |||||
| 3.3.3 | Interrupt Distribution on Multiprocessor Systems (irqbalance) | X | yes | remove - assume single CPU | |||
| 3.3.4 | ISDN Support (isdn) | X | |||||
| 3.3.5 | Kdump Kernel Crash Analyzer (kdump) | X | |||||
| 3.3.6 | Kudzu Hardware Probing Utility (kudzu) | X | |||||
| 3.3.7 | Software RAID Monitor (mdmonitor) | X | |||||
| 3.3.8 | IA32 Microcode Utility (microcode ctl) | X | yes | keep - assume IA32 target | |||
| 3.3.9 | Network Service (network) | ||||||
| 3.3.9.1 | Disable All Networking if Not Needed | X | yes | assume network needed | |||
| 3.3.9.2 | Disable All External Network Interfaces if Not Needed | X | |||||
| 3.3.9.3 | Disable Zeroconf Networking | X | |||||
| 3.3.10 | Smart Card Support (pcscd) | X | |||||
| 3.3.11 | SMART Disk Monitoring Support (smartd) | X | keep - assume SMART drives | ||||
| 3.3.12 | Boot Caching (readahead early/readahead later) | X | |||||
| 3.3.13 | Application Support Services | ||||||
| 3.3.13.1 | D-Bus IPC Service (messagebus) | X | |||||
| 3.3.13.2.1 | HAL Daemon (haldaemon) | X | |||||
| 3.3.14 | Bluetooth Support | ||||||
| 3.3.14.1 | Bluetooth Host Controller Interface Daemon (bluetooth) | X | |||||
| 3.3.14.2 | Bluetooth Input Devices (hidd) | X | |||||
| 3.3.14.3 | Disable Bluetooth Kernel Modules | TD | |||||
| 3.3.15 | Power Management Support | ||||||
| 3.3.15.1 | Advanced Power Management Subsystem (apmd) | X | |||||
| 3.3.15.2 | Advanced Configuration and Power Interface (acpid) | X | keep | ||||
| 3.3.15.3 | CPU Throttling (cpuspeed) | X | keep | ||||
| 3.4 | Cron and At Daemons | X | yes | disable atd | |||
| 3.4.1 | Disable anacron if Possible | X | |||||
| 3.4.2 | Restrict Permissions on Files Used by cron | TD | yes | cron only | |||
| 3.4.3 | Restrict at and cron to Authorized Users | X | yes | cron only | |||
| 3.5 | SSH Server | ||||||
| 3.5.1 | Disable OpenSSH Server if Possible | ||||||
| 3.5.1.1 | Disable and Remove OpenSSH Software | skip | yes | allow sshd | |||
| 3.5.1.2 | Remove SSH Server iptables Firewall Exception | skip | yes | allow sshd | |||
| 3.5.2 | Configure OpenSSH Server if Necessary | ||||||
| 3.5.2.1 | Ensure Only Protocol 2 Connections Allowed | TD | |||||
| 3.5.2.2 | Limit Users’ SSH Access | X | |||||
| 3.5.2.3 | Set Idle Timeout Interval for User Logins | TD | |||||
| 3.5.2.4 | Disable .rhosts Files | TD | |||||
| 3.5.2.5 | Disable Host-Based Authentication | TD | |||||
| 3.5.2.6 | Disable root Login via SSH | TD | |||||
| 3.5.2.7 | Disable Empty Passwords | TD | |||||
| 3.5.2.8 | Enable a Warning Banner | X | |||||
| 3.5.2.9 | Strengthen Firewall Configuration if Possible | X | |||||
| 3.6 | X Window System | ||||||
| 3.6.1 | Disable X Windows if Possible | ||||||
| 3.6.1.1 | Disable X Windows at System Boot | TD | |||||
| 3.6.1.2 | Remove X Windows from the System if Possible | TD | |||||
| 3.6.1.3 | Lock Down X Windows startx Configuration if Necessary | ||||||
| 3.6.1.3.1 | Disable X Font Server xfs | X | |||||
| 3.6.1.3.2 | Disable X Window System Listening | TD | |||||
| 3.6.2 | Configure X Windows if Necessary | ||||||
| 3.6.2.1 | Create Warning Banners for GUI Login Users | X | |||||
| 3.7 | Avahi Server | ||||||
| 3.7.1 | Disable Avahi Server if Possible | ||||||
| 3.7.1.1 | Disable Avahi Server Software | X | |||||
| 3.7.1.2 | Remove Avahi Server iptables Firewall Exception | TD | |||||
| 3.7.2 | Configure Avahi if Necessary | ||||||
| 3.7.2.1 | Serve Only via Required Protocol | TD | |||||
| 3.7.2.2 | Check Responses’ TTL Field | TD | |||||
| 3.7.2.3 | Prevent Other Programs from Using Avahi’s Port | TD | |||||
| 3.7.2.4 | Disable Publishing if Possible | TD | |||||
| 3.7.2.5 | Restrict Published Information | TD | |||||
| 3.8 | Print Support | ||||||
| 3.8.1 | Disable the CUPS Service if Possible | X | |||||
| 3.8.2 | Disable Firewall Access to Printing Service if Possible | TD | |||||
| 3.8.3 | Configure the CUPS Service if Necessary | ||||||
| 3.8.3.1 | Limit Printer Browsing | ||||||
| 3.8.3.1.1 | Disable Printer Browsing Entirely if Possible | TD | |||||
| 3.8.3.1.2 | Limit Printer Browsing to a Particular Subnet if Possible | X | |||||
| 3.8.3.2 | Disable Print Server Capabilities if Possible | TD | |||||
| 3.8.3.3 | Limit Access to the Web Administration Interface | X | |||||
| 3.8.3.4 | Take Further Security Measures When Appropriate | X | |||||
| 3.8.4 | The HP Linux Imaging and Printing (HPLIP) Toolkit | ||||||
| 3.8.4.1 | Disable HPLIP Service if Possible | X | |||||
| 3.9 | DHCP | ||||||
| 3.9.1 | Disable DHCP Client if Possible | X | |||||
| 3.9.2 | Configure DHCP Client if necessary | ||||||
| 3.9.2.1 | Minimize the DHCP-Configured Options | X | |||||
| 3.9.3 | Disable DHCP Server if possible | X | |||||
| 3.9.4 | Configure the DHCP Server if necessary | ||||||
| 3.9.4.1 | Do Not Use Dynamic DNS | TD | |||||
| 3.9.4.2 | Deny Decline Messages | TD | |||||
| 3.9.4.3 | Deny BOOTP Queries | TD | |||||
| 3.9.4.4 | Minimize Served Information | X | |||||
| 3.9.4.5 | Configure Logging 2.6.1.1 | TD | |||||
| 3.9.4.6 | Further Resources | ||||||
| 3.10 | Network Time Protocol | ||||||
| 3.10.1 | Select NTP Software | X | yes | use ntpd for client | |||
| 3.10.2 | Configure Reference NTP if Appropriate | ||||||
| 3.10.2.1 | Configure an NTP Client | ||||||
| 3.10.2.1.1 | Set Up Client NTP Configuration File | X | |||||
| 3.10.2.1.2 | Run NTP using Cron | TD | |||||
| 3.10.2.2 | Configure an NTP Server | ||||||
| 3.10.2.2.1 | Enable the NTP Daemon | TD | |||||
| 3.10.2.2.2 | Deny All Access to ntpd by Default | TD | |||||
| 3.10.2.2.3 | Specify a Remote NTP Server for Time Data | X | |||||
| 3.10.2.2.4 | Allow Legitimate NFS Clients to Access the Server | X | |||||
| 3.10.3 | Configure OpenNTPD if Appropriate | OpenNTP not supported | |||||
| 3.10.3.1 | Obtain NTP Software | ||||||
| 3.10.3.2 | Configure an SNTP Client | ||||||
| 3.10.3.3 | Configure an SNTP Server | ||||||
| 3.11 | Mail Transfer Agent | ||||||
| 3.11.1 | Select Mail Server Software and Configuration | X | yes | use sendmail | |||
| 3.11.2 | Configure SMTP For Mail Client | ||||||
| 3.11.2.1 | Disable the Listening Sendmail Daemon | TD | |||||
| 3.11.2.2 | Configure Mail Submission if Appropriate | X | |||||
| 3.11.3 | Strategies for MTA Security | ||||||
| 3.11.3.1 | Use Resource Limits to Mitigate Denial of Service | X | |||||
| 3.11.3.2 | Configure SMTP Greeting Banner | X | |||||
| 3.11.3.3 | Control Mail Relaying | X | |||||
| 3.11.4 | Configure Operating System to Protect Mail Server | ||||||
| 3.11.4.1 | Use Separate Hosts for External and Internal Mail if Possible | X | |||||
| 3.11.4.2 | Protect the MTA Host from User Access | X | |||||
| 3.11.4.3 | Restrict Remote Access to the Mail Spool | X | |||||
