Red Hat Enterprise Linux 5 Security Technical Implementation Guide


Overview

Date: 2017-01-27
Finding Count: 394 (CAT I (High): 16, CAT II (Med): 332, CAT III (Low): 46)
STIG Description
The Red Hat Enterprise Linux 5 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-4387 High Anonymous FTP accounts must not have a functional shell.
V-4249 High The system boot loader must require authentication.
V-4248 High For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
V-847 High The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
V-848 High The TFTP daemon must have mode 0755 or less permissive.
V-922 High All shell files must have mode 0755 or less permissive.
V-770 High The system must not have accounts configured with blank or null passwords.
V-4342 High The x86 CTRL-ALT-DELETE key sequence must be disabled.
V-4295 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-4268 High The system must not have special privilege accounts, such as shutdown and halt.
V-24386 High The telnet daemon must not be running.
V-11940 High The operating system must be a supported release.
V-11988 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-4689 High The SMTP service must be an up-to-date version.
V-4688 High The rexec daemon must not be running.
V-4687 High The rsh daemon must not be running.
V-819 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-818 Medium The audit system must be configured to audit login, logout, and session initiation.
V-815 Medium The audit system must be configured to audit files and programs deleted by the user.
V-814 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-813 Medium System audit logs must have mode 0640 or less permissive.
V-812 Medium System audit logs must be owned by root.
V-763 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-12039 Medium The /etc/securetty file must be owned by root.
V-22471 Medium The SSH public host key files must have mode 0644 or less permissive.
V-22470 Medium The SSH daemon must restrict login ability to specific users and/or groups.
V-12030 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-22573 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive.
V-22571 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.
V-22574 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL.
V-4385 Medium The system must not use .forward files.
V-978 Medium Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive.
V-979 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-22375 Medium The audit system must alert the SA when the audit storage volume approaches its capacity.
V-22505 Medium The /etc/news/passwd.nntp file must not have an extended ACL.
V-22504 Medium The /etc/news/nnrp.access file must not have an extended ACL.
V-22503 Medium The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
V-22502 Medium The /etc/news/incoming.conf file must not have an extended ACL.
V-22501 Medium Samba must be configured to not allow guest access to shares.
V-22500 Medium Samba must be configured to use encrypted passwords.
V-842 Medium The ftpusers file must be owned by root.
V-928 Medium The Network File System (NFS) export configuration file must be owned by root.
V-23732 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-22595 Medium The access.conf file must not have an extended ACL.
V-22596 Medium The /etc/sysctl.conf file must not have an extended ACL.
V-29238 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-29239 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-29236 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-29237 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-921 Medium All shell files must be owned by root or bin.
V-4336 Medium The /etc/sysctl.conf file must have mode 0600 or less permissive.
V-4335 Medium The /etc/sysctl.conf file must be group-owned by root.
V-4334 Medium The /etc/sysctl.conf file must be owned by root.
V-29281 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules - delete_module.
V-29284 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/insmod.
V-29286 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/modprobe.
V-29289 Medium Files in cron script directories must have mode 0700 or less permissive.
V-29288 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/rmmod.
V-22309 Medium The root account's home directory must not have an extended ACL.
V-22303 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
V-22302 Medium The system must enforce compliance of the entire password during authentication.
V-22305 Medium The system must require passwords contain at least one lowercase alphabetic character.
V-22304 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-22307 Medium The system must prevent the use of dictionary words for passwords.
V-22306 Medium The system must require at least eight characters be changed between the old and new passwords during a password change.
V-840 Medium The ftpusers file must exist.
V-843 Medium The ftpusers file must have mode 0640 or less permissive.
V-1059 Medium The smbpasswd file must have mode 0600 or less permissive.
V-924 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-1021 Medium The X server must have the correct options enabled.
V-1058 Medium The smbpasswd file must be group-owned by root.
V-12040 Medium The /etc/securetty file must have mode 0600 or less permissive.
V-22546 Medium The system must not have Teredo enabled.
V-22472 Medium The SSH private host key files must have mode 0600 or less permissive.
V-22549 Medium The DHCP client must not send dynamic DNS updates.
V-1055 Medium The /etc/security/access.conf file must have mode 0640 or less permissive.
V-22428 Medium The services file must not have an extended ACL.
V-22429 Medium The portmap or rpcbind service must not be running unless needed.
