| RHEL-06-000520 | High | The SSH daemon must be configured to use only the SSHv2 protocol. | SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. |
| RHEL-06-000030 | High | The system must not have accounts configured with blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
| RHEL-06-000207 | High | The telnet daemon must not be running. | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be... |
| RHEL-06-000206 | High | The telnet-server package must not be installed. | Removing the "telnet-server" package decreases the risk of the telnet service's accidental (or intentional) activation. |
| RHEL-06-000209 | High | The telnet daemon must not be running. | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be... |
| RHEL-06-000208 | High | The telnet daemon must not be running. | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be... |
| RHEL-06-000238 | High | The SSH daemon must not allow authentication using an empty password. | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| RHEL-06-000239 | High | The SSH daemon must not allow authentication using an empty password. | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| RHEL-06-000283 | High | The system must use and update a DoD-approved virus scan program. | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
| RHEL-06-000285 | High | The system must have a host-based intrusion detection tool installed. | Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network... |
| RHEL-06-000284 | High | The system must use and update a DoD-approved virus scan program. | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
| RHEL-06-000286 | High | The x86 CTRL-ALT-DELETE key sequence must be disabled. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the... |
| RHEL-06-000015 | High | The system package management tool must cryptographically verify the authenticity of all software packages during installation. | Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering. |
| RHEL-06-000010 | High | Vendor-recommended software patches and updates, and system security patches and updates, must be installed and up-to-date. | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. |
| RHEL-06-000011 | High | Vendor-recommended software patches and updates, and system security patches and updates, must be installed and up-to-date. | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. |
| RHEL-06-000012 | High | The system package management tool must cryptographically verify the authenticity of system software packages during installation. | Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. |
| RHEL-06-000013 | High | The system package management tool must cryptographically verify the authenticity of system software packages during installation. | Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. |
| RHEL-06-000019 | High | There must be no .rhosts or hosts.equiv files on the system. | Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. |
| RHEL-06-000338 | High | The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system. | Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should... |
| RHEL-06-000014 | High | The system package management tool must cryptographically verify the authenticity of all software packages during installation. | Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering. |
| RHEL-06-000514 | High | The RPM package management tool must cryptographically verify the authenticity of all software packages during installation. | Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering. |
| RHEL-06-000227 | High | The SSH daemon must be configured to use only the SSHv2 protocol. | SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. |
| RHEL-06-000226 | High | The SSH daemon must be configured to use only the SSHv2 protocol. | SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. |
| RHEL-06-000228 | High | The SSH daemon must be configured to use only the SSHv2 protocol. | SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. |
| RHEL-06-000008 | High | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. | This key is necessary to cryptographically verify packages are from Red Hat. |
| RHEL-06-000213 | High | The rsh-server package must not be installed. | The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. |
| RHEL-06-000210 | High | The telnet daemon must not be running. | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be... |
| RHEL-06-000211 | High | The telnet daemon must not be running. | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be... |
| RHEL-06-000216 | High | The rexecd service must not be running. | The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen... |
| RHEL-06-000217 | High | The rexecd service must not be running. | The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen... |
| RHEL-06-000214 | High | The rshd service must not be running. | The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen... |
| RHEL-06-000215 | High | The rshd service must not be running. | The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen... |
| RHEL-06-000218 | High | The rlogind service must not be running. | The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be... |
| RHEL-06-000502-PF | Medium | The operating system must respond to security function anomalies in accordance with organization-defined responses and alternative action(s). | The need to verify security functionality applies to all security functions. For those security functions unable to execute automated self-tests the organization either implements compensating... |
| SRG-OS-000141-NA | Medium | The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks. | When it comes to Denial of Service attacks (DoS), most of the attention is paid to ensuring the systems and applications are not victims of these attacks. While it is true those accountable for... |
| SRG-OS-000117-NA | Medium | The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage both users and devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by... |
| RHEL-06-000082 | Medium | IP forwarding for IPv4 must not be enabled, unless the system is a router. | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers. |
| RHEL-06-000326 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. |
| RHEL-06-000455 | Medium | The operating system must install software updates automatically. | Security faults with software applications and operating systems are discovered daily and vendors are constantly updating and patching their products to address newly discovered security... |
| RHEL-06-000324 | Medium | A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. |
| RHEL-06-000325 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. |
| RHEL-06-000320 | Medium | The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets. | In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall,... |
| RHEL-06-000403-PNF | Medium | The operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications. | Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization defined specifications. |
| SRG-OS-000201-NA | Medium | The operating system must provide automated support for the management of distributed security testing. | The need to verify security functionality applies to all security functions. |
| RHEL-06-000133 | Medium | All rsyslog-generated log files must be owned by root. | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
| RHEL-06-000038 | Medium | The /etc/gshadow file must have mode 0000. | The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. |
| RHEL-06-000039 | Medium | The /etc/passwd file must be owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. |
| RHEL-06-000135 | Medium | All rsyslog-generated log files must have mode 0600 or less permissive. | Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value. |
| RHEL-06-000134 | Medium | All rsyslog-generated log files must be group-owned by root. | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
| RHEL-06-000032 | Medium | The root account must be the only account having a UID of 0. | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper... |
| RHEL-06-000033 | Medium | The /etc/shadow file must be owned by root. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to... |
| RHEL-06-000031 | Medium | The /etc/passwd file must not contain password hashes. | The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users. |
| RHEL-06-000036 | Medium | The /etc/gshadow file must be owned by root. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. |
| RHEL-06-000037 | Medium | The /etc/gshadow file must be group-owned by root. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security. |
| RHEL-06-000034 | Medium | The /etc/shadow file must be group-owned by root. | The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security. |
| RHEL-06-000035 | Medium | The /etc/shadow file must have mode 0000. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to... |
| SRG-OS-000116-NA | Medium | The operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific... |
| RHEL-06-000500-PNF | Medium | The operating system must preserve organization-defined system state information in the event of a system failure. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality,... |
| RHEL-06-000463-PF | Medium | The operating system must provide automated support for the management of distributed security testing. | The need to verify security functionality applies to all security functions. |
| SRG-OS-000229-NA | Medium | The operating system must employ automated mechanisms to centrally manage configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
| SRG-OS-000166-NA | Medium | The operating system must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective... |
| RHEL-06-000417-PNF | Medium | The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
| RHEL-06-000494-PF | Medium | The operating system must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately. | Any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system. Accordingly, only... |
| SRG-OS-000149-NA | Medium | The operating system must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices. | A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network. This prevents any hackers on the outside of learning IP addresses... |
| RHEL-06-000394-PF | Medium | The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000377-PNF | Medium | The operating system must produce audit records containing sufficient information to establish the sources of the events. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| RHEL-06-000460-PNF | Medium | The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification). | Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as, for the underlying security model. The need... |
