Red Hat Enterprise Linux 6 Security Technical Implementation Guide


Overview

Date: 2014-06-10
Finding Count (178): CAT I (High): 12, CAT II (Med): 88, CAT III (Low): 78
STIG Description
The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-38701 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-38491 High There must be no .rhosts or hosts.equiv files on the system.
V-38497 High The system must not have accounts configured with blank or null passwords.
V-38476 High Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
V-38607 High The SSH daemon must be configured to use only the SSHv2 protocol.
V-38602 High The rlogind service must not be running.
V-38614 High The SSH daemon must not allow authentication using an empty password.
V-38594 High The rshd service must not be running.
V-38591 High The rsh-server package must not be installed.
V-38598 High The rexecd service must not be running.
V-38587 High The telnet-server package must not be installed.
V-38589 High The telnet daemon must not be running.
V-38612 Medium The SSH daemon must not allow host-based authentication.
V-38459 Medium The /etc/group file must be group-owned by root.
V-51363 Medium The system must use a Linux Security Module configured to enforce limits on system services.
V-38499 Medium The /etc/passwd file must not contain password hashes.
V-38451 Medium The /etc/passwd file must be group-owned by root.
V-38458 Medium The /etc/group file must be owned by root.
V-38492 Medium The system must prevent the root account from logging in from virtual consoles.
V-38490 Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
V-38443 Medium The /etc/gshadow file must be owned by root.
V-38526 Medium The system must not accept ICMPv4 secure redirect packets on any interface.
V-38524 Medium The system must not accept ICMPv4 redirect packets on any interface.
V-38489 Medium A file integrity tool must be installed.
V-38523 Medium The system must not accept IPv4 source-routed packets on any interface.
V-38520 Medium The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
V-38521 Medium The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
V-38466 Medium Library files must be owned by root.
V-38461 Medium The /etc/group file must have mode 0644 or less permissive.
V-38469 Medium All system command files must have mode 0755 or less permissive.
V-38498 Medium Audit log files must have mode 0640 or less permissive.
V-38555 Medium The system must employ a local IPv4 firewall.
V-51875 Medium The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-38495 Medium Audit log files must be owned by root.
V-38671 Medium The sendmail package must be removed.
V-38674 Medium X Windows must not be enabled unless required.
V-38679 Medium The DHCP client must be disabled if not needed.
V-38475 Medium The system must require passwords to contain a minimum of 14 characters.
V-38477 Medium Users must not be able to change passwords more than once every 24 hours.
V-38470 Medium The audit system must alert designated staff members when the audit storage volume approaches capacity.
V-38472 Medium All system command files must be owned by root.
V-38479 Medium User passwords must be changed at least every 60 days.
V-38542 Medium The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
V-38544 Medium The system must use a reverse-path filter for IPv4 network traffic when possible by default.
V-38546 Medium The IPv6 protocol handler must not be bound to the network stack unless needed.
V-38548 Medium The system must ignore ICMPv6 redirects by default.
V-38529 Medium The system must not accept IPv4 source-routed packets by default.
V-38688 Medium A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-38680 Medium The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
V-38606 Medium The tftp-server package must not be installed.
V-38605 Medium The cron service must be running.
V-38604 Medium The ypbind service must not be running.
V-38603 Medium The ypserv package must not be installed.
V-38601 Medium The system must not send ICMPv4 redirects from any interface.
V-38600 Medium The system must not send ICMPv4 redirects by default.
V-38449 Medium The /etc/gshadow file must have mode 0000.
V-38448 Medium The /etc/gshadow file must be group-owned by root.
V-38579 Medium The system boot loader configuration file(s) must be owned by root.
V-38613 Medium The system must not permit root logins using remote access programs such as ssh.
V-38574 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
V-38577 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
V-38576 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
V-38573 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-38518 Medium All rsyslog-generated log files must be owned by root.
V-38517 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
V-38515 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-38514 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-38513 Medium The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-38691 Medium The Bluetooth service must be disabled.
V-38511 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-38615 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-38611 Medium The SSH daemon must ignore .rhosts files.
V-38457 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-38450 Medium The /etc/passwd file must be owned by root.
V-51337 Medium The system must use a Linux Security Module at boot time.
V-38585 Medium The system boot loader must require authentication.
V-38582 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
V-38504 Medium The /etc/shadow file must have mode 0000.
V-38500 Medium The root account must be the only account having a UID of 0.
V-38501 Medium The system must disable accounts after excessive login failures within a 15-minute interval.
V-38502 Medium The /etc/shadow file must be owned by root.
V-38503 Medium The /etc/shadow file must be group-owned by root.
V-38621 Medium The system clock must be synchronized to an authoritative DoD time source.
V-38620 Medium The system clock must be synchronized continuously, or at least daily.
V-38586 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-38580 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-38581 Medium The system boot loader configuration file(s) must be group-owned by root.
V-38583 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
V-38629 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes.
V-38588 Medium The system must not permit interactive boot.
V-38483 Medium The system package management tool must cryptographically verify the authenticity of system software packages during installation.
V-38539 Medium The system must be configured to use TCP syncookies.
V-38532 Medium The system must not accept ICMPv4 secure redirect packets by default.
