Oracle Linux 6 Security Technical Implementation Guide

U_Oracle_Linux_6_STIG_V1R12_Manual-xccdf.xml

The Oracle Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Details

Version / Release: V1R12

Published: 2018-03-01

Updated At: 2018-09-23 19:17:53

Download

Filter

Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.
    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-64721r1_rule OL6-00-000526 CCI-000366 LOW Automated file system mounting tools must not be enabled unless needed. All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.
    SV-64723r3_rule OL6-00-000525 CCI-000169 LOW Auditing must be enabled at boot by setting a kernel parameter. Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
    SV-64725r1_rule OL6-00-000524 CCI-000015 MEDIUM The system must provide automated support for account management functions. A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.
    SV-64727r2_rule OL6-00-000523 CCI-000066 MEDIUM The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets. In "ip6tables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
    SV-64729r1_rule OL6-00-000522 CCI-000162 MEDIUM Audit log files must be group-owned by root. If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
    SV-64731r2_rule OL6-00-000521 CCI-000366 MEDIUM The mail system must forward all mail for root to one or more system administrators. A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.
    SV-64735r1_rule OL6-00-000003 CCI-000366 LOW The system must use a separate file system for /var/log. Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
    SV-64739r1_rule OL6-00-000001 CCI-000366 LOW The system must use a separate file system for /tmp. The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
    SV-64741r2_rule OL6-00-000519 CCI-000366 LOW The system package management tool must verify contents of all files associated with packages. The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
    SV-64743r1_rule OL6-00-000002 CCI-000366 LOW The system must use a separate file system for /var. Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.
    SV-64745r2_rule OL6-00-000518 CCI-000366 LOW The system package management tool must verify permissions on all files and directories associated with packages. Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
    SV-64751r2_rule OL6-00-000202 CCI-000172 MEDIUM The audit system must be configured to audit the loading and unloading of dynamic kernel modules. The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
    SV-64753r1_rule OL6-00-000203 CCI-000382 MEDIUM The xinetd service must be disabled if no network services utilizing it are enabled. The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
    SV-64755r1_rule OL6-00-000204 CCI-000382 LOW The xinetd service must be uninstalled if no network services utilizing it are enabled. Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.
    SV-64757r1_rule OL6-00-000206 CCI-000381 HIGH The telnet-server package must not be installed. Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
    SV-64759r1_rule OL6-00-000211 CCI-000888 HIGH The telnet daemon must not be running. The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.
    SV-64761r1_rule OL6-00-000213 CCI-000381 HIGH The rsh-server package must not be installed. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
    SV-64763r1_rule OL6-00-000214 CCI-000068 HIGH The rshd service must not be running. The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
    SV-64765r1_rule OL6-00-000216 CCI-000068 HIGH The rexecd service must not be running. The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
    SV-64767r1_rule OL6-00-000218 CCI-001436 HIGH The rlogind service must not be running. The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
    SV-64769r1_rule OL6-00-000220 CCI-000381 MEDIUM The ypserv package must not be installed. Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
    SV-64771r1_rule OL6-00-000221 CCI-000382 MEDIUM The ypbind service must not be running. Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.
    SV-64773r2_rule OL6-00-000222 CCI-000381 MEDIUM The tftp-server package must not be installed unless required. Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
    SV-64775r1_rule OL6-00-000223 CCI-001436 MEDIUM The TFTP service must not be running. Disabling the "tftp" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.
    SV-64777r1_rule OL6-00-000224 CCI-000366 MEDIUM The cron service must be running. Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
    SV-64779r1_rule OL6-00-000227 CCI-000774 HIGH The SSH daemon must be configured to use only the SSHv2 protocol. SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
    SV-64781r1_rule OL6-00-000230 CCI-001133 LOW The SSH daemon must set a timeout interval on idle sessions. Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.