| RHEL-06-000146 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| RHEL-06-000145 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| RHEL-06-000142 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| RHEL-06-000143 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| RHEL-06-000415-PNF | Medium | The operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users. | Operating system management functionality includes functions necessary to administer the operating, network components, workstations, or servers, and typically requires privileged user access. The... |
| SRG-OS-000181-NA | Medium | The operating system must prevent the execution of prohibited mobile code. | Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
| RHEL-06-000148 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| RHEL-06-000392-PNF | Medium | The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system shall not provide any information allowing an... |
| SRG-OS-000187-NA | Medium | The operating system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media. | Organizations may require the information system to load the operating environment from hardware enforced read-only media. The term operating environment is defined as the code upon which... |
| RHEL-06-000367-PF | Medium | The operating system must support organization-defined one-way flows using hardware mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000258 | Medium | The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment. | Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management... |
| RHEL-06-000249 | Medium | Mail relaying must be restricted. | This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack. |
| RHEL-06-000248 | Medium | The system clock must be synchronized to an authoritative DoD time source. | Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your... |
| RHEL-06-000245 | Medium | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. | Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. |
| RHEL-06-000244 | Medium | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. | Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. |
| RHEL-06-000247 | Medium | The system clock must be synchronized continuously, or at least daily. | Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is... |
| RHEL-06-000240 | Medium | The SSH daemon must be configured with the Department of Defense (DoD) login banner. | The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious... |
| RHEL-06-000243 | Medium | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. | Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. |
| RHEL-06-000242 | Medium | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. | Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. |
| RHEL-06-000251 | Medium | If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms. | The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. |
| SRG-OS-000009-NA | Medium | The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000390-PNF | Medium | The operating system, for PKI-based authentication must enforce authorized access to the corresponding private key. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and... |
| SRG-OS-000011-NA | Medium | The operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000399-PNF | Medium | The operating system must employ automated mechanisms to enforce access restrictions. | When dealing with access restrictions pertaining to change control, it should be noted that, any changes to the hardware, software, and/or firmware components of the information system and/or... |
| RHEL-06-000513-PF | Medium | The audit system must alert designated staff members when audit storage volume is generating disk errors. | Administrators should be made aware of an inability to record audit records. If a separate partition or logical audit storage volume is generating disk errors, the SA and other designated staff... |
| SRG-OS-000204-NA | Medium | The operating system must identify potentially security-relevant error conditions. | The structure and content of error messages need to be carefully considered by the organization. The extent to which the operating system is able to identify and handle error conditions is guided... |
| RHEL-06-000423-PNF | Medium | The operating system must limit the use of resources by priority. | Priority protection helps prevent a lower-priority process from delaying or interfering with the operating system servicing any higher-priority process. Operating systems must limit potential high... |
| SRG-OS-000225-NA | Medium | The operating system must uniquely identify source domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| SRG-OS-000165-NA | Medium | The operating system must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective... |
| SRG-OS-000226-NA | Medium | The operating system must uniquely authenticate source domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000235 | Medium | The SSH daemon must not allow host-based authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
| RHEL-06-000397-PNF | Medium | The operating system must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies. | In order to control changes in policy, a privileged administrator must be able to change policy filters to support different security policies. |
| RHEL-06-000108 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000109 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000359-PF | Medium | The operating system must dynamically manage user privileges and associated access authorizations. | While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization.... |
| RHEL-06-000102 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000103 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000100 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000101 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000106 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000107 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000104 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000105 | Medium | The system must employ a local IPv6 firewall. | The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6. |
| RHEL-06-000065 | Medium | The system boot loader configuration file(s) must be owned by root. | Only root should be able to modify important boot parameters. |
| RHEL-06-000064 | Medium | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
| RHEL-06-000067 | Medium | The system boot loader configuration file(s) must have mode 0600 or less permissive. | Proper permissions ensure that only the root user can modify important boot parameters. |
| RHEL-06-000066 | Medium | The system boot loader configuration file(s) must be group-owned by root. | The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. |
| RHEL-06-000061 | Medium | The system must disable accounts after three consecutive unsuccessful login attempts. | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. |
| RHEL-06-000430-PNF | Medium | The operating system must protect the integrity of transmitted information. | Ensuring the integrity of transmitted information requires the operating system take feasible measures to employ transmission layer security. This requirement applies to communications across... |
| RHEL-06-000063 | Medium | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
| RHEL-06-000062 | Medium | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
| RHEL-06-000233 | Medium | The SSH daemon must ignore .rhosts files. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
| RHEL-06-000069 | Medium | The system must require authentication upon booting into single-user and maintenance modes. | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
| RHEL-06-000068 | Medium | The system boot loader must require authentication. | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to... |
| SRG-OS-000168-NA | Medium | The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective... |
| RHEL-06-000372-PF | Medium | The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account... |
| SRG-OS-000162-NA | Medium | The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. | Confidentiality of the data must be maintained to ensure unauthorized users or processes do not have access to it. This can be accomplished via access control mechanisms or encryption. |
| SRG-OS-000227-NA | Medium | The operating system must provide additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device. | Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen or misplaced, attempts can be made to unlock the device by guessing the PIN. In order to... |
| RHEL-06-000432-PNF | Medium | The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission. | Ensuring the confidentiality of transmitted information requires the operating system take measures in preparing information for transmission. This can be accomplished via access control or encryption. |
| SRG-OS-000223-NA | Medium | The operating system, when transferring information between different security domains, must detect unsanctioned information. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000203 | Medium | The xinetd service must be disabled if no network services utilizing it are enabled. | The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are... |
| RHEL-06-000293 | Medium | The system must prohibit the reuse of passwords within twenty-four iterations. | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| SRG-OS-000001-NA | Medium | The operating system must provide automated support for account management functions. | A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Examples include, but... |
| RHEL-06-000384A | Medium | Audit log files must be owned by root. | If non-privileged users can write to audit logs, audit trails can be modified or destroyed. |
| RHEL-06-000384B | Medium | Audit log files must be group-owned by root. | If non-privileged users can write to audit logs, audit trails can be modified or destroyed. |
| SRG-OS-000164-NA | Medium | The operating system must establish a trusted communications path between the user and organization-defined security functions within the operating system. | The user interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf. A trusted path shall be... |
| RHEL-06-000331 | Medium | The Bluetooth service must be disabled. | Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be... |
| RHEL-06-000474-PNF | Medium | The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000454-PNF | Medium | The operating system must employ organization-defined information system components with no writeable storage that are persistent across component restart or power on/off. | Organizations may require operating systems to be non-modifiable or to be stored and executed on non-writeable storage. Use of non-modifiable storage ensures the integrity of the program from the... |
