Introduction
Test Result
| Result ID | Profile | Start time | End time | Benchmark | Benchmark version |
|---|---|---|---|---|---|
| xccdf_org.open-scap_testresult_RHEL6-Default | RHEL6-Default | 2013-02-05 13:13 | 2013-02-05 13:27 | embedded | 0.2 |
Target info
| Targets | Addresses | Platforms |
|---|---|---|
| | | |
Score
| system | score | max | % | bar |
|---|---|---|---|---|
| urn:xccdf:scoring:default | 91.03 | 100.00 | 91.03% | |
| urn:xccdf:scoring:flat | 680.00 | 740.00 | 91.89% | |
Results overview
Rule Results Summary
| pass | fixed | fail | error | not selected | not checked | not applicable | informational | unknown | total |
|---|---|---|---|---|---|---|---|---|---|
| 68 | 0 | 6 | 0 | 69 | 0 | 0 | 0 | 0 | 143 |
Results details
Result for Red Hat GPG Keys are Installed
Result: pass
Rule ID: rule-1005
Time: 2013-02-05 13:13
The GPG keys should be installed.
Security identifiers
- CCE-14440-2
Result for gpgcheck is Globally Activated
Result: pass
Rule ID: rule-1007
Time: 2013-02-05 13:13
The gpgcheck option should be used to ensure that checking
of an RPM package’s signature always occurs prior to its installation.
To force yum to check package signatures before
installing them, ensure that the following line appears in
/etc/yum.conf in the [main] section:
gpgcheck=1
Security identifiers
- CCE-14914-6
Result for Package Signature Checking is Not Disabled For Any Repos
Result: fail
Rule ID: rule-1008
Time: 2013-02-05 13:13
To ensure that signature checking is not disabled for any
repos, ensure that the following line DOES NOT appear in any repo
configuration files in /etc/yum.repos.d or elsewhere:
gpgcheck=0
Security identifiers
- CCE-14813-0
Check value of gpgcheck=1 in all /etc/yum.repos.d/*
| path | content |
|---|---|
| /etc/yum.repos.d/covscan-rhel.repo | gpgcheck=0 |
| /etc/yum.repos.d/covscan-rhel.repo | gpgcheck=0 |
Result for User ownership of 'shadow' file
Result: pass
Rule ID: rule-1010
Time: 2013-02-05 13:13
Severity: medium
The /etc/shadow file should be owned by root.
Security identifiers
- CCE-3918-0
Result for Group ownership of 'shadow' file
Result: pass
Rule ID: rule-1011
Time: 2013-02-05 13:13
Severity: medium
The /etc/shadow file should be group-owned by root.
Security identifiers
- CCE-3988-3
Result for User ownership of 'group' file
Result: pass
Rule ID: rule-1012
Time: 2013-02-05 13:13
Severity: medium
The /etc/group file should be owned by root.
Security identifiers
- CCE-3276-3
Result for Group ownership of 'group' file
Result: pass
Rule ID: rule-1013
Time: 2013-02-05 13:13
Severity: medium
The /etc/group file should be group-owned by root.
Security identifiers
- CCE-3883-6
Result for User ownership of 'gshadow' file
Result: pass
Rule ID: rule-1014
Time: 2013-02-05 13:13
Severity: medium
The /etc/gshadow file should be owned by root.
Security identifiers
- CCE-4210-1
Result for Group ownership of 'gshadow' file
Result: pass
Rule ID: rule-1015
Time: 2013-02-05 13:13
Severity: medium
The /etc/gshadow file should be group-owned by root.
Security identifiers
- CCE-4064-2
Result for User ownership of 'passwd' file
Result: pass
Rule ID: rule-1016
Time: 2013-02-05 13:13
Severity: medium
The /etc/passwd file should be owned by root.
Security identifiers
- CCE-3958-6
Result for Group ownership of 'passwd' file
Result: pass
Rule ID: rule-1017
Time: 2013-02-05 13:13
Severity: medium
The /etc/passwd file should be group-owned by root.