| 3.11.4.4 | Configure iptables to Allow Access to the Mail Server | X | |||||
| 3.11.4.5 | Verify System Logging and Log Permissions for Mail | TD | |||||
| 3.11.4.6 | Configure SSL Certificates for Use with SMTP AUTH | X | |||||
| 3.11.5 | Configure Sendmail Server if Necessary | X | |||||
| 3.11.5.1 | Limit Denial of Service Attacks | TD | |||||
| 3.11.5.2 | Configure SMTP Greeting Banner | X | |||||
| 3.11.5.3 | Control Mail Relaying | X | |||||
| 3.11.6 | Configure Postfix if Necessary | Postfix not supported | |||||
| 3.11.6.1 | Limit Denial of Service Attacks | ||||||
| 3.11.6.2 | Configure SMTP Greeting Banner | ||||||
| 3.11.6.3 | Control Mail Relaying | ||||||
| 3.11.6.4 | Require TLS for SMTP AUTH | ||||||
| 3.12 | LDAP | ||||||
| 3.12.1 | Use OpenLDAP to Provide LDAP Service if Possible | ||||||
| 3.12.2 | Configure OpenLDAP Clients | ||||||
| 3.12.2.1 | Configure the Appropriate LDAP Parameters for the Domain | X | |||||
| 3.12.2.2 | Configure LDAP to Use TLS for All Transactions | X | |||||
| 3.12.2.3 | Configure Authentication Services to Use OpenLDAP | X | |||||
| 3.12.3 | Configure OpenLDAP Server | ||||||
| 3.12.3.1 | Install OpenLDAP Server RPM | X | add | ||||
| 3.12.3.2 | Configure Domain-Specific Parameters | ||||||
| 3.12.3.3 | Configure an LDAP Root Password | ||||||
| 3.12.3.4 | Configure the LDAP Server to Require TLS for All Transactions | ||||||
| 3.12.3.5 | Install Account Information into the LDAP Database | ||||||
| 3.12.3.6 | Configure slapd to Protect Authentication Information | ||||||
| 3.12.3.7 | Correct Permissions on LDAP Server Files | TD | |||||
| 3.12.3.8 | Configure iptables to Allow Access to the LDAP Server | ||||||
| 3.12.3.9 | Configure Logging for LDAP | TD | |||||
| 3.13 | NFS and RPC | ||||||
| 3.13.1 | Disable All NFS Services if Possible | ||||||
| 3.13.1.1 | Disable Services Used Only by NFS | X | |||||
| 3.13.1.2 | Disable netfs if Possible | X | |||||
| 3.13.1.3 | Disable RPC Portmapper if Possible | X | |||||
| 3.13.2 | Configure All Machines which Use NFS | ||||||
| 3.13.2.1 | Make Each Machine a Client or a Server, not Both | X | |||||
| 3.13.2.2 | Restrict Access to the Portmapper | X | |||||
| 3.13.2.3 | Configure NFS Services to Use Fixed Ports | X | |||||
| 3.13.3 | Configure NFS Clients | ||||||
| 3.13.3.1 | Disable NFS Server Daemons | X | |||||
| 3.13.3.2 | Mount Remote Filesystems with Restrictive Options 2.2.1.2 | X | |||||
| 3.13.4 | Configure NFS Servers | ||||||
| 3.13.4.1 | Configure the Exports File Restrictively | ||||||
| 3.13.4.1.1 | Use Access Lists to Enforce Authorization Restrictions on Mounts | X | |||||
| 3.13.4.1.2 | Use Root-Squashing on All Exports | TD | |||||
| 3.13.4.1.3 | Restrict NFS Clients to Privileged Ports | TD | |||||
| 3.13.4.1.4 | Export Filesystems Read-Only if Possible | report | |||||
| 3.13.4.2 | Allow Legitimate NFS Clients to Access the Server | X | |||||
| 3.14 | DNS Server | ||||||
| 3.14.1 | Disable DNS Server if Possible | X | |||||
| 3.14.2 | Run the BIND9 Software if DNS Service is Needed | X | |||||
| 3.14.3 | Isolate DNS from Other Services | ||||||
| 3.14.3.1 | Run DNS Software on Dedicated Servers if Possible | X | |||||
| 3.14.3.2 | Run DNS Software in a chroot Jail | X | |||||
| 3.14.3.3 | Configure Firewalls to Protect the DNS Server | X | |||||
| 3.14.4 | Protect DNS Data from Tampering or Attack | ||||||
| 3.14.4.1 | Run Separate DNS Servers for External and Internal Queries if Possible | X | |||||
| 3.14.4.2 | Use Views to Partition External and Internal Information if Necessary | X | |||||
| 3.14.4.3 | Disable Zone Transfers from the Nameserver if Possible | X | |||||
| 3.14.4.4 | Authenticate Zone Transfers if Necessary | X | |||||
| 3.14.4.5 | Disable Dynamic Updates if Possible | X | |||||
| 3.15 | FTP Server | ||||||
| 3.15.1 | Disable vsftpd if Possible | X | |||||
| 3.15.2 | Use vsftpd to Provide FTP Service if Necessary | X | |||||
| 3.15.3 | Configure vsftpd Securely | ||||||
| 3.15.3.1 | Enable Logging of All FTP Transactions | TD | |||||
| 3.15.3.2 | Create Warning Banners for All FTP Users | TD | |||||
| 3.15.3.3 | Restrict the Set of Users Allowed to Access FTP | ||||||
| 3.15.3.3.1 | Restrict Access to Anonymous Users if Possible | TD | |||||
| 3.15.3.3.2 | Limit Users Allowed FTP Accesss if Necessary | X | |||||
| 3.15.3.4 | Disable FTP Uploads if Possible | TD | yes | assume upload not required | |||
| 3.15.3.5 | Place the FTP Home Directory on its Own Partition | X | |||||
| 3.15.3.6 | Configure Firewalls to Protect the FTP Server | TD | |||||
| 3.16 | Web Server | ||||||
| 3.16.1 | Disable Apache if Possible | X | |||||
| 3.16.2 | Install Apache if Necessary | ||||||
| 3.16.2.1 | Install Apache Software Safely | X | |||||
| 3.16.2.2 | Confirm Minimal Built-in Modules | report | |||||
| 3.16.3 | Secure the Apache Configuration | ||||||
| 3.16.3.1 | Restrict Information Leakage | TD | |||||
| 3.16.3.2 | Minimize Loadable Modules | report | |||||
| 3.16.3.2.1 | Apache Core Modules | TD | |||||
| 3.16.3.2.2 | HTTP Basic Authentication | TD | |||||
| 3.16.3.2.3 | HTTP Digest Authentication | TD | |||||
| 3.16.3.2.4 | mod_rewrite | TD | |||||
| 3.16.3.2.5 | LDAP Support | TD | |||||
| 3.16.3.2.6 | Server Side Includes | TD | |||||
| 3.16.3.2.7 | MIME Magic | TD | |||||
| 3.16.3.2.8 | WebDAV (Distributed Authoring and Versioning) | TD | |||||
| 3.16.3.2.9 | Server Activity Status | TD | |||||
| 3.16.3.2.10 | Web Server Configuration Display | TD | |||||
| 3.16.3.2.11 | URL Correction on Misspelled Entries | TD | |||||
| 3.16.3.2.12 | User-specific directories | TD | |||||
| 3.16.3.2.13 | Proxy Support | TD | |||||
| 3.16.3.2.14 | Cache Support | TD | |||||
| 3.16.3.2.15 | CGI Support (and Related Modules) | TD | yes | enable CGI | |||
| 3.16.3.2.16 | Various Optional Components | TD | |||||
| 3.16.3.3 | Minimize Configuration Files Included | TD | yes | enable only SSL and PHP | |||
| 3.16.3.4 | Directory Restrictions | ||||||
| 3.16.3.4.1 | Restrict Root Directory | TD | |||||
| 3.16.3.4.2 | Restrict Web Directory | TD | |||||
| 3.16.3.4.3 | Restrict Other Critical Directories | X | |||||
| 3.16.3.5 | Configure Authentication if Applicable | X | |||||
| 3.16.3.6 | Limit Available Methods | TD | |||||
| 3.16.4 | Use Appropriate Modules to Improve Apache’s Security | ||||||
| 3.16.4.1 | Deploy mod ssl | X | |||||
| 3.16.4.2 | Deploy mod security | TD | add | ||||
| 3.16.4.3 | Use Denial-of-Service Protection Modules | X | |||||
| 3.16.4.4 | Configure Supplemental Modules Appropriately | X | |||||
| 3.16.5 | Configure Operating System to Protect Web Server | ||||||
| 3.16.5.1 | Restrict File and Directory Access | TD | |||||
| 3.16.5.2 | Configure iptables to Allow Access to the Web Server | TD | |||||