V-22398 Medium The at.deny file must be group-owned by root, bin, sys, or cron.
V-22397 Medium The at.allow file must be group-owned by root, bin, sys, or cron.
V-22396 Medium The "at" directory must be group-owned by root, bin, sys, or cron.
V-1054 Medium The /etc/access.conf file must have a privileged group owner.
V-22394 Medium The cron.deny file must be group-owned by root, bin, or sys.
V-22427 Medium The services file must be group-owned by root, bin, sys, or system.
V-22392 Medium The at.deny file must have mode 0600 or less permissive.
V-22426 Medium The xinetd.d directory must not have an extended ACL.
V-22390 Medium The at.allow file must not have an extended ACL.
V-22423 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
V-22395 Medium The "at" directory must not have an extended ACL.
V-11999 Medium The system must implement non-executable program stacks.
V-22572 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, or sys.
V-22391 Medium The cron.allow file must be group-owned by root, bin, sys, or cron.
V-29272 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-11995 Medium Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
V-29274 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-29275 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-29279 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-22491 Medium The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
V-22492 Medium The Network File System (NFS) export configuration file must be group-owned by root, bin, sys, or system.
V-22497 Medium The /etc/smb.conf file must not have an extended ACL.
V-22496 Medium All Network File System (NFS) exported system files and system directories must be group-owned by root, bin, sys, or system.
V-22499 Medium Samba must be configured to use an authentication mechanism other than "share."
V-22498 Medium The /etc/smbpasswd file must not have an extended ACL.
V-4276 Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
V-4275 Medium The /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive.
V-4278 Medium The files in /etc/news must be group-owned by root or news.
V-4370 Medium The traceroute command must be group-owned by sys, bin, root, or system.
V-1032 Medium Users must not be able to change passwords more than once every 24 hours.
V-4090 Medium All system start-up files must be group-owned by root, sys, bin, other, or system.
V-22444 Medium The ftpusers file must be group-owned by root, bin, sys, or system.
V-22445 Medium The ftpusers file must not have an extended ACL.
V-808 Medium The system and user default umask must be 077.
V-800 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-777 Medium The root account must not have world-writable directories in its executable search path.
V-775 Medium The root account's home directory (other than /) must have mode 0700.
V-773 Medium The root account must be the only account having a UID of 0.
V-22461 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-22462 Medium The SSH client must be configured to not use Cipher-Block Chaining (CBC)-based ciphers.
V-22463 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-981 Medium Cron and crontab directories must be group-owned by root, sys, bin, or cron.
V-980 Medium Cron and crontab directories must be owned by root or bin.
V-983 Medium The cronlog file must have mode 0600 or less permissive.
V-982 Medium Cron logging must be implemented.
V-985 Medium The at.deny file must not be empty if it exists.
V-984 Medium Access to the "at" utility must be controlled via the at.allow and/or at.deny file(s).
V-987 Medium The at.allow file must have mode 0600 or less permissive.
V-22294 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-4394 Medium The /etc/syslog.conf file must be group-owned by root, bin, sys, or system.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-974 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-975 Medium The cron.allow file must have mode 0600 or less permissive.
V-22349 Medium The /etc/gshadow file must not contain any group password hashes.
V-22348 Medium The /etc/group file must not contain any group password hashes.
V-22344 Medium The /etc/gshadow file must not have an extended ACL.
V-22347 Medium The /etc/passwd file must not contain password hashes.
V-22341 Medium The /etc/gshadow file must be owned by root.
V-22340 Medium The /etc/shadow file must not have an extended ACL.
V-22343 Medium The /etc/gshadow file must have mode 0400.
V-22342 Medium The /etc/gshadow file must be group-owned by root.
V-22514 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-22511 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-12005 Medium Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
V-12004 Medium The system must log informational authentication data.
V-12006 Medium The SMTP service HELP command must not be enabled.
V-12002 Medium The system must not forward IPv4 source-routed packets.
V-4084 Medium The system must prohibit the reuse of passwords within five iterations.
V-4430 Medium The cron.deny file must be owned by root, bin, or sys.
V-58537 Medium The SSH daemon must not allow host-based authentication.
V-941 Medium The system's access control program must log each system access attempt.
V-940 Medium The system must use an access control program.
V-22702 Medium System audit logs must be group-owned by root, bin, sys, or system.
