UCF STIG Viewer Logo

Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide


Overview

Date Finding Count (227)
2022-05-18 CAT I (High): 12 CAT II (Med): 206 CAT III (Low): 9
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-253122 High TOSS must not allow blank or null passwords in the password-auth file.
V-252938 High The systemd Ctrl-Alt-Delete burst key sequence in TOSS must be disabled.
V-252930 High TOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-252937 High The root account must be the only account having unrestricted access to the TOSS system.
V-253098 High A File Transfer Protocol (FTP) server package must not be installed unless mission essential on TOSS.
V-252940 High TOSS must not allow blank or null passwords in the system-auth file.
V-252945 High TOSS must not allow an unattended or automatic logon to the system.
V-252963 High The x86 Ctrl-Alt-Delete key sequence in TOSS must be disabled if a graphical user interface is installed.
V-252966 High TOSS must not allow accounts configured with blank or null passwords.
V-253109 High The x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS.
V-253059 High TOSS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-253110 High TOSS must be a vendor-supported release.
V-252960 Medium All TOSS local interactive user accounts must be assigned a home directory upon creation.
V-253049 Medium Successful/unsuccessful uses of "userhelper" in TOSS must generate an audit record.
V-253048 Medium Successful/unsuccessful uses of "unix_chkpwd" in TOSS must generate an audit record.
V-253045 Medium Successful/unsuccessful uses of the "umount" command in TOSS must generate an audit record.
V-253044 Medium Successful/unsuccessful uses of the "su" command in TOSS must generate an audit record.
V-253047 Medium Successful/unsuccessful uses of the "usermod" command in TOSS must generate an audit record.
V-253046 Medium Successful/unsuccessful uses of the "unix_update" in TOSS must generate an audit record.
V-253041 Medium Successful/unsuccessful uses of the "gpasswd" command in TOSS must generate an audit record.
V-253040 Medium Successful/unsuccessful uses of "semanage" in TOSS must generate an audit record.
V-253043 Medium Successful/unsuccessful uses of the "mount" syscall in TOSS must generate an audit record.
V-253042 Medium Successful/unsuccessful uses of the "mount" command in TOSS must generate an audit record.
V-253128 Medium TOSS must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-253129 Medium TOSS must not send Internet Control Message Protocol (ICMP) redirects.
V-253126 Medium TOSS must not forward IPv6 source-routed packets by default.
V-253127 Medium TOSS must not forward IPv6 source-routed packets.
V-253124 Medium TOSS must not forward IPv4 source-routed packets by default.
V-253125 Medium TOSS must not forward IPv4 source-routed packets.
V-253123 Medium TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
V-253120 Medium TOSS must not accept router advertisements on all IPv6 interfaces by default.
V-253121 Medium TOSS must not accept router advertisements on all IPv6 interfaces.
V-252972 Medium TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
V-252973 Medium TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.
V-252998 Medium Successful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record.
V-252999 Medium Successful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record.
V-252994 Medium Successful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record.
V-252995 Medium Successful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record.
V-252996 Medium Successful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record.
V-252997 Medium Successful/unsuccessful uses of the "rename" command in TOSS must generate an audit record.
V-252990 Medium Successful/unsuccessful uses of postqueue in TOSS must generate an audit record.
V-252991 Medium Successful/unsuccessful uses of setsebool in TOSS must generate an audit record.
V-252992 Medium Successful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record.
V-252993 Medium Successful/unsuccessful uses of the "setfacl" command in RTOSS must generate an audit record.
V-252939 Medium There must be no ".shosts" files on The TOSS operating system.
V-252932 Medium TOSS must have the packages required for multifactor authentication installed.
V-252933 Medium TOSS must prohibit the use of cached authentications after one day.
V-252931 Medium TOSS must require re-authentication when using the "sudo" command.
V-252936 Medium The debug-shell systemd service must be disabled on TOSS.
V-252934 Medium All TOSS networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
V-252935 Medium For TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
V-253038 Medium Successful/unsuccessful uses of the "removexattr" system call in TOSS must generate an audit record.
V-253039 Medium Successful/unsuccessful modifications to the "lastlog" file in TOSS must generate an audit record.
