UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Red Hat Enterprise Linux 6 Security Technical Implementation Guide


Overview

Date Finding Count (492)
2013-02-05 CAT I (High): 33 CAT II (Med): 337 CAT III (Low): 122
STIG Description
The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
RHEL-06-000520 High The SSH daemon must be configured to use only the SSHv2 protocol.
RHEL-06-000030 High The system must not have accounts configured with blank or null passwords.
RHEL-06-000207 High The telnet daemon must not be running.
RHEL-06-000206 High The telnet-server package must not be installed.
RHEL-06-000209 High The telnet daemon must not be running.
RHEL-06-000208 High The telnet daemon must not be running.
RHEL-06-000238 High The SSH daemon must not allow authentication using an empty password.
RHEL-06-000239 High The SSH daemon must not allow authentication using an empty password.
RHEL-06-000283 High The system must use and update a DoD-approved virus scan program.
RHEL-06-000285 High The system must have a host-based intrusion detection tool installed.
RHEL-06-000284 High The system must use and update a DoD-approved virus scan program.
RHEL-06-000286 High The x86 CTRL-ALT-DELETE key sequence must be disabled.
RHEL-06-000015 High The system package management tool must cryptographically verify the authenticity of all software packages during installation.
RHEL-06-000010 High Vendor-recommended software patches and updates, and system security patches and updates, must be installed and up-to-date.
RHEL-06-000011 High Vendor-recommended software patches and updates, and system security patches and updates, must be installed and up-to-date.
RHEL-06-000012 High The system package management tool must cryptographically verify the authenticity of system software packages during installation.
RHEL-06-000013 High The system package management tool must cryptographically verify the authenticity of system software packages during installation.
RHEL-06-000019 High There must be no .rhosts or hosts.equiv files on the system.
RHEL-06-000338 High The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
RHEL-06-000014 High The system package management tool must cryptographically verify the authenticity of all software packages during installation.
RHEL-06-000514 High The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
RHEL-06-000227 High The SSH daemon must be configured to use only the SSHv2 protocol.
RHEL-06-000226 High The SSH daemon must be configured to use only the SSHv2 protocol.
RHEL-06-000228 High The SSH daemon must be configured to use only the SSHv2 protocol.
RHEL-06-000008 High Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
RHEL-06-000213 High The rsh-server package must not be installed.
RHEL-06-000210 High The telnet daemon must not be running.
RHEL-06-000211 High The telnet daemon must not be running.
RHEL-06-000216 High The rexecd service must not be running.
RHEL-06-000217 High The rexecd service must not be running.
RHEL-06-000214 High The rshd service must not be running.
RHEL-06-000215 High The rshd service must not be running.
RHEL-06-000218 High The rlogind service must not be running.
RHEL-06-000502-PF Medium The operating system must respond to security function anomalies in accordance with organization-defined responses and alternative action(s).
SRG-OS-000141-NA Medium The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks.
SRG-OS-000117-NA Medium The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices.
RHEL-06-000082 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
RHEL-06-000326 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
RHEL-06-000455 Medium The operating system must install software updates automatically.
RHEL-06-000324 Medium A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
RHEL-06-000325 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
RHEL-06-000320 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
RHEL-06-000403-PNF Medium The operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications.
SRG-OS-000201-NA Medium The operating system must provide automated support for the management of distributed security testing.
RHEL-06-000133 Medium All rsyslog-generated log files must be owned by root.
RHEL-06-000038 Medium The /etc/gshadow file must have mode 0000.
RHEL-06-000039 Medium The /etc/passwd file must be owned by root.
RHEL-06-000135 Medium All rsyslog-generated log files must have mode 0600 or less permissive.
RHEL-06-000134 Medium All rsyslog-generated log files must be group-owned by root.
RHEL-06-000032 Medium The root account must be the only account having a UID of 0.
RHEL-06-000033 Medium The /etc/shadow file must be owned by root.
RHEL-06-000031 Medium The /etc/passwd file must not contain password hashes.
RHEL-06-000036 Medium The /etc/gshadow file must be owned by root.
RHEL-06-000037 Medium The /etc/gshadow file must be group-owned by root.
RHEL-06-000034 Medium The /etc/shadow file must be group-owned by root.
RHEL-06-000035 Medium The /etc/shadow file must have mode 0000.
SRG-OS-000116-NA Medium The operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices.
RHEL-06-000500-PNF Medium The operating system must preserve organization-defined system state information in the event of a system failure.
RHEL-06-000463-PF Medium The operating system must provide automated support for the management of distributed security testing.