V-823 Medium The services file must be owned by root or bin.
V-831 Medium The alias file must be owned by root.
V-793 Medium Library files must have mode 0755 or less permissive.
V-834 Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
V-931 Medium All Network File System (NFS) exported system files and system directories must be owned by root.
V-932 Medium The Network File System (NFS) anonymous UID and GID must be configured to values without permissions.
V-933 Medium The Network File System (NFS) server must be configured to restrict file system access to local hosts.
V-935 Medium The Network File System (NFS) server must not allow remote root access.
V-936 Medium The "nosuid" option must be enabled on all Network File System (NFS) client mounts.
V-788 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-22550 Medium The system must ignore IPv6 ICMP redirect messages.
V-824 Medium The services file must have mode 0644 or less permissive.
V-22557 Medium If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA.
V-22558 Medium If the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked.
V-22559 Medium If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
V-11972 Medium The system must require passwords contain at least one numeric character.
V-11973 Medium The system must require passwords contain at least one special character.
V-11975 Medium The system must require passwords contain no more than three consecutive repeating characters.
V-11976 Medium User passwords must be changed at least every 60 days.
V-22419 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
V-22411 Medium The system must not respond to Internet Control Message Protocol (ICMP) timestamp requests sent to a broadcast address.
V-22410 Medium The system must not respond to Internet Control Message Protocol v4 (ICMPv4) echoes sent to a broadcast address.
V-22327 Medium The /etc/nsswitch.conf file must be owned by root.
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22417 Medium The system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
V-22416 Medium The system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
V-22314 Medium All system command files must not have extended ACLs.
V-22315 Medium System log files must not have extended ACLs, except as needed to support authorized software.
V-22313 Medium All network services daemon files must not have extended ACLs.
V-22310 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-22311 Medium The root account's list of preloaded libraries must be empty.
V-22318 Medium NIS/NIS+/yp command files must not have extended ACLs.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-27283 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes.
V-27284 Medium Graphical desktop environments provided by the system must have automatic lock enabled.
V-22438 Medium The aliases file must be group-owned by root, sys, bin, or system.
V-29249 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-29248 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-22436 Medium The hosts.lpd (or equivalent) file must not have an extended ACL.
V-29245 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-29244 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-29247 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-29246 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-29241 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-29240 Medium The audit system must be configured to audit file deletions.
V-29243 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-29242 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-22488 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-22489 Medium The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
V-22486 Medium The SSH daemon must use privilege separation.
V-22487 Medium The SSH daemon must not allow rhosts RSA authentication.
V-22485 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-12023 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-4371 Medium The traceroute file must have mode 0700 or less permissive.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22563 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
V-4089 Medium All system start-up files must be owned by root.
V-867 Medium The Network Information System (NIS) protocol must not be used.
V-4083 Medium Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment. Applications requiring continuous, real-time screen display (i.e., network management products) require the following and need to be documented with the IAO: the logon session does not have administrator rights, and the display station (i.e., keyboard, monitor, etc.) is located in a controlled access area.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-1029 Medium The /etc/smbpasswd file must be owned by root.
V-24384 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
V-1025 Medium The /etc/access.conf file must be owned by root.
V-22456 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-1028 Medium The /etc/smb.conf file must have mode 0644 or less permissive.
V-22458 Medium The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-22329 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-22328 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
V-22455 Medium The system must use a remote syslog server (loghost).
V-22326 Medium The /etc/hosts file must not have an extended ACL.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-1027 Medium The /etc/smb.conf file must be owned by root.
V-22451 Medium The snmpd.conf file must be group-owned by root, bin, sys, or system.
V-22322 Medium The /etc/resolv.conf file must not have an extended ACL.
V-22453 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-1023 Medium The system must not run an Internet Network News (INN) server.
V-1022 Medium An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
V-994 Medium The snmpd.conf file must have mode 0600 or less permissive.
V-995 Medium Management Information Base (MIB) files must have mode 0640 or less permissive.
V-22425 Medium The xinetd.d directory must have mode 0755 or less permissive.
V-901 Medium All user home directories must have mode 0750 or less permissive.
V-22358 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
V-906 Medium All run control scripts must have mode 0755 or less permissive.
V-22357 Medium Skeleton files must not have extended ACLs.
V-22355 Medium Run control scripts lists of preloaded libraries must contain only authorized paths.
