
Red Hat Enterprise Linux 6 Security Technical Implementation Guide


Overview

Date: 2016-12-16
Finding Count (261): CAT I (High): 16, CAT II (Med): 144, CAT III (Low): 101
STIG Description
The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-38653 High The snmpd service must not use a default password.
V-38666 High The system must use and update a DoD-approved virus scan program.
V-38668 High The x86 Ctrl-Alt-Delete key sequence must be disabled.
V-38497 High The system must not have accounts configured with blank or null passwords.
V-38677 High The NFS server must not have the insecure file locking option enabled.
V-38476 High Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
V-38491 High There must be no .rhosts or hosts.equiv files on the system.
V-38607 High The SSH daemon must be configured to use only the SSHv2 protocol.
V-38602 High The rlogind service must not be running.
V-38594 High The rshd service must not be running.
V-38591 High The rsh-server package must not be installed.
V-38598 High The rexecd service must not be running.
V-38587 High The telnet-server package must not be installed.
V-38589 High The telnet daemon must not be running.
V-38701 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-38614 High The SSH daemon must not allow authentication using an empty password.
V-38612 Medium The SSH daemon must not allow host-based authentication.
V-38459 Medium The /etc/group file must be group-owned by root.
V-38643 Medium There must be no world-writable files on the system.
V-38551 Medium The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-51363 Medium The system must use a Linux Security Module configured to enforce limits on system services.
V-38499 Medium The /etc/passwd file must not contain password hashes.
V-38450 Medium The /etc/passwd file must be owned by root.
V-38581 Medium The system boot loader configuration file(s) must be group-owned by root.
V-38451 Medium The /etc/passwd file must be group-owned by root.
V-38458 Medium The /etc/group file must be owned by root.
V-38658 Medium The system must prohibit the reuse of passwords within five iterations.
V-38582 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
V-38652 Medium Remote file systems must be mounted with the nodev option.
V-38654 Medium Remote file systems must be mounted with the nosuid option.
V-38490 Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
V-38443 Medium The /etc/gshadow file must be owned by root.
V-38526 Medium The system must not accept ICMPv4 secure redirect packets on any interface.
V-38524 Medium The system must not accept ICMPv4 redirect packets on any interface.
V-38488 Medium The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
V-38520 Medium The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
V-38521 Medium The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
V-38484 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
V-38486 Medium The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-38481 Medium System security patches and updates must be installed and up-to-date.
V-38529 Medium The system must not accept IPv4 source-routed packets by default.
V-38665 Medium The system package management tool must verify group-ownership on all files and directories associated with the audit package.
V-38664 Medium The system package management tool must verify ownership on all files and directories associated with the audit package.
V-38667 Medium The system must have a host-based intrusion detection tool installed.
V-38660 Medium The snmpd service must use only SNMP protocol version 3 or newer.
V-38663 Medium The system package management tool must verify permissions on all files and directories associated with the audit package.
V-38446 Medium The mail system must forward all mail for root to one or more system administrators.
V-38466 Medium Library files must be owned by a system account.
V-38465 Medium Library files must have mode 0755 or less permissive.
V-38464 Medium The audit system must take appropriate action when there are disk errors on the audit storage volume.
V-38461 Medium The /etc/group file must have mode 0644 or less permissive.
V-38492 Medium The system must prevent the root account from logging in from virtual consoles.
V-38469 Medium All system command files must have mode 755 or less permissive.
V-38468 Medium The audit system must take appropriate action when the audit storage volume is full.
V-38553 Medium The operating system must prevent public IPv6 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-38498 Medium Audit log files must have mode 0640 or less permissive.
V-38555 Medium The system must employ a local IPv4 firewall.
V-51875 Medium The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-38493 Medium Audit log directories must have mode 0755 or less permissive.
V-38496 Medium Default operating system accounts, other than root, must be locked.
V-38523 Medium The system must not accept IPv4 source-routed packets on any interface.
V-38673 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
V-38670 Medium The operating system must detect unauthorized changes to software and information.
V-38671 Medium The sendmail package must be removed.
V-38674 Medium X Windows must not be enabled unless required.
V-38630 Medium The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
V-38678 Medium The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
V-58901 Medium The sudo command must require authentication.
V-38475 Medium The system must require passwords to contain a minimum of 15 characters.
V-38477 Medium Users must not be able to change passwords more than once every 24 hours.
V-38470 Medium The audit system must alert designated staff members when the audit storage volume approaches capacity.
V-38679 Medium The DHCP client must be disabled if not needed.
V-38479 Medium User passwords must be changed at least every 60 days.
V-54381 Medium The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
V-38445 Medium Audit log files must be group-owned by root.
V-38542 Medium The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
V-38544 Medium The system must use a reverse-path filter for IPv4 network traffic when possible by default.
V-38548 Medium The system must ignore ICMPv6 redirects by default.
V-38549 Medium The system must employ a local IPv6 firewall.
V-38472 Medium All system command files must be owned by root.