Security identifiers
- CCE-3495-9
Result for Permissions on 'shadow' file
Result: pass
Rule ID: rule-1018
Time: 2013-02-05 13:13
Severity: medium
File permissions for /etc/shadow should be set correctly.
Security identifiers
- CCE-4130-1
Result for Permissions on 'group' file
Result: pass
Rule ID: rule-1019
Time: 2013-02-05 13:13
Severity: medium
File permissions for /etc/group should be set correctly.
Security identifiers
- CCE-3967-7
Result for Permissions on 'gshadow' file
Result: pass
Rule ID: rule-1020
Time: 2013-02-05 13:13
Severity: medium
File permissions for /etc/gshadow should be set correctly.
Security identifiers
- CCE-3932-1
Result for Permissions on 'passwd' file
Result: pass
Rule ID: rule-1021
Time: 2013-02-05 13:13
Severity: medium
File permissions for /etc/passwd should be set correctly.
Security identifiers
- CCE-3566-7
Result for All World-Writable Directories Have Sticky Bits Set
Result: fail
Rule ID: rule-1022
Time: 2013-02-05 13:14
Severity: low
The sticky bit should be set for all world-writable directories.
Security identifiers
- CCE-3399-3
Sticky bit on all world-writable directories
| path | type | UID | GID | size | permissions |
|---|---|---|---|---|---|
| /tmp/.covlk/ | directory | 0 | 0 | 4096 | rwxrwxrwx |
Result for Unauthorized World-Writable Files
Result: fail
Rule ID: rule-1023
Time: 2013-02-05 13:15
Severity: medium
The world-write permission should be disabled for all files.
Security identifiers
- CCE-3795-2
World-writable files
| path | type | UID | GID | size | permissions |
|---|---|---|---|---|---|
| /tmp/.covlk/0308000000000000.6e32080000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.ad24060000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.5722040000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.9e24060000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.a124060000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.a724060000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.bb32080000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.3e22040000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
| /tmp/.covlk/0308000000000000.a524060000000000 | regular | 0 | 0 | 1 | rw-rw-rw- |
Result for Unauthorized SGID System Executables
Result: pass
Rule ID: rule-1024
Time: 2013-02-05 13:18
Severity: medium
The sgid bit should not be set for all files.
Security identifiers
- CCE-14340-4
Result for Unauthorized SUID System Executables
Result: fail
Rule ID: rule-1025
Time: 2013-02-05 13:21
Severity: high
The suid bit should not be set for all files.
Security identifiers
- CCE-14340-4
Executable files with suid set
| path | type | UID | GID | size | permissions |
|---|---|---|---|---|---|
| /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache | regular | 173 | 173 | 10752 | rwsr-xr-x |
Result for Files unowned by any user
Result: pass
Rule ID: rule-1026
Time: 2013-02-05 13:23
Severity: medium
All files should be owned by a user.
Security identifiers
- CCE-4223-4
Result for Files unowned by any group
Result: pass
Rule ID: rule-1027
Time: 2013-02-05 13:27
Severity: medium
All files should be owned by a group.
Security identifiers
- CCE-3573-3
Result for World writable directories not owned by a system account
Result: pass
Rule ID: rule-1028
Time: 2013-02-05 13:27
Severity: medium
All world-writable directories should be owned by a system user.
Security identifiers
- CCE-14794-2
Result for Daemon umask setting
Result: pass
Rule ID: rule-1029
Time: 2013-02-05 13:27
Severity: medium
The daemon umask should be set as appropriate.
Security identifiers
- CCE-4220-0
Result for Disable Core Dumps for SUID programs
Result: pass
Rule ID: rule-1031
Time: 2013-02-05 13:27
Severity: low
Core dumps for setuid programs should be disabled.
Security identifiers
- CCE-4247-3
Result for ExecShield is enabled (runtime)
Result: pass
Rule ID: rule-1032
Time: 2013-02-05 13:27
ExecShield should be enabled.