SRG-OS-000229-NA Medium The operating system must employ automated mechanisms to centrally manage configuration settings.
SRG-OS-000166-NA Medium The operating system must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
RHEL-06-000417-PNF Medium The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
RHEL-06-000494-PF Medium The operating system must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
SRG-OS-000149-NA Medium The operating system must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
RHEL-06-000394-PF Medium The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
RHEL-06-000377-PNF Medium The operating system must produce audit records containing sufficient information to establish the sources of the events.
RHEL-06-000460-PNF Medium The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
RHEL-06-000146 Medium Auditing must be implemented.
RHEL-06-000145 Medium Auditing must be implemented.
RHEL-06-000142 Medium Auditing must be implemented.
RHEL-06-000143 Medium Auditing must be implemented.
RHEL-06-000415-PNF Medium The operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
SRG-OS-000181-NA Medium The operating system must prevent the execution of prohibited mobile code.
RHEL-06-000148 Medium Auditing must be implemented.
RHEL-06-000392-PNF Medium The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SRG-OS-000187-NA Medium The operating system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media.
RHEL-06-000367-PF Medium The operating system must support organization-defined one-way flows using hardware mechanisms.
RHEL-06-000258 Medium The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment.
RHEL-06-000249 Medium Mail relaying must be restricted.
RHEL-06-000248 Medium The system clock must be synchronized to an authoritative DoD time source.
RHEL-06-000245 Medium The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
RHEL-06-000244 Medium The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
RHEL-06-000247 Medium The system clock must be synchronized continuously, or at least daily.
RHEL-06-000240 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
RHEL-06-000243 Medium The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
RHEL-06-000242 Medium The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
RHEL-06-000251 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SRG-OS-000009-NA Medium The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
RHEL-06-000390-PNF Medium The operating system, for PKI-based authentication must enforce authorized access to the corresponding private key.
SRG-OS-000011-NA Medium The operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations.
RHEL-06-000399-PNF Medium The operating system must employ automated mechanisms to enforce access restrictions.
RHEL-06-000513-PF Medium The audit system must alert designated staff members when audit storage volume is generating disk errors.
SRG-OS-000204-NA Medium The operating system must identify potentially security-relevant error conditions.
RHEL-06-000423-PNF Medium The operating system must limit the use of resources by priority.
SRG-OS-000225-NA Medium The operating system must uniquely identify source domains for information transfer.
SRG-OS-000165-NA Medium The operating system must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.
SRG-OS-000226-NA Medium The operating system must uniquely authenticate source domains for information transfer.
RHEL-06-000235 Medium The SSH daemon must not allow host-based authentication.
RHEL-06-000397-PNF Medium The operating system must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
RHEL-06-000108 Medium The system must employ a local IPv6 firewall.
RHEL-06-000109 Medium The system must employ a local IPv6 firewall.
RHEL-06-000359-PF Medium The operating system must dynamically manage user privileges and associated access authorizations.
RHEL-06-000102 Medium The system must employ a local IPv6 firewall.
RHEL-06-000103 Medium The system must employ a local IPv6 firewall.
RHEL-06-000100 Medium The system must employ a local IPv6 firewall.
RHEL-06-000101 Medium The system must employ a local IPv6 firewall.
RHEL-06-000106 Medium The system must employ a local IPv6 firewall.
RHEL-06-000107 Medium The system must employ a local IPv6 firewall.
RHEL-06-000104 Medium The system must employ a local IPv6 firewall.
RHEL-06-000105 Medium The system must employ a local IPv6 firewall.
RHEL-06-000065 Medium The system boot loader configuration file(s) must be owned by root.
RHEL-06-000064 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
RHEL-06-000067 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
RHEL-06-000066 Medium The system boot loader configuration file(s) must be group-owned by root.
RHEL-06-000061 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
RHEL-06-000430-PNF Medium The operating system must protect the integrity of transmitted information.
RHEL-06-000063 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
RHEL-06-000062 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
RHEL-06-000233 Medium The SSH daemon must ignore .rhosts files.
RHEL-06-000069 Medium The system must require authentication upon booting into single-user and maintenance modes.
RHEL-06-000068 Medium The system boot loader must require authentication.
SRG-OS-000168-NA Medium The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
RHEL-06-000372-PF Medium The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
SRG-OS-000162-NA Medium The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
SRG-OS-000227-NA Medium The operating system must provide additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device.
RHEL-06-000432-PNF Medium The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
SRG-OS-000223-NA Medium The operating system, when transferring information between different security domains, must detect unsanctioned information.