V-38689 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-38688 Medium A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-38686 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
V-38682 Medium The Bluetooth kernel module must be disabled.
V-38680 Medium The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
V-38606 Medium The tftp-server package must not be installed unless required.
V-38605 Medium The cron service must be running.
V-38604 Medium The ypbind service must not be running.
V-38603 Medium The ypserv package must not be installed.
V-38601 Medium The system must not send ICMPv4 redirects from any interface.
V-38600 Medium The system must not send ICMPv4 redirects by default.
V-38449 Medium The /etc/gshadow file must have mode 0000.
V-38448 Medium The /etc/gshadow file must be group-owned by root.
V-38609 Medium The TFTP service must not be running.
V-51391 Medium A file integrity baseline must be created.
V-38632 Medium The operating system must produce audit records containing sufficient information to establish what type of events occurred.
V-38579 Medium The system boot loader configuration file(s) must be owned by root.
V-38613 Medium The system must not permit root logins using remote access programs such as ssh.
V-38574 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
V-38577 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
V-38576 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
V-38489 Medium A file integrity tool must be installed.
V-38573 Medium The system must disable accounts after three consecutive unsuccessful logon attempts.
V-38698 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
V-38519 Medium All rsyslog-generated log files must be group-owned by root.
V-38518 Medium All rsyslog-generated log files must be owned by root.
V-38517 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
V-38515 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-38514 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-38691 Medium The Bluetooth service must be disabled.
V-38511 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-38597 Medium The system must limit the ability of processes to have simultaneous write and execute access to memory.
V-38596 Medium The system must implement virtual address space randomization.
V-38595 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-38593 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-38592 Medium The system must require administrator action to unlock an account locked by excessive failed login attempts.
V-38457 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-38495 Medium Audit log files must be owned by root.
V-38619 Medium There must be no .netrc files on the system.
V-38599 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-51337 Medium The system must use a Linux Security Module at boot time.
V-38585 Medium The system boot loader must require authentication.
V-43150 Medium The login user list must be disabled.
V-72817 Medium Wireless network adapters must be disabled.
V-57569 Medium The noexec option must be added to the /tmp partition.
V-38560 Medium The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-38444 Medium The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-38504 Medium The /etc/shadow file must have mode 0000.
V-38500 Medium The root account must be the only account having a UID of 0.
V-38501 Medium The system must disable accounts after excessive login failures within a 15-minute interval.
V-38502 Medium The /etc/shadow file must be owned by root.
V-38503 Medium The /etc/shadow file must be group-owned by root.
V-38621 Medium The system clock must be synchronized to an authoritative DoD time source.
V-38620 Medium The system clock must be synchronized continuously, or at least daily.
V-38623 Medium All rsyslog-generated log files must have mode 0600 or less permissive.
V-38580 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-38583 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
V-38629 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes.
V-38628 Medium The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-38588 Medium The system must not permit interactive boot.
V-38700 Medium The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
V-38695 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
V-38483 Medium The system package management tool must cryptographically verify the authenticity of system software packages during installation.
V-38539 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
V-38513 Medium The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-38532 Medium The system must not accept ICMPv4 secure redirect packets by default.
V-38512 Medium The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-38439 Medium The system must provide automated support for account management functions.
V-38638 Medium The graphical desktop environment must have automatic lock enabled.
V-38636 Medium The system must retain enough rotated audit logs to cover the required log retention period.
V-38637 Medium The system package management tool must verify contents of all files associated with the audit package.
V-38634 Medium The system must rotate audit log files that reach the maximum file size.
V-38696 Medium The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
V-38633 Medium The system must set a maximum audit log file size.
V-38586 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-38631 Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-38615 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-38622 Medium Mail relaying must be restricted.
V-38617 Medium The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
V-38611 Medium The SSH daemon must ignore .rhosts files.
V-38649 Low The system default umask for the csh shell must be 077.
V-38648 Low The qpidd service must not be running.
V-38642 Low The system default umask for daemons must be 027 or 022.
V-38641 Low The atd service must be disabled.
V-38640 Low The Automatic Bug Reporting Tool (abrtd) service must not be running.
V-38647 Low The system default umask in /etc/profile must be 077.
V-38646 Low The oddjobd service must not be running.
V-38645 Low The system default umask in /etc/login.defs must be 077.
V-38644 Low The ntpdate service must not be running.
V-38570 Low The system must require passwords to contain at least one special character.
V-51369 Low The system must use a Linux Security Module configured to limit the privileges of system services.
V-38452 Low The system package management tool must verify permissions on all files and directories associated with packages.
V-38453 Low The system package management tool must verify group-ownership on all files and directories associated with packages.
V-38608 Low The SSH daemon must set a timeout interval on idle sessions.
V-38447 Low The system package management tool must verify contents of all files associated with packages.
V-38659 Low The operating system must employ cryptographic mechanisms to protect information in storage.
V-38650 Low The rdisc service must not be running.
V-38651 Low The system default umask for the bash shell must be 077.
V-38656 Low The system must use SMB client signing for connecting to samba servers using smbclient.