Security identifiers
- CCE-4168-1
Result for ExecShield randomized placement of virtual memory regions is enabled (runtime)
Result: pass
Rule ID: rule-1033
Time: 2013-02-05 13:27
ExecShield randomized placement of virtual memory regions should be enabled.
Security identifiers
- CCE-4146-7
Result for Root logins to serial ports are not permitted
Result: fail
Rule ID: rule-1035
Time: 2013-02-05 13:27
Severity: medium
Root logins on serial ports should be disabled.
Security identifiers
- CCE-4256-4
Tests that ttyS[0-9]+ is not present in /etc/securetty
| path | content |
|---|---|
| /etc/securetty | ttyS0 |
Result for The 'wheel' group should exist
Result: pass
Rule ID: rule-1036
Time: 2013-02-05 13:27
Severity: medium
Ensure that the group wheel exists.
Security identifiers
- CCE-14088-9
Result for No Accounts Have Empty Password Fields
Result: pass
Rule ID: rule-1039
Time: 2013-02-05 13:27
Severity: medium
Login access to accounts without passwords should be disabled.
Security identifiers
- CCE-4238-2
Result for All Account Password Hashes are Shadowed
Result: pass
Rule ID: rule-1040
Time: 2013-02-05 13:27
Severity: medium
Check that passwords are shadowed.
Security identifiers
- CCE-14300-8
Result for No Non-Root Accounts Have UID 0
Result: pass
Rule ID: rule-1041
Time: 2013-02-05 13:27
Severity: medium
Anonymous root logins should be disabled.
Security identifiers
- CCE-4009-7
Result for Minimum password age
Result: pass
Rule ID: rule-1042
Time: 2013-02-05 13:27
Severity: medium
The minimum password age should be set appropriately.
Security identifiers
- CCE-4180-6
Result for Maximum password age
Result: pass
Rule ID: rule-1043
Time: 2013-02-05 13:27
Severity: medium
The maximum password age should be set to: 180
Security identifiers
- CCE-4092-3
Result for Password warn age
Result: pass
Rule ID: rule-1044
Time: 2013-02-05 13:27
Severity: medium
The password warn age should be set to: 7
Security identifiers
- CCE-4097-2
Result for Password retry Requirements
Result: pass
Rule ID: rule-1045
Time: 2013-02-05 13:27
Severity: medium
The password retry setting should meet minimum requirements.
Security identifiers
- CCE-15054-0
Result for No Dangerous Directories Exist in Root's PATH variable
Result: pass
Rule ID: rule-1055
Time: 2013-02-05 13:27
Severity: medium
The PATH variable should be set correctly for user root.
Security identifiers
- CCE-3301-9
Result for The PATH variable for root does not include any world-writable or group-writable directories
Result: pass
Rule ID: rule-1056
Time: 2013-02-05 13:27
Severity: medium
Check each directory in root's PATH and make sure it does not grant write permission to group or other.
Security identifiers
- CCE-14957-5
Result for The default umask for all users is set correctly in /etc/bashrc
Result: pass
Rule ID: rule-1059
Time: 2013-02-05 13:27
Severity: medium
The default umask for all users for the bash shell should be set to: 022
Security identifiers
- CCE-3844-8
Result for The default umask for all users is set correctly in /etc/csh.cshrc
Result: pass
Rule ID: rule-1060
Time: 2013-02-05 13:27
Severity: medium
The default umask for all users for the csh shell should be set to: 022
Security identifiers
- CCE-4227-5
Result for The default umask for all users is set correctly in /etc/login.defs
Result: pass
Rule ID: rule-1061
Time: 2013-02-05 13:27
Severity: medium
The default umask for all users should be set to: 077
Security identifiers
- CCE-14107-7
Result for No ~/.netrc files exist
Result: pass
Rule ID: rule-1063
Time: 2013-02-05 13:27
Severity: medium
No user's home directory should contain a .netrc file.