RHEL-06-000203 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
RHEL-06-000293 Medium The system must prohibit the reuse of passwords within twenty-four iterations.
SRG-OS-000001-NA Medium The operating system must provide automated support for account management functions.
RHEL-06-000384A Medium Audit log files must be owned by root.
RHEL-06-000384B Medium Audit log files must be group-owned by root.
SRG-OS-000164-NA Medium The operating system must establish a trusted communications path between the user and organization-defined security functions within the operating system.
RHEL-06-000331 Medium The Bluetooth service must be disabled.
RHEL-06-000474-PNF Medium The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
RHEL-06-000454-PNF Medium The operating system must employ organization-defined information system components with no writeable storage that are persistent across component restart or power on/off.
RHEL-06-000389-PNF Medium The operating system, for PKI-based authentication must validate certificates by constructing a certification path with status information to an accepted trust anchor.
RHEL-06-000094 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
SRG-OS-000155-NA Medium The operating system must employ automated mechanisms to enforce strict adherence to protocol format.
RHEL-06-000456-PNF Medium The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.
SRG-OS-000006-NA Medium The operating system must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands.
RHEL-06-000159 Medium The system must retain enough rotated audit logs to cover the required log retention period.
RHEL-06-000158 Medium Auditing must be enabled at boot by setting a kernel parameter.
SRG-OS-000179-NA Medium The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
RHEL-06-000512-PF Medium The audit system must alert designated staff members when audit storage volume is full.
RHEL-06-000029 Medium Default system accounts, other than root, must be locked.
RHEL-06-000421-PNF Medium The operating system must not share resources used to interface with systems operating at different security levels.
RHEL-06-000021 Medium The system must use a Linux Security Module configured to enforce limits on system services.
RHEL-06-000020 Medium The system must use a Linux Security Module configured to enforce limits on system services.
RHEL-06-000022 Medium The system must use a Linux Security Module configured to enforce limits on system services.
RHEL-06-000027 Medium The system must prevent the root account from logging in from virtual consoles.
SRG-OS-000167-NA Medium The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
SRG-OS-000224-NA Medium The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy.
RHEL-06-000282 Medium There must be no world-writable files on the system.
SRG-OS-000268-NA Medium The operating system must take corrective actions, when unauthorized mobile code is identified.
SRG-OS-000222-NA Medium The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization-defined information security policy requirements.
SRG-OS-000235-NA Medium The operating system must notify the user of organization-defined security-related changes to the user's account that occur during the organization-defined time period.
RHEL-06-000154 Medium Auditing must be implemented.
RHEL-06-000157 Medium Auditing must be enabled at boot by setting a kernel parameter.
RHEL-06-000156 Medium Auditing must be implemented.
RHEL-06-000098 Medium The IPv6 protocol handler must not be bound to the network stack unless needed.
RHEL-06-000099 Medium The system must ignore ICMPv6 redirects by default.
SRG-OS-000013-NA Medium The operating system must enforce organization-defined limitations on the embedding of data types within other data types.
RHEL-06-000095 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
RHEL-06-000096 Medium The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
RHEL-06-000097 Medium The system must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-06-000090 Medium The system must not accept ICMPv4 secure redirect packets by default.
RHEL-06-000378-PNF Medium The operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
SRG-OS-000205-NA Medium The operating system must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
RHEL-06-000139 Medium Auditing must be implemented.
SRG-OS-000234-NA Medium The operating system must notify the user of the number of unsuccessful login/access attempts that occur during organization-defined time period.
SRG-OS-000154-NA Medium The operating system must prevent discovery of specific system components (or devices) composing a managed interface.
RHEL-06-000278 Medium The system package management tool must verify permissions on all files and directories associated with the "audit" package
RHEL-06-000279 Medium The system package management tool must verify ownership on all files and directories associated with the "audit" package.
RHEL-06-000414-PNF Medium The operating system must separate user functionality (including user interface services) from operating system management functionality.
RHEL-06-000419-PNF Medium The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
RHEL-06-000270 Medium Remote file systems must be mounted with the "nosuid" option.
RHEL-06-000387-PNF Medium The operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system.
SRG-OS-000102-NA Medium The operating system must implement transaction recovery for transaction-based systems.
SRG-OS-000068-NA Medium The operating system, for PKI-based authentication must map the authenticated identity to the user account.
RHEL-06-000368-PNF Medium The operating system must provide the capability for a privileged administrator to enable/disable organization-defined security policy filters.