| 3.16.5.3 | Run Apache in a chroot Jail if Possible | X | |||||
| 3.16.6 | Additional Resources | ||||||
| 3.17 | IMAP and POP3 Server | ||||||
| 3.17.1 | Disable Dovecot if Possible | X | |||||
| 3.17.2 | Configure Dovecot if Necessary | ||||||
| 3.17.2.1 | Support Only the Necessary Protocols | X | |||||
| 3.17.2.2 | Enable SSL Support | X | |||||
| 3.17.2.3 | Enable Dovecot Options to Protect Against Code Flaws | TD | |||||
| 3.17.2.4 | Allow IMAP Clients to Access the Server | TD | |||||
| 3.18 | Samba (SMB) Microsoft Windows File Sharing Server | ||||||
| 3.18.1 | Disable Samba if Possible | X | |||||
| 3.18.2 | Configure Samba if Necessary | ||||||
| 3.18.2.1 | Testing the Samba Configuration File | report | |||||
| 3.18.2.2 | Choosing the Appropriate security Parameter | X | |||||
| 3.18.2.3 | Disable Guest Access and Local Login Support | TD | |||||
| 3.18.2.4 | Disable Root Access | TD | |||||
| 3.18.2.5 | Set the Allowed Authentication Negotiation Levels | TD | |||||
| 3.18.2.6 | Let Domain Controllers Create Machine Trust Accounts On-the-Fly | TD | |||||
| 3.18.2.7 | Restrict Access to the [IPC$] Share | X | |||||
| 3.18.2.8 | Restrict File Sharing | X | |||||
| 3.18.2.9 | Restrict Printer Sharing | X | |||||
| 3.18.2.10 | Configure iptables to Allow Access to the Samba Server | X | |||||
| 3.18.3 | Avoid the Samba Web Administration Tool (SWAT) | X | |||||
| 3.19 | Proxy Server | ||||||
| 3.19.1 | Disable Squid if Possible | X | |||||
| 3.19.2 | Configure Squid if Necessary | ||||||
| 3.19.2.1 | Listen on Uncommon Port | X | |||||
| 3.19.2.2 | Verify Default Secure Settings | TD | |||||
| 3.19.2.3 | Change Default Insecure Settings | TD | |||||
| 3.19.2.4 | Configure Authentication if Applicable | X | |||||
| 3.19.2.5 | Access Control Lists (ACL) | X | |||||
| 3.19.2.6 | Configure Internet Cache Protocol (ICP) if Necessary | X | |||||
| 3.19.2.7 | Configure iptables to Allow Access to the Proxy Server | X | |||||
| 3.19.2.8 | Forward Log Messages to Syslog Daemon | TD | |||||
| 3.19.2.9 | Do Not Run as Root | X | |||||
| 3.20 | SNMP Server | ||||||
| 3.20.1 | Disable SNMP Server if Possible | X | |||||
| 3.20.2 | Configure SNMP Server if Necessary | X | |||||
| NSA SNAC Release 2 20 Dec 2007 (i731) For NSA_Lockdown Tools version 1.1-6 | Lockdown | Hardening | Mods? | Notes | ||
| 1 | 2.1.2.2 | Disable the rhnsd Daemon | X | NA for CentOS | ||
| 2 | 2.1.2.3.2 | Remove yum-updatesd | X | |||
| 3 | 2.2.2.1 | Restrict Console Device Access | TD | |||
| 4 | 2.2.2.2.1 | Disable ModprobeLoading of USB Storage Driver | X | |||
| 5 | 2.2.2.3 | Disable the Automounter if Possible | X | |||
| 6 | 2.2.2.4 | Disable GNOME Automounting if Possible | TD | Gnome | ||
| 7 | 2.2.3.1 | Verify Permissions on passwd, shadow, group and gshadow Files | X | |||
| 8 | 2.2.4.1 | Set Daemon umask | TD | |||
| 9 | 2.2.4.2 | Disable Core Dumps | TD | |||
| 10 | 2.2.4.3 | Enable ExecShield | TD | |||
| 11 | 2.3.1.1 | Restrict Root Logins to System Console | TD | |||
| 12 | 2.3.1.2 | Limit su Access to the Root Account | TD | |||
| 13 | 2.3.1.3 | Configure sudo to Improve Auditing of Root Access | TD | |||
| 14 | 2.3.1.3a | Remove all NOPASSWD Directives | TD | |||
| 15 | 2.3.1.7 | Set Password Expiration Parameters | TD | yes | change must be manual | |
| 16 | 2.3.1.8 | Remove Legacy ’+’ Entries from Password Files | TD | |||
| 17 | 2.3.3.1 | Set Password Quality Requirements | TD | |||
| 18 | 2.3.3.2 | Set Lockouts for Failed Password Attempts | TD | add reset to cron? | ||
| 19 | 2.3.4.2 | Ensure that User Home Directories are not Group-Writable or World-Readable | X | |||
| 20 | 2.3.4.3 | Ensure that User Dot-Files are not World-writable | X | |||
| 21 | 2.3.4.4 | Ensure that Users Have Sensible Umask Values | TD | |||
| 22 | 2.3.5.2 | Set Boot Loader Password | X | yes | set permissions only | |
| 23 | 2.3.5.3 | Require Authentication for Single-User Mode | X | |||
| 24 | 2.3.5.4 | Disable Interactive Boot | X | |||
| 25 | 2.3.5.5 | Implement Inactivity Time-out for Login Shells | TD | |||
| 26 | 2.3.5.6.1 | Configure Screen Locking GUI | TD | Gnome | ||
| 27 | 2.4.3.1 | Disable and Remove SETroubleshoot if Possible | X | |||
| 28 | 2.4.3.2 | Disable MCS Translation Service (mcstrans) if Possible | X | |||
| 29 | 2.4.3.3 | Restorecon Service (restorecond) | X | keep as per 3.1.2 | ||
| 30 | 2.5.1.1 | Network Parameters for Hosts Only | X | |||
| 31 | 2.5.2.2.3 | Disable Wireless Through Software Configuration | TD | |||
| 32 | 2.5.3.1.1 | Disable Support for IPv6 unless Needed | X | |||
| 33 | 2.5.3.1.2 | Disable Interface Usage of IPv6 | X | yes | mod /etc/sysconfig/network only | |
| 34 | 2.5.5.1a | Disable Ip6tables | X | yes | assume IPv6 disabled as per 2.5.3.1.1 | |
| 35 | 2.5.5.3.1 | Change Default Policies | TD | |||
| 36 | 2.5.5.3.2 | Restrict ICMP Message Types | TD | yes | Ignore ICMPv6 rules | |
| 37 | 2.5.5.3.3 | Remove IPsec Rules | TD | |||
| 38 | 2.5.5.3.4 | Log and Drop Packets with Suspicious Source Addresses | TD | |||
| 39 | 2.6.1.1 | Ensure All Important Messages are Captured | TD | |||
| 40 | 2.6.1.2 | Confirm Existence and Permissions of System Log Files | TD | |||
| 41 | 2.6.1.4 | Enable syslogd to Accept Remote Messages on Loghosts Only | TD | yes | assume log client only | |
| 42 | 2.6.1.5 | Ensure All Logs are Rotated by logrotate | TD | |||
| 43 | 3.1.2 | Guidance on Default Services | X | yes | keep ia32 microcode_ctl | |
| 44 | 3.2.1 | Inetd and Xinetd | X | |||
| 45 | 3.2.2 | Telnet | X | |||
| 46 | 3.2.3.1 | Remove the Rsh Server Commands from the System | X | |||
| 47 | 3.2.4 | NIS | X | |||
| 48 | 3.2.5 | TFTP Server | X | |||
| 49 | 3.3.1 | Installation Helper Service (firstboot) | X | |||
| 50 | 3.3.2 | Console Mouse Service (gpm) | X | |||
| 51 | 3.3.3 | Interrupt Distribution on Multiprocessor Systems (irqbalance) | X | yes | remove - assume single CPU | |
| 52 | 3.3.4 | ISDN Support (isdn) | X | |||
| 53 | 3.3.5 | Kdump Kernel Crash Analyzer (kdump) | X | |||
| 54 | 3.3.6 | Kudzu Hardware Probing Utility (kudzu) | X | |||
| 55 | 3.3.7 | Software RAID Monitor (mdmonitor) | X | |||
| 56 | 3.3.8 | IA32 Microcode Utility (microcode ctl) | X | yes | keep - assume IA32 target | |
| 57 | 3.3.9.3 | Disable Zeroconf Networking | X | |||
| 58 | 3.3.10 | Smart Card Support (pcscd) | X | |||
| 59 | 3.3.11 | SMART Disk Monitoring Support (smartd) | X | keep - assume SMART drives | ||
| 60 | 3.3.12 | Boot Caching (readahead early/readahead later) | X | |||
| 61 | 3.3.13.1 | D-Bus IPC Service (messagebus) | X | |||
| 62 | 3.3.13.2.1 | HAL Daemon (haldaemon) | X | |||
| 63 | 3.3.14.1 | Bluetooth Host Controller Interface Daemon (bluetooth) | X | |||