Result for Boot Loader user owner
Result: pass
Rule ID: rule-1064
Time: 2013-02-05 13:27
Severity: medium
Boot Loader configuration file should be owned by root.
Security identifiers
- CCE-4144-2
Result for Boot Loader group owner
Result: pass
Rule ID: rule-1065
Time: 2013-02-05 13:27
Severity: medium
Boot Loader configuration file should be owned by group root.
Security identifiers
- CCE-4197-0
Result for Permissions on boot loader
Result: pass
Rule ID: rule-1066
Time: 2013-02-05 13:27
Severity: medium
Boot Loader configuration file permissions should be set correctly.
Security identifiers
- CCE-3923-0
Result for SELinux should NOT be disabled in /boot/grub/grub.conf.
Result: pass
Rule ID: rule-1079
Time: 2013-02-05 13:27
Severity: medium
SELinux should NOT be disabled in /boot/grub/grub.conf. Check that selinux=0 is not found.
Security identifiers
- CCE-3977-6
Result for Proper SELinux state
Result: pass
Rule ID: rule-1080
Time: 2013-02-05 13:27
Severity: medium
The SELinux state should be set appropriately.
Security identifiers
- CCE-3999-0
Result for Proper SELinux policy
Result: pass
Rule ID: rule-1081
Time: 2013-02-05 13:27
Severity: medium
The SELinux policy should be set appropriately.
Security identifiers
- CCE-3624-4
Result for Disable MCS Translation Service (mcstrans) if Possible
Result: pass
Rule ID: rule-1083
Time: 2013-02-05 13:27
Severity: low
The mcstrans service should be disabled.
Security identifiers
- CCE-3668-1
Result for Accepting source routed packets for all interfaces is configured (runtime)
Result: pass
Rule ID: rule-1087
Time: 2013-02-05 13:27
Severity: medium
Accepting source routed packets should be: 0 for all interfaces as appropriate.
Security identifiers
- CCE-4236-6
Result for Accepting "secure" ICMP redirects for all interfaces is configured (runtime)
Result: pass
Rule ID: rule-1089
Time: 2013-02-05 13:27
Severity: medium
Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: 0 for all interfaces as appropriate.
Security identifiers
- CCE-3472-8
Result for Logging of "martian" packets for all interfaces is configured (runtime)
Result: pass
Rule ID: rule-1090
Time: 2013-02-05 13:27
Severity: medium
Logging of "martian" packets (those with impossible addresses) should be: 0 for all interfaces as appropriate.
Security identifiers
- CCE-4320-8
Result for Default accepting of source routed packets is configured (runtime)
Result: pass
Rule ID: rule-1091
Time: 2013-02-05 13:27
Severity: medium
The default setting for accepting source routed packets should be: 0 for all interfaces as appropriate.
Security identifiers
- CCE-4091-5
Result for Default accepting ICMP redirects is configured (runtime)
Result: pass
Rule ID: rule-1092
Time: 2013-02-05 13:27
Severity: medium
The default setting for accepting ICMP redirects should be: 0 for all interfaces as appropriate.
Security identifiers
- CCE-4186-3
Result for Default accepting of "secure" ICMP redirects is configured (runtime)
Result: pass
Rule ID: rule-1093
Time: 2013-02-05 13:27
Severity: medium
The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: 0 for all interfaces as appropriate.
Security identifiers
- CCE-3339-9
Result for Default logging of "martian" packets for all interfaces is configured (runtime)
Result: pass
Rule ID: rule-1094
Time: 2013-02-05 13:27
Severity: medium
Logging of "martian" packets (those with impossible addresses) should be: 0 for all interfaces as appropriate.
Result for Ignoring ICMP echo requests is configured (runtime)
Result: pass
Rule ID: rule-1095
Time: 2013-02-05 13:27
Severity: medium
Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be: 1 for all interfaces as appropriate.