    SV-64783r1_rule OL6-00-000231 CCI-000879 LOW The SSH daemon must set a timeout count on idle sessions. This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
    SV-64785r1_rule OL6-00-000234 CCI-000766 MEDIUM The SSH daemon must ignore .rhosts files. SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
    SV-64787r1_rule OL6-00-000236 CCI-000766 MEDIUM The SSH daemon must not allow host-based authentication. SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
    SV-64797r2_rule OL6-00-000517 CCI-000366 LOW The system package management tool must verify group-ownership on all files and directories associated with packages. Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
    SV-64799r2_rule OL6-00-000516 CCI-000366 LOW The system package management tool must verify ownership on all files and directories associated with packages. Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
    SV-64801r1_rule OL6-00-000515 CCI-000764 LOW The NFS server must not have the all_squash option enabled. The "all_squash" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.
    SV-64805r1_rule OL6-00-000511 CCI-000140 MEDIUM The audit system must take appropriate action when there are disk errors on the audit storage volume. Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.
    SV-64807r1_rule OL6-00-000510 CCI-000140 MEDIUM The audit system must take appropriate action when the audit storage volume is full. Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
    SV-64809r1_rule OL6-00-000509 CCI-000136 LOW The system must forward audit records to the syslog service. The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.
    SV-64813r2_rule OL6-00-000508 CCI-000058 LOW The system must allow locking of graphical desktop sessions. The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.
    SV-64815r2_rule OL6-00-000507 CCI-000052 MEDIUM The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh. Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. At ssh login, a user must be presented with the last successful login date and time.
    SV-64819r1_rule OL6-00-000505 CCI-000537 MEDIUM The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.
    SV-64821r1_rule OL6-00-000504 CCI-000535 MEDIUM The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.
    SV-64823r2_rule OL6-00-000503 CCI-000086 MEDIUM The operating system must enforce requirements for the connection of mobile devices to operating systems. USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.
    SV-64827r2_rule OL6-00-000086 CCI-000366 MEDIUM The system must not accept ICMPv4 secure redirect packets on any interface. Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
    SV-64831r2_rule OL6-00-000088 CCI-000366 LOW The system must log Martian packets. The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
    SV-64833r1_rule OL6-00-000385 CCI-000164 MEDIUM Audit log directories must have mode 0755 or less permissive. If users can delete audit logs, audit trails can be modified or destroyed.
    SV-64835r1_rule OL6-00-000384 CCI-000162 MEDIUM Audit log files must be owned by root. If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
    SV-64837r1_rule OL6-00-000383 CCI-000163 MEDIUM Audit log files must have mode 0640 or less permissive. If users can write to audit logs, audit trails can be modified or destroyed.
    SV-64841r3_rule OL6-00-000357 CCI-001452 MEDIUM The system must disable accounts after excessive login failures within a 15-minute interval. Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
    SV-64843r3_rule OL6-00-000356 CCI-000047 MEDIUM The system must require administrator action to unlock an account locked by excessive failed login attempts. Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
    SV-64845r3_rule OL6-00-000349 CCI-000765 MEDIUM The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials.
    SV-64847r2_rule OL6-00-000348 CCI-000048 MEDIUM The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. This setting will cause the system greeting banner to be used for FTP connections as well.
    SV-64849r2_rule OL6-00-000347 CCI-000196 MEDIUM There must be no .netrc files on the system. Unencrypted passwords for remote FTP servers may be stored in ".netrc" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.