RHEL-06-000485-PNF Medium The operating system must support and maintain the binding of organization-defined security attributes to information in storage.
SRG-OS-000210-NA Medium The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
SRG-OS-000101-NA Medium The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.
RHEL-06-000506 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon or access via a local console or tty.
RHEL-06-000507 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
RHEL-06-000504 Medium The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
RHEL-06-000505 Medium The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
RHEL-06-000503 Medium The system must have USB Mass Storage disabled unless needed.
SRG-OS-000156-NA Medium The operating system must fail securely in the event of an operational failure of a boundary protection device.
RHEL-06-000119 Medium The system must employ a local IPv4 firewall.
RHEL-06-000118 Medium The system must employ a local IPv4 firewall.
RHEL-06-000445-PF Medium The operating system must validate the integrity of security attributes exchanged between systems.
RHEL-06-000424-PNF Medium The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
RHEL-06-000111 Medium The system must employ a local IPv4 firewall.
RHEL-06-000110 Medium The system must employ a local IPv4 firewall.
RHEL-06-000113 Medium The system must employ a local IPv4 firewall.
RHEL-06-000112 Medium The system must employ a local IPv4 firewall.
RHEL-06-000115 Medium The system must employ a local IPv4 firewall.
RHEL-06-000114 Medium The system must employ a local IPv4 firewall.
RHEL-06-000117 Medium The system must employ a local IPv4 firewall.
RHEL-06-000116 Medium The system must employ a local IPv4 firewall.
RHEL-06-000050 Medium The system must require passwords to contain a minimum of 14 characters.
RHEL-06-000051 Medium Users must not be able to change passwords more than once every 24 hours.
RHEL-06-000053 Medium User passwords must be changed at least every 60 days.
RHEL-06-000420-PNF Medium The operating system must prevent unauthorized and unintended information transfer via shared system resources.
SRG-OS-000211-NA Medium The operating system must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
RHEL-06-000274 Medium The system must prohibit the reuse of passwords within twenty-four iterations.
RHEL-06-000381-PNF Medium The operating system must support an audit reduction capability.
RHEL-06-000327-PF Medium The operating system, upon successful logon, must display to the user the date and time of the last logon (access) via GUI.
SRG-OS-000012-NA Medium The operating system must prevent encrypted data from bypassing content checking mechanisms.
RHEL-06-000431-PNF Medium The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
SRG-OS-000217-NA Medium The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
RHEL-06-000234 Medium The SSH daemon must ignore .rhosts files.
SRG-OS-000216-NA Medium The operating system must use cryptographic mechanisms to protect the integrity of audit information.
RHEL-06-000236 Medium The SSH daemon must not allow host-based authentication.
RHEL-06-000237 Medium The system must not permit root logins using remote access programs such as ssh.
SRG-OS-000188-NA Medium The operating system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media.
RHEL-06-000396-PNF Medium The operating system must bind security attributes to information to facilitate information flow policy enforcement.
SRG-OS-000130-NA Medium The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
RHEL-06-000376-PNF Medium The operating system must produce audit records containing sufficient information to establish where the events occurred.
RHEL-06-000288 Medium The sendmail package must be removed.
RHEL-06-000281 Medium The system package management tool must verify contents of all files associated with the audit package.
RHEL-06-000280 Medium The system package management tool must verify group-ownership on all files and directories associated with the "audit" package.
RHEL-06-000458-PNF Medium The operating system must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
RHEL-06-000398-PNF Medium The operating system must enforce logical access restrictions associated with changes to the information system.
RHEL-06-000309 Medium The NFS server must not have the insecure file locking option enabled.
RHEL-06-000302 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
RHEL-06-000303 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
RHEL-06-000304 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
RHEL-06-000305 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
RHEL-06-000306 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
RHEL-06-000307 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
RHEL-06-000373-PNF Medium The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
SRG-OS-000060-NA Medium The operating system must produce audit records on hardware-enforced, write-once media.
SRG-OS-000092-NA Medium The operating system must employ automated mechanisms to centrally apply configuration settings.
SRG-OS-000238-NA Medium The operating system must support and maintain the binding of organization-defined security attributes to information in transmission.
SRG-OS-000252-NA Medium The operating system must provide the capability to capture/record and log all content related to a user session.
RHEL-06-000464-PNF Medium The operating system must check the validity of information inputs.
RHEL-06-000411-PNF Medium The operating system must dynamically manage identifiers, attributes, and associated access authorizations.
RHEL-06-000465-PNF Medium The operating system must support the requirement that organizations, if an information system component failure is detected must activate an organization-defined alarm and/or automatically shuts down the operating system.
