Red Hat Enterprise Linux 7 Security Technical Implementation Guide


Overview

Date: 2017-12-14
Finding Count (240): CAT I (High): 29, CAT II (Med): 200, CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-72251 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-72005 High The root account must be the only account having unrestricted access to the system.
V-72313 High SNMP community strings must be changed from the default.
V-71955 High The operating system must not allow an unrestricted logon to the system.
V-71953 High The operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
V-71969 High The ypserv package must not be installed.
V-72067 High The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-71961 High Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
V-72301 High The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
V-71963 High Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
V-72303 High Remote X connections for interactive users must be encrypted.
V-71967 High The rsh-server package must not be installed.
V-71989 High The operating system must enable SELinux.
V-71981 High The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
V-71849 High The file permissions, ownership, and group membership of system files and commands must match the vendor values.
V-71977 High The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
V-71979 High The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
V-71993 High The x86 Ctrl-Alt-Delete key sequence must be disabled.
V-71991 High The operating system must enable the SELinux targeted policy.
V-71997 High The operating system must be a vendor supported release.
V-72299 High A File Transfer Protocol (FTP) server package must not be installed unless needed.
V-72213 High The system must use a virus scan program.
V-71939 High The SSH daemon must not allow authentication using an empty password.
V-71855 High The cryptographic hash of system files and commands must match vendor values.
V-72279 High There must be no shosts.equiv files on the system.
V-72277 High There must be no .shosts files on the system.
V-71937 High The system must not have accounts configured with blank or null passwords.
V-72077 High The telnet-server package must not be installed.
V-72079 High Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
V-72099 Medium All uses of the fchown command must be audited.
V-72417 Medium The operating system must have the required packages for multifactor authentication installed.
V-72091 Medium The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
V-72093 Medium The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
V-72095 Medium All privileged function executions must be audited.
V-72097 Medium All uses of the chown command must be audited.
V-72149 Medium All uses of the passwd command must be audited.
V-72253 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-72001 Medium The system must not have unnecessary accounts.
V-72007 Medium All files and directories must have a valid owner.
V-72257 Medium The SSH private host key files must have mode 0600 or less permissive.
V-72255 Medium The SSH public host key files must have mode 0644 or less permissive.
V-72009 Medium All files and directories must have a valid group owner.
V-72259 Medium The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
V-72227 Medium The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.
V-71897 Medium The operating system must have the screen package installed.
V-71891 Medium The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
V-71959 Medium The operating system must not allow a non-certificate trusted host SSH logon to the system.
V-71893 Medium The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
V-72311 Medium The Network File System (NFS) must be configured to use RPCSEC_GSS.
V-71957 Medium The operating system must not allow users to override SSH environment variables.
V-72317 Medium The system must not have unauthorized IP tunnels configured.
V-72161 Medium All uses of the sudo command must be audited.
V-72315 Medium The system access control program must be configured to grant or deny system access to specific hosts and services.
V-72183 Medium All uses of the crontab command must be audited.
V-72427 Medium The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
V-71931 Medium Existing passwords must be restricted to a 60-day maximum lifetime.
V-72119 Medium All uses of the fremovexattr command must be audited.
V-73157 Medium The operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.
V-72011 Medium All local interactive users must have a home directory assigned in the /etc/passwd file.
V-72013 Medium All local interactive user accounts, upon creation, must be assigned a home directory.
V-72015 Medium All local interactive user home directories defined in the /etc/passwd file must exist.
V-72017 Medium All local interactive user home directories must have mode 0750 or less permissive.
V-72019 Medium All local interactive user home directories must be owned by their respective users.
V-73159 Medium When passwords are changed or new passwords are established, pwquality must be used.
V-72309 Medium The system must not be performing packet forwarding unless the system is a router.
V-72225 Medium The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts.
V-77821 Medium The Datagram Congestion Control Protocol (DCCP) kernel module must be disabled unless required.
V-72223 Medium All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
V-72221 Medium A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.
V-71965 Medium The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
V-72117 Medium All uses of the removexattr command must be audited.
V-72307 Medium An X Windows display manager must not be installed unless approved.
V-72109 Medium All uses of the fchmodat command must be audited.
V-71983 Medium USB mass storage must be disabled.
V-71921 Medium The shadow file must be configured to store only encrypted representations of passwords.
V-72433 Medium The operating system must implement certificate status checking for PKI authentication.
V-71985 Medium File system automounter must be disabled unless required.
V-71923 Medium User and group account administration utilities must be configured to store only encrypted representations of passwords.