    SV-64853r2_rule OL6-00-000089 CCI-000366 MEDIUM The system must not accept IPv4 source-routed packets by default. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
    SV-64857r2_rule OL6-00-000090 CCI-000366 MEDIUM The system must not accept ICMPv4 secure redirect packets by default. Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
    SV-64861r2_rule OL6-00-000091 CCI-000366 LOW The system must ignore ICMPv4 redirect messages by default. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
    SV-64863r2_rule OL6-00-000092 CCI-000366 LOW The system must not respond to ICMPv4 sent to a broadcast address. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
    SV-64867r1_rule OL6-00-000004 CCI-000137 LOW The system must use a separate file system for the system audit data path. Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
    SV-64869r2_rule OL6-00-000093 CCI-000366 LOW The system must ignore ICMPv4 bogus error responses. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
    SV-64871r1_rule OL6-00-000346 CCI-000366 LOW The system default umask for daemons must be 027 or 022. The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
    SV-64873r1_rule OL6-00-000345 CCI-000366 LOW The system default umask in /etc/login.defs must be 077. The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
    SV-64875r1_rule OL6-00-000344 CCI-000366 LOW The system default umask in /etc/profile must be 077. The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
    SV-64877r3_rule OL6-00-000005 CCI-000138 MEDIUM The audit system must alert designated staff members when the audit storage volume approaches capacity. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
    SV-64879r1_rule OL6-00-000343 CCI-000366 LOW The system default umask for the csh shell must be 077. The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
    SV-64883r1_rule OL6-00-000007 CCI-000366 LOW The system must use a separate file system for user home directories. Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
    SV-64889r2_rule OL6-00-000095 CCI-001095 MEDIUM The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
    SV-64891r2_rule OL6-00-000096 CCI-000366 MEDIUM The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
    SV-64895r3_rule OL6-00-000008 CCI-000352 HIGH Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. This key is necessary to cryptographically verify packages that packages are from the operating system vendor.
    SV-64899r1_rule OL6-00-000009 CCI-000382 LOW The Red Hat Network Service (rhnsd) service must not be running, unless it is being used to query the Oracle Unbreakable Linux Network for updates and information. Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system needs to communicate with the Oracle Unbreakable Linux Network for updates or information, then the "rhnsd" daemon can remain on.
    SV-64901r1_rule OL6-00-000011 CCI-001233 MEDIUM System security patches and updates must be installed and up-to-date. Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
    SV-64905r2_rule OL6-00-000097 CCI-000366 MEDIUM The system must use a reverse-path filter for IPv4 network traffic when possible by default. Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
    SV-64907r1_rule OL6-00-000013 CCI-000663 MEDIUM The system package management tool must cryptographically verify the authenticity of system software packages during installation. Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
    SV-64913r1_rule OL6-00-000342 CCI-000366 LOW The system default umask for the bash shell must be 077. The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
    SV-64915r1_rule OL6-00-000015 CCI-000663 LOW The system package management tool must cryptographically verify the authenticity of all software packages during installation. Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
    SV-64917r2_rule OL6-00-000099 CCI-000366 MEDIUM The system must ignore ICMPv6 redirects by default. An illicit ICMP redirect message could result in a man-in-the-middle attack.
    SV-64919r1_rule OL6-00-000341 CCI-000366 HIGH The snmpd service must not use a default password. Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.
    SV-64921r1_rule OL6-00-000016 CCI-001069 MEDIUM A file integrity tool must be installed. The AIDE package must be installed if it is to be available for integrity checking.
    SV-64923r1_rule OL6-00-000340 CCI-000366 MEDIUM The snmpd service must use only SNMP protocol version 3 or newer. Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.
    SV-64925r1_rule OL6-00-000019 CCI-001436 HIGH There must be no .rhosts or hosts.equiv files on the system. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
    SV-64927r1_rule OL6-00-000027 CCI-000770 MEDIUM The system must prevent the root account from logging in from virtual consoles. Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
    SV-64931r1_rule OL6-00-000028 CCI-000770 LOW The system must prevent the root account from logging in from serial consoles. Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
    SV-64937r3_rule OL6-00-000029 CCI-000366 MEDIUM Default operating system accounts, other than root, must be locked. Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
    SV-64943r2_rule OL6-00-000030 CCI-000366 HIGH The system must not have accounts configured with blank or null passwords. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
    SV-64945r1_rule OL6-00-000339 CCI-000130 LOW The FTP daemon must be configured for logging or verbose mode. To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.