SRG-OS-000153-NA Medium The operating system must route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
RHEL-06-000492-PNF Medium The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.
SRG-OS-000091-NA Medium The operating system must enforce a two-person rule for changes to organization-defined information system components and system-level information.
RHEL-06-000412-PNF Medium The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
RHEL-06-000501-PF Medium The operating system must take organization-defined list of least disruptive actions to terminate suspicious events.
RHEL-06-000466-PNF Medium The operating system must associate the identity of the information producer with the information.
RHEL-06-000491-PNF Medium The operating system must only allow authorized users to associate security attributes with information.
SRG-OS-000093-NA Medium The operating system must employ automated mechanisms to centrally verify configuration settings.
RHEL-06-000016 Medium A file integrity tool must be installed.
RHEL-06-000017 Medium The system must use a Linux Security Module at boot time.
RHEL-06-000371-PF Medium The operating system, upon successful logon, must display to the user the date and time of the last logon (access) via GUI.
RHEL-06-000018 Medium The system must use a Linux Security Module at boot time.
RHEL-06-000473-PNF Medium The operating system must enforce an organization-defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both.
SRG-OS-000251-NA Medium The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
RHEL-06-000149-PNF Medium The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
RHEL-06-000160 Medium The system must set a maximum audit log file size.
RHEL-06-000161 Medium The system must rotate audit log files that reach the maximum file size.
RHEL-06-000089 Medium The system must not accept IPv4 source-routed packets by default.
RHEL-06-000083 Medium The system must not accept IPv4 source-routed packets on any interface.
RHEL-06-000081 Medium The system must not send ICMPv4 redirects from any interface.
RHEL-06-000080 Medium The system must not send ICMPv4 redirects by default.
RHEL-06-000087 Medium The system must not accept ICMPv4 secure redirect packets on any interface.
RHEL-06-000086 Medium The system must not accept ICMPv4 secure redirect packets on any interface.
RHEL-06-000085 Medium The system must not accept ICMPv4 redirect packets on any interface.
RHEL-06-000084 Medium The system must not accept ICMPv4 redirect packets on any interface.
RHEL-06-000312-PF Medium The operating system must validate the binding of the information producer's identity to the information.
RHEL-06-000490-PNF Medium The operating system must maintain the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.
RHEL-06-000489-PNF Medium The operating system must only allow authorized entities to change security attributes.
SRG-OS-000019-NA Medium The operating system must implement separation of duties through assigned information system access authorizations.
RHEL-06-000348 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
RHEL-06-000349 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
RHEL-06-000347 Medium There must be no .netrc files on the system.
RHEL-06-000340 Medium The snmpd service must use only SNMP protocol version 3 or newer.
RHEL-06-000341 Medium The snmpd service must not use a default password.
RHEL-06-000388-PNF Medium The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
RHEL-06-000269 Medium Remote file systems must be mounted with the "nodev" option.
SRG-OS-000177-NA Medium The operating system must associate security attributes with information exchanged between information systems.
RHEL-06-000486-PNF Medium The operating system must support and maintain the binding of organization-defined security attributes to information in process.
RHEL-06-000048 Medium All system command files must be owned by root.
SRG-OS-000261-NA Medium The operating system uniquely must identify destination domains for information transfer.
RHEL-06-000042 Medium The /etc/group file must be owned by root.
RHEL-06-000393-PF Medium The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage.
RHEL-06-000418-PNF Medium The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
RHEL-06-000379-PNF Medium The operating system must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
RHEL-06-000511 Medium The audit system must take appropriate action when there are disk errors on the audit storage volume.
RHEL-06-000510 Medium The audit system must take appropriate action when the audit storage volume is full.
SRG-OS-000219-NA Medium The operating system must monitor for atypical usage of operating system accounts.
SRG-OS-000175-NA Medium The operating system must prohibit remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.
RHEL-06-000124 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
RHEL-06-000125 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
RHEL-06-000127 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
RHEL-06-000120 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.
RHEL-06-000121 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.
RHEL-06-000122 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.
RHEL-06-000123 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.
RHEL-06-000047 Medium All system command files must have mode 0755 or less permissive.
RHEL-06-000046 Medium Library files must be owned by root.
RHEL-06-000045 Medium Library files must have mode 0755 or less permissive.
RHEL-06-000044 Medium The /etc/group file must have mode 0644 or less permissive.
RHEL-06-000043 Medium The /etc/group file must be group-owned by root.
RHEL-06-000140-PNF Medium The operating system audit records must be able to be used by a report generation capability.