| 64 | 3.3.14.2 | Bluetooth Input Devices (hidd) | X | |||
| 65 | 3.3.14.3 | Disable Bluetooth Kernel Modules | TD | |||
| 66 | 3.3.15.1 | Advanced Power Management Subsystem (apmd) | X | |||
| 67 | 3.3.15.2 | Advanced Configuration and Power Interface (acpid) | X | keep | ||
| 68 | 3.3.15.3 | CPU Throttling (cpuspeed) | X | keep | ||
| 69 | 3.4 | Cron and At Daemons | X | yes | disable atd | |
| 70 | 3.4.1 | Disable anacron if Possible | X | |||
| 71 | 3.4.2 | Restrict Permissions on Files Used by cron | TD | yes | cron only | |
| 72 | 3.5.2.1 | Ensure Only Protocol 2 Connections Allowed | TD | |||
| 73 | 3.5.2.3 | Set Idle Timeout Interval for User Logins | TD | |||
| 74 | 3.5.2.4 | Disable .rhosts Files | TD | |||
| 75 | 3.5.2.5 | Disable Host-Based Authentication | TD | |||
| 76 | 3.5.2.6 | Disable root Login via SSH | TD | |||
| 77 | 3.5.2.7 | Disable Empty Passwords | TD | |||
| 78 | 3.6.1.1 | Disable X Windows at System Boot | TD | |||
| 79 | 3.6.1.2 | Remove X Windows from the System if Possible | TD | |||
| 80 | 3.6.1.3.1 | Disable X Font Server xfs | X | |||
| 81 | 3.6.1.3.2 | Disable X Window System Listening | TD | |||
| 82 | 3.7.1.1 | Disable Avahi Server Software | X | |||
| 83 | 3.7.1.2 | Remove Avahi Server iptables Firewall Exception | TD | |||
| 84 | 3.7.2.1 | Serve Only via Required Protocol | TD | |||
| 85 | 3.7.2.2 | Check Responses’ TTL Field | TD | |||
| 86 | 3.7.2.3 | Prevent Other Programs from Using Avahi’s Port | TD | |||
| 87 | 3.7.2.4 | Disable Publishing if Possible | TD | |||
| 88 | 3.7.2.5 | Restrict Published Information | TD | |||
| 89 | 3.8.1 | Disable the CUPS Service if Possible | X | |||
| 90 | 3.8.2 | Disable Firewall Access to Printing Service if Possible | TD | |||
| 91 | 3.8.3.1.1 | Disable Printer Browsing Entirely if Possible | TD | |||
| 92 | 3.8.3.2 | Disable Print Server Capabilities if Possible | TD | |||
| 93 | 3.8.4.1 | Disable HPLIP Service if Possible | X | |||
| 94 | 3.9.3 | Disable DHCP Server if possible | X | |||
| 95 | 3.9.4.1 | Do Not Use Dynamic DNS | TD | |||
| 96 | 3.9.4.2 | Deny Decline Messages | TD | |||
| 97 | 3.9.4.3 | Deny BOOTP Queries | TD | |||
| 98 | 3.9.4.5 | Configure Logging 2.6.1.1 | TD | |||
| 99 | 3.10.2.1.2 | Run NTP using Cron | TD | |||
| 100 | 3.10.2.2.1 | Enable the NTP Daemon | TD | |||
| 101 | 3.10.2.2.2 | Deny All Access to ntpd by Default | TD | |||
| 102 | 3.11.2.1 | Disable the Listening Sendmail Daemon | TD | |||
| 103 | 3.11.4.5 | Verify System Logging and Log Permissions for Mail | TD | |||
| 104 | 3.11.5.1 | Limit Denial of Service Attacks | TD | |||
| 105 | 3.12.3.7 | Correct Permissions on LDAP Server Files | TD | |||
| 106 | 3.12.3.9 | Configure Logging for LDAP | TD | |||
| 107 | 3.13.1.1 | Disable Services Used Only by NFS | X | |||
| 108 | 3.13.1.2 | Disable netfs if Possible | X | |||
| 109 | 3.13.1.3 | Disable RPC Portmapper if Possible | X | |||
| 110 | 3.13.3.1 | Disable NFS Server Daemons | X | |||
| 111 | 3.13.4.1.2 | Use Root-Squashing on All Exports | TD | |||
| 112 | 3.13.4.1.3 | Restrict NFS Clients to Privileged Ports | TD | |||
| 113 | 3.14.1 | Disable DNS Server if Possible | X | |||
| 114 | 3.15.1 | Disable vsftpd if Possible | X | |||
| 115 | 3.15.3.1 | Enable Logging of All FTP Transactions | TD | |||
| 116 | 3.15.3.2 | Create Warning Banners for All FTP Users | TD | |||
| 117 | 3.15.3.3.1 | Restrict Access to Anonymous Users if Possible | TD | |||
| 118 | 3.15.3.4 | Disable FTP Uploads if Possible | TD | yes | assume upload not required | |
| 119 | 3.15.3.6 | Configure Firewalls to Protect the FTP Server | TD | |||
| 120 | 3.16.1 | Disable Apache if Possible | X | |||
| 121 | 3.16.3.1 | Restrict Information Leakage | TD | |||
| 122 | 3.16.3.2.1 | Apache Core Modules | TD | |||
| 123 | 3.16.3.2.2 | HTTP Basic Authentication | TD | |||
| 124 | 3.16.3.2.3 | HTTP Digest Authentication | TD | |||
| 125 | 3.16.3.2.4 | mod_rewrite | TD | |||
| 126 | 3.16.3.2.5 | LDAP Support | TD | |||
| 127 | 3.16.3.2.6 | Server Side Includes | TD | |||
| 128 | 3.16.3.2.7 | MIME Magic | TD | |||
| 129 | 3.16.3.2.8 | WebDAV (Distributed Authoring and Versioning) | TD | |||
| 130 | 3.16.3.2.9 | Server Activity Status | TD | |||
| 131 | 3.16.3.2.10 | Web Server Configuration Display | TD | |||
| 132 | 3.16.3.2.11 | URL Correction on Misspelled Entries | TD | |||
| 133 | 3.16.3.2.12 | User-specific directories | TD | |||
| 134 | 3.16.3.2.13 | Proxy Support | TD | |||
| 135 | 3.16.3.2.14 | Cache Support | TD | |||
| 136 | 3.16.3.2.15 | CGI Support (and Related Modules) | TD | yes | enable CGI | |
| 137 | 3.16.3.2.16 | Various Optional Components | TD | |||
| 138 | 3.16.3.3 | Minimize Configuration Files Included | TD | yes | enable only SSL and PHP | |
| 139 | 3.16.3.4.1 | Restrict Root Directory | TD | |||
| 140 | 3.16.3.4.2 | Restrict Web Directory | TD | |||
| 141 | 3.16.3.6 | Limit Available Methods | TD | |||
| 142 | 3.16.4.2 | Deploy mod security | TD | add | ||
| 143 | 3.16.5.1 | Restrict File and Directory Access | TD | |||
| 144 | 3.16.5.2 | Configure iptables to Allow Access to the Web Server | TD | |||
| 145 | 3.17.1 | Disable Dovecot if Possible | X | |||
| 146 | 3.17.2.3 | Enable Dovecot Options to Protect Against Code Flaws | TD | |||
| 147 | 3.17.2.4 | Allow IMAP Clients to Access the Server | TD | |||
| 148 | 3.18.1 | Disable Samba if Possible | X | |||
| 149 | 3.18.2.3 | Disable Guest Access and Local Login Support | TD | |||
| 150 | 3.18.2.4 | Disable Root Access | TD | |||
| 151 | 3.18.2.5 | Set the Allowed Authentication Negotiation Levels | TD | |||
| 152 | 3.18.2.6 | Let Domain Controllers Create Machine Trust Accounts On-the-Fly | TD | |||
| 153 | 3.19.1 | Disable Squid if Possible | X | |||
| 154 | 3.19.2.2 | Verify Default Secure Settings | TD | |||
| 155 | 3.19.2.3 | Change Default Insecure Settings | TD | |||
| 156 | 3.19.2.8 | Forward Log Messages to Syslog Daemon | TD | |||
| 157 | 3.20.1 | Disable SNMP Server if Possible | X |
| NSA SNAC Release 2 20 Dec 2007 (i731) | Core | GUI | VM | Xen | Notes | |
| 2 | System-wide Configuration | |||||
| 2.1 | Installing and Maintaining Software | |||||
| 2.1.1 | Initial Installation Recommendations | X | X | X | X | Use Kickstart |
| 2.1.1.1 | Disk Partitioning | Not Supported | ||||
| 2.1.1.2 | Boot Loader Configuration 2.3.5.2 | TD | TD | TD | TD | Encrypt password |
| 2.1.1.3 | Network Devices 3.9.1 | X | X | X | X | No DHCP |
| 2.1.1.4 | Root Password | TD | TD | TD | TD | Stronger password |
| 2.1.1.5 | Software Packages | X | X | X | X | |
| 2.1.1.6 | First-boot Configuration | X | X | X | X | SELinux, Firewall, OJ user |
| 2.1.2 | Updating Software | |||||
| 2.1.2.1 | Configure Connection to the RHN RPM Repositories | Not Supported for CentOS | ||||