    SV-64947r1_rule OL6-00-000031 CCI-000366 MEDIUM The /etc/passwd file must not contain password hashes. The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.
    SV-64953r2_rule OL6-00-000032 CCI-000366 MEDIUM The root account must be the only account having a UID of 0. An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
    SV-64957r1_rule OL6-00-000338 CCI-000366 HIGH The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
    SV-64959r1_rule OL6-00-000033 CCI-000366 MEDIUM The /etc/shadow file must be owned by root. The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
    SV-64961r1_rule OL6-00-000034 CCI-000366 MEDIUM The /etc/shadow file must be group-owned by root. The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.
    SV-64963r1_rule OL6-00-000035 CCI-000366 MEDIUM The /etc/shadow file must have mode 0000. The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
    SV-64965r1_rule OL6-00-000036 CCI-000366 MEDIUM The /etc/gshadow file must be owned by root. The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
    SV-64967r2_rule OL6-00-000103 CCI-001118 MEDIUM The system must employ a local IPv6 firewall. The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
    SV-64969r1_rule OL6-00-000037 CCI-000366 MEDIUM The /etc/gshadow file must be group-owned by root. The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
    SV-64971r1_rule OL6-00-000038 CCI-000366 MEDIUM The /etc/gshadow file must have mode 0000. The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
    SV-64973r2_rule OL6-00-000106 CCI-001098 MEDIUM The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
    SV-64975r1_rule OL6-00-000039 CCI-000366 MEDIUM The /etc/passwd file must be owned by root. The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
    SV-64977r1_rule OL6-00-000040 CCI-000366 MEDIUM The /etc/passwd file must be group-owned by root. The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
    SV-64979r1_rule OL6-00-000041 CCI-000366 MEDIUM The /etc/passwd file must have mode 0644 or less permissive. If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
    SV-64981r1_rule OL6-00-000042 CCI-000366 MEDIUM The /etc/group file must be owned by root. The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
    SV-64983r1_rule OL6-00-000043 CCI-000366 MEDIUM The /etc/group file must be group-owned by root. The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
    SV-64985r1_rule OL6-00-000044 CCI-000366 MEDIUM The /etc/group file must have mode 0644 or less permissive. The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
    SV-64987r2_rule OL6-00-000107 CCI-001100 MEDIUM The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
    SV-64989r2_rule OL6-00-000045 CCI-001499 MEDIUM Library files must have mode 0755 or less permissive. Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
    SV-64991r4_rule OL6-00-000046 CCI-001499 MEDIUM Library files must be owned by a system account. Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
    SV-64993r2_rule OL6-00-000047 CCI-001499 MEDIUM All system command files must have mode 755 or less permissive. System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
    SV-64995r2_rule OL6-00-000048 CCI-001499 MEDIUM All system command files must be owned by root. System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
    SV-64997r3_rule OL6-00-000050 CCI-000205 MEDIUM The system must require passwords to contain a minimum of 15 characters. Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).
    SV-64999r1_rule OL6-00-000051 CCI-000198 MEDIUM Users must not be able to change passwords more than once every 24 hours. Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
    SV-65001r1_rule OL6-00-000053 CCI-000199 MEDIUM User passwords must be changed at least every 60 days. Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
    SV-65003r2_rule OL6-00-000113 CCI-001118 MEDIUM The system must employ a local IPv4 firewall. The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
    SV-65005r1_rule OL6-00-000237 CCI-000770 MEDIUM The system must not permit root logins using remote access programs such as ssh. Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
    SV-65007r1_rule OL6-00-000239 CCI-000766 HIGH The SSH daemon must not allow authentication using an empty password. Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
    SV-65009r1_rule OL6-00-000240 CCI-000048 MEDIUM The SSH daemon must be configured with the Department of Defense (DoD) login banner. The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
    SV-65011r1_rule OL6-00-000241 CCI-001414 LOW The SSH daemon must not permit user environment settings. SSH environment options potentially allow users to bypass access restriction in some configurations.