V-253133 Medium TOSS must restrict privilege elevation to authorized personnel.
V-253132 Medium TOSS must restrict exposed kernel pointer addresses access.
V-253135 Medium TOSS network interfaces must not be in promiscuous mode.
V-253134 Medium TOSS must use reverse path filtering on all IPv4 interfaces.
V-253137 Medium TOSS must enable kernel parameters to enforce discretionary access control on hardlinks.
V-253136 Medium TOSS must enable kernel parameters to enforce discretionary access control on symlinks.
V-253030 Medium The TOSS audit system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.
V-253031 Medium TOSS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-253032 Medium The TOSS audit records must be off-loaded onto a different system or storage media from the system being audited.
V-253033 Medium TOSS must label all off-loaded audit logs before sending them to the central log server.
V-253034 Medium The TOSS audit system must be configured to audit any usage of the "fsetxattr" system call.
V-253035 Medium The TOSS audit system must be configured to audit any usage of the "lsetxattr" system call.
V-253036 Medium Successful/unsuccessful uses of the fremovexattr system call in TOSS must generate an audit record.
V-253037 Medium Successful/unsuccessful uses of the "lremovexattr" system call in TOSS must generate an audit record.
V-253000 Medium Successful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record.
V-252949 Medium TOSS must automatically lock graphical user sessions after 15 minutes of inactivity.
V-252948 Medium TOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
V-252989 Medium Successful/unsuccessful uses of postdrop in TOSS must generate an audit record.
V-252988 Medium Successful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record.
V-252987 Medium Successful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record.
V-252986 Medium Successful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record.
V-252985 Medium Successful/unsuccessful uses of the "chage" command in TOSS must generate an audit record.
V-252984 Medium The TOSS audit system must protect logon UIDs from unauthorized change.
V-252983 Medium The TOSS audit system must protect auditing rules from unauthorized change.
V-252982 Medium TOSS audit log directory must be owned by group root to prevent unauthorized read access.
V-252981 Medium TOSS audit log directory must be owned by user root to prevent unauthorized read access.
V-252980 Medium TOSS audit logs must be owned by group root to prevent unauthorized read access.
V-252929 Medium The TOSS file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
V-252928 Medium TOSS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-252925 Medium The TOSS operating system must implement DoD-approved TLS encryption in the GnuTLS package.
V-252924 Medium The TOSS operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
V-252927 Medium The TOSS operating system must be configured to preserve log records from failure events.
V-252926 Medium The TOSS SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
V-252921 Medium TOSS must prevent unauthorized and unintended information transfer via shared system resources.
V-252920 Medium TOSS must use a Linux Security Module configured to enforce limits on system services.
V-252922 Medium The TOSS operating system must be configured to use TCP syncookies.
V-252943 Medium The TOSS SSH daemon must not allow compression or must only allow compression after successful authentication.
V-253029 Medium TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".
V-253028 Medium TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
V-252942 Medium The TOSS SSH daemon must not allow authentication using known host's authentication.
V-253023 Medium TOSS must use cryptographic mechanisms to protect the integrity of audit tools.
V-253022 Medium TOSS audit tools must be owned by "root".
V-253021 Medium Successful/unsuccessful uses of the truncate system call in TOSS must generate an audit record.
V-253020 Medium Successful/unsuccessful uses of the openat system call in TOSS must generate an audit record.
V-253027 Medium TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".
V-253026 Medium TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
V-253025 Medium TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
V-253024 Medium TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
V-252946 Medium TOSS must enforce the limit of five consecutive invalid logon attempts by a user during a 15-minute time period.
V-253096 Medium TOSS must prevent the use of dictionary words for passwords.
V-253097 Medium TOSS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-253095 Medium TOSS must enable the "SELinux" targeted policy.
V-253092 Medium A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring TOSS can implement rate-limiting measures on impacted network interfaces.
V-253093 Medium TOSS must implement non-executable data to protect its memory from unauthorized code execution.
V-253090 Medium TOSS must accept Personal Identity Verification (PIV) credentials.
V-253091 Medium TOSS must implement DoD-approved encryption in the OpenSSL package.
V-253099 Medium All TOSS local files and directories must have a valid group owner.
V-252958 Medium TOSS must require users to reauthenticate for privilege escalation.