| 2.1.2.2 | Disable the rhnsd Daemon | Not Supported for CentOS | ||||
| 2.1.2.3 | Obtain Software Package Updates with yum | |||||
| 2.1.2.3.2 | Remove yum-updatesd | X | X | X | X | |
| 2.1.2.3.2a | Add cron entry for daily yum run | |||||
| 2.1.3 | Software Integrity Checking | |||||
| 2.1.3.1 | Configure AIDE | |||||
| 2.2 | File Permissions and Masks | |||||
| 2.2.1 | Restrict Partition Mount Options | |||||
| 2.2.1.1 | Add nodev Option to Non-Root Local Partitions | |||||
| 2.2.1.2 | Add nodev, nosuid, and noexec Options to Removable Media Partitions | |||||
| 2.2.2 | Restrict Dynamic Mounting and Unmounting of Filesystems | |||||
| 2.2.2.1 | Restrict Console Device Access | TD | TD | TD | TD | |
| 2.2.2.2 | Disable USB Device Support | |||||
| 2.2.2.2.1 | Disable ModprobeLoading of USB Storage Driver | X | X | X | X | |
| 2.2.2.3 | Disable the Automounter if Possible | X | X | X | X | |
| 2.2.2.4 | Disable GNOME Automounting if Possible | N/A | TD | N/A | N/A | |
| 2.2.3 | Verify Permissions on Important Files and Directories | |||||
| 2.2.3.1 | Verify Permissions on passwd, shadow, group and gshadow Files | X | X | X | X | |
| 2.2.3.2 | Verify that All World-Writable Directories Have Sticky Bits Set | report | report | report | report | |
| 2.2.3.3 | Find Unauthorized World-Writable Files | report | report | report | report | |
| 2.2.3.4 | Find Unauthorized SUID/SGID System Executables | report | report | report | report | |
| 2.2.3.5 | Find and Repair Unowned Files | report | report | report | report | |
| 2.2.4 | Restrict Programs from Dangerous Execution Patterns | |||||
| 2.2.4.1 | Set Daemon umask | TD | TD | TD | TD | |
| 2.2.4.2 | Disable Core Dumps | TD | TD | TD | TD | |
| 2.2.4.3 | Enable ExecShield | TD | TD | TD | TD | |
| 2.2.4.4 | Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems | report | report | report | report | |
| 2.3 | Account and Access Control | |||||
| 2.3.1 | Protect Accounts by Restricting Password-Based Login | |||||
| 2.3.1.1 | Restrict Root Logins to System Console | TD | TD | TD | TD | |
| 2.3.1.2 | Limit su Access to the Root Account | TD | TD | TD | TD | |
| 2.3.1.3 | Configure sudo to Improve Auditing of Root Access | TD | TD | TD | TD | |
| 2.3.1.3a | Remove all NOPASSWD Directives | TD | TD | TD | TD | |
| 2.3.1.4 | Block Shell and Login Access for Non-Root System Accounts | man | man | man | man | |
| 2.3.1.5 | Verify that No Accounts Have Empty Password Fields | report | report | report | report | |
| 2.3.1.6 | Verify that No Non-Root Accounts Have UID 0 | report | report | report | report | |
| 2.3.1.7 | Set Password Expiration Parameters | TD | TD | TD | TD | |
| 2.3.1.8 | Remove Legacy ’+’ Entries from Password Files | TD | TD | TD | TD | |
| 2.3.2 | Use Unix Groups to Enhance Security | |||||
| 2.3.2.1 | Create a Unique Default Group for Each User | man | man | man | man | |
| 2.3.2.2 | Create and Maintain a Group Containing All Human Users | man | man | man | man | |
| 2.3.3 | Protect Accounts by Configuring PAM | |||||
| 2.3.3.1 | Set Password Quality Requirements | TD | TD | TD | TD | |
| 2.3.3.2 | Set Lockouts for Failed Password Attempts | TD | TD | TD | TD | |
| 2.3.3.3 | Use pam deny.so to Quickly Deny Access to a Service | man | man | man | man | |
| 2.3.3.4 | Restrict Execution of userhelper to Console Users | man | man | man | man | |
| 2.3.4 | Secure Session Configuration Files for Login Accounts | |||||
| 2.3.4.1 | Ensure that No Dangerous Directories Exist in Root’s Path | man | man | man | man | |
| 2.3.4.2 | Ensure that User Home Directories are not Group-Writable or World-Readable | X | X | X | X | |
| 2.3.4.3 | Ensure that User Dot-Files are not World-writable | X | X | X | X | |
| 2.3.4.4 | Ensure that Users Have Sensible Umask Values | TD | TD | TD | TD | |
| 2.3.4.5 | Ensure that Users do not Have .netrc Files | report | report | report | report | |
| 2.3.5 | Protect Physical Console Access | |||||
| 2.3.5.1 | Set BIOS Password | man | man | man | man | |
| 2.3.5.2 | Set Boot Loader Password | X | X | X | X | |
| 2.3.5.3 | Require Authentication for Single-User Mode | X | X | X | X | |
| 2.3.5.4 | Disable Interactive Boot | X | X | X | X | |
| 2.3.5.5 | Implement Inactivity Time-out for Login Shells | TD | TD | TD | TD | |
| 2.3.5.6 | Configure Screen Locking | |||||
| 2.3.5.6.1 | Configure Screen Locking GUI | TD | TD | TD | TD | |
| 2.3.5.6.2 | Configure Screen Locking Console | man | man | man | man | |
| 2.3.6 | Use a Centralized Authentication Service | man | man | man | man | |
| 2.3.7 | Warning Banners for System Accesses | |||||
| 2.3.7.1 | Modify the System Login Banner | man | man | man | man | |
| 2.3.7.2 | Implement a GUI Warning Banner | man | man | man | man | |
| 2.4 | SELinux | |||||
| 2.4.1 | How SELinux Works | |||||
| 2.4.2 | Enable SELinux | report | report | report | report | |
| 2.4.3 | Disable Unnecessary SELinux Daemons | |||||
| 2.4.3.1 | Disable and Remove SETroubleshoot if Possible | X | X | X | X | |
| 2.4.3.2 | Disable MCS Translation Service (mcstrans) if Possible | X | X | X | X | |
| 2.4.3.3 | Restorecon Service (restorecond) | X | X | X | X | |
| 2.4.4 | Check for Unconfined Daemons | report | report | report | report | |
| 2.4.5 | Debugging SELinux Policy Errors | |||||
| 2.4.6 | Further Strengthening | |||||
| 2.4.6.1 | Strengthen the Default SELinux Boolean Configuration | |||||
| 2.4.6.2 | Use a Stronger Policy | |||||
| 2.4.7 | SELinux References | |||||
| 2.5 | Network Configuration and Firewalls | |||||
| 2.5.1 | Kernel Parameters which Affect Networking | |||||
| 2.5.1.1 | Network Parameters for Hosts Only | X | X | X | X | |
| 2.5.1.2 | Network Parameters for Hosts and Routers | |||||
| 2.5.2 | Wireless Networking | |||||
| 2.5.2.1 | Remove Wireless Hardware if Possible | man | man | man | man | |
| 2.5.2.2.3 | Disable Wireless Through Software Configuration | TD | TD | TD | TD | |
| 2.5.3 | IPv6 | |||||
| 2.5.3.1.1 | Disable Support for IPv6 unless Needed | X | X | X | X | |
| 2.5.3.1.2 | Disable Interface Usage of IPv6 | X | X | X | X | |
| 2.5.3.2 | Configure IPv6 Settings if Necessary | man | man | man | man | |
| 2.5.4 | TCP Wrapper | |||||
| 2.5.4.1 | How TCP Wrapper Protects Services | |||||
| 2.5.4.2 | Reject All Connections From Other Hosts if Appropriate | man | man | man | man | |
| 2.5.4.3 | Allow Connections Only From Hosts in This Domain if Appropriate | man | man | man | man | |
| 2.5.4.4 | Monitor Syslog for Relevant Connections and Failures | man | man | man | man | |
| 2.5.4.5 | Further Resources | |||||
| 2.5.5 | Iptables and Ip6tables | X | X | X | X | |
| 2.5.5.1 | Inspect and Activate Default Rules | report | report | report | report | |