    SV-65013r1_rule OL6-00-000243 CCI-001144 MEDIUM The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.
    SV-65015r1_rule OL6-00-000246 CCI-000366 LOW The avahi service must be disabled. Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
    SV-65017r1_rule OL6-00-000247 CCI-000160 MEDIUM The system clock must be synchronized continuously, or at least daily. Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
    SV-65019r1_rule OL6-00-000248 CCI-000160 MEDIUM The system clock must be synchronized to an authoritative DoD time source. Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
    SV-65021r2_rule OL6-00-000249 CCI-000382 MEDIUM Mail relaying must be restricted. This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
    SV-65023r1_rule OL6-00-000252 CCI-001453 MEDIUM If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms. The ssl directive specifies whether to use ssl or not. If not specified it will default to "no". It should be set to "start_tls" rather than doing LDAP over SSL.
    SV-65025r1_rule OL6-00-000253 CCI-000776 MEDIUM The LDAP client must use a TLS connection using trust certificates signed by the site CA. The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.
    SV-65027r1_rule OL6-00-000256 CCI-000366 LOW The openldap-servers package must not be installed unless required. Unnecessary packages should not be installed to decrease the attack surface of the system.
    SV-65029r2_rule OL6-00-000257 CCI-000057 MEDIUM The graphical desktop environment must set the idle timeout to no more than 15 minutes. Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
    SV-65031r3_rule OL6-00-000258 CCI-000057 MEDIUM The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment. Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
    SV-65033r2_rule OL6-00-000259 CCI-000057 MEDIUM The graphical desktop environment must have automatic lock enabled. Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
    SV-65035r2_rule OL6-00-000260 CCI-000060 LOW The system must display a publicly-viewable pattern during a graphical desktop environment session lock. Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
    SV-65037r1_rule OL6-00-000261 CCI-000382 LOW The Automatic Bug Reporting Tool (abrtd) service must not be running. Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
    SV-65041r2_rule OL6-00-000262 CCI-000382 LOW The atd service must be disabled. The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.
    SV-65043r1_rule OL6-00-000265 CCI-000382 LOW The ntpdate service must not be running. The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.
    SV-65045r1_rule OL6-00-000266 CCI-000382 LOW The oddjobd service must not be running. The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
    SV-65047r2_rule OL6-00-000267 CCI-000382 LOW The qpidd service must not be running. The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP, traffic then the "qpidd" service is not needed and should be disabled or removed.
    SV-65049r1_rule OL6-00-000268 CCI-000382 LOW The rdisc service must not be running. General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
    SV-65051r2_rule OL6-00-000269 CCI-000366 MEDIUM Remote file systems must be mounted with the nodev option. Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
    SV-65053r2_rule OL6-00-000270 CCI-000366 MEDIUM Remote file systems must be mounted with the nosuid option. NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
    SV-65055r1_rule OL6-00-000271 CCI-000087 LOW The noexec option must be added to removable media partitions. Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
    SV-65057r1_rule OL6-00-000272 CCI-000366 LOW The system must use SMB client signing for connecting to samba servers using smbclient. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
    SV-65059r2_rule OL6-00-000273 CCI-000366 LOW The system must use SMB client signing for connecting to samba servers using mount.cifs. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
    SV-65061r4_rule OL6-00-000274 CCI-000200 MEDIUM The system must prohibit the reuse of passwords within five iterations. Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
    SV-65063r1_rule OL6-00-000275 CCI-001019 LOW The operating system must employ cryptographic mechanisms to protect information in storage. The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
    SV-65065r1_rule OL6-00-000276 CCI-001199 LOW The operating system must protect the confidentiality and integrity of data at rest. The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
    SV-65067r1_rule OL6-00-000277 CCI-001200 LOW The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures. The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
    SV-65069r1_rule OL6-00-000278 CCI-001493 MEDIUM The system package management tool must verify permissions on all files and directories associated with the audit package. Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
    SV-65071r1_rule OL6-00-000279 CCI-001494 MEDIUM The system package management tool must verify ownership on all files and directories associated with the audit package. Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
    SV-65073r1_rule OL6-00-000280 CCI-001495 MEDIUM The system package management tool must verify group-ownership on all files and directories associated with the audit package. Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
    SV-65075r1_rule OL6-00-000281 CCI-001496 MEDIUM The system package management tool must verify contents of all files associated with the audit package. The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system.