| RHEL-06-000389-PNF | Medium | The operating system, for PKI-based authentication must validate certificates by constructing a certification path with status information to an accepted trust anchor. | A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
| RHEL-06-000094 | Medium | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. | A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a... |
| SRG-OS-000155-NA | Medium | The operating system must employ automated mechanisms to enforce strict adherence to protocol format. | Crafted packets not conforming to IEEE standards can be used by malicious people to exploit a host's protocol stack to create a Denial of Service or force a device reset. |
| RHEL-06-000456-PNF | Medium | The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components. | The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security... |
| SRG-OS-000006-NA | Medium | The operating system must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands. | Dual authorization mechanisms require two distinct approving authorities to approve the use of the command prior to it being invoked. An organization may determine certain commands or... |
| RHEL-06-000159 | Medium | The system must retain enough rotated audit logs to cover the required log retention period. | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
| RHEL-06-000158 | Medium | Auditing must be enabled at boot by setting a kernel parameter. | Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it... |
| SRG-OS-000179-NA | Medium | The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
| RHEL-06-000512-PF | Medium | The audit system must alert designated staff members when audit storage volume is full. | Administrators should be made aware of an inability to record audit records. If a separate partition or logical audit storage volume is full, the SA and other designated staff must be notified. ... |
| RHEL-06-000029 | Medium | Default system accounts, other than root, must be locked. | Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system. |
| RHEL-06-000421-PNF | Medium | The operating system must not share resources used to interface with systems operating at different security levels. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
| RHEL-06-000021 | Medium | The system must use a Linux Security Module configured to enforce limits on system services. | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the... |
| RHEL-06-000020 | Medium | The system must use a Linux Security Module configured to enforce limits on system services. | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the... |
| RHEL-06-000022 | Medium | The system must use a Linux Security Module configured to enforce limits on system services. | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the... |
| RHEL-06-000027 | Medium | The system must prevent the root account from logging in from virtual consoles. | Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. |
| SRG-OS-000167-NA | Medium | The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective... |
| SRG-OS-000224-NA | Medium | The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy. | Information flow control regulates where information is allowed to travel within an operating system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000282 | Medium | There must be no world-writable files on the system. | Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever... |
| SRG-OS-000268-NA | Medium | The operating system must take corrective actions, when unauthorized mobile code is identified. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
| SRG-OS-000222-NA | Medium | The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization-defined information security policy requirements. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| SRG-OS-000235-NA | Medium | The operating system must notify the user of organization-defined security-related changes to the user's account that occur during the organization-defined time period. | Some organizations may define certain security events as events requiring user notification. An organization may define an event such as a password change to a user's account occurring outside of... |
| RHEL-06-000154 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| RHEL-06-000157 | Medium | Auditing must be enabled at boot by setting a kernel parameter. | Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it... |
| RHEL-06-000156 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| RHEL-06-000098 | Medium | The IPv6 protocol handler must not be bound to the network stack unless needed. | Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. |
| RHEL-06-000099 | Medium | The system must ignore ICMPv6 redirects by default. | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
| SRG-OS-000013-NA | Medium | The operating system must enforce organization-defined limitations on the embedding of data types within other data types. | Embedding of data within other data is often used for the clandestine transfer of data. Embedding of data within other data can circumvent protections in place to protect information and systems. |
| RHEL-06-000095 | Medium | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. | A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a... |
| RHEL-06-000096 | Medium | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are... |
| RHEL-06-000097 | Medium | The system must use a reverse-path filter for IPv4 network traffic when possible by default. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are... |
| RHEL-06-000090 | Medium | The system must not accept ICMPv4 secure redirect packets by default. | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000378-PNF | Medium | The operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time... |
| SRG-OS-000205-NA | Medium | The operating system must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. | Any operating system providing too much information in error logs and in administrative messages to the screen, risks compromising the data and security of the structure and content of error... |
| RHEL-06-000139 | Medium | Auditing must be implemented. | Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist. |
| SRG-OS-000234-NA | Medium | The operating system must notify the user of the number of unsuccessful login/access attempts that occur during organization-defined time period. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts made to login to their account allows the... |
| SRG-OS-000154-NA | Medium | The operating system must prevent discovery of specific system components (or devices) composing a managed interface. | Allowing discovery of operating system resources, names, or components can lead to giving information to an attacker that may be used as an attack vector. |
| RHEL-06-000278 | Medium | The system package management tool must verify permissions on all files and directories associated with the "audit" package | Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should... |
| RHEL-06-000279 | Medium | The system package management tool must verify ownership on all files and directories associated with the "audit" package. | Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be... |
| RHEL-06-000414-PNF | Medium | The operating system must separate user functionality (including user interface services) from operating system management functionality. | Operating system management functionality includes functions necessary to administer machine, network components, workstations, or servers, and typically requires privileged user access. The... |
| RHEL-06-000419-PNF | Medium | The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
| RHEL-06-000270 | Medium | Remote file systems must be mounted with the "nosuid" option. | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. |
| RHEL-06-000387-PNF | Medium | The operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system. | The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
| SRG-OS-000102-NA | Medium | The operating system must implement transaction recovery for transaction-based systems. | Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and... |
| SRG-OS-000068-NA | Medium | The operating system, for PKI-based authentication must map the authenticated identity to the user account. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. The... |
| RHEL-06-000368-PNF | Medium | The operating system must provide the capability for a privileged administrator to enable/disable organization-defined security policy filters. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000485-PNF | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in storage. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| SRG-OS-000210-NA | Medium | The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. | When it comes to data review and data release, there must be a correlation between the reviewed data and the person who performs the review. If the reviewer is a human or if the review function is... |
| SRG-OS-000101-NA | Medium | The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. Information system and security related documentation contains information pertaining to system... |
| RHEL-06-000506 | Medium | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via a local console or tty. | Users need to be aware of activity that occurs regarding their accounts. Providing users with information regarding the date and time of their last successful login allows the user to determine if... |
| RHEL-06-000507 | Medium | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if... |
| RHEL-06-000504 | Medium | The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be... |
| RHEL-06-000505 | Medium | The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software,... |
| RHEL-06-000503 | Medium | The system must have USB Mass Storage disabled unless needed. | USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be... |
| SRG-OS-000156-NA | Medium | The operating system must fail securely in the event of an operational failure of a boundary protection device. | Fail secure is a condition achieved by the operating system employing a set of information system mechanisms to ensure, in the event of an operational failure of a boundary protection device at a... |
| RHEL-06-000119 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000118 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000445-PF | Medium | The operating system must validate the integrity of security attributes exchanged between systems. | When data is exchanged between information systems, the security attributes associated with the data needs to be maintained. Security attributes are an abstraction representing the basic... |