V-252959 Medium TOSS must require users to provide a password for privilege escalation.
V-252969 Medium All TOSS local interactive user home directories must have mode 0770 or less permissive.
V-253018 Medium Successful/unsuccessful uses of the open system call in TOSS must generate an audit record.
V-253019 Medium Successful/unsuccessful uses of the open_by_handle_at system call system call in TOSS must generate an audit record.
V-253016 Medium Successful/unsuccessful uses of the ftruncate system call system call in TOSS must generate an audit record.
V-252951 Medium TOSS duplicate User IDs (UIDs) must not exist for interactive users.
V-253014 Medium Successful/unsuccessful uses of the fchown system call in TOSS must generate an audit record.
V-252953 Medium TOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-252954 Medium TOSS must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-252955 Medium TOSS must reveal error messages only to authorized users.
V-252956 Medium TOSS must protect wireless access to the system using authentication of users and/or devices.
V-252957 Medium TOSS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-252916 Medium The TOSS file system automounter must be disabled unless required.
V-252917 Medium The TOSS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
V-252965 Medium TOSS must display the date and time of the last successful account logon upon an SSH logon.
V-252964 Medium TOSS must disable the user list at logon for graphical user interfaces.
V-252978 Medium TOSS audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
V-253001 Medium Successful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record.
V-252950 Medium TOSS must map the authenticated identity to the user or group account for PKI-based authentication.
V-253003 Medium Successful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record.
V-253002 Medium Successful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record.
V-253005 Medium Successful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record.
V-253004 Medium Successful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record.
V-253007 Medium Successful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record.
V-253006 Medium Successful/unsuccessful uses of setfiles in TOSS must generate an audit record.
V-253009 Medium Successful/unsuccessful uses of the chmod system call in TOSS must generate an audit record.
V-253008 Medium TOSS must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-252941 Medium TOSS must not be performing packet forwarding unless the system is a router.
V-252952 Medium TOSS must use multifactor authentication for network and local access to privileged and non-privileged accounts.
V-252944 Medium The TOSS SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
V-252979 Medium TOSS audit logs must be owned by user root to prevent unauthorized read access.
V-253015 Medium Successful/unsuccessful uses of the fchownat system call in TOSS must generate an audit record.
V-253012 Medium Successful/unsuccessful uses of the fchmod system call in TOSS must generate an audit record.
V-253013 Medium Successful/unsuccessful uses of the fchmodat system call in TOSS must generate an audit record.
V-253010 Medium Successful/unsuccessful uses of the chown system call in TOSS must generate an audit record.
V-253011 Medium Successful/unsuccessful uses of the creat system call in TOSS must generate an audit record.
V-253074 Medium TOSS must disable the asynchronous transfer mode (ATM) protocol.
V-253075 Medium TOSS must disable the controller area network (CAN) protocol.
V-253076 Medium TOSS must disable the stream control transmission (SCTP) protocol.
V-253077 Medium TOSS must disable the transparent inter-process communication (TIPC) protocol.
V-253070 Medium TOSS must cover or disable the built-in or attached camera when not in use.
V-253071 Medium TOSS must disable IEEE 1394 (FireWire) Support.
V-253072 Medium TOSS must disable mounting of cramfs.
V-253073 Medium TOSS must disable network management of the chrony daemon.
V-252976 Medium TOSS must take appropriate action when an audit processing failure occurs.
V-252977 Medium TOSS audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-252974 Medium TOSS must generate audit records containing the full-text recording of privileged commands.
V-252975 Medium TOSS must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-253078 Medium TOSS must not have any automated bug reporting tools installed.
V-253079 Medium TOSS must not have the sendmail package installed.
V-252970 Medium All TOSS local interactive user home directories must be owned by root.
V-252971 Medium All TOSS local interactive user home directories must be owned by the user's primary group.
V-253067 Medium TOSS must enforce a 60-day maximum password lifetime restriction.
V-253066 Medium TOSS must enforce 24 hours/1 day as the minimum password lifetime.
V-253089 Medium TOSS must take appropriate action when the internal event queue is full.
V-253088 Medium A firewall must be installed on TOSS.