V-38512 Medium The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-38638 Medium The graphical desktop environment must have automatic lock enabled.
V-38636 Medium The system must retain enough rotated audit logs to cover the required log retention period.
V-38634 Medium The system must rotate audit log files that reach the maximum file size.
V-38633 Medium The system must set a maximum audit log file size.
V-38630 Medium The graphical desktop environment must automatically lock after 15 minutes of inactivity, and the system must require the user to re-authenticate to unlock the environment.
V-38622 Medium Mail relaying must be restricted.
V-38649 Low The system default umask for the csh shell must be 077.
V-38648 Low The qpidd service must not be running.
V-38642 Low The system default umask for daemons must be 027 or 022.
V-38641 Low The atd service must be disabled.
V-38640 Low The Automatic Bug Reporting Tool (abrtd) service must not be running.
V-38647 Low The system default umask in /etc/profile must be 077.
V-38646 Low The oddjobd service must not be running.
V-38645 Low The system default umask in /etc/login.defs must be 077.
V-38644 Low The ntpdate service must not be running.
V-51369 Low The system must use a Linux Security Module configured to limit the privileges of system services.
V-38650 Low The rdisc service must not be running.
V-38651 Low The system default umask for the bash shell must be 077.
V-38656 Low The system must use SMB client signing for connecting to samba servers using smbclient.
V-38558 Low The audit system must be configured to audit all discretionary access control permission modifications using lchown.
V-38527 Low The audit system must be configured to audit all attempts to alter system time through clock_settime.
V-38525 Low The audit system must be configured to audit all attempts to alter system time through stime.
V-38487 Low The system package management tool must cryptographically verify the authenticity of all software packages during installation.
V-38480 Low Users must be warned 7 days in advance of password expiration.
V-38528 Low The system must log Martian packets.
V-38482 Low The system must require passwords to contain at least one numeric character.
V-38669 Low The postfix service must be enabled for mail delivery.
V-38467 Low The system must use a separate file system for the system audit data path.
V-38463 Low The system must use a separate file system for /var/log.
V-38552 Low The audit system must be configured to audit all discretionary access control permission modifications using fchown.
V-38550 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
V-38557 Low The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
V-38556 Low The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
V-38554 Low The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
V-38522 Low The audit system must be configured to audit all attempts to alter system time through settimeofday.
V-38559 Low The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
V-38494 Low The system must prevent the root account from logging in from serial consoles.
V-38672 Low The netconsole service must be disabled unless required.
V-38676 Low The xorg-x11-server-common (X Windows) package must not be installed, unless required.
V-38675 Low Process core dumps must be disabled unless needed.
V-38473 Low The system must use a separate file system for user home directories.
V-38536 Low The operating system must automatically audit account disabling actions.
V-38478 Low The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
V-38541 Low The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
V-38543 Low The audit system must be configured to audit all discretionary access control permission modifications using chmod.
V-38545 Low The audit system must be configured to audit all discretionary access control permission modifications using chown.
V-38547 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
V-38687 Low The system must provide VPN connectivity for communications over untrusted networks.
V-38684 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-38608 Low The SSH daemon must set a timeout interval on idle sessions.
V-38578 Low The audit system must be configured to audit changes to the /etc/sudoers file.
V-38575 Low The audit system must be configured to audit user deletions of files and programs.
V-38571 Low The system must require passwords to contain at least one lowercase alphabetic character.
V-38570 Low The system must require passwords to contain at least one special character.
V-38572 Low The system must require at least four characters be changed between the old and new passwords during a password change.
V-38699 Low All public directories must be owned by a system account.
V-38516 Low The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
V-38616 Low The SSH daemon must not permit user environment settings.
V-38610 Low The SSH daemon must set a timeout count on idle sessions.
V-38590 Low The system must allow locking of the console screen in text mode.
V-38456 Low The system must use a separate file system for /var.
V-38455 Low The system must use a separate file system for /tmp.
V-38618 Low The avahi service must be disabled.
V-38568 Low The audit system must be configured to audit successful file system mounts.
V-38569 Low The system must require passwords to contain at least one uppercase alphabetic character.
V-38563 Low The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
V-38561 Low The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
V-38565 Low The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
V-38627 Low The openldap-servers package must not be installed unless required.
V-38584 Low The xinetd service must be uninstalled if no network services utilizing it are enabled.
V-38694 Low The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
V-38538 Low The operating system must automatically audit account termination.
V-38697 Low The sticky bit must be set on all public directories.
V-38531 Low The operating system must automatically audit account creation.
V-38530 Low The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-38533 Low The system must ignore ICMPv4 redirect messages by default.
V-38535 Low The system must not respond to ICMPv4 sent to a broadcast address.
V-38534 Low The operating system must automatically audit account modification.
V-38537 Low The system must ignore ICMPv4 bogus error responses.
V-38438 Low Auditing must be enabled at boot by setting a kernel parameter.
V-38692 Low Accounts must be locked upon 35 days of inactivity.
V-38639 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-38635 Low The audit system must be configured to audit all attempts to alter system time through adjtimex.
V-38437 Low Automated file system mounting tools must not be enabled unless needed.