V-72057 Medium Kernel core dumps must be disabled unless needed.
V-71927 Medium Passwords must be restricted to a 24 hours/1 day minimum lifetime.
V-71975 Medium Designated personnel must be notified if baseline configurations are changed in an unauthorized manner.
V-72029 Medium All local initialization files for interactive users must be owned by the home directory user or root.
V-71973 Medium A file integrity tool must verify the baseline operating system configuration at least weekly.
V-71971 Medium The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-72025 Medium All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member.
V-72027 Medium All files and directories contained in local interactive user home directories must have mode 0750 or less permissive.
V-72021 Medium All local interactive user home directories must be group-owned by the home directory owner's primary group.
V-72197 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
V-72023 Medium All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.
V-72235 Medium All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
V-72237 Medium All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-72231 Medium The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.
V-72233 Medium All networked systems must have SSH installed.
V-72239 Medium The SSH daemon must not allow authentication using RSA rhosts authentication.
V-71999 Medium Vendor packaged system security patches and updates must be installed and up to date.
V-71935 Medium Passwords must be a minimum of 15 characters in length.
V-71911 Medium When passwords are changed a minimum of eight of the total number of characters must be changed.
V-73155 Medium The operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.
V-71995 Medium The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-72151 Medium All uses of the unix_chkpwd command must be audited.
V-71913 Medium When passwords are changed a minimum of four character classes must be changed.
V-72159 Medium All uses of the su command must be audited.
V-72153 Medium All uses of the gpasswd command must be audited.
V-71925 Medium Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime.
V-71915 Medium When passwords are changed the number of repeating consecutive characters must not be more than three characters.
V-71903 Medium When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.
V-71901 Medium The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
V-72039 Medium All system device files must be correctly labeled to prevent unauthorized modification.
V-71907 Medium When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.
V-71905 Medium When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.
V-72155 Medium All uses of the chage command must be audited.
V-72283 Medium The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
V-72031 Medium Local initialization files for local interactive users must be group-owned by the user's primary group or root.
V-72285 Medium The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
V-72037 Medium Local initialization files must not execute world-writable programs.
V-72287 Medium The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-72305 Medium If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
V-72201 Medium All uses of the renameat command must be audited.
V-72203 Medium All uses of the rmdir command must be audited.
V-72205 Medium All uses of the unlink command must be audited.
V-72157 Medium All uses of the userhelper command must be audited.
V-72207 Medium All uses of the unlinkat command must be audited.
V-71919 Medium The PAM system service must be configured to store only encrypted representations of passwords.
V-72209 Medium The system must send rsyslog output to a log aggregation server.
V-71861 Medium The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
V-71863 Medium The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
V-78997 Medium The operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
V-72297 Medium The system must be configured to prevent unrestricted mail relaying.
V-72295 Medium Network interfaces must not be in promiscuous mode.
V-72293 Medium The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
V-72291 Medium The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
V-72121 Medium All uses of the lremovexattr command must be audited.
V-72123 Medium All uses of the creat command must be audited.
V-72125 Medium All uses of the open command must be audited.
V-72127 Medium All uses of the openat command must be audited.
V-72129 Medium All uses of the open_by_handle_at command must be audited.
V-72319 Medium The system must not forward IPv6 source-routed packets.
V-71859 Medium The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
V-72049 Medium The umask must be set to 077 for all local interactive user accounts.
V-72219 Medium The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
V-72047 Medium All world-writable directories must be group-owned by root, sys, bin, or an application group.
V-72045 Medium File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
V-72215 Medium The system must update the virus scan program every seven days or more frequently.
V-72043 Medium File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
V-72041 Medium File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
V-72211 Medium The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation.
V-72133 Medium All uses of the ftruncate command must be audited.
V-72139 Medium All uses of the chcon command must be audited.
V-72131 Medium All uses of the truncate command must be audited.
V-72165 Medium All uses of the newgrp command must be audited.
V-72137 Medium All uses of the setsebool command must be audited.
V-79001 Medium All uses of the finit_module command must be audited.
V-72229 Medium The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.
V-72167 Medium All uses of the chsh command must be audited.
V-71929 Medium Passwords for new users must be restricted to a 60-day maximum lifetime.
V-72135 Medium All uses of the semanage command must be audited.
V-78999 Medium All uses of the create_module command must be audited.
V-72115 Medium All uses of the lsetxattr command must be audited.
V-71899 Medium The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
V-78995 Medium The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
V-72111 Medium All uses of the setxattr command must be audited.
V-72189 Medium All uses of the delete_module command must be audited.
