
Oracle Linux 6 Security Technical Implementation Guide


Overview

Date: 2015-06-09
Finding Count (263): CAT I (High): 17, CAT II (Med): 145, CAT III (Low): 101
STIG Description
The Oracle Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-50873 High The system must use and update a DoD-approved virus scan program.
V-50877 High The x86 Ctrl-Alt-Delete key sequence must be disabled.
V-50597 High The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
V-50561 High The rlogind service must not be running.
V-50713 High The snmpd service must not use a default password.
V-50801 High The SSH daemon must not allow authentication using an empty password.
V-50719 High There must be no .rhosts or hosts.equiv files on the system.
V-50551 High The telnet-server package must not be installed.
V-50553 High The telnet daemon must not be running.
V-50555 High The rsh-server package must not be installed.
V-50557 High The rshd service must not be running.
V-50559 High The rexecd service must not be running.
V-50737 High The system must not have accounts configured with blank or null passwords.
V-50689 High Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
V-50751 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-50573 High The SSH daemon must be configured to use only the SSHv2 protocol.
V-51047 High The NFS server must not have the insecure file locking option enabled.
V-50871 Medium There must be no world-writable files on the system.
V-50875 Medium The system must have a host-based intrusion detection tool installed.
V-50811 Medium The system clock must be synchronized continuously, or at least daily.
V-50767 Medium The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-50979 Medium The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-50765 Medium The /etc/gshadow file must have mode 0000.
V-50763 Medium The /etc/gshadow file must be group-owned by root.
V-50761 Medium The system must employ a local IPv6 firewall.
V-50647 Medium The system must not accept IPv4 source-routed packets by default.
V-50641 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-50643 Medium There must be no .netrc files on the system.
V-50769 Medium The /etc/passwd file must be owned by root.
V-51017 Medium The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
V-50963 Medium The system must not send ICMPv4 redirects from any interface.
V-59347 Medium The system must use a Linux Security Module at boot time.
V-50565 Medium The ypbind service must not be running.
V-50567 Medium The tftp-server package must not be installed unless required.
V-50563 Medium The ypserv package must not be installed.
V-50967 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-50569 Medium The TFTP service must not be running.
V-50989 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-50545 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-50889 Medium The DHCP client must be disabled if not needed.
V-50885 Medium X Windows must not be enabled unless required.
V-50881 Medium The sendmail package must be removed.
V-50969 Medium The system must not accept IPv4 source-routed packets on any interface.
V-50711 Medium The system must ignore ICMPv6 redirects by default.
V-50717 Medium The snmpd service must use only SNMP protocol version 3 or newer.
V-50547 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
V-50961 Medium The system must not send ICMPv4 redirects by default.
V-50651 Medium The system must not accept ICMPv4 secure redirect packets by default.
V-59353 Medium A file integrity baseline must be created.
V-50791 Medium The system must require passwords to contain a minimum of 14 characters.
V-50797 Medium The system must employ a local IPv4 firewall.
V-50795 Medium User passwords must be changed at least every 60 days.
V-50955 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-50957 Medium The system must implement virtual address space randomization.
V-50951 Medium The system must not permit interactive boot.
V-50519 Medium The system must provide automated support for account management functions.
V-50959 Medium The system must limit the ability of processes to have simultaneous write and execute access to memory.
V-50683 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
V-50701 Medium The system package management tool must cryptographically verify the authenticity of system software packages during installation.
V-59367 Medium The system must use a Linux Security Module configured to enforce limits on system services.
V-50817 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
V-50705 Medium The IPv6 protocol handler must not be bound to the network stack unless needed.
V-50819 Medium The LDAP client must use a TLS connection using trust certificates signed by the site CA.
V-51019 Medium The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
V-50721 Medium The system must prevent the root account from logging in from virtual consoles.
V-50629 Medium Audit log files must be owned by root.
V-50627 Medium Audit log directories must have mode 0755 or less permissive.
V-50799 Medium The system must not permit root logins using remote access programs such as ssh.
V-50621 Medium The system must not accept ICMPv4 secure redirect packets on any interface.
V-50789 Medium All system command files must be owned by root.
V-51015 Medium The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
V-51013 Medium All rsyslog-generated log files must have mode 0600 or less permissive.
V-51011 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
V-50781 Medium The operating system must prevent public IPv6 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-50783 Medium Library files must have mode 0755 or less permissive.
V-50785 Medium Library files must be owned by root.
V-60819 Medium The sudo command must require authentication.
V-50787 Medium All system command files must have mode 755 or less permissive.
V-50943 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
V-50947 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-50945 Medium The system boot loader must require authentication.
V-50699 Medium The system must use a reverse-path filter for IPv4 network traffic when possible by default.
V-50793 Medium Users must not be able to change passwords more than once every 24 hours.
V-50823 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes.
V-59377 Medium The login user list must be disabled.
V-50827 Medium The graphical desktop environment must have automatic lock enabled.
V-59375 Medium The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-59379 Medium The noexec option must be added to the /tmp partition.
V-50731 Medium Default operating system accounts, other than root, must be locked.