V-22524 Medium The AppleTalk protocol must be disabled or not installed.
V-12011 Medium All FTP users must have a default umask of 077.
V-12019 Medium The snmpd.conf file must be owned by root.
V-4428 Medium All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
V-4358 Medium The cron.deny file must have mode 0600 or less permissive.
V-4696 Medium The system must not have the UUCP service active.
V-22424 Medium The inetd.conf and xinetd.conf files must not have extended ACLs.
V-822 Medium The xinetd configuration files must have mode 0640 or less permissive.
V-791 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-821 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
V-794 Medium All system command files must have mode 0755 or less permissive.
V-795 Medium All system files, programs, and directories must be owned by a system account.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-797 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-828 Medium The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
V-829 Medium The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
V-22404 Medium Kernel core dumps must be disabled unless needed.
V-22569 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.
V-22568 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system.
V-22565 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
V-22564 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system.
V-22567 Medium For systems using NSS LDAP, the TLS certificate file must be owned by root.
V-22566 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
V-22561 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.
V-22560 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
V-22408 Medium Network interfaces must not be configured to allow user control.
V-22562 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
V-787 Medium System log files must have mode 0640 or less permissive.
V-832 Medium The alias file must have mode 0644 or less permissive.
V-22365 Medium All shell files must be group-owned by root, bin, sys, or system.
V-22369 Medium All system audit files must not have extended ACLs.
V-1056 Medium The /etc/smb.conf file must be group-owned by root, bin, sys, or system.
V-837 Medium The SMTP service log file must be owned by root.
V-22665 Medium The system must not be running any routing protocol daemons, unless the system is a router.
V-23953 Medium The 'ldd' command must be disabled unless it protects against the execution of untrusted files.
V-23952 Medium Mail relaying must be restricted.
V-29259 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-838 Medium The SMTP service log file must have mode 0644 or less permissive.
V-29252 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-29253 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-29250 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-29251 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-29257 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-29255 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-11947 Medium The system must require passwords contain a minimum of 15 characters.
V-22421 Medium The system must not be configured for network bridging.
V-11948 Medium The system must require passwords contain at least one uppercase alphabetic character.
V-4250 Medium The system's boot loader configuration file(s) must have mode 0600 or less permissive.
V-23741 Medium TCP backlog queue sizes must be set appropriately.
V-22587 Medium The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
V-22586 Medium The system's boot loader configuration files must be owned by root.
V-22585 Medium The system's boot loader configuration file(s) must not have extended ACLs.
V-22582 Medium The system must employ a local firewall.
V-22393 Medium The at.deny file must not have an extended ACL.
V-776 Medium The root account's executable search path must contain only authorized paths.
V-4321 Medium The system must not run Samba unless needed.
V-756 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-24624 Medium The system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
V-22460 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-22338 Medium The /etc/group file must not have an extended ACL.
V-22339 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
V-22334 Medium The /etc/passwd file must not have an extended ACL.
V-22335 Medium The /etc/group file must be owned by root.
V-22336 Medium The /etc/group file must be group-owned by root, bin, or sys.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22330 Medium The /etc/nsswitch.conf file must not have an extended ACL.
V-22447 Medium The SNMP service must use only SNMPv3 or its successors.
V-22332 Medium The /etc/passwd file must be owned by root.
V-22333 Medium The /etc/passwd file must be group-owned by root, bin, or sys.
V-1061 Medium Audio devices must be group-owned by root, sys, bin, or system.
V-22415 Medium Proxy Address Resolution Protocol (Proxy ARP) must not be enabled on the system.
V-913 Medium There must be no .netrc files on the system.
V-916 Medium The /etc/shells (or equivalent) file must exist.
V-22533 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
V-22530 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-22539 Medium The Bluetooth protocol handler must be disabled or not installed.
V-22383 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-22385 Medium Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
V-22384 Medium The cron.allow file must not have an extended ACL.
V-1048 Medium Audio devices must have mode 0660 or less permissive.
V-1049 Medium Audio devices must be owned by root.
V-22437 Medium The traceroute file must not have an extended ACL.
V-1047 Medium The system must not permit root logins using remote access programs such as ssh.
V-22435 Medium The hosts.lpd (or equivalent) file must be group-owned by lp.
V-22434 Medium The rexecd service must not be installed.
V-22433 Medium The rlogind service must not be installed.