| 2.5.5.1a | Disable Ip6tables | X | X | X | X | |
| 2.5.5.2 | Understand the Default Ruleset | man | man | man | man | |
| 2.5.5.3 | Strengthen the Default Ruleset | |||||
| 2.5.5.3.1 | Change Default Policies | TD | TD | TD | TD | |
| 2.5.5.3.2 | Restrict ICMP Message Types | TD | TD | TD | TD | |
| 2.5.5.3.3 | Remove IPsec Rules | TD | TD | TD | TD | |
| 2.5.5.3.4 | Log and Drop Packets with Suspicious Source Addresses | TD | TD | TD | TD | |
| 2.5.5.3.5 | Log and Drop All Other Packets | man | man | man | man | |
| 2.5.5.4 | Further Strengthening | |||||
| 2.5.5.5 | Further Resources | |||||
| 2.5.6 | Secure Sockets Layer Support | |||||
| 2.5.6.1 | Create a CA to Sign Certificates | man | man | man | man | |
| 2.5.6.2 | Create SSL Certificates for Servers | man | man | man | man | |
| 2.5.6.3 | Enable Client Support | man | man | man | man | |
| 2.5.6.4 | Further Resources | |||||
| 2.6 | Logging and Auditing | |||||
| 2.6.1 | Configure Syslog | X | X | X | X | |
| 2.6.1.1 | Ensure All Important Messages are Captured | TD | TD | TD | TD | |
| 2.6.1.2 | Confirm Existence and Permissions of System Log Files | TD | TD | TD | TD | |
| 2.6.1.3 | Send Logs to a Remote Loghost | man | man | man | man | |
| 2.6.1.4 | Enable syslogd to Accept Remote Messages on Loghosts Only | TD | TD | TD | TD | |
| 2.6.1.5 | Ensure All Logs are Rotated by logrotate | TD | TD | TD | TD | |
| 2.6.1.6 | Monitor Suspicious Log Messages using Logwatch | man | man | man | man | |
| 2.6.2 | System Accounting with auditd | |||||
| 2.6.2.1 | Enable the auditd Service | man | man | man | man | |
| 2.6.2.2 | Use aureport to Summarize Audit Logs | man | man | man | man | |
| 2.6.2.3 | Configure auditd for Sites with Further Auditing Requirements | man | man | man | man | |
| 3 | Services | |||||
| 3.1 | Disable All Unneeded Services at Boot Time | |||||
| 3.1.1 | Determine which Services are Enabled at Boot | report | report | report | report | |
| 3.1.2 | Guidance on Default Services | X | X | X | X | |
| 3.1.3 | Guidance for Unfamiliar Services | man | man | man | man | |
| 3.2 | Obsolete Services | |||||
| 3.2.1 | Inetd and Xinetd | X | X | X | X | |
| 3.2.2 | Telnet | X | X | X | X | |
| 3.2.3 | Rlogin, Rsh, and Rcp | |||||
| 3.2.3.1 | Remove the Rsh Server Commands from the System | X | X | X | X | |
| 3.2.3.2 | Remove .rhosts Support from PAM Configuration Files | report | report | report | report | |
| 3.2.4 | NIS | X | X | X | X | |
| 3.2.5 | TFTP Server | X | X | X | X | |
| 3.3 | Base Services | |||||
| 3.3.1 | Installation Helper Service (firstboot) | X | X | X | X | |
| 3.3.2 | Console Mouse Service (gpm) | X | X | X | X | |
| 3.3.3 | Interrupt Distribution on Multiprocessor Systems (irqbalance) | X | X | X | X | |
| 3.3.4 | ISDN Support (isdn) | X | X | X | X | |
| 3.3.5 | Kdump Kernel Crash Analyzer (kdump) | X | X | X | X | |
| 3.3.6 | Kudzu Hardware Probing Utility (kudzu) | X | X | X | X | |
| 3.3.7 | Software RAID Monitor (mdmonitor) | X | X | X | X | |
| 3.3.8 | IA32 Microcode Utility (microcode ctl) | X | X | X | X | |
| 3.3.9 | Network Service (network) | |||||
| 3.3.9.1 | Disable All Networking if Not Needed | X | X | X | X | |
| 3.3.9.2 | Disable All External Network Interfaces if Not Needed | man | man | man | man | |
| 3.3.9.3 | Disable Zeroconf Networking | X | X | X | X | |
| 3.3.10 | Smart Card Support (pcscd) | X | X | X | X | |
| 3.3.11 | SMART Disk Monitoring Support (smartd) | X | X | X | X | |
| 3.3.12 | Boot Caching (readahead early/readahead later) | X | X | X | X | |
| 3.3.13 | Application Support Services | |||||
| 3.3.13.1 | D-Bus IPC Service (messagebus) | X | X | X | X | |
| 3.3.13.2.1 | HAL Daemon (haldaemon) | X | X | X | X | |
| 3.3.14 | Bluetooth Support | |||||
| 3.3.14.1 | Bluetooth Host Controller Interface Daemon (bluetooth) | X | X | X | X | |
| 3.3.14.2 | Bluetooth Input Devices (hidd) | X | X | X | X | |
| 3.3.14.3 | Disable Bluetooth Kernel Modules | TD | TD | TD | TD | |
| 3.3.15 | Power Management Support | |||||
| 3.3.15.1 | Advanced Power Management Subsystem (apmd) | X | X | X | X | |
| 3.3.15.2 | Advanced Configuration and Power Interface (acpid) | X | X | X | X | |
| 3.3.15.3 | CPU Throttling (cpuspeed) | X | X | X | X | |
| 3.4 | Cron and At Daemons | X | X | X | X | |
| 3.4.1 | Disable anacron if Possible | X | X | X | X | |
| 3.4.2 | Restrict Permissions on Files Used by cron | TD | TD | TD | TD | |
| 3.4.3 | Restrict at and cron to Authorized Users | man | man | man | man | |
| 3.5 | SSH Server | |||||
| 3.5.1 | Disable OpenSSH Server if Possible | |||||
| 3.5.1.1 | Disable and Remove OpenSSH Software | skip | 0 | 0 | ||
| 3.5.1.2 | Remove SSH Server iptables Firewall Exception | skip | 0 | 0 | ||
| 3.5.2 | Configure OpenSSH Server if Necessary | |||||
| 3.5.2.1 | Ensure Only Protocol 2 Connections Allowed | TD | TD | TD | TD | |
| 3.5.2.2 | Limit Users’ SSH Access | man | man | man | man | |
| 3.5.2.3 | Set Idle Timeout Interval for User Logins | TD | TD | TD | TD | |
| 3.5.2.4 | Disable .rhosts Files | TD | TD | TD | TD | |
| 3.5.2.5 | Disable Host-Based Authentication | TD | TD | TD | TD | |
| 3.5.2.6 | Disable root Login via SSH | TD | TD | TD | TD | |
| 3.5.2.7 | Disable Empty Passwords | TD | TD | TD | TD | |
| 3.5.2.8 | Enable a Warning Banner | man | man | man | man | |
| 3.5.2.9 | Strengthen Firewall Configuration if Possible | man | man | man | man | |
| 3.6 | X Window System | |||||
| 3.6.1 | Disable X Windows if Possible | |||||
| 3.6.1.1 | Disable X Windows at System Boot | TD | TD | TD | TD | |
| 3.6.1.2 | Remove X Windows from the System if Possible | TD | TD | TD | TD | |
| 3.6.1.3 | Lock Down X Windows startx Configuration if Necessary | |||||
| 3.6.1.3.1 | Disable X Font Server xfs | X | X | X | X | |
| 3.6.1.3.2 | Disable X Window System Listening | TD | TD | TD | TD | |
| 3.6.2 | Configure X Windows if Necessary | |||||
| 3.6.2.1 | Create Warning Banners for GUI Login Users | man | man | man | man | |
| 3.7 | Avahi Server | |||||
| 3.7.1 | Disable Avahi Server if Possible | |||||
| 3.7.1.1 | Disable Avahi Server Software | X | X | X | X | |
| 3.7.1.2 | Remove Avahi Server iptables Firewall Exception | TD | TD | TD | TD | |
| 3.7.2 | Configure Avahi if Necessary | |||||
| 3.7.2.1 | Serve Only via Required Protocol | TD | TD | TD | TD | |
| 3.7.2.2 | Check Responses’ TTL Field | TD | TD | TD | TD | |
| 3.7.2.3 | Prevent Other Programs from Using Avahi’s Port | TD | TD | TD | TD | |
| 3.7.2.4 | Disable Publishing if Possible | TD | TD | TD | TD | |
| 3.7.2.5 | Restrict Published Information | TD | TD | TD | TD | |
| 3.8 | Print Support | |||||
| 3.8.1 | Disable the CUPS Service if Possible | X | X | X | X | |
| 3.8.2 | Disable Firewall Access to Printing Service if Possible | TD | TD | TD | TD | |