V-50639 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-50635 Medium The system must disable accounts after excessive login failures within a 15-minute interval.
V-50637 Medium The system must require administrator action to unlock an account locked by excessive failed login attempts.
V-50631 Medium Audit log files must have mode 0640 or less permissive.
V-51005 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
V-51007 Medium All rsyslog-generated log files must be owned by root.
V-50825 Medium The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
V-51009 Medium All rsyslog-generated log files must be group-owned by root.
V-50803 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-50937 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
V-50933 Medium The system boot loader configuration file(s) must be owned by root.
V-50939 Medium The system boot loader configuration file(s) must be group-owned by root.
V-50609 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
V-51127 Medium The Bluetooth service must be disabled.
V-51125 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-50987 Medium The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-50601 Medium The audit system must take appropriate action when the audit storage volume is full.
V-51033 Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-50971 Medium The system must not accept ICMPv4 redirect packets on any interface.
V-51035 Medium The operating system must detect unauthorized changes to software and information.
V-51037 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
V-50685 Medium The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
V-50523 Medium Audit log files must be group-owned by root.
V-50525 Medium The mail system must forward all mail for root to one or more system administrators.
V-50617 Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
V-50615 Medium The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
V-50599 Medium The audit system must take appropriate action when there are disk errors on the audit storage volume.
V-50613 Medium The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-50521 Medium The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-50847 Medium Remote file systems must be mounted with the nosuid option.
V-50845 Medium Remote file systems must be mounted with the nodev option.
V-51123 Medium A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-50759 Medium The /etc/gshadow file must be owned by root.
V-50815 Medium Mail relaying must be restricted.
V-50757 Medium The /etc/shadow file must have mode 0000.
V-50755 Medium The /etc/shadow file must be group-owned by root.
V-50753 Medium The /etc/shadow file must be owned by root.
V-51029 Medium The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
V-51027 Medium The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-50695 Medium System security patches and updates must be installed and up-to-date.
V-51023 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
V-50813 Medium The system clock must be synchronized to an authoritative DoD time source.
V-50997 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-50715 Medium A file integrity tool must be installed.
V-50581 Medium The SSH daemon must not allow host-based authentication.
V-50855 Medium The system must prohibit the reuse of passwords within twenty-four iterations.
V-50747 Medium The root account must be the only account having a UID of 0.
V-50741 Medium The /etc/passwd file must not contain password hashes.
V-51053 Medium The system must rotate audit log files that reach the maximum file size.
V-51051 Medium The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
V-51057 Medium The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
V-50865 Medium The system package management tool must verify ownership on all files and directories associated with the audit package.
V-50867 Medium The system package management tool must verify group-ownership on all files and directories associated with the audit package.
V-50863 Medium The system package management tool must verify permissions on all files and directories associated with the audit package.
V-50869 Medium The system package management tool must verify contents of all files associated with the audit package.
V-50671 Medium The audit system must alert designated staff members when the audit storage volume approaches capacity.
V-59373 Medium The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
V-50903 Medium The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-50779 Medium The /etc/group file must have mode 0644 or less permissive.
V-50807 Medium The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
V-50921 Medium The system must disable accounts after three consecutive unsuccessful logon attempts.
V-50771 Medium The /etc/passwd file must be group-owned by root.
V-50773 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-51111 Medium The Bluetooth kernel module must be disabled.
V-50775 Medium The /etc/group file must be owned by root.
V-51117 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
V-50777 Medium The /etc/group file must be group-owned by root.
V-51049 Medium The system must set a maximum audit log file size.
V-50927 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
V-50571 Medium The cron service must be running.
V-50923 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
V-51043 Medium The system must retain enough rotated audit logs to cover the required log retention period.
V-50579 Medium The SSH daemon must ignore .rhosts files.
V-50879 Low The postfix service must be enabled for mail delivery.
V-50593 Low The system package management tool must verify ownership on all files and directories associated with packages.
V-50973 Low All GIDs referenced in /etc/passwd must be defined in /etc/group.
V-51077 Low The operating system must automatically audit account modification.
V-51071 Low The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-51073 Low The operating system must automatically audit account creation.
V-50591 Low The system package management tool must verify group-ownership on all files and directories associated with packages.
V-51169 Low The audit system must be configured to audit all discretionary access control permission modifications using chmod.
V-51167 Low The audit system must be configured to audit all discretionary access control permission modifications using chown.
V-51165 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
V-51163 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
V-51161 Low The audit system must be configured to audit all discretionary access control permission modifications using fchown.
V-50725 Low The system must prevent the root account from logging in from serial consoles.
V-50887 Low The xorg-x11-server-common (X Windows) package must not be installed, unless required.
V-50883 Low The netconsole service must be disabled unless required.
V-50657 Low The system must not respond to ICMPv4 sent to a broadcast address.
V-50809 Low The avahi service must be disabled.
V-50655 Low The system must ignore ICMPv4 redirect messages by default.
V-51063 Low The audit system must be configured to audit all attempts to alter system time through settimeofday.
V-51061 Low The audit system must be configured to audit all attempts to alter system time through adjtimex.
