Characteristics

Evaluation was performed on a target called some.target.somewhere.com.

CPE Platforms

  • cpe:/o:fedoraproject:fedora:20

Addresses

  • IPv4 123.123.123.123
  • IPv4 123.123.123.124
  • IPv6 0:0:0:0:0:0:0:1

Compliance and Scoring

The system is not compliant! Please review rule results and apply remediation.
55% passed
35% failed
10% other
Scoring system Score Maximum %
urn:xccdf:scoring:default 42.71 100.00
42.71%
urn:xccdf:scoring:flat 62.71 100.00
62.71%

Rule Overview

Title Identifiers Severity Result
id_id_id_idPrelinking Disabled
  • cve 123
  • cce 321
 1low 1fail
id_id_id_id2gpgcheck Enabled In Main Yum Configuration - 3medium 9pass

Result Details

Prelinking Disabled

Resultfail
Rule IDxccdf_org.ssgproject.content_rule_disable_prelink
Time2014-07-09 16:19
Severitylow
The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink: 
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state: 
# /sbin/prelink -ua
The prelinking feature can interfere with the operation of checksum integrity tools (e.g. AIDE), because it modifies binaries to speed up their startup time. Also it makes the location of shared libraries very predictable, mitigating the efficiency of address space layout randomization (ASLR) protection mechanism. In addition, each upgrade of an application or a library requires prelink to be run again.
Remediation script: 
#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
  echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi

#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua

gpgcheck Enabled In Main Yum Configuration

Resultpass
Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Time2014-07-09 16:19
Severityhigh
The gpgcheck option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section: 
gpgcheck=1
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.