`Check`,`Text`,`Issue`
`iptables_smtp_enabled`,`To configure iptables to allow port 25 traffic one must edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain: -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT`,`The test does not first check if Postfix (mail/smtp daemon) is installed and running, so any remediation will happen (incorrectly) regardless of Postfix’s existence or activity.`
`postfix_logging`,`Edit the file /etc/rsyslog.conf. Add or correct the following line if necessary (this is the default): mail.*	 -/var/log/maillog Run the following commands to ensure correct permissions on the mail log: # chown root:root /var/log/maillog # chmod 600 /var/log/maillog Ensure log will be rotated as appropriate by adding or correcting the following line if needed into the list on the first line of /etc/logrotate.d/syslog (this is the default): /var/log/maillog`,`Postfix is not even installed/running. Test should first check if Postfix is installed and/or running and PASS if neither is true.`
`postfix_server_denial_of_service`,`Edit /etc/postfix/main.cf. Add or correct the following lines: default_process_limit = 100 smtpd_client_connection_count_limit = 10 smtpd_client_connection_rate_limit = 30 queue_minfree = 20971520 header_size_limit = 51200 message_size_limit = 10485760 smtpd_recipient_limit = 100`,`Postfix is not even installed/running. Test should first check if Postfix is installed and/or running and PASS if neither is true.`
`service_netconsole_disabled`,`The netconsole service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The netconsole service can be disabled with the following command: # chkconfig netconsole off`,`Test incorrectly detects the service as enabled: it is not enabled, yet the test still fails.`
`service_rdisc_disabled`,`The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The rdisc service can be disabled with the following command: # chkconfig rdisc off`,`Test incorrectly detects the service as enabled: it is not enabled, yet the test still fails.`
`service_saslauthd_disabled`,`The saslauthd service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy authentication services to clients that do not understand SASL based authentication. The saslauthd service can be disabled with the following command: # chkconfig saslauthd off`,`Test incorrectly detects the service as enabled: it is not enabled, yet the test still fails.`
`enable_auditd_bootloader`,`To ensure that all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1`,`Test performs the check incorrectly: ‘audit=1’ is present in /etc/grub.conf, yet the test still fails.`
`console_device_restrict_access_desktop`,`If the display manager has been altered to allow remote users to log in and the host is configured to run at runlevel 5, change console as well as the xconsole directive in the /etc/security/console.perms to the following: <console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0 <xconsole>=:0\.[0-9] :0`,`Test does not evaluate the stated AND condition: the system boots to runlevel 3, yet the test still fails.`
`console_device_restrict_access_server`,`If the display manager has been altered to allow remote users to log in and the host is configured to run at runlevel 5, change console as well as the xconsole directive in the /etc/security/console.perms to the following: <console>=tty[0-9][0-9]* vc/[0-9][0-9]*`,`Test does not evaluate the stated AND condition: the system boots to runlevel 3, yet the test still fails.`
`mount_option_tmp_nodev`,`The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.`,`Test performs the check incorrectly: no option already exists correctly in /etc/fstab, yet the test still fails.`
`mount_option_tmp_noexec`,`The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.`,`Test performs the check incorrectly: no option already exists correctly in /etc/fstab, yet the test still fails.`
`mount_option_tmp_nosuid`,`The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The suid/sgid permissions should not be required in these world-writeable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.`,`Test performs the check incorrectly: no option already exists correctly in /etc/fstab, yet the test still fails.`
`mount_option_dev_shm_nodev`,`The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.`,`Test performs the check incorrectly: there is no /dev/shm entry in /etc/fstab, yet the test still fails.`
`mount_option_dev_shm_noexec`,`The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writeable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.`,`Test performs the check incorrectly: there is no /dev/shm entry in /etc/fstab, yet the test still fails.`
`mount_option_dev_shm_nosuid`,`The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The suid/sgid permissions should not be required in these world-writeable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.`,`Test performs the check incorrectly: there is no /dev/shm entry in /etc/fstab, yet the test still fails.`