V-51067 Low The audit system must be configured to audit all attempts to alter system time through stime.
V-51147 Low The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
V-50603 Low The system must forward audit records to the syslog service.
V-51171 Low The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
V-51069 Low The audit system must be configured to audit all attempts to alter system time through clock_settime.
V-50953 Low The system must allow locking of the console screen in text mode.
V-50707 Low The system default umask for the bash shell must be 077.
V-50709 Low The system package management tool must cryptographically verify the authenticity of all software packages during installation.
V-59369 Low The system must use a Linux Security Module configured to limit the privileges of system services.
V-50625 Low The system must log Martian packets.
V-51093 Low The audit system must be configured to audit modifications to the system's network configuration.
V-51149 Low The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
V-50549 Low The xinetd service must be uninstalled if no network services utilizing it are enabled.
V-51141 Low The audit system must be configured to audit all use of setuid and setgid programs.
V-51143 Low The audit system must be configured to audit failed attempts to access files and programs.
V-51145 Low The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
V-50805 Low The SSH daemon must not permit user environment settings.
V-50843 Low The rdisc service must not be running.
V-50821 Low The openldap-servers package must not be installed unless required.
V-59371 Low All device files must be monitored by the system Linux Security Module.
V-50739 Low The FTP daemon must be configured for logging or verbose mode.
V-50829 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-51157 Low The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
V-50911 Low The system must require passwords to contain at least one numeric character.
V-51155 Low The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
V-51151 Low The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
V-51083 Low The operating system must automatically audit account disabling actions.
V-50539 Low The system package management tool must verify permissions on all files and directories associated with packages.
V-51001 Low The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
V-50533 Low The system must use a separate file system for /tmp.
V-50537 Low The system must use a separate file system for /var.
V-50535 Low The system package management tool must verify contents of all files associated with packages.
V-50667 Low The system default umask in /etc/login.defs must be 077.
V-50839 Low The oddjobd service must not be running.
V-50837 Low The ntpdate service must not be running.
V-50835 Low The atd service must be disabled.
V-50831 Low The Automatic Bug Reporting Tool (abrtd) service must not be running.
V-51121 Low The system must provide VPN connectivity for communications over untrusted networks.
V-51129 Low Accounts must be locked upon 35 days of inactivity.
V-50607 Low The system must allow locking of graphical desktop sessions.
V-50529 Low The system must use a separate file system for /var/log.
V-50985 Low All accounts on the system must have unique user or account names.
V-50663 Low The system must ignore ICMPv4 bogus error responses.
V-50849 Low The noexec option must be added to removable media partitions.
V-50595 Low The NFS server must not have the all_squash option enabled.
V-51423 Low All public directories must be owned by a system account.
V-50841 Low The qpidd service must not be running.
V-50515 Low Automated file system mounting tools must not be enabled unless needed.
V-51131 Low The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
V-50517 Low Auditing must be enabled at boot by setting a kernel parameter.
V-51133 Low The sticky bit must be set on all public directories.
V-51135 Low The audit system must be configured to audit changes to the /etc/sudoers file.
V-51139 Low The audit system must be configured to audit successful file system mounts.
V-50661 Low The system must use a separate file system for the system audit data path.
V-51021 Low System logs must be rotated daily.
V-51087 Low The operating system must automatically audit account termination.
V-50665 Low The system default umask for daemons must be 027 or 022.
V-50991 Low Temporary accounts must be provisioned with an expiration date.
V-50993 Low Emergency accounts must be provisioned with an expiration date.
V-50995 Low The system must require passwords to contain no more than three consecutive repeating characters.
V-51159 Low The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
V-50859 Low The operating system must protect the confidentiality and integrity of data at rest.
V-50913 Low The system must require passwords to contain at least one uppercase alphabetic character.
V-50915 Low The system must require passwords to contain at least one special character.
V-50917 Low The system must require passwords to contain at least one lowercase alphabetic character.
V-50919 Low The system must require at least four characters be changed between the old and new passwords during a password change.
V-50851 Low The system must use SMB client signing for connecting to samba servers using smbclient.
V-50669 Low The system default umask in /etc/profile must be 077.
V-50857 Low The operating system must employ cryptographic mechanisms to protect information in storage.
V-50853 Low The system must use SMB client signing for connecting to samba servers using mount.cifs.
V-51153 Low The audit system must be configured to audit all discretionary access control permission modifications using lchown.
V-50693 Low The Red Hat Network Service (rhnsd) service must not be running, unless it is being used to query the Oracle Unbreakable Linux Network for updates and information.
V-51137 Low The audit system must be configured to audit user deletions of files and programs.
V-50861 Low The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
V-50673 Low The system default umask for the csh shell must be 077.
V-50677 Low The system must use a separate file system for user home directories.
V-50907 Low Users must be warned 7 days in advance of password expiration.
V-51115 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-50577 Low The SSH daemon must set a timeout count on idle sessions.
V-50575 Low The SSH daemon must set a timeout interval on idle sessions.
V-51041 Low Process core dumps must be disabled unless needed.