| RHEL-06-000424-PNF | Medium | The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks. | This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote... |
| RHEL-06-000111 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000110 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000113 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000112 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000115 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000114 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000117 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000116 | Medium | The system must employ a local IPv4 firewall. | The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP. |
| RHEL-06-000050 | Medium | The system must require passwords to contain a minimum of 14 characters. | Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully... |
| RHEL-06-000051 | Medium | Users must not be able to change passwords more than once every 24 hours. | Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
| RHEL-06-000053 | Medium | User passwords must be changed at least every 60 days. | Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password... |
| RHEL-06-000420-PNF | Medium | The operating system must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
| SRG-OS-000211-NA | Medium | The operating system must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain. | This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release particularly when the transfer is occurring between... |
| RHEL-06-000274 | Medium | The system must prohibit the reuse of passwords within twenty-four iterations. | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| RHEL-06-000381-PNF | Medium | The operating system must support an audit reduction capability. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
| RHEL-06-000327-PF | Medium | The operating system, upon successful logon, must display to the user the date and time of the last logon (access) via GUI. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if... |
| SRG-OS-000012-NA | Medium | The operating system must prevent encrypted data from bypassing content checking mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000431-PNF | Medium | The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. | Ensuring the integrity of transmitted information requires operating systems take measures to employ some form of cryptographic mechanism in order to recognize changes to information. This is... |
| SRG-OS-000217-NA | Medium | The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable... |
| RHEL-06-000234 | Medium | The SSH daemon must ignore .rhosts files. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
| SRG-OS-000216-NA | Medium | The operating system must use cryptographic mechanisms to protect the integrity of audit information. | Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data. |
| RHEL-06-000236 | Medium | The SSH daemon must not allow host-based authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
| RHEL-06-000237 | Medium | The system must not permit root logins using remote access programs such as ssh. | Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. |
| SRG-OS-000188-NA | Medium | The operating system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media. | Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. Organizations may require the information system to load specified... |
| RHEL-06-000396-PNF | Medium | The operating system must bind security attributes to information to facilitate information flow policy enforcement. | Operating system application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.... |
| SRG-OS-000130-NA | Medium | The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss. An organizational assessment of risk... |
| RHEL-06-000376-PNF | Medium | The operating system must produce audit records containing sufficient information to establish where the events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| RHEL-06-000288 | Medium | The sendmail package must be removed. | The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. |
| RHEL-06-000281 | Medium | The system package management tool must verify contents of all files associated with the audit package. | The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on... |
| RHEL-06-000280 | Medium | The system package management tool must verify group-ownership on all files and directories associated with the "audit" package. | Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor... |
| RHEL-06-000458-PNF | Medium | The operating system must prevent non-privileged users from circumventing intrusion detection and prevention capabilities. | Intrusion detection and prevention capabilities must be architected and implemented to prevent non-privileged users from circumventing such protections. This can be accomplished through the use of... |
| RHEL-06-000398-PNF | Medium | The operating system must enforce logical access restrictions associated with changes to the information system. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can... |
| RHEL-06-000309 | Medium | The NFS server must not have the insecure file locking option enabled. | Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. |
| RHEL-06-000302 | Medium | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. |
| RHEL-06-000303 | Medium | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. |
| RHEL-06-000304 | Medium | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. |
| RHEL-06-000305 | Medium | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. |
| RHEL-06-000306 | Medium | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. |
| RHEL-06-000307 | Medium | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. |
| RHEL-06-000373-PNF | Medium | The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of... |
| SRG-OS-000060-NA | Medium | The operating system must produce audit records on hardware-enforced, write-once media. | The protection of audit records from unauthorized or accidental deletion or modification requires the operating system produce audit records on hardware-enforced write-once media. |
| SRG-OS-000092-NA | Medium | The operating system must employ automated mechanisms to centrally apply configuration settings. | Configuration settings are the configurable security-related parameters of operating system. Security-related parameters are those parameters impacting the security state of the system including... |
| SRG-OS-000238-NA | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in transmission. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| SRG-OS-000252-NA | Medium | The operating system must provide the capability to capture/record and log all content related to a user session. | Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
| RHEL-06-000464-PNF | Medium | The operating system must check the validity of information inputs. | Invalid user input occurs when a user inserts data or characters the system is unprepared to process that data. This results in unanticipated behavior that could lead to a compromise. |
| RHEL-06-000411-PNF | Medium | The operating system must dynamically manage identifiers, attributes, and associated access authorizations. | Dynamic management of identities and association of attributes and privileges with these identities are anticipated and provisioned. Pre-established trust relationships and mechanisms with... |
| RHEL-06-000465-PNF | Medium | The operating system must support the requirement that organizations, if an information system component failure is detected must activate an organization-defined alarm and/or automatically shuts down the operating system. | Predictable failure prevention requires organizational planning to address system failure issues. If a subsystem of the operating system, hardware, or the operating system itself, is key to... |
| SRG-OS-000153-NA | Medium | The operating system must route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. | Managed interfaces employing boundary protection must be used for operating systems when using privileged accesses. |
| RHEL-06-000492-PNF | Medium | The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| SRG-OS-000091-NA | Medium | The operating system must enforce a two-person rule for changes to organization-defined information system components and system-level information. | Regarding access restrictions for changes made to organization-defined information system components and system level information. Any changes to the hardware, software, and/or firmware components... |
| RHEL-06-000412-PNF | Medium | The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only. | The intent of this control is to address the security-related issues arising from the software brought into the operating system specifically for diagnostic and repair actions (e.g., a software... |
| RHEL-06-000501-PF | Medium | The operating system must take organization-defined list of least disruptive actions to terminate suspicious events. | System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This... |
| RHEL-06-000466-PNF | Medium | The operating system must associate the identity of the information producer with the information. | Non-repudiation supports audit requirements to provide the appropriate organizational officials the means to identify who produced specific information in the event of an information transfer. |
| RHEL-06-000491-PNF | Medium | The operating system must only allow authorized users to associate security attributes with information. | The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges,... |
| SRG-OS-000093-NA | Medium | The operating system must employ automated mechanisms to centrally verify configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
| RHEL-06-000016 | Medium | A file integrity tool must be installed. | The AIDE package must be installed if it is to be available for integrity checking. |
| RHEL-06-000017 | Medium | The system must use a Linux Security Module at boot time. | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during... |
| RHEL-06-000371-PF | Medium | The operating system, upon successful logon, must display to the user the date and time of the last logon (access) via GUI. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if... |
| RHEL-06-000018 | Medium | The system must use a Linux Security Module at boot time. | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during... |
| RHEL-06-000473-PNF | Medium | The operating system must enforce an organization-defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
| SRG-OS-000251-NA | Medium | The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited. | Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network.