Security identifiers
- CCE-3644-2
Result for Ignoring bogus ICMP responses is configured (runtime)
Result: pass
Rule ID: rule-1096
Time: 2013-02-05 13:27
Severity: medium
Ignoring bogus ICMP responses to broadcasts should be: 1 for all interfaces as appropriate.
Security identifiers
- CCE-4133-5
Result for Sending TCP syncookies is configured (runtime)
Result: pass
Rule ID: rule-1097
Time: 2013-02-05 13:27
Severity: medium
Sending TCP syncookies should be: 1 for all interfaces as appropriate.
Security identifiers
- CCE-4265-5
Result for The default setting for performing source validation by reverse path is configured (runtime)
Result: pass
Rule ID: rule-1099
Time: 2013-02-05 13:27
Severity: medium
The default setting for performing source validation by reverse path should be: 1 for all interfaces as appropriate.
Security identifiers
- CCE-3840-6
Result for Configure number of sent router solicitations
Result: pass
Rule ID: rule-1103
Time: 2013-02-05 13:27
Severity: medium
The default number of sent router solicitations should be: 0 for all interfaces.
Result for Configure whether to accept router preference
Result: pass
Rule ID: rule-1104
Time: 2013-02-05 13:27
Severity: medium
Router preference should be accepted by default: 0.
Result for Configure whether to accept path information
Result: pass
Rule ID: rule-1105
Time: 2013-02-05 13:27
Severity: medium
Path information should be accepted by default: 0.
Result for Configure whether to accept default router information
Result: pass
Rule ID: rule-1106
Time: 2013-02-05 13:27
Severity: medium
Default router information should be accepted by default: 0.
Result for Configure whether to autoconfigure addresses
Result: pass
Rule ID: rule-1107
Time: 2013-02-05 13:27
Severity: medium
Addresses should be autoconfigured by default: 0.
Result for Configure number of duplicate address detection probes
Result: pass
Rule ID: rule-1108
Time: 2013-02-05 13:27
Severity: medium
Number of duplicate address detection probes should be by default: 0.
Result for Configure maximum number of autoconfigured addresses
Result: pass
Rule ID: rule-1109
Time: 2013-02-05 13:27
Severity: medium
Maximum number of autoconfigured addresses should be by default: 1.
Result for ip6tables service is enabled
Result: pass
Rule ID: rule-1111
Time: 2013-02-05 13:27
Severity: high
The ip6tables service should be enabled.
Security identifiers
- CCE-4167-3
Result for iptables service is enabled
Result: pass
Rule ID: rule-1112
Time: 2013-02-05 13:27
Severity: high
The iptables service should be enabled.
Security identifiers
- CCE-4189-7
Result for Rsyslog service is enabled
Result: pass
Rule ID: rule-1120
Time: 2013-02-05 13:27
Severity: medium
The rsyslog service should be enabled.
Security identifiers
- CCE-3679-8
Result for User ownership of System Log Files
Result: pass
Rule ID: rule-1121
Time: 2013-02-05 13:27
Severity: medium
All syslog log files should be owned by user 0.
Security identifiers
- CCE-4366-1
Result for Group ownership of System Log Files
Result: pass
Rule ID: rule-1122
Time: 2013-02-05 13:27
Severity: medium
All syslog log files should be group-owned by group 0.
Security identifiers
- CCE-3701-0
Result for Rsyslog shouldn't be run in a compatibility mode
Result: fail
Rule ID: rule-1125
Time: 2013-02-05 13:27
Severity: medium
An appropriate compatibility mode, matching the daemon's current version, should be specified using the SYSLOGD_OPTION variable in /etc/sysconfig/rsyslog.
Result for All Logs are Rotated by logrotate
Result: pass
Rule ID: rule-1126
Time: 2013-02-05 13:27
Severity: medium
The logrotate (syslog rotator) service should be enabled.
Security identifiers
- CCE-4182-2
Result for Auditd service is enabled
Result: pass
Rule ID: rule-1127
Time: 2013-02-05 13:27
Severity: medium
The auditd service should be enabled.
Security identifiers
- CCE-4292-9