V-72113 Medium All uses of the fsetxattr command must be audited.
V-71951 Medium The delay between logon prompts following a failed console logon attempt must be at least four seconds.
V-72195 Medium All uses of the modprobe command must be audited.
V-72269 Medium The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-77825 Medium The operating system must implement virtual address space randomization.
V-72191 Medium All uses of the insmod command must be audited.
V-77823 Medium The operating system must require authentication upon booting into single-user and maintenance modes.
V-72193 Medium All uses of the rmmod command must be audited.
V-72033 Medium All local initialization files must have mode 0740 or less permissive.
V-72263 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-72055 Medium If the cron.allow file exists it must be group-owned by root.
V-72261 Medium The SSH daemon must not permit Kerberos authentication unless needed.
V-72163 Medium All uses of the sudoers command must be audited.
V-72199 Medium All uses of the rename command must be audited.
V-71909 Medium When passwords are changed or new passwords are assigned, the new password must contain at least one special character.
V-72265 Medium The SSH daemon must use privilege separation.
V-72053 Medium If the cron.allow file exists it must be owned by root.
V-72289 Medium The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-72051 Medium Cron logging must be implemented.
V-72035 Medium All local interactive user initialization files' executable search paths must contain only paths that resolve to the user's home directory.
V-77819 Medium The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
V-71933 Medium Passwords must be prohibited from reuse for a minimum of five generations.
V-72101 Medium All uses of the lchown command must be audited.
V-72107 Medium All uses of the fchmod command must be audited.
V-72105 Medium All uses of the chmod command must be audited.
V-72187 Medium All uses of the init_module command must be audited.
V-72185 Medium All uses of the pam_timestamp_check command must be audited.
V-73163 Medium The audit system must take appropriate action when there is an error sending audit records to a remote system.
V-72271 Medium The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.
V-73161 Medium File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
V-72273 Medium The operating system must enable an application firewall, if available.
V-73167 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
V-73165 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
V-72089 Medium The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-71945 Medium If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked.
V-71949 Medium Users must re-authenticate for privilege escalation.
V-72147 Medium The operating system must generate audit records for all successful account access events.
V-72083 Medium The operating system must off-load audit records onto a different system or media from the system being audited.
V-72081 Medium The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
V-72087 Medium The audit system must take appropriate action when the audit storage volume is full.
V-71917 Medium When passwords are changed the number of repeating characters of the same character class must not be more than four characters.
V-72085 Medium The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
V-71947 Medium Users must provide a password for privilege escalation.
V-72145 Medium The operating system must generate audit records for all unsuccessful account access events.
V-72267 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-72169 Medium All uses of the sudoedit command must be audited.
V-72143 Medium The operating system must generate audit records for all successful/unsuccessful account access count events.
V-72245 Medium The system must display the date and time of the last successful account logon upon an SSH logon.
V-72247 Medium The system must not permit direct logons to the root account using remote access via SSH.
V-72075 Medium The system must not allow removable media to be used as the boot loader unless approved.
V-72241 Medium All network connections associated with SSH traffic must terminate after a period of inactivity.
V-72073 Medium The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
V-72243 Medium The SSH daemon must not allow authentication using rhosts authentication.
V-71943 Medium Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.
V-72141 Medium All uses of the setfiles command must be audited.
V-72249 Medium The SSH daemon must not allow authentication using known hosts authentication.
V-71941 Medium The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
V-72179 Medium All uses of the ssh-keysign command must be audited.
V-72103 Medium All uses of the fchownat command must be audited.
V-72177 Medium All uses of the postqueue command must be audited.
V-73171 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
V-72175 Medium All uses of the postdrop command must be audited.
V-73173 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
V-72173 Medium All uses of the umount command must be audited.
V-73175 Medium The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
V-72171 Medium All uses of the mount command must be audited.
V-73177 Medium Wireless network adapters must be disabled.
V-72003 Low All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
V-72061 Low The system must use a separate file system for /var.
V-72063 Low The system must use a separate file system for the system audit data path.
V-71987 Low The operating system must remove all software components after updated versions have been installed.
V-72059 Low A separate file system must be used for user home directories (such as /home or an equivalent).
V-72281 Low For systems using DNS resolution, at least two name servers must be configured.
V-72065 Low The system must use a separate file system for /tmp (or equivalent).
V-72217 Low The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-72069 Low The file integrity tool must be configured to verify Access Control Lists (ACLs).
V-72275 Low The system must display the date and time of the last successful account logon upon logon.
V-72071 Low The file integrity tool must be configured to verify extended attributes.