Remote access to... |
| RHEL-06-000149-PNF | Medium | The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
| RHEL-06-000160 | Medium | The system must set a maximum audit log file size. | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
| RHEL-06-000161 | Medium | The system must rotate audit log files that reach the maximum file size. | Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that... |
| RHEL-06-000089 | Medium | The system must not accept IPv4 source-routed packets by default. | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000083 | Medium | The system must not accept IPv4 source-routed packets on any interface. | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000081 | Medium | The system must not send ICMPv4 redirects from any interface. | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. |
| RHEL-06-000080 | Medium | The system must not send ICMPv4 redirects by default. | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. |
| RHEL-06-000087 | Medium | The system must not accept ICMPv4 secure redirect packets on any interface. | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000086 | Medium | The system must not accept ICMPv4 secure redirect packets on any interface. | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000085 | Medium | The system must not accept ICMPv4 redirect packets on any interface. | Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000084 | Medium | The system must not accept ICMPv4 redirect packets on any interface. | Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000312-PF | Medium | The operating system must validate the binding of the information producer's identity to the information. | The operating system must validate the binding of the information producer's identity to the information. |
| RHEL-06-000490-PNF | Medium | The operating system must maintain the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions. | The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges,... |
| RHEL-06-000489-PNF | Medium | The operating system must only allow authorized entities to change security attributes. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| SRG-OS-000019-NA | Medium | The operating system must implement separation of duties through assigned information system access authorizations. | Separation of duties is a prevalent Information Technology control implemented at different layers of the information system, including the operating system and in applications. It serves to... |
| RHEL-06-000348 | Medium | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. | This setting will cause the system greeting banner to be used for FTP connections as well. |
| RHEL-06-000349 | Medium | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and... |
| RHEL-06-000347 | Medium | There must be no .netrc files on the system. | Unencrypted passwords for remote FTP servers may be stored in ".netrc" files. DoD policy requires passwords be encrypted in storage and not used in access scripts. |
| RHEL-06-000340 | Medium | The snmpd service must use only SNMP protocol version 3 or newer. | Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. |
| RHEL-06-000341 | Medium | The snmpd service must not use a default password. | Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system. |
| RHEL-06-000388-PNF | Medium | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. | Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated.... |
| RHEL-06-000269 | Medium | Remote file systems must be mounted with the "nodev" option. | Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. |
| SRG-OS-000177-NA | Medium | The operating system must associate security attributes with information exchanged between information systems. | When data is exchanged between information systems, the security attributes associated with the data needs to be maintained. Security attributes are an abstraction representing the basic... |
| RHEL-06-000486-PNF | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in process. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| RHEL-06-000048 | Medium | All system command files must be owned by root. | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
| SRG-OS-000261-NA | Medium | The operating system uniquely must identify destination domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000042 | Medium | The /etc/group file must be owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
| RHEL-06-000393-PF | Medium | The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000418-PNF | Medium | The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
| RHEL-06-000379-PNF | Medium | The operating system must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, time stamps,... |
| RHEL-06-000511 | Medium | The audit system must take appropriate action when there are disk errors on the audit storage volume. | Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. |
| RHEL-06-000510 | Medium | The audit system must take appropriate action when the audit storage volume is full. | Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
| SRG-OS-000219-NA | Medium | The operating system must monitor for atypical usage of operating system accounts. | Atypical account usage is behavior that is not part of normal usage cycles, e.g., accounts logging in after hours or on weekends. |
| SRG-OS-000175-NA | Medium | The operating system must prohibit remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed. | Collaborative computing devices include networked white boards, cameras, and microphones. Collaborative software examples include instant messaging or chat clients. |
| RHEL-06-000124 | Medium | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. | Disabling DCCP protects the system against exploitation of any flaws in its implementation. |
| RHEL-06-000125 | Medium | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. | Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
| RHEL-06-000127 | Medium | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. | Disabling TIPC protects the system against exploitation of any flaws in its implementation. |
| RHEL-06-000120 | Medium | The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets. | In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall,... |
| RHEL-06-000121 | Medium | The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets. | In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall,... |
| RHEL-06-000122 | Medium | The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets. | In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall,... |
| RHEL-06-000123 | Medium | The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets. | In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall,... |
| RHEL-06-000047 | Medium | All system command files must have mode 0755 or less permissive. | System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. |
| RHEL-06-000046 | Medium | Library files must be owned by root. | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the... |
| RHEL-06-000045 | Medium | Library files must have mode 0755 or less permissive. | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to... |
| RHEL-06-000044 | Medium | The /etc/group file must have mode 0644 or less permissive. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
| RHEL-06-000043 | Medium | The /etc/group file must be group-owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
| RHEL-06-000140-PNF | Medium | The operating system audit records must be able to be used by a report generation capability. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify a network element that has been... |
| RHEL-06-000041 | Medium | The /etc/passwd file must have mode 0644 or less permissive. | If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and... |
| RHEL-06-000040 | Medium | The /etc/passwd file must be group-owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security. |
| RHEL-06-000416-PNF | Medium | The operating system must isolate security functions from nonsecurity functions. | Operating system management functionality includes functions necessary to administer the operating, network components, workstations, or servers, and typically requires privileged user access. The... |
| RHEL-06-000457-PNF | Medium | The operating system must prevent non-privileged users from circumventing malicious code protection capabilities. | Malicious code protection software must be protected so as to prevent a non-privileged user or a malicious piece of software from disabling the protection mechanism. A common tactic of malware is... |
| RHEL-06-000459-PNF | Medium | The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. | Intrusion-monitoring tools can accumulate a significant amount of sensitive data; examples could include user account information and application data not related to the intrusion monitoring... |
| SRG-OS-000180-NA | Medium | The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
| SRG-OS-000122-NA | Medium | The operating system must implement a configurable capability to automatically disable the operating system if any of the organization-defined lists of security violations are detected. | The operating system must implement a configurable capability to automatically disable the operating system if any of the organization-defined lists of security violations are detected. |
