
Oracle Linux 6 Security Technical Implementation Guide


Overview

Date: 2021-06-14
Finding Count: 274 (CAT I (High): 18, CAT II (Med): 152, CAT III (Low): 104)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-219557 High The telnet daemon must not be running.
V-219558 High The rlogind service must not be running.
V-209019 High The x86 Ctrl-Alt-Delete key sequence must be disabled.
V-208807 High The system must not have accounts configured with blank or null passwords.
V-219957 High The Oracle Linux operating system must not contain .shosts or shosts.equiv files.
V-219560 High The SSH daemon must be configured to use only the SSHv2 protocol.
V-209043 High The snmpd service must not use a default password.
V-209040 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-209031 High The NFS server must not have the insecure file locking option enabled.
V-208915 High The rshd service must not be running.
V-208914 High The rsh-server package must not be installed.
V-208913 High The telnet-server package must not be installed.
V-224675 High The Oracle Linux operating system must be a vendor-supported release.
V-219547 High There must be no .rhosts or hosts.equiv files on the system.
V-219543 High Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
V-209076 High The Oracle Linux 6 operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-208926 High The SSH daemon must not allow authentication using an empty password.
V-208916 High The rexecd service must not be running.
V-219551 Medium The system must employ a local IPv4 firewall.
V-219550 Medium The operating system must prevent public IPv6 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-219553 Medium The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-219552 Medium The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-219555 Medium The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
V-219554 Medium The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-219559 Medium The TFTP service must not be running.
V-209015 Medium The system package management tool must verify ownership on all files and directories associated with the audit package.
V-209014 Medium The system package management tool must verify permissions on all files and directories associated with the audit package.
V-209017 Medium The system package management tool must verify contents of all files associated with the audit package.
V-209016 Medium The system package management tool must verify group-ownership on all files and directories associated with the audit package.
V-209012 Medium The system must prohibit the reuse of passwords within five iterations.
V-209018 Medium There must be no world-writable files on the system.
V-208935 Medium The graphical desktop environment must have automatic lock enabled.
V-208934 Medium The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
V-208838 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
V-208839 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
V-208933 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes.
V-208836 Medium The system must disable accounts after three consecutive unsuccessful logon attempts.
V-208837 Medium The system must use a FIPS 140-2-approved cryptographic hashing algorithm for generating account password hashes (system-auth).
V-208830 Medium System and application account passwords must be changed at least annually.
V-237626 Medium The Oracle Linux operating system must require re-authentication when using the "sudo" command.
V-237625 Medium The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo".
V-237624 Medium The Oracle Linux operating system must restrict privilege elevation to authorized personnel.
V-208918 Medium The ypbind service must not be running.
V-209065 Medium The mail system must forward all mail for root to one or more system administrators.
V-208799 Medium The system must use a Linux Security Module at boot time.
V-208798 Medium System security patches and updates must be installed and up-to-date.
V-208828 Medium User passwords must be changed at least every 60 days.
V-208827 Medium Users must not be able to change passwords more than once every 24 hours.
V-208826 Medium The system must require passwords to contain a minimum of 15 characters.
V-208823 Medium Library files must be owned by a system account.
V-208822 Medium Library files must have mode 0755 or less permissive.
V-208820 Medium The /etc/group file must be group-owned by root.
V-209072 Medium The sudo command must require authentication.
V-208825 Medium All system command files must be owned by root.
V-208824 Medium All system command files must have mode 755 or less permissive.
V-208821 Medium The /etc/group file must have mode 0644 or less permissive.
V-208812 Medium The /etc/shadow file must have mode 0000.
V-208813 Medium The /etc/gshadow file must be owned by root.
V-208810 Medium The /etc/shadow file must be owned by root.
V-208811 Medium The /etc/shadow file must be group-owned by root.
V-208816 Medium The /etc/passwd file must be owned by root.
V-208817 Medium The /etc/passwd file must be group-owned by root.
V-208815 Medium The /etc/gshadow file must have mode 0000.
V-208818 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-208819 Medium The /etc/group file must be owned by root.
V-208931 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
V-208930 Medium Mail relaying must be restricted.
V-208806 Medium Default operating system accounts, other than root, must be locked.
V-209042 Medium The snmpd service must use only SNMP protocol version 3 or newer.
V-208800 Medium A file integrity baseline must be created.
V-208809 Medium The root account must be the only account having a UID of 0.
V-208808 Medium The /etc/passwd file must not contain password hashes.
V-209071 Medium The noexec option must be added to the /tmp partition.
V-208881 Medium The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
V-208880 Medium The system must rotate audit log files that reach the maximum file size.
V-209059 Medium The audit system must take appropriate action when there are disk errors on the audit storage volume.
V-209058 Medium The audit system must take appropriate action when the audit storage volume is full.
V-209051 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-209050 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-209053 Medium Audit log files must have mode 0640 or less permissive.
V-209052 Medium The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-209055 Medium Audit log directories must have mode 0755 or less permissive.
V-209054 Medium Audit log files must be owned by root.
V-209056 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
V-219582 Medium The system must require administrator action to unlock an account locked by excessive failed login attempts.
V-219583 Medium The system must disable accounts after excessive login failures within a 15-minute interval.
V-219581 Medium The Bluetooth service must be disabled.
V-219586 Medium The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-219584 Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
V-219585 Medium The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
V-219588 Medium The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-219589 Medium The Oracle Linux 6 operating system must use a virus scan program.
V-208870 Medium All rsyslog-generated log files must be owned by root.
V-208871 Medium All rsyslog-generated log files must be group-owned by root.
V-208872 Medium All rsyslog-generated log files must have mode 0600 or less permissive.
V-208873 Medium The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
V-208875 Medium The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-208876 Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-208877 Medium The operating system must produce audit records containing sufficient information to establish what type of events occurred.
V-208878 Medium The system must retain enough rotated audit logs to cover the required log retention period.
V-208879 Medium The system must set a maximum audit log file size.
V-219568 Medium The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.
V-208804 Medium The system must prevent the root account from logging in from virtual consoles.
V-219561 Medium The Oracle Linux 6 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
V-219562 Medium The system clock must be synchronized continuously, or at least daily.
V-219563 Medium The system clock must be synchronized to an authoritative DoD time source.
V-219564 Medium The LDAP client must use a TLS connection using trust certificates signed by the site CA.
V-208848 Medium The system must implement virtual address space randomization.
V-209024 Medium The DHCP client must be disabled if not needed.
V-208801 Medium The system must use a Linux Security Module configured to enforce limits on system services.
V-209021 Medium The sendmail package must be removed.
V-208863 Medium The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
V-208862 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
V-208867 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-208866 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-208865 Medium The system must ignore ICMPv6 redirects by default.
V-208864 Medium The system must use a reverse-path filter for IPv4 network traffic when possible by default.
V-208869 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
V-208843 Medium The system boot loader must require authentication.
V-219579 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
V-219578 Medium The Bluetooth kernel module must be disabled.
V-219569 Medium X Windows must not be enabled unless required.
V-219573 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
V-219572 Medium The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
V-219571 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
V-219570 Medium Wireless network adapters must be disabled.
V-219577 Medium The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
V-219576 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
V-219575 Medium The operating system must detect unauthorized changes to software and information.
V-219574 Medium The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
V-208849 Medium The system must limit the ability of processes to have simultaneous write and execute access to memory.
V-209035 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-209049 Medium There must be no .netrc files on the system.
V-209032 Medium The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
V-209034 Medium A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-208919 Medium The tftp-server package must not be installed unless required.
V-208917 Medium The ypserv package must not be installed.
V-208911 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
V-208910 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-208857 Medium The system must not accept IPv4 source-routed packets by default.
V-208854 Medium The system must not accept ICMPv4 redirect packets on any interface.
V-208855 Medium The system must not accept ICMPv4 secure redirect packets on any interface.
V-208852 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-208853 Medium The system must not accept IPv4 source-routed packets on any interface.
V-208850 Medium The system must not send ICMPv4 redirects by default.
V-208851 Medium The system must not send ICMPv4 redirects from any interface.
V-208858 Medium The system must not accept ICMPv4 secure redirect packets by default.
V-219548 Medium The system must employ a local IPv6 firewall.
V-219549 Medium The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-219546 Medium A file integrity tool must be installed.
V-219544 Medium The system package management tool must cryptographically verify the authenticity of system software packages during installation.
V-219542 Medium The audit system must alert designated staff members when the audit storage volume approaches capacity.
V-208842 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
V-219958 Medium The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-209070 Medium The login user list must be disabled.
V-209008 Medium Remote file systems must be mounted with the nodev option.
V-209009 Medium Remote file systems must be mounted with the nosuid option.
V-209066 Medium Audit log files must be group-owned by root.
V-208927 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-208923 Medium The SSH daemon must ignore .rhosts files.
V-208920 Medium The cron service must be running.
V-208814 Medium The /etc/gshadow file must be group-owned by root.
V-208924 Medium The SSH daemon must not allow host-based authentication.
V-208925 Medium The system must not permit root logins using remote access programs such as ssh.
V-208841 Medium The system boot loader configuration file(s) must be group-owned by root.
V-208840 Medium The system boot loader configuration file(s) must be owned by root.
V-208845 Medium The system must not permit interactive boot.
V-208844 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-208847 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-209067 Medium The system must provide automated support for account management functions.
V-219556 Low The audit system must be configured to audit all use of setuid and setgid programs.
V-209011 Low The system must use SMB client signing for connecting to samba servers using mount.cifs.
V-209010 Low The system must use SMB client signing for connecting to samba servers using smbclient.
V-209013 Low The operating system must protect the confidentiality and integrity of data at rest.
V-208937 Low The Automatic Bug Reporting Tool (abrtd) service must not be running.
V-208936 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-208932 Low The openldap-servers package must not be installed unless required.
V-208834 Low The system must require passwords to contain at least one lower-case alphabetic character.
V-208835 Low The system must require at least eight characters be changed between the old and new passwords during a password change.
V-208831 Low The system must require passwords to contain at least one numeric character.
V-208832 Low The system must require passwords to contain at least one uppercase alphabetic character.
V-208833 Low The system must require passwords to contain at least one special character.
V-209023 Low The xorg-x11-server-common (X Windows) package must not be installed, unless required.
V-209064 Low The system package management tool must verify contents of all files associated with packages.
V-209060 Low The NFS server must not have the all_squash option enabled.
V-209061 Low The system package management tool must verify ownership on all files and directories associated with packages.
V-209062 Low The system package management tool must verify group-ownership on all files and directories associated with packages.
V-209063 Low The system package management tool must verify permissions on all files and directories associated with packages.
V-208829 Low Users must be warned 7 days in advance of password expiration.
V-208797 Low The Red Hat Network Service (rhnsd) service must not be running, unless it is being used to query the Oracle Unbreakable Linux Network for updates and information.
V-208796 Low The system must use a separate file system for user home directories.
V-208793 Low The system must use a separate file system for /tmp.
V-208940 Low The oddjobd service must not be running.
V-209068 Low Auditing must be enabled at boot by setting a kernel parameter.
V-208942 Low The rdisc service must not be running.
V-209069 Low Automated file system mounting tools must not be enabled unless needed.
V-209074 Low The Oracle Linux operating system must mount /dev/shm with the nosuid option.
V-208909 Low The audit system must be configured to audit changes to the /etc/sudoers file.
V-209044 Low The system default umask for the bash shell must be 077.
V-209025 Low All GIDs referenced in /etc/passwd must be defined in /etc/group.
V-209075 Low The Oracle Linux operating system must mount /dev/shm with the noexec option.
V-208898 Low The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
V-208899 Low The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
V-208892 Low The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
V-208893 Low The audit system must be configured to audit all discretionary access control permission modifications using chmod.
V-208890 Low The operating system must automatically audit account termination.
V-208891 Low The audit system must be configured to audit modifications to the system's network configuration.
V-208896 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
V-208897 Low The audit system must be configured to audit all discretionary access control permission modifications using fchown.
V-208894 Low The audit system must be configured to audit all discretionary access control permission modifications using chown.
V-208895 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
V-219541 Low The system must use a separate file system for the system audit data path.
V-209046 Low The system default umask in /etc/profile must be 077.
V-209047 Low The system default umask in /etc/login.defs must be 077.
V-208803 Low All device files must be monitored by the system Linux Security Module.
V-208802 Low The system must use a Linux Security Module configured to limit the privileges of system services.
V-209048 Low The system default umask for daemons must be 027 or 022.
V-208794 Low The system must use a separate file system for /var.
V-208889 Low The operating system must automatically audit account disabling actions.
V-208888 Low The operating system must automatically audit account modification.
V-208885 Low The audit system must be configured to audit all attempts to alter system time through clock_settime.
V-208884 Low The audit system must be configured to audit all attempts to alter system time through stime.
V-208887 Low The operating system must automatically audit account creation.
V-208886 Low The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-208883 Low The audit system must be configured to audit all attempts to alter system time through settimeofday.
V-208882 Low The audit system must be configured to audit all attempts to alter system time through adjtimex.
V-208939 Low The ntpdate service must not be running.
V-208938 Low The atd service must be disabled.
V-209057 Low The system must allow locking of graphical desktop sessions.
V-219580 Low The system must provide VPN connectivity for communications over untrusted networks.
V-219587 Low The system must forward audit records to the syslog service.
V-208874 Low System logs must be rotated daily.
V-208907 Low The audit system must be configured to audit successful file system mounts.
V-208805 Low The system must prevent the root account from logging in from serial consoles.
V-219565 Low The noexec option must be added to removable media partitions.
V-219566 Low The operating system must employ cryptographic mechanisms to protect information in storage.
V-219567 Low The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
V-209045 Low The system default umask for the csh shell must be 077.
V-209028 Low Emergency accounts must be provisioned with an expiration date.
V-209029 Low The system must require passwords to contain no more than three consecutive repeating characters.
V-209026 Low All accounts on the system must have unique user or account names.
V-209027 Low Temporary accounts must be provisioned with an expiration date.
V-209020 Low The postfix service must be enabled for mail delivery.
V-209022 Low The netconsole service must be disabled unless required.
V-208908 Low The audit system must be configured to audit user deletions of files and programs.
V-208904 Low The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
V-208905 Low The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
V-208906 Low The audit system must be configured to audit failed attempts to access files and programs.
V-209041 Low The FTP daemon must be configured for logging or verbose mode.
V-208900 Low The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
V-208901 Low The audit system must be configured to audit all discretionary access control permission modifications using lchown.
V-208902 Low The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
V-208903 Low The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
V-208861 Low The system must ignore ICMPv4 bogus error responses.
V-208860 Low The system must not respond to ICMPv4 sent to a broadcast address.
V-208868 Low The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
V-209039 Low All public directories must be owned by a system account.
V-209038 Low The sticky bit must be set on all public directories.
V-209037 Low The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
V-209036 Low Accounts must be locked upon 35 days of inactivity.
V-209033 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-209030 Low Process core dumps must be disabled unless needed.
V-208941 Low The qpidd service must not be running.
V-208795 Low The system must use a separate file system for /var/log.
V-208912 Low The xinetd service must be uninstalled if no network services utilizing it are enabled.
V-208856 Low The system must log Martian packets.
V-208859 Low The system must ignore ICMPv4 redirect messages by default.
V-209073 Low The Oracle Linux operating system must mount /dev/shm with the nodev option.
V-219545 Low The system package management tool must cryptographically verify the authenticity of all software packages during installation.
V-208922 Low The SSH daemon must set a timeout count on idle sessions.
V-208921 Low The SSH daemon must set a timeout interval on idle sessions.
V-208928 Low The SSH daemon must not permit user environment settings.
V-208929 Low The avahi service must be disabled.
V-208846 Low The system must be configured so all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
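Many of the SSH daemon and kernel network findings above come down to reading one value out of /etc/ssh/sshd_config or /etc/sysctl.conf, and the two files resolve duplicate entries in opposite ways: sshd honours the first occurrence of a keyword (a hardened line appended below an older weak one changes nothing), while sysctl applies the file in order so the last occurrence wins. The script below is an added example, not part of the STIG or of any DISA tool; it reads both files with those semantics and reports the findings V-219560, V-208921 to V-208926 and V-208928 (sshd) and V-208848, V-208850 to V-208857, V-208859, V-208860, V-208862, V-208863 and V-208865 (sysctl). The required values it encodes (for example ClientAliveInterval of at most 900 seconds and ClientAliveCountMax 0) are taken from the STIG check text for each finding and are assumptions of the script, not something stated on this page.

```shell
#!/bin/sh
# stig_conf_check.sh: spot-check some of the Oracle Linux 6 STIG findings
# listed above against configuration files named on the command line.
# Added example, not DISA tooling; the required values come from the STIG
# check text for each finding and are assumptions of this script.

# Effective value of one sshd_config keyword. sshd treats keywords
# case-insensitively, accepts "Key value" or "Key=value", and uses the
# FIRST occurrence of a keyword: later duplicates are silently ignored, so
# a plain grep for the keyword can report a hardened value that is never
# applied. Only the global section (before any Match block) is consulted.
sshd_effective() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t]*[= \t][ \t]*/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { print f[2]; exit }
    ' "$1"
}

# Effective value of one sysctl.conf key. sysctl applies the file in order,
# so here the LAST occurrence wins, the opposite of sshd. The STIG checks
# also compare the running value (sysctl <key>); a compliant file with a
# different live value is still a finding, and this script only reads files.
sysctl_effective() {  # $1 = sysctl.conf path, $2 = key
    awk -v key="$2" -F= '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { last = v; seen = 1 }
        END { if (seen) print last }
    ' "$1"
}

# finding ID, keyword, required value, whether an absent line is acceptable
# (yes where sshd's built-in default already satisfies the requirement).
SSHD_RULES='V-219560 Protocol 2 no
V-208926 PermitEmptyPasswords no yes
V-208925 PermitRootLogin no no
V-208923 IgnoreRhosts yes yes
V-208924 HostbasedAuthentication no yes
V-208928 PermitUserEnvironment no yes
V-208922 ClientAliveCountMax 0 no'

# Prints one "FAIL <id> <keyword>: got=... want=..." line per finding.
check_sshd() {  # $1 = sshd_config path
    printf '%s\n' "$SSHD_RULES" | while read -r id key want absent_ok; do
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            [ "$absent_ok" = yes ] || echo "FAIL $id $key: got=<unset> want=$want"
        elif [ "$got" != "$want" ]; then
            echo "FAIL $id $key: got=$got want=$want"
        fi
    done
    # V-208921: idle sessions time out within 15 minutes (900 s); 0 disables it.
    iv=$(sshd_effective "$1" ClientAliveInterval)
    case $iv in
        ''|*[!0-9]*) echo "FAIL V-208921 ClientAliveInterval: got=${iv:-<unset>} want=1-900" ;;
        *) [ "$iv" -ge 1 ] && [ "$iv" -le 900 ] ||
               echo "FAIL V-208921 ClientAliveInterval: got=$iv want=1-900" ;;
    esac
}

# finding ID, sysctl key, required value (IPv4/IPv6 hardening and ASLR).
SYSCTL_RULES='V-208852 net.ipv4.ip_forward 0
V-208853 net.ipv4.conf.all.accept_source_route 0
V-208857 net.ipv4.conf.default.accept_source_route 0
V-208854 net.ipv4.conf.all.accept_redirects 0
V-208859 net.ipv4.conf.default.accept_redirects 0
V-208855 net.ipv4.conf.all.secure_redirects 0
V-208851 net.ipv4.conf.all.send_redirects 0
V-208850 net.ipv4.conf.default.send_redirects 0
V-208863 net.ipv4.conf.all.rp_filter 1
V-208856 net.ipv4.conf.all.log_martians 1
V-208860 net.ipv4.icmp_echo_ignore_broadcasts 1
V-208862 net.ipv4.tcp_syncookies 1
V-208865 net.ipv6.conf.default.accept_redirects 0
V-208848 kernel.randomize_va_space 2'

check_sysctl() {  # $1 = sysctl.conf path
    printf '%s\n' "$SYSCTL_RULES" | while read -r id key want; do
        got=$(sysctl_effective "$1" "$key")
        [ "$got" = "$want" ] || echo "FAIL $id $key: got=${got:-<unset>} want=$want"
    done
}

# Usage: sh stig_conf_check.sh /etc/ssh/sshd_config [/etc/sysctl.conf]
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    check_sshd "$1"
    if [ "$#" -gt 1 ]; then check_sysctl "$2"; fi
fi
```

Run it as sh stig_conf_check.sh /etc/ssh/sshd_config /etc/sysctl.conf; it prints one FAIL line per finding and nothing for a clean file. ClientAliveInterval 0 is reported as a finding because 0 disables the idle check in sshd rather than tightening it. Comparing the running kernel (sysctl -n <key> for each rule) is deliberately left out so the script can be run offline against copied files; on the target host that comparison is still required to close the sysctl findings.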