RHEL-06-000041 Medium The /etc/passwd file must have mode 0644 or less permissive.
RHEL-06-000040 Medium The /etc/passwd file must be group-owned by root.
RHEL-06-000416-PNF Medium The operating system must isolate security functions from nonsecurity functions.
RHEL-06-000457-PNF Medium The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
RHEL-06-000459-PNF Medium The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
SRG-OS-000180-NA Medium The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
SRG-OS-000122-NA Medium The operating system must implement a configurable capability to automatically disable the operating system if any of the organization-defined lists of security violations are detected.
RHEL-06-000461-PF Medium The operating system must provide notification of failed automated security tests.
SRG-OS-000267-NA Medium The operating system must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths.
SRG-OS-000174-NA Medium The operating system must protect the integrity and availability of publicly available information and applications.
RHEL-06-000383 Medium Audit log files must have mode 0640 or less permissive.
RHEL-06-000385 Medium Audit log directories must have mode 0755 or less permissive.
RHEL-06-000223 Medium The TFTP service must not be running.
RHEL-06-000222 Medium The tftp-server package must not be installed.
RHEL-06-000451-PNF Medium The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
RHEL-06-000220 Medium The ypserv package must not be installed.
RHEL-06-000224 Medium The cron service must be running.
SRG-OS-000214-NA Medium The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
SRG-OS-000173-NA Medium The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures.
RHEL-06-000488-PNF Medium The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
SRG-OS-000263-NA Medium The operating system must track problems associated with the information transfer.
RHEL-06-000353 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
RHEL-06-000151-PF Medium The operating system must fail to an organization-defined known state for organization-defined types of failures.
RHEL-06-000316 Medium The Bluetooth kernel module must be disabled.
RHEL-06-000315 Medium The Bluetooth kernel module must be disabled.
RHEL-06-000314 Medium The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
RHEL-06-000313 Medium The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
RHEL-06-000311 Medium The audit system must alert designated staff members when the audit storage volume approaches capacity.
RHEL-06-000259 Medium The graphical desktop environment must have automatic lock enabled.
RHEL-06-000257 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes.
RHEL-06-000254 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using trust certificates signed by the site CA.
RHEL-06-000255 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using trust certificates signed by the site CA.
RHEL-06-000252 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
RHEL-06-000253 Medium The LDAP client must use a TLS connection using trust certificates signed by the site CA.
RHEL-06-000250 Medium The LDAP client must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SRG-OS-000172-NA Medium The operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals.
SRG-OS-000014-NA Medium The operating system must enforce information flow control on metadata.
RHEL-06-000382-PNF Medium The operating system must use internal system clocks to generate time stamps for audit records.
SRG-OS-000262-NA Medium The operating system uniquely must authenticate destination domains for information transfer.
RHEL-06-000374-PNF Medium The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
RHEL-06-000332 Medium The Bluetooth service must be disabled.
RHEL-06-000221 Medium The ypbind service must not be running.
RHEL-06-000005 Medium The audit system must alert designated staff members when the audit storage volume approaches capacity.
SRG-OS-000083-NA Medium The operating system must enforce security policies regarding information on interconnected systems.
RHEL-06-000369-PNF Medium The operating system must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies.
RHEL-06-000375-PNF Medium The operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred.
SRG-OS-000008-NA Medium The operating system must prevent access to organization-defined security-relevant information except during secure, non-operable system states.
RHEL-06-000072 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
RHEL-06-000073 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
RHEL-06-000070 Medium The system must not permit interactive boot.
RHEL-06-000380-PNF Medium Operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system.
RHEL-06-000078 Medium The system must implement virtual address space randomization.
RHEL-06-000079 Medium The system must limit the ability of processes to have simultaneous write and execute access to memory.
SRG-OS-000183-NA Medium The operating system must prevent the automatic execution of mobile code in organization-defined software applications and must require organization-defined actions prior to executing the code.
RHEL-06-000497-PNF Medium The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
SRG-OS-000115-NA Medium The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.
SRG-OS-000233-NA Medium The operating system must notify the user of the number of successful logins/accesses that occur during the organization-defined time period.
RHEL-06-000493-PNF Medium The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
RHEL-06-000352 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
RHEL-06-000351 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
RHEL-06-000350 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
RHEL-06-000357 Medium The system must disable accounts after excessive login failures within a 15-minute interval.
RHEL-06-000356 Medium The system must require administrator action to unlock an account locked by excessive failed login attempts.