| RHEL-06-000461-PF | Medium | The operating system must provide notification of failed automated security tests. | The need to verify security functionality applies to all security functions. For those security functions unable to execute automated self-tests the organization either implements compensating... |
| SRG-OS-000267-NA | Medium | The operating system must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths. | This is a requirement that maintenance needs to be done on a separate interface or encrypted channel so as to segment maintenance activity from regular usage. When performing non-local... |
| SRG-OS-000174-NA | Medium | The operating system must protect the integrity and availability of publicly available information and applications. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of... |
| RHEL-06-000383 | Medium | Audit log files must have mode 0640 or less permissive. | If users can write to audit logs, audit trails can be modified or destroyed. |
| RHEL-06-000385 | Medium | Audit log directories must have mode 0755 or less permissive. | If users can delete audit logs, audit trails can be modified or destroyed. |
| RHEL-06-000223 | Medium | The TFTP service must not be running. | Disabling the "tftp" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication. |
| RHEL-06-000222 | Medium | The tftp-server package must not be installed. | Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. |
| RHEL-06-000451-PNF | Medium | The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative... |
| RHEL-06-000220 | Medium | The ypserv package must not be installed. | Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. |
| RHEL-06-000224 | Medium | The cron service must be running. | Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. |
| SRG-OS-000214-NA | Medium | The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
| SRG-OS-000173-NA | Medium | The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
| RHEL-06-000488-PNF | Medium | The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
| SRG-OS-000263-NA | Medium | The operating system must track problems associated with the information transfer. | When an operating system transfers data, there is the chance an error or problem with the data transfer may occur. The operating system needs to track failures and any problems encountered when... |
| RHEL-06-000353 | Medium | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and... |
| RHEL-06-000151-PF | Medium | The operating system must fail to an organization-defined known state for organization-defined types of failures. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. It helps prevent a loss of confidentiality, integrity, or availability in... |
| RHEL-06-000316 | Medium | The Bluetooth kernel module must be disabled. | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
| RHEL-06-000315 | Medium | The Bluetooth kernel module must be disabled. | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
| RHEL-06-000314 | Medium | The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. |
| RHEL-06-000313 | Medium | The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. |
| RHEL-06-000311 | Medium | The audit system must alert designated staff members when the audit storage volume approaches capacity. | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
| RHEL-06-000259 | Medium | The graphical desktop environment must have automatic lock enabled. | Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby. |
| RHEL-06-000257 | Medium | The graphical desktop environment must set the idle timeout to no more than 15 minutes. | Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby. |
| RHEL-06-000254 | Medium | If the system is using LDAP for authentication or account information, the system must use a TLS connection using trust certificates signed by the site CA. | The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust... |
| RHEL-06-000255 | Medium | If the system is using LDAP for authentication or account information, the system must use a TLS connection using trust certificates signed by the site CA. | The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust... |
| RHEL-06-000252 | Medium | If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms. | The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. |
| RHEL-06-000253 | Medium | The LDAP client must use a TLS connection using trust certificates signed by the site CA. | The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust... |
| RHEL-06-000250 | Medium | The LDAP client must use a TLS connection using FIPS 140-2 approved cryptographic algorithms. | The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. |
| SRG-OS-000172-NA | Medium | The operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
| SRG-OS-000014-NA | Medium | The operating system must enforce information flow control on metadata. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000382-PNF | Medium | The operating system must use internal system clocks to generate time stamps for audit records. | Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Time stamps generated by the information system... |
| SRG-OS-000262-NA | Medium | The operating system uniquely must authenticate destination domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000374-PNF | Medium | The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
| RHEL-06-000332 | Medium | The Bluetooth service must be disabled. | Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be... |
| RHEL-06-000221 | Medium | The ypbind service must not be running. | Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain. |
| RHEL-06-000005 | Medium | The audit system must alert designated staff members when the audit storage volume approaches capacity. | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
| SRG-OS-000083-NA | Medium | The operating system must enforce security policies regarding information on interconnected systems. | The operating system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information... |
| RHEL-06-000369-PNF | Medium | The operating system must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
| RHEL-06-000375-PNF | Medium | The operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
| SRG-OS-000008-NA | Medium | The operating system must prevent access to organization-defined security-relevant information except during secure, non-operable system states. | Security-relevant information is any information within the information system potentially impacting the operation of security functions in a manner that could result in failure to enforce the... |
| RHEL-06-000072 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. |
| RHEL-06-000073 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. |
| RHEL-06-000070 | Medium | The system must not permit interactive boot. | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
| RHEL-06-000380-PNF | Medium | Operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
| RHEL-06-000078 | Medium | The system must implement virtual address space randomization. | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt... |
| RHEL-06-000079 | Medium | The system must limit the ability of processes to have simultaneous write and execute access to memory. | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control... |
| SRG-OS-000183-NA | Medium | The operating system must prevent the automatic execution of mobile code in organization-defined software applications and must require organization-defined actions prior to executing the code. | Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
| RHEL-06-000497-PNF | Medium | The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
| SRG-OS-000115-NA | Medium | The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific... |
| SRG-OS-000233-NA | Medium | The operating system must notify the user of the number of successful logins/accesses that occur during the organization-defined time period. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of successful attempts made to login to their account allows the user... |
| RHEL-06-000493-PNF | Medium | The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
| RHEL-06-000352 | Medium | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and... |
| RHEL-06-000351 | Medium | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and... |
| RHEL-06-000350 | Medium | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and... |
| RHEL-06-000357 | Medium | The system must disable accounts after excessive login failures within a 15-minute interval. | Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks. |
| RHEL-06-000356 | Medium | The system must require administrator action to unlock an account locked by excessive failed login attempts. | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate... |
| RHEL-06-000355 | Medium | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and... |
| RHEL-06-000354 | Medium | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and... |
| RHEL-06-000162 | Medium | The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. |
| RHEL-06-000163 | Medium | The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. |
| SRG-OS-000182-NA | Medium | The operating system must prevent the download of prohibited mobile code. | Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
| RHEL-06-000322 | Low | The system must provide VPN connectivity for communications over untrusted networks. | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. |