    SV-65077r2_rule OL6-00-000282 CCI-000366 MEDIUM There must be no world-writable files on the system. Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
    SV-65081r3_rule OL6-00-000285 CCI-001259 MEDIUM The system must have a host-based intrusion detection tool installed. Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.
    SV-65083r3_rule OL6-00-000286 CCI-000366 HIGH The x86 Ctrl-Alt-Delete key sequence must be disabled. A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
    SV-65085r1_rule OL6-00-000287 CCI-000366 LOW The postfix service must be enabled for mail delivery. Local mail delivery is essential to some system maintenance and notification tasks.
    SV-65087r1_rule OL6-00-000288 CCI-000366 MEDIUM The sendmail package must be removed. The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
    SV-65089r1_rule OL6-00-000289 CCI-000382 LOW The netconsole service must be disabled unless required. The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.
    SV-65091r1_rule OL6-00-000290 CCI-001436 MEDIUM X Windows must not be enabled unless required. Unnecessary services should be disabled to decrease the attack surface of the system.
    SV-65093r1_rule OL6-00-000291 CCI-000366 LOW The xorg-x11-server-common (X Windows) package must not be installed, unless required. Unnecessary packages should not be installed to decrease the attack surface of the system.
    SV-65095r1_rule OL6-00-000292 CCI-000366 MEDIUM The DHCP client must be disabled if not needed. DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
    SV-65109r2_rule OL6-00-000116 CCI-001098 MEDIUM The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
    SV-65113r1_rule OL6-00-000054 CCI-000366 LOW Users must be warned 7 days in advance of password expiration. Setting the password warning age enables users to make the change at a practical time.
    SV-65117r1_rule OL6-00-000056 CCI-000194 LOW The system must require passwords to contain at least one numeric character. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
    SV-65119r1_rule OL6-00-000057 CCI-000192 LOW The system must require passwords to contain at least one uppercase alphabetic character. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
    SV-65121r1_rule OL6-00-000058 CCI-001619 LOW The system must require passwords to contain at least one special character. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
    SV-65123r2_rule OL6-00-000059 CCI-000193 LOW The system must require passwords to contain at least one lower-case alphabetic character. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
    SV-65125r2_rule OL6-00-000060 CCI-000195 LOW The system must require at least eight characters be changed between the old and new passwords during a password change. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
    SV-65127r3_rule OL6-00-000061 CCI-000044 MEDIUM The system must disable accounts after three consecutive unsuccessful logon attempts. Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
    SV-65129r3_rule OL6-00-000062 CCI-000803 MEDIUM The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). Using a stronger hashing algorithm makes password cracking attacks more difficult.
    SV-65133r1_rule OL6-00-000063 CCI-000803 MEDIUM The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). Using a stronger hashing algorithm makes password cracking attacks more difficult.
    SV-65139r2_rule OL6-00-000065 CCI-000366 MEDIUM The system boot loader configuration file(s) must be owned by root. Only root should be able to modify important boot parameters.
    SV-65143r1_rule OL6-00-000064 CCI-000803 MEDIUM The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). Using a stronger hashing algorithm makes password cracking attacks more difficult.
    SV-65145r2_rule OL6-00-000066 CCI-000366 MEDIUM The system boot loader configuration file(s) must be group-owned by root. The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
    SV-65149r3_rule OL6-00-000067 CCI-000366 MEDIUM The system boot loader configuration file(s) must have mode 0600 or less permissive. Proper permissions ensure that only the root user can modify important boot parameters.