RHEL-06-000355 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
RHEL-06-000354 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
RHEL-06-000162 Medium The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
RHEL-06-000163 Medium The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
SRG-OS-000182-NA Medium The operating system must prevent the download of prohibited mobile code.
RHEL-06-000322 Low The system must provide VPN connectivity for communications over untrusted networks.
RHEL-06-000321 Low The system must provide VPN connectivity for communications over untrusted networks.
RHEL-06-000137 Low The system must use a remote syslog server (loghost).
RHEL-06-000136 Low The system must use a remote syslog server (loghost).
RHEL-06-000246 Low The avahi service must be disabled.
RHEL-06-000241 Low The SSH daemon must not permit user environment settings.
RHEL-06-000319 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
RHEL-06-000343 Low The system default umask for the csh shell must be 077.
RHEL-06-000201 Low The audit system must be configured to audit changes to the "/etc/sudoers" file.
RHEL-06-000200 Low The audit system must be configured to audit user deletions of files and programs.
RHEL-06-000202 Low The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
RHEL-06-000204 Low The xinetd service must be uninstalled if no network services utilizing it are enabled.
RHEL-06-000191 Low The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
RHEL-06-000190 Low The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
RHEL-06-000193 Low The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
RHEL-06-000192 Low The audit system must be configured to audit all discretionary access control permission modifications using lchown.
RHEL-06-000195 Low The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
RHEL-06-000194 Low The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
RHEL-06-000197 Low The audit system must be configured to audit failed attempts to access files and programs.
RHEL-06-000196 Low The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
RHEL-06-000199 Low The audit system must be configured to audit successful file system mounts.
RHEL-06-000198 Low The audit system must be configured to audit all use of setuid programs.
RHEL-06-000298 Low Temporary and emergency accounts must be provisioned with an expiration date.
RHEL-06-000299 Low The system must require passwords to contain no more than three consecutive repeating characters.
RHEL-06-000292 Low The DHCP client must be disabled if not needed.
RHEL-06-000290 Low X Windows must not be enabled unless required.
RHEL-06-000291 Low The xorg-x11-server-common (X Windows) package must not be installed, unless required.
RHEL-06-000296 Low All accounts on the system must have unique user or account names
RHEL-06-000297 Low Temporary and emergency accounts must be provisioned with an expiration date.
RHEL-06-000294 Low All GIDs referenced in /etc/passwd must be defined in /etc/group
RHEL-06-000295 Low All accounts on the system must have unique user or account names.
RHEL-06-000339 Low The FTP daemon must be configured for logging or verbose mode.
RHEL-06-000335 Low Accounts must be locked upon 35 days of inactivity.
RHEL-06-000334 Low Accounts must be locked upon 35 days of inactivity.
RHEL-06-000337 Low All public directories must be owned by a system account.
RHEL-06-000336 Low The sticky bit must be set on all public directories.
RHEL-06-000028 Low The system must prevent the root account from logging in from serial consoles.
RHEL-06-000023 Low The system must use a Linux Security Module configured to limit the privileges of system services.
RHEL-06-000025 Low All device files must be monitored by the system Linux Security Module.
RHEL-06-000024 Low The system must use a Linux Security Module configured to limit the privileges of system services.
RHEL-06-000026 Low All device files must be monitored by the system Linux Security Module.
RHEL-06-000060 Low The system must require at least four characters be changed between the old and new passwords during a password change.
RHEL-06-000091 Low The system must ignore IPv4 ICMP redirect messages.
RHEL-06-000092 Low The system must not respond to ICMPv4 sent to a broadcast address.
RHEL-06-000093 Low The system must ignore ICMPv4 bogus error responses.
RHEL-06-000138 Low System logs must be rotated daily.
RHEL-06-000271 Low The noexec option must be added to removable media partitions.
RHEL-06-000272 Low The system must use SMB client signing for connecting to samba servers using smbclient.
RHEL-06-000273 Low The system must use SMB client signing for connecting to samba servers using mount.cifs.
RHEL-06-000275 Low The operating system must employ cryptographic mechanisms to protect information in storage.
RHEL-06-000276 Low The operating system must employ cryptographic mechanisms to protect information in storage.
RHEL-06-000277 Low The operating system must employ cryptographic mechanisms to protect information in storage.
RHEL-06-000508 Low The system must allow locking of graphical desktop sessions.
RHEL-06-000509 Low The system must forward audit records to the syslog service.
RHEL-06-000054 Low Users must be warned 14 days in advance of password expiration.
RHEL-06-000055 Low The system must reject session authentication after three consecutive failed authentication attempts.