| 3.8.3 | Configure the CUPS Service if Necessary | |||||
| 3.8.3.1 | Limit Printer Browsing | |||||
| 3.8.3.1.1 | Disable Printer Browsing Entirely if Possible | TD | TD | TD | TD | |
| 3.8.3.1.2 | Limit Printer Browsing to a Particular Subnet if Possible | man | man | man | man | |
| 3.8.3.2 | Disable Print Server Capabilities if Possible | TD | TD | TD | TD | |
| 3.8.3.3 | Limit Access to the Web Administration Interface | man | man | man | man | |
| 3.8.3.4 | Take Further Security Measures When Appropriate | man | man | man | man | |
| 3.8.4 | The HP Linux Imaging and Printing (HPLIP) Toolkit | |||||
| 3.8.4.1 | Disable HPLIP Service if Possible | X | X | X | X | |
| 3.9 | DHCP | |||||
| 3.9.1 | Disable DHCP Client if Possible | man | man | man | man | |
| 3.9.2 | Configure DHCP Client if necessary | |||||
| 3.9.2.1 | Minimize the DHCP-Configured Options | man | man | man | man | |
| 3.9.3 | Disable DHCP Server if possible | X | X | X | X | |
| 3.9.4 | Configure the DHCP Server if necessary | |||||
| 3.9.4.1 | Do Not Use Dynamic DNS | TD | TD | TD | TD | |
| 3.9.4.2 | Deny Decline Messages | TD | TD | TD | TD | |
| 3.9.4.3 | Deny BOOTP Queries | TD | TD | TD | TD | |
| 3.9.4.4 | Minimize Served Information | man | man | man | man | |
| 3.9.4.5 | Configure Logging 2.6.1.1 | TD | TD | TD | TD | |
| 3.9.4.6 | Further Resources | |||||
| 3.10 | Network Time Protocol | |||||
| 3.10.1 | Select NTP Software | X | X | X | X | |
| 3.10.2 | Configure Reference NTP if Appropriate | |||||
| 3.10.2.1 | Configure an NTP Client | |||||
| 3.10.2.1.1 | Set Up Client NTP Configuration File | man | man | man | man | |
| 3.10.2.1.2 | Run NTP using Cron | TD | TD | TD | TD | |
| 3.10.2.2 | Configure an NTP Server | |||||
| 3.10.2.2.1 | Enable the NTP Daemon | TD | TD | TD | TD | |
| 3.10.2.2.2 | Deny All Access to ntpd by Default | TD | TD | TD | TD | |
| 3.10.2.2.3 | Specify a Remote NTP Server for Time Data | man | man | man | man | |
| 3.10.2.2.4 | Allow Legitimate NFS Clients to Access the Server | man | man | man | man | |
| 3.10.3 | Configure OpenNTPD if Appropriate | |||||
| 3.10.3.1 | Obtain NTP Software | |||||
| 3.10.3.2 | Configure an SNTP Client | |||||
| 3.10.3.3 | Configure an SNTP Server | |||||
| 3.11 | Mail Transfer Agent | |||||
| 3.11.1 | Select Mail Server Software and Configuration | X | X | X | X | |
| 3.11.2 | Configure SMTP For Mail Client | |||||
| 3.11.2.1 | Disable the Listening Sendmail Daemon | TD | TD | TD | TD | |
| 3.11.2.2 | Configure Mail Submission if Appropriate | man | man | man | man | |
| 3.11.3 | Strategies for MTA Security | |||||
| 3.11.3.1 | Use Resource Limits to Mitigate Denial of Service | man | man | man | man | |
| 3.11.3.2 | Configure SMTP Greeting Banner | man | man | man | man | |
| 3.11.3.3 | Control Mail Relaying | man | man | man | man | |
| 3.11.4 | Configure Operating System to Protect Mail Server | |||||
| 3.11.4.1 | Use Separate Hosts for External and Internal Mail if Possible | man | man | man | man | |
| 3.11.4.2 | Protect the MTA Host from User Access | man | man | man | man | |
| 3.11.4.3 | Restrict Remote Access to the Mail Spool | man | man | man | man | |
| 3.11.4.4 | Configure iptables to Allow Access to the Mail Server | man | man | man | man | |
| 3.11.4.5 | Verify System Logging and Log Permissions for Mail | TD | TD | TD | TD | |
| 3.11.4.6 | Configure SSL Certificates for Use with SMTP AUTH | man | man | man | man | |
| 3.11.5 | Configure Sendmail Server if Necessary | man | man | man | man | |
| 3.11.5.1 | Limit Denial of Service Attacks | TD | TD | TD | TD | |
| 3.11.5.2 | Configure SMTP Greeting Banner | man | man | man | man | |
| 3.11.5.3 | Control Mail Relaying | man | man | man | man | |
| 3.11.6 | Configure Postfix if Necessary | |||||
| 3.11.6.1 | Limit Denial of Service Attacks | |||||
| 3.11.6.2 | Configure SMTP Greeting Banner | |||||
| 3.11.6.3 | Control Mail Relaying | |||||
| 3.11.6.4 | Require TLS for SMTP AUTH | |||||
| 3.12 | LDAP | |||||
| 3.12.1 | Use OpenLDAP to Provide LDAP Service if Possible | |||||
| 3.12.2 | Configure OpenLDAP Clients | |||||
| 3.12.2.1 | Configure the Appropriate LDAP Parameters for the Domain | man | man | man | man | |
| 3.12.2.2 | Configure LDAP to Use TLS for All Transactions | man | man | man | man | |
| 3.12.2.3 | Configure Authentication Services to Use OpenLDAP | man | man | man | man | |
| 3.12.3 | Configure OpenLDAP Server | |||||
| 3.12.3.1 | Install OpenLDAP Server RPM | man | man | man | man | |
| 3.12.3.2 | Configure Domain-Specific Parameters | |||||
| 3.12.3.3 | Configure an LDAP Root Password | |||||
| 3.12.3.4 | Configure the LDAP Server to Require TLS for All Transactions | |||||
| 3.12.3.5 | Install Account Information into the LDAP Database | |||||
| 3.12.3.6 | Configure slapd to Protect Authentication Information | |||||
| 3.12.3.7 | Correct Permissions on LDAP Server Files | TD | TD | TD | TD | |
| 3.12.3.8 | Configure iptables to Allow Access to the LDAP Server | |||||
| 3.12.3.9 | Configure Logging for LDAP | TD | TD | TD | TD | |
| 3.13 | NFS and RPC | |||||
| 3.13.1 | Disable All NFS Services if Possible | |||||
| 3.13.1.1 | Disable Services Used Only by NFS | X | X | X | X | |
| 3.13.1.2 | Disable netfs if Possible | X | X | X | X | |
| 3.13.1.3 | Disable RPC Portmapper if Possible | X | X | X | X | |
| 3.13.2 | Configure All Machines which Use NFS | |||||
| 3.13.2.1 | Make Each Machine a Client or a Server, not Both | man | man | man | man | |
| 3.13.2.2 | Restrict Access to the Portmapper | man | man | man | man | |
| 3.13.2.3 | Configure NFS Services to Use Fixed Ports | man | man | man | man | |
| 3.13.3 | Configure NFS Clients | |||||
| 3.13.3.1 | Disable NFS Server Daemons | X | X | X | X | |
| 3.13.3.2 | Mount Remote Filesystems with Restrictive Options 2.2.1.2 | man | man | man | man | |
| 3.13.4 | Configure NFS Servers | |||||
| 3.13.4.1 | Configure the Exports File Restrictively | |||||
| 3.13.4.1.1 | Use Access Lists to Enforce Authorization Restrictions on Mounts | man | man | man | man | |
| 3.13.4.1.2 | Use Root-Squashing on All Exports | TD | TD | TD | TD | |
| 3.13.4.1.3 | Restrict NFS Clients to Privileged Ports | TD | TD | TD | TD | |
| 3.13.4.1.4 | Export Filesystems Read-Only if Possible | report | report | report | report | |
| 3.13.4.2 | Allow Legitimate NFS Clients to Access the Server | man | man | man | man | |
| 3.14 | DNS Server | |||||
| 3.14.1 | Disable DNS Server if Possible | X | X | X | X | |
| 3.14.2 | Run the BIND9 Software if DNS Service is Needed | man | man | man | man | |
| 3.14.3 | Isolate DNS from Other Services | |||||
| 3.14.3.1 | Run DNS Software on Dedicated Servers if Possible | man | man | man | man | |