| RHEL-06-000321 | Low | The system must provide VPN connectivity for communications over untrusted networks. | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. |
| RHEL-06-000137 | Low | The system must use a remote syslog server (loghost). | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect.... |
| RHEL-06-000136 | Low | The system must use a remote syslog server (loghost). | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect.... |
| RHEL-06-000246 | Low | The avahi service must be disabled. | Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. |
| RHEL-06-000241 | Low | The SSH daemon must not permit user environment settings. | SSH environment options potentially allow users to bypass access restriction in some configurations. |
| RHEL-06-000319 | Low | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an... |
| RHEL-06-000343 | Low | The system default umask for the csh shell must be 077. | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to... |
| RHEL-06-000201 | Low | The audit system must be configured to audit changes to the "/etc/sudoers" file. | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. |
| RHEL-06-000200 | Low | The audit system must be configured to audit user deletions of files and programs. | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that... |
| RHEL-06-000202 | Low | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules... |
| RHEL-06-000204 | Low | The xinetd service must be uninstalled if no network services utilizing it are enabled. | Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation. |
| RHEL-06-000191 | Low | The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000190 | Low | The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000193 | Low | The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000192 | Low | The audit system must be configured to audit all discretionary access control permission modifications using lchown. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000195 | Low | The audit system must be configured to audit all discretionary access control permission modifications using removexattr. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000194 | Low | The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000197 | Low | The audit system must be configured to audit failed attempts to access files and programs. | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| RHEL-06-000196 | Low | The audit system must be configured to audit all discretionary access control permission modifications using setxattr. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000199 | Low | The audit system must be configured to audit successful file system mounts. | The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit... |
| RHEL-06-000198 | Low | The audit system must be configured to audit all use of setuid programs. | Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to... |
| RHEL-06-000298 | Low | Temporary and emergency accounts must be provisioned with an expiration date. | When temporary and emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of... |
| RHEL-06-000299 | Low | The system must require passwords to contain no more than three consecutive repeating characters. | Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
| RHEL-06-000292 | Low | The DHCP client must be disabled if not needed. | DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the... |
| RHEL-06-000290 | Low | X Windows must not be enabled unless required. | Unnecessary services should be disabled to decrease the attack surface of the system. |
| RHEL-06-000291 | Low | The xorg-x11-server-common (X Windows) package must not be installed, unless required. | Unnecessary packages should not be installed to decrease the attack surface of the system. |
| RHEL-06-000296 | Low | All accounts on the system must have unique user or account names | Unique usernames allow for accountability on the system. |
| RHEL-06-000297 | Low | Temporary and emergency accounts must be provisioned with an expiration date. | When temporary and emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of... |
| RHEL-06-000294 | Low | All GIDs referenced in /etc/passwd must be defined in /etc/group | Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights. |
| RHEL-06-000295 | Low | All accounts on the system must have unique user or account names. | Unique usernames allow for accountability on the system. |
| RHEL-06-000339 | Low | The FTP daemon must be configured for logging or verbose mode. | To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default... |
| RHEL-06-000335 | Low | Accounts must be locked upon 35 days of inactivity. | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
| RHEL-06-000334 | Low | Accounts must be locked upon 35 days of inactivity. | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
| RHEL-06-000337 | Low | All public directories must be owned by a system account. | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. |
| RHEL-06-000336 | Low | The sticky bit must be set on all public directories. | Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
The only authorized public directories are those temporary directories... |
| RHEL-06-000028 | Low | The system must prevent the root account from logging in from serial consoles. | Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. |
| RHEL-06-000023 | Low | The system must use a Linux Security Module configured to limit the privileges of system services. | Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. |
| RHEL-06-000025 | Low | All device files must be monitored by the system Linux Security Module. | If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file. |
| RHEL-06-000024 | Low | The system must use a Linux Security Module configured to limit the privileges of system services. | Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. |
| RHEL-06-000026 | Low | All device files must be monitored by the system Linux Security Module. | If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file. |
| RHEL-06-000060 | Low | The system must require at least four characters be changed between the old and new passwords during a password change. | Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are... |
| RHEL-06-000091 | Low | The system must ignore IPv4 ICMP redirect messages. | This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
| RHEL-06-000092 | Low | The system must not respond to ICMPv4 sent to a broadcast address. | Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
| RHEL-06-000093 | Low | The system must ignore ICMPv4 bogus error responses. | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
| RHEL-06-000138 | Low | System logs must be rotated daily. | Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. |
| RHEL-06-000271 | Low | The noexec option must be added to removable media partitions. | Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. |
| RHEL-06-000272 | Low | The system must use SMB client signing for connecting to samba servers using smbclient. | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. |
| RHEL-06-000273 | Low | The system must use SMB client signing for connecting to samba servers using mount.cifs. | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. |
| RHEL-06-000275 | Low | The operating system must employ cryptographic mechanisms to protect information in storage. | The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. |
| RHEL-06-000276 | Low | The operating system must employ cryptographic mechanisms to protect information in storage. | The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. |
| RHEL-06-000277 | Low | The operating system must employ cryptographic mechanisms to protect information in storage. | The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. |
| RHEL-06-000508 | Low | The system must allow locking of graphical desktop sessions. | The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily. |
| RHEL-06-000509 | Low | The system must forward audit records to the syslog service. | The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to... |
| RHEL-06-000054 | Low | Users must be warned 14 days in advance of password expiration. | Setting the password warning age enables users to make the change at a practical time. |
| RHEL-06-000055 | Low | The system must reject session authentication after three consecutive failed authentication attempts. | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to... |
| RHEL-06-000056 | Low | The system must require passwords to contain at least one numeric character. | Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. |
| RHEL-06-000057 | Low | The system must require passwords to contain at least one uppercase alphabetic character. | Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
| RHEL-06-000058 | Low | The system must require passwords to contain at least one special character. | Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. |
| RHEL-06-000059 | Low | The system must require passwords to contain at least one lowercase alphabetic character. | Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
| RHEL-06-000230 | Low | The SSH daemon must set a timeout interval on idle sessions. | Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another. |
| RHEL-06-000231 | Low | The SSH daemon must set a timeout count on idle sessions. | This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached. |