RHEL-06-000056 Low The system must require passwords to contain at least one numeric character.
RHEL-06-000057 Low The system must require passwords to contain at least one uppercase alphabetic character.
RHEL-06-000058 Low The system must require passwords to contain at least one special character.
RHEL-06-000059 Low The system must require passwords to contain at least one lowercase alphabetic character.
RHEL-06-000230 Low The SSH daemon must set a timeout interval on idle sessions.
RHEL-06-000231 Low The SSH daemon must set a timeout count on idle sessions.
RHEL-06-000232 Low The SSH daemon must set a timeout count on idle sessions.
RHEL-06-000289 Low The netconsole service must be disabled unless required.
RHEL-06-000287 Low The postfix service must be enabled for mail delivery.
RHEL-06-000308 Low Process core dumps must be disabled unless needed.
RHEL-06-000300 Low All files and directories must have a valid owner.
RHEL-06-000301 Low All files must be owned by a group.
RHEL-06-000071 Low The system must allow locking of the console screen.
RHEL-06-000088 Low The system must log Martian packets.
RHEL-06-000165 Low The audit system must be configured to audit all attempts to alter system time through adjtimex.
RHEL-06-000167 Low The audit system must be configured to audit all attempts to alter system time through settimeofday.
RHEL-06-000169 Low The audit system must be configured to audit all attempts to alter system time through stime.
RHEL-06-000344 Low The system default umask in /etc/profile must be 077.
RHEL-06-000345 Low The system default umask in /etc/login.defs must be 077.
RHEL-06-000346 Low The system default umask for daemons must be 027 or 022.
RHEL-06-000342 Low The system default umask for the bash shell must be 077.
RHEL-06-000267 Low The qpidd service must not be running.
RHEL-06-000266 Low The oddjobd service must not be running.
RHEL-06-000265 Low The ntpdate service must not be running.
RHEL-06-000264 Low Automated file system mounting tools must not be enabled unless needed.
RHEL-06-000263 Low Automated file system mounting tools must not be enabled unless needed.
RHEL-06-000262 Low The atd service must be disabled.
RHEL-06-000261 Low The Automatic Bug Reporting Tool (abrtd) service must not be running.
RHEL-06-000260 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
RHEL-06-000268 Low The rdisc service must not be running.
RHEL-06-000049 Low Audit log files must have mode 0640 or less permissive.
RHEL-06-000519 Low The system package management tool must verify contents of all files associated with packages.
RHEL-06-000518 Low The system package management tool must verify permissions on all files and directories associated with packages.
RHEL-06-000515 Low The NFS server must not have the all_squash option enabled.
RHEL-06-000517 Low The system package management tool must verify group-ownership on all files and directories associated with packages.
RHEL-06-000516 Low The system package management tool must verify ownership on all files and directories associated with packages.
RHEL-06-000126 Low The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
RHEL-06-000229 Low The SSH daemon must set a timeout interval on idle sessions.
RHEL-06-000317 Low The system must have USB Mass Storage disabled unless needed.
RHEL-06-000256 Low The openldap-servers package must not be installed unless required.
RHEL-06-000318 Low The system must have USB Mass Storage disabled unless needed.
RHEL-06-000003 Low The system must use a separate file system for /var/log.
RHEL-06-000002 Low The system must use a separate file system for /var.
RHEL-06-000001 Low The system must use a separate file system for /tmp.
RHEL-06-000007 Low The system must use a separate file system for user home directories.
RHEL-06-000006 Low The system must use a separate file system for the system audit data path.
RHEL-06-000004 Low The system must use a separate file system for the system audit data path.
RHEL-06-000009 Low The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
RHEL-06-000179 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000178 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000177 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000176 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000175 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000174 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000173 Low The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
RHEL-06-000171 Low The audit system must be configured to audit all attempts to alter system time through clock_settime.
RHEL-06-000182 Low The audit system must be configured to audit modifications to the systems network configuration.
RHEL-06-000183 Low The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
RHEL-06-000180 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000181 Low The audit system must be configured to audit account creation and modification.
RHEL-06-000186 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
RHEL-06-000187 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
RHEL-06-000184 Low The audit system must be configured to audit all discretionary access control permission modifications using chmod.
RHEL-06-000185 Low The audit system must be configured to audit all discretionary access control permission modifications using chown.
RHEL-06-000188 Low The audit system must be configured to audit all discretionary access control permission modifications using fchown.
RHEL-06-000189 Low The audit system must be configured to audit all discretionary access control permission modifications using fchownat.