V-22432 Medium The rlogind service must not be running.
V-22431 Medium The rshd service must not be installed.
V-22430 Medium The portmap or rpcbind service must not be installed unless needed.
V-11989 Medium The .rhosts file must not be supported in PAM.
V-11981 Medium All global initialization files must have mode 0644 or less permissive.
V-11983 Medium All global initialization files must be group-owned by root, sys, bin, other, system, or the system default.
V-11982 Medium All global initialization files must be owned by root.
V-11985 Medium All global initialization files executable search paths must contain only authorized paths.
V-11984 Medium All skeleton files and directories (typically in /etc/skel) must be owned by root or bin.
V-11986 Medium All local initialization files executable search paths must contain only authorized paths.
V-29261 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-22290 Medium The system clock must be synchronized continuously.
V-22297 Medium The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
V-22296 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-789 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-986 Medium Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-4369 Medium The traceroute command owner must be root.
V-4364 Medium The "at" directory must have mode 0755 or less permissive.
V-4367 Medium The at.allow file must be owned by root, bin, or sys.
V-4361 Medium The cron.allow file must be owned by root, bin, or sys.
V-27279 Medium The system must not have the unnecessary "ftp" account.
V-27276 Medium The system must not have the unnecessary "gopher" account.
V-27275 Medium The system must not have the unnecessary "news" account.
V-22454 Medium The /etc/syslog.conf file must not have an extended ACL.
V-22473 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-22475 Low The SSH daemon must not permit Kerberos authentication unless needed.
V-22474 Low The SSH client must not permit GSSAPI authentication unless needed.
V-22576 Low The system must use available memory address randomization techniques.
V-22577 Low Automated file system mounting tools must not be enabled unless needed.
V-4384 Low The SMTP service's SMTP greeting must not provide version information.
V-22370 Low System audit tool executables must be owned by root.
V-22371 Low System audit tool executables must be group-owned by root, bin, sys, or system.
V-22372 Low System audit tool executables must have mode 0750 or less permissive.
V-22373 Low System audit tool executables must not have extended ACLs.
V-22374 Low The audit system must alert the SA in the event of an audit processing failure.
V-22376 Low The audit system must be configured to audit account creation.
V-22377 Low The audit system must be configured to audit account modification.
V-22378 Low The audit system must be configured to audit account disabling.
V-23739 Low The system must use a separate file system for /tmp (or equivalent).
V-23738 Low The system must use a separate file system for the system audit data path.
V-23736 Low The system must use a separate file system for /var.
V-22598 Low Auditing must be enabled at boot by setting a kernel parameter.
V-22308 Low The system must restrict the ability to switch to the root user to members of a defined group.
V-929 Low The Network File System (NFS) export configuration file must have mode 0644 or less permissive.
V-22579 Low The system must have USB Mass Storage disabled unless needed.
V-11996 Low Process core dumps must be disabled unless needed.
V-11997 Low The kernel core dump data directory must be owned by root.
V-22422 Low All local file systems must employ journaling or another mechanism ensuring file system consistency.
V-24357 Low The system must be configured to send audit/system records to a remote audit server.
V-22493 Low The Network File System (NFS) exports configuration file must not have an extended ACL.
V-774 Low The root user's home directory must not be the root directory (/).
V-1011 Low Inetd or xinetd logging/tracing must be enabled.
V-22298 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-12003 Low A separate file system must be used for user home directories (such as /home or an equivalent).
V-835 Low Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-781 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-22418 Low The system must log martian packets.
V-1062 Low The root shell must be located in the / file system.
V-900 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-22350 Low User home directories must not have extended ACLs.
V-4692 Low The SMTP service must not have the EXPN feature active.
V-4693 Low The SMTP service must not have the Verify (VRFY) feature active.
V-899 Low All interactive users must be assigned a home directory in the /etc/passwd file.
V-22406 Low The kernel core dump data directory must have mode 0700 or less permissive.
V-22405 Low The kernel core dump data directory must be group-owned by root, bin, sys, or system.
V-22584 Low The system must use a Linux Security Module configured to limit the privileges of system services.
V-22580 Low The system must have IEEE 1394 (Firewire) disabled unless needed.
V-22588 Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
V-22382 Low The audit system must be configured to audit account termination.
V-825 Low Global initialization files must contain the "mesg -n" or "mesg n" commands.