    SV-65151r3_rule OL6-00-000068 CCI-000213 MEDIUM The system boot loader must require authentication. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
    SV-65153r1_rule OL6-00-000069 CCI-000213 MEDIUM The system must require authentication upon booting into single-user and maintenance modes. This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
    SV-65157r1_rule OL6-00-000070 CCI-000213 MEDIUM The system must not permit interactive boot. Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
    SV-65159r1_rule OL6-00-000071 CCI-000058 LOW The system must allow locking of the console screen in text mode. Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.
    SV-65161r4_rule OL6-00-000073 CCI-001384 MEDIUM The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
    SV-65163r2_rule OL6-00-000078 CCI-000366 MEDIUM The system must implement virtual address space randomization. Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.
    SV-65165r3_rule OL6-00-000079 CCI-000366 MEDIUM The system must limit the ability of processes to have simultaneous write and execute access to memory. A common type of exploit is the stack buffer overflow. An application receives from an attacker more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.
    SV-65167r2_rule OL6-00-000080 CCI-000366 MEDIUM The system must not send ICMPv4 redirects by default. Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
    SV-65169r2_rule OL6-00-000081 CCI-000366 MEDIUM The system must not send ICMPv4 redirects from any interface. Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.
    SV-65173r2_rule OL6-00-000082 CCI-000366 MEDIUM IP forwarding for IPv4 must not be enabled, unless the system is a router. IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
    SV-65175r2_rule OL6-00-000083 CCI-000366 MEDIUM The system must not accept IPv4 source-routed packets on any interface. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
    SV-65177r2_rule OL6-00-000084 CCI-000366 MEDIUM The system must not accept ICMPv4 redirect packets on any interface. Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
    SV-65179r2_rule OL6-00-000294 CCI-000366 LOW All GIDs referenced in /etc/passwd must be defined in /etc/group. Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.
    SV-65185r2_rule OL6-00-000117 CCI-001100 MEDIUM The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
    SV-65191r1_rule OL6-00-000296 CCI-000804 LOW All accounts on the system must have unique user or account names. Unique usernames allow for accountability on the system.
    SV-65193r1_rule OL6-00-000120 CCI-000066 MEDIUM The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
    SV-65195r2_rule OL6-00-000124 CCI-000382 MEDIUM The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. Disabling DCCP protects the system against exploitation of any flaws in its implementation.
    SV-65197r1_rule OL6-00-000297 CCI-000016 LOW Temporary accounts must be provisioned with an expiration date. When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.
    SV-65199r1_rule OL6-00-000298 CCI-001682 LOW Emergency accounts must be provisioned with an expiration date. When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.
    SV-65201r2_rule OL6-00-000299 CCI-000366 LOW The system must require passwords to contain no more than three consecutive repeating characters. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
    SV-65203r2_rule OL6-00-000125 CCI-000382 MEDIUM The Stream Control Transmission Protocol (SCTP) must be disabled unless required. Disabling SCTP protects the system against exploitation of any flaws in its implementation.
    SV-65207r1_rule OL6-00-000126 CCI-000382 LOW The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. Disabling RDS protects the system against exploitation of any flaws in its implementation.
    SV-65211r2_rule OL6-00-000127 CCI-000382 MEDIUM The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. Disabling TIPC protects the system against exploitation of any flaws in its implementation.
    SV-65213r2_rule OL6-00-000133 CCI-001314 MEDIUM All rsyslog-generated log files must be owned by root. The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
    SV-65215r2_rule OL6-00-000134 CCI-001314 MEDIUM All rsyslog-generated log files must be group-owned by root. The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
    SV-65217r2_rule OL6-00-000302 CCI-000374 MEDIUM A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
    SV-65219r2_rule OL6-00-000135 CCI-001314 MEDIUM All rsyslog-generated log files must have mode 0600 or less permissive. Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.