| RHEL-06-000232 | Low | The SSH daemon must set a timeout count on idle sessions. | This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached. |
| RHEL-06-000289 | Low | The netconsole service must be disabled unless required. | The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common. |
| RHEL-06-000287 | Low | The postfix service must be enabled for mail delivery. | Local mail delivery is essential to some system maintenance and notification tasks. |
| RHEL-06-000308 | Low | Process core dumps must be disabled unless needed. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers... |
| RHEL-06-000300 | Low | All files and directories must have a valid owner. | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft... |
| RHEL-06-000301 | Low | All files must be owned by a group. | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft... |
| RHEL-06-000071 | Low | The system must allow locking of the console screen. | Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins. |
| RHEL-06-000088 | Low | The system must log Martian packets. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these... |
| RHEL-06-000165 | Low | The audit system must be configured to audit all attempts to alter system time through adjtimex. | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such... |
| RHEL-06-000167 | Low | The audit system must be configured to audit all attempts to alter system time through settimeofday. | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such... |
| RHEL-06-000169 | Low | The audit system must be configured to audit all attempts to alter system time through stime. | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such... |
| RHEL-06-000344 | Low | The system default umask in /etc/profile must be 077. | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to... |
| RHEL-06-000345 | Low | The system default umask in /etc/login.defs must be 077. | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to... |
| RHEL-06-000346 | Low | The system default umask for daemons must be 027 or 022. | The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions. |
| RHEL-06-000342 | Low | The system default umask for the bash shell must be 077. | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to... |
| RHEL-06-000267 | Low | The qpidd service must not be running. | The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface... |
| RHEL-06-000266 | Low | The oddjobd service must not be running. | The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged... |
| RHEL-06-000265 | Low | The ntpdate service must not be running. | The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate... |
| RHEL-06-000264 | Low | Automated file system mounting tools must not be enabled unless needed. | All filesystems that are required for the successful operation of the system should be explicitly listed in /etc/fstab by and administrator. New filesystems should not be arbitrarily introduced... |
| RHEL-06-000263 | Low | Automated file system mounting tools must not be enabled unless needed. | All filesystems that are required for the successful operation of the system should be explicitly listed in /etc/fstab by and administrator. New filesystems should not be arbitrarily introduced... |
| RHEL-06-000262 | Low | The atd service must be disabled. | The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule... |
| RHEL-06-000261 | Low | The Automatic Bug Reporting Tool (abrtd) service must not be running. | Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space... |
| RHEL-06-000260 | Low | The system must display a publicly-viewable pattern during a graphical desktop environment session lock. | Setting the screensaver mode to blank-only conceals the contents of the display from passersby. |
| RHEL-06-000268 | Low | The rdisc service must not be running. | General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead... |
| RHEL-06-000049 | Low | Audit log files must have mode 0640 or less permissive. | If users can write to audit logs, audit trails can be modified or destroyed. |
| RHEL-06-000519 | Low | The system package management tool must verify contents of all files associated with packages. | The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. |
| RHEL-06-000518 | Low | The system package management tool must verify permissions on all files and directories associated with packages. | Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should... |
| RHEL-06-000515 | Low | The NFS server must not have the all_squash option enabled. | The "all_squash" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID. |
| RHEL-06-000517 | Low | The system package management tool must verify group-ownership on all files and directories associated with packages. | Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized users to gain privileges that they should not have. The group-ownership set by the vendor... |
| RHEL-06-000516 | Low | The system package management tool must verify ownership on all files and directories associated with packages. | Ownership of system binaries and configuration files that is incorrect could allow an unauthorized users to gain privileges that they should not have. The ownership set by the vendor should be... |
| RHEL-06-000126 | Low | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. | Disabling RDS protects the system against exploitation of any flaws in its implementation. |
| RHEL-06-000229 | Low | The SSH daemon must set a timeout interval on idle sessions. | Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another. |
| RHEL-06-000317 | Low | The system must have USB Mass Storage disabled unless needed. | USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be... |
| RHEL-06-000256 | Low | The openldap-servers package must not be installed unless required. | Unnecessary packages should not be installed to decrease the attack surface of the system. |
| RHEL-06-000318 | Low | The system must have USB Mass Storage disabled unless needed. | USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be... |
| RHEL-06-000003 | Low | The system must use a separate file system for /var/log. | Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/". |
| RHEL-06-000002 | Low | The system must use a separate file system for /var. | Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is... |
| RHEL-06-000001 | Low | The system must use a separate file system for /tmp. | The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. |
| RHEL-06-000007 | Low | The system must use a separate file system for user home directories. | Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit... |
| RHEL-06-000006 | Low | The system must use a separate file system for the system audit data path. | Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. |
| RHEL-06-000004 | Low | The system must use a separate file system for the system audit data path. | Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. |
| RHEL-06-000009 | Low | The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. | Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the... |
| RHEL-06-000179 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000178 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000177 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000176 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000175 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000174 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000173 | Low | The audit system must be configured to audit all attempts to alter system time through /etc/localtime. | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such... |
| RHEL-06-000171 | Low | The audit system must be configured to audit all attempts to alter system time through clock_settime. | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such... |
| RHEL-06-000182 | Low | The audit system must be configured to audit modifications to the systems network configuration. | The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. |
| RHEL-06-000183 | Low | The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux). | The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. |
| RHEL-06-000180 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000181 | Low | The audit system must be configured to audit account creation and modification. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be... |
| RHEL-06-000186 | Low | The audit system must be configured to audit all discretionary access control permission modifications using fchmod. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000187 | Low | The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000184 | Low | The audit system must be configured to audit all discretionary access control permission modifications using chmod. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000185 | Low | The audit system must be configured to audit all discretionary access control permission modifications using chown. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000188 | Low | The audit system must be configured to audit all discretionary access control permission modifications using fchown. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
| RHEL-06-000189 | Low | The audit system must be configured to audit all discretionary access control permission modifications using fchownat. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the... |