| 3.14.3.2 | Run DNS Software in a chroot Jail | man | man | man | man | |
| 3.14.3.3 | Configure Firewalls to Protect the DNS Server | man | man | man | man | |
| 3.14.4 | Protect DNS Data from Tampering or Attack | |||||
| 3.14.4.1 | Run Separate DNS Servers for External and Internal Queries if Possible | man | man | man | man | |
| 3.14.4.2 | Use Views to Partition External and Internal Information if Necessary | man | man | man | man | |
| 3.14.4.3 | Disable Zone Transfers from the Nameserver if Possible | man | man | man | man | |
| 3.14.4.4 | Authenticate Zone Transfers if Necessary | man | man | man | man | |
| 3.14.4.5 | Disable Dynamic Updates if Possible | man | man | man | man | |
| 3.15 | FTP Server | |||||
| 3.15.1 | Disable vsftpd if Possible | X | X | X | X | |
| 3.15.2 | Use vsftpd to Provide FTP Service if Necessary | man | man | man | man | |
| 3.15.3 | Configure vsftpd Securely | |||||
| 3.15.3.1 | Enable Logging of All FTP Transactions | TD | TD | TD | TD | |
| 3.15.3.2 | Create Warning Banners for All FTP Users | TD | TD | TD | TD | |
| 3.15.3.3 | Restrict the Set of Users Allowed to Access FTP | |||||
| 3.15.3.3.1 | Restrict Access to Anonymous Users if Possible | TD | TD | TD | TD | |
| 3.15.3.3.2 | Limit Users Allowed FTP Accesss if Necessary | man | man | man | man | |
| 3.15.3.4 | Disable FTP Uploads if Possible | TD | TD | TD | TD | |
| 3.15.3.5 | Place the FTP Home Directory on its Own Partition | man | man | man | man | |
| 3.15.3.6 | Configure Firewalls to Protect the FTP Server | TD | TD | TD | TD | |
| 3.16 | Web Server | |||||
| 3.16.1 | Disable Apache if Possible | X | X | X | X | |
| 3.16.2 | Install Apache if Necessary | |||||
| 3.16.2.1 | Install Apache Software Safely | man | man | man | man | |
| 3.16.2.2 | Confirm Minimal Built-in Modules | report | report | report | report | |
| 3.16.3 | Secure the Apache Configuration | |||||
| 3.16.3.1 | Restrict Information Leakage | TD | TD | TD | TD | |
| 3.16.3.2 | Minimize Loadable Modules | report | report | report | report | |
| 3.16.3.2.1 | Apache Core Modules | TD | TD | TD | TD | |
| 3.16.3.2.2 | HTTP Basic Authentication | TD | TD | TD | TD | |
| 3.16.3.2.3 | HTTP Digest Authentication | TD | TD | TD | TD | |
| 3.16.3.2.4 | mod_rewrite | TD | TD | TD | TD | |
| 3.16.3.2.5 | LDAP Support | TD | TD | TD | TD | |
| 3.16.3.2.6 | Server Side Includes | TD | TD | TD | TD | |
| 3.16.3.2.7 | MIME Magic | TD | TD | TD | TD | |
| 3.16.3.2.8 | WebDAV (Distributed Authoring and Versioning) | TD | TD | TD | TD | |
| 3.16.3.2.9 | Server Activity Status | TD | TD | TD | TD | |
| 3.16.3.2.10 | Web Server Configuration Display | TD | TD | TD | TD | |
| 3.16.3.2.11 | URL Correction on Misspelled Entries | TD | TD | TD | TD | |
| 3.16.3.2.12 | User-specific directories | TD | TD | TD | TD | |
| 3.16.3.2.13 | Proxy Support | TD | TD | TD | TD | |
| 3.16.3.2.14 | Cache Support | TD | TD | TD | TD | |
| 3.16.3.2.15 | CGI Support (and Related Modules) | TD | TD | TD | TD | |
| 3.16.3.2.16 | Various Optional Components | TD | TD | TD | TD | |
| 3.16.3.3 | Minimize Configuration Files Included | TD | TD | TD | TD | |
| 3.16.3.4 | Directory Restrictions | |||||
| 3.16.3.4.1 | Restrict Root Directory | TD | TD | TD | TD | |
| 3.16.3.4.2 | Restrict Web Directory | TD | TD | TD | TD | |
| 3.16.3.4.3 | Restrict Other Critical Directories | man | man | man | man | |
| 3.16.3.5 | Configure Authentication if Applicable | man | man | man | man | |
| 3.16.3.6 | Limit Available Methods | TD | TD | TD | TD | |
| 3.16.4 | Use Appropriate Modules to Improve Apache’s Security | |||||
| 3.16.4.1 | Deploy mod ssl | man | man | man | man | |
| 3.16.4.2 | Deploy mod security | TD | TD | TD | TD | |
| 3.16.4.3 | Use Denial-of-Service Protection Modules | man | man | man | man | |
| 3.16.4.4 | Configure Supplemental Modules Appropriately | man | man | man | man | |
| 3.16.5 | Configure Operating System to Protect Web Server | |||||
| 3.16.5.1 | Restrict File and Directory Access | TD | TD | TD | TD | |
| 3.16.5.2 | Configure iptables to Allow Access to the Web Server | TD | TD | TD | TD | |
| 3.16.5.3 | Run Apache in a chroot Jail if Possible | man | man | man | man | |
| 3.16.6 | Additional Resources | |||||
| 3.17 | IMAP and POP3 Server | |||||
| 3.17.1 | Disable Dovecot if Possible | X | X | X | X | |
| 3.17.2 | Configure Dovecot if Necessary | |||||
| 3.17.2.1 | Support Only the Necessary Protocols | man | man | man | man | |
| 3.17.2.2 | Enable SSL Support | man | man | man | man | |
| 3.17.2.3 | Enable Dovecot Options to Protect Against Code Flaws | TD | TD | TD | TD | |
| 3.17.2.4 | Allow IMAP Clients to Access the Server | TD | TD | TD | TD | |
| 3.18 | Samba (SMB) Microsoft Windows File Sharing Server | |||||
| 3.18.1 | Disable Samba if Possible | X | X | X | X | |
| 3.18.2 | Configure Samba if Necessary | |||||
| 3.18.2.1 | Testing the Samba Configuration File | report | report | report | report | |
| 3.18.2.2 | Choosing the Appropriate security Parameter | man | man | man | man | |
| 3.18.2.3 | Disable Guest Access and Local Login Support | TD | TD | TD | TD | |
| 3.18.2.4 | Disable Root Access | TD | TD | TD | TD | |
| 3.18.2.5 | Set the Allowed Authentication Negotiation Levels | TD | TD | TD | TD | |
| 3.18.2.6 | Let Domain Controllers Create Machine Trust Accounts On-the-Fly | TD | TD | TD | TD | |
| 3.18.2.7 | Restrict Access to the [IPC$] Share | man | man | man | man | |
| 3.18.2.8 | Restrict File Sharing | man | man | man | man | |
| 3.18.2.9 | Restrict Printer Sharing | man | man | man | man | |
| 3.18.2.10 | Configure iptables to Allow Access to the Samba Server | man | man | man | man | |
| 3.18.3 | Avoid the Samba Web Administration Tool (SWAT) | man | man | man | man | |
| 3.19 | Proxy Server | |||||
| 3.19.1 | Disable Squid if Possible | X | X | X | X | |
| 3.19.2 | Configure Squid if Necessary | |||||
| 3.19.2.1 | Listen on Uncommon Port | man | man | man | man | |
| 3.19.2.2 | Verify Default Secure Settings | TD | TD | TD | TD | |
| 3.19.2.3 | Change Default Insecure Settings | TD | TD | TD | TD | |
| 3.19.2.4 | Configure Authentication if Applicable | man | man | man | man | |
| 3.19.2.5 | Access Control Lists (ACL) | man | man | man | man | |
| 3.19.2.6 | Configure Internet Cache Protocol (ICP) if Necessary | man | man | man | man | |
| 3.19.2.7 | Configure iptables to Allow Access to the Proxy Server | man | man | man | man | |
| 3.19.2.8 | Forward Log Messages to Syslog Daemon | TD | TD | TD | TD | |
| 3.19.2.9 | Do Not Run as Root | man | man | man | man | |
| 3.20 | SNMP Server | |||||
| 3.20.1 | Disable SNMP Server if Possible | X | X | X | X | |
| 3.20.2 | Configure SNMP Server if Necessary | man | man | man | man |