V-252918 Medium The TOSS pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
V-252962 Medium All TOSS local interactive users must have a home directory assigned in the /etc/passwd file.
V-253081 Medium TOSS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-253080 Medium TOSS must not have the telnet-server package installed.
V-253083 Medium TOSS must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-253082 Medium TOSS must be configured to disable USB mass storage.
V-253085 Medium All TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-253087 Medium TOSS must enforce password complexity by requiring that at least one special character be used.
V-253086 Medium TOSS must limit privileges to change software resident within software libraries.
V-252967 Medium TOSS must not have unnecessary accounts.
V-253108 Medium The TOSS SSH public host key files must have mode 0644 or less permissive.
V-253065 Medium TOSS must not have the rsh-server package installed.
V-253064 Medium TOSS must store only encrypted representations of passwords.
V-253063 Medium TOSS must require the change of at least eight characters when passwords are changed.
V-253062 Medium TOSS must enforce password complexity by requiring that at least one numeric character be used.
V-253061 Medium TOSS must enforce password complexity by requiring that at least one lower-case character be used.
V-253060 Medium TOSS must enforce password complexity by requiring that at least one upper-case character be used.
V-253100 Medium All TOSS local files and directories must have a valid owner.
V-252968 Medium TOSS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-253102 Medium If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.
V-253103 Medium The graphical display manager must not be installed on TOSS unless approved.
V-253069 Medium TOSS must enforce a minimum 15-character password length.
V-253068 Medium TOSS must prohibit password reuse for a minimum of five generations.
V-253101 Medium Cron logging must be implemented in TOSS.
V-253106 Medium The TOSS SSH daemon must perform strict mode checking of home directory configuration files.
V-253107 Medium The TOSS SSH private host key files must have mode 0600 or less permissive.
V-253058 Medium TOSS must force a frequent session key renegotiation for SSH connections to the server.
V-253052 Medium The TOSS audit system must audit local events.
V-253050 Medium Successful/unsuccessful uses of the "kmod" command in TOSS must generate an audit record.
V-253051 Medium The auditd service must be running in TOSS.
V-253056 Medium TOSS must monitor remote access methods.
V-253057 Medium TOSS must force a frequent session key renegotiation for SSH connections by the client.
V-253054 Medium TOSS must have the packages required for offloading audit logs installed.
V-253055 Medium TOSS must have the packages required for encrypting offloaded audit logs installed.
V-252914 Medium TOSS must require authentication upon booting into emergency or rescue modes.
V-252915 Medium TOSS must not permit direct logons to the root account using remote access from outside of the system via SSH.
V-253119 Medium TOSS must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
V-253118 Medium TOSS must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
V-252911 Medium TOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system.
V-252912 Medium TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-252913 Medium TOSS, for PKI-based authentication, must enforce authorized access to the corresponding private key.
V-253113 Medium TOSS must disable access to network bpf syscall from unprivileged processes.
V-253112 Medium TOSS must define default permissions for logon and non-logon shells.
V-253111 Medium TOSS must be configured to prevent unrestricted mail relaying.
V-253115 Medium TOSS must enable the hardware random number generator entropy gatherer service.
V-253114 Medium TOSS must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
V-253131 Medium TOSS must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-252961 Medium All TOSS local interactive user home directories must be group-owned by the home directory owner's primary group.
V-253130 Medium TOSS must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-252919 Medium The TOSS operating system must implement DoD-approved encryption in the OpenSSL package.
V-253017 Medium Successful/unsuccessful uses of the lchown system call in TOSS must generate an audit record.
V-252923 Low TOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system via a ssh logon.
V-253094 Low YUM must remove all software components after updated versions have been installed on TOSS.
V-252947 Low TOSS must limit the number of concurrent sessions to 256 for all accounts and/or account types.
V-253084 Low TOSS must have policycoreutils package installed.
V-253104 Low The TOSS file integrity tool must be configured to verify Access Control Lists (ACLs).
V-253105 Low The TOSS file integrity tool must be configured to verify extended attributes.
V-253053 Low TOSS must resolve audit information before writing to disk.
V-253117 Low TOSS must have the packages required to use the hardware random number generator entropy gatherer service.
V-253116 Low TOSS must ensure the SSH server uses strong entropy.