V-38657 Low The system must use SMB client signing for connecting to samba servers using mount.cifs.
V-38437 Low Automated file system mounting tools must not be enabled unless needed.
V-51379 Low All device files must be monitored by the system Linux Security Module.
V-38527 Low The audit system must be configured to audit all attempts to alter system time through clock_settime.
V-38525 Low The audit system must be configured to audit all attempts to alter system time through stime.
V-38522 Low The audit system must be configured to audit all attempts to alter system time through settimeofday.
V-38487 Low The system package management tool must cryptographically verify the authenticity of all software packages during installation.
V-38480 Low Users must be warned 7 days in advance of password expiration.
V-38528 Low The system must log Martian packets.
V-38661 Low The operating system must protect the confidentiality and integrity of data at rest.
V-38662 Low The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
V-38669 Low The postfix service must be enabled for mail delivery.
V-38467 Low The system must use a separate file system for the system audit data path.
V-38463 Low The system must use a separate file system for /var/log.
V-38530 Low The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-38460 Low The NFS server must not have the all_squash option enabled.
V-38702 Low The FTP daemon must be configured for logging or verbose mode.
V-38552 Low The audit system must be configured to audit all discretionary access control permission modifications using fchown.
V-38550 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
V-38557 Low The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
V-38556 Low The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
V-38554 Low The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
V-38559 Low The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
V-38558 Low The audit system must be configured to audit all discretionary access control permission modifications using lchown.
V-38494 Low The system must prevent the root account from logging in from serial consoles.
V-38672 Low The netconsole service must be disabled unless required.
V-38676 Low The xorg-x11-server-common (X Windows) package must not be installed, unless required.
V-38675 Low Process core dumps must be disabled unless needed.
V-38474 Low The system must allow locking of graphical desktop sessions.
V-38471 Low The system must forward audit records to the syslog service.
V-38473 Low The system must use a separate file system for user home directories.
V-38536 Low The operating system must automatically audit account disabling actions.
V-38478 Low The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
V-38540 Low The audit system must be configured to audit modifications to the system's network configuration.
V-38541 Low The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
V-38543 Low The audit system must be configured to audit all discretionary access control permission modifications using chmod.
V-38547 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
V-38482 Low The system must require passwords to contain at least one numeric character.
V-38454 Low The system package management tool must verify ownership on all files and directories associated with packages.
V-38687 Low The system must provide VPN connectivity for communications over untrusted networks.
V-38685 Low Temporary accounts must be provisioned with an expiration date.
V-38684 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-38683 Low All accounts on the system must have unique user or account names.
V-38681 Low All GIDs referenced in /etc/passwd must be defined in /etc/group.
V-38578 Low The audit system must be configured to audit changes to the /etc/sudoers file.
V-38575 Low The audit system must be configured to audit user deletions of files and programs.
V-38571 Low The system must require passwords to contain at least one lower-case alphabetic character.
V-38572 Low The system must require at least eight characters be changed between the old and new passwords during a password change.
V-38699 Low All public directories must be owned by a system account.
V-38516 Low The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
V-38690 Low Emergency accounts must be provisioned with an expiration date.
V-38693 Low The system must require passwords to contain no more than three consecutive repeating characters.
V-38590 Low The system must allow locking of the console screen in text mode.
V-38456 Low The system must use a separate file system for /var.
V-38455 Low The system must use a separate file system for /tmp.
V-38618 Low The avahi service must be disabled.
V-38568 Low The audit system must be configured to audit successful file system mounts.
V-38569 Low The system must require passwords to contain at least one uppercase alphabetic character.
V-38561 Low The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
V-38566 Low The audit system must be configured to audit failed attempts to access files and programs.
V-38567 Low The audit system must be configured to audit all use of setuid and setgid programs.
V-38565 Low The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
V-38537 Low The system must ignore ICMPv4 bogus error responses.
V-38624 Low System logs must be rotated daily.
V-38627 Low The openldap-servers package must not be installed unless required.
V-38584 Low The xinetd service must be uninstalled if no network services utilizing it are enabled.
V-38694 Low The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
V-38545 Low The audit system must be configured to audit all discretionary access control permission modifications using chown.
V-38538 Low The operating system must automatically audit account termination.
V-38697 Low The sticky bit must be set on all public directories.
V-38531 Low The operating system must automatically audit account creation.
V-38533 Low The system must ignore ICMPv4 redirect messages by default.
V-38535 Low The system must not respond to ICMPv4 sent to a broadcast address.
V-38534 Low The operating system must automatically audit account modification.
V-38655 Low The noexec option must be added to removable media partitions.
V-38438 Low Auditing must be enabled at boot by setting a kernel parameter.
V-38692 Low Accounts must be locked upon 35 days of inactivity.
V-38639 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-38635 Low The audit system must be configured to audit all attempts to alter system time through adjtimex.
V-38616 Low The SSH daemon must not permit user environment settings.
V-38563 Low The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
V-38610 Low The SSH daemon must set a timeout count on idle sessions.