    SV-65221r1_rule OL6-00-000136 CCI-001348 MEDIUM The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
    SV-65223r2_rule OL6-00-000303 CCI-000416 MEDIUM The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system. By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
    SV-65225r1_rule OL6-00-000137 CCI-000169 MEDIUM The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components. A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
    SV-65227r1_rule OL6-00-000138 CCI-000366 LOW System logs must be rotated daily. Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
    SV-65229r2_rule OL6-00-000304 CCI-001069 MEDIUM The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
    SV-65233r1_rule OL6-00-000145 CCI-001487 MEDIUM The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
    SV-65235r2_rule OL6-00-000305 CCI-001263 MEDIUM The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
    SV-65239r1_rule OL6-00-000148 CCI-000067 MEDIUM The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
    SV-65241r2_rule OL6-00-000306 CCI-001297 MEDIUM The operating system must detect unauthorized changes to software and information. By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
    SV-65243r2_rule OL6-00-000307 CCI-001589 MEDIUM The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
    SV-65245r1_rule OL6-00-000154 CCI-000130 MEDIUM The operating system must produce audit records containing sufficient information to establish what type of events occurred. Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.
    SV-65247r2_rule OL6-00-000308 CCI-000366 LOW Process core dumps must be disabled unless needed. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
    SV-65249r1_rule OL6-00-000159 CCI-000366 MEDIUM The system must retain enough rotated audit logs to cover the required log retention period. The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
    SV-65253r1_rule OL6-00-000309 CCI-000764 HIGH The NFS server must not have the insecure file locking option enabled. Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
    SV-65255r1_rule OL6-00-000160 CCI-000366 MEDIUM The system must set a maximum audit log file size. The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
    SV-65257r2_rule OL6-00-000311 CCI-000143 MEDIUM The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
    SV-65259r2_rule OL6-00-000161 CCI-000366 MEDIUM The system must rotate audit log files that reach the maximum file size. Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.
    SV-65263r1_rule OL6-00-000313 CCI-000139 MEDIUM The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
    SV-65267r2_rule OL6-00-000165 CCI-000169 LOW The audit system must be configured to audit all attempts to alter system time through adjtimex. Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
    SV-65269r2_rule OL6-00-000167 CCI-000169 LOW The audit system must be configured to audit all attempts to alter system time through settimeofday. Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
    SV-65273r2_rule OL6-00-000169 CCI-000169 LOW The audit system must be configured to audit all attempts to alter system time through stime. Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
    SV-65275r2_rule OL6-00-000171 CCI-000169 LOW The audit system must be configured to audit all attempts to alter system time through clock_settime. Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
    SV-65277r2_rule OL6-00-000173 CCI-000169 LOW The audit system must be configured to audit all attempts to alter system time through /etc/localtime. Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
    SV-65279r2_rule OL6-00-000174 CCI-000018 LOW The operating system must automatically audit account creation. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
    SV-65283r2_rule OL6-00-000175 CCI-001403 LOW The operating system must automatically audit account modification. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
    SV-65291r2_rule OL6-00-000176 CCI-001404 LOW The operating system must automatically audit account disabling actions. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
    SV-65295r2_rule OL6-00-000177 CCI-001405 LOW The operating system must automatically audit account termination. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
    SV-65301r4_rule OL6-00-000182 CCI-000366 LOW The audit system must be configured to audit modifications to the systems network configuration. The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
    SV-65321r3_rule OL6-00-000315 CCI-000085 MEDIUM The Bluetooth kernel module must be disabled. If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
    SV-65325r2_rule OL6-00-000319 CCI-000054 LOW The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
    SV-65327r1_rule OL6-00-000320 CCI-001109 MEDIUM The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets. In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
    SV-65331r2_rule OL6-00-000321 CCI-001130 LOW The system must provide VPN connectivity for communications over untrusted networks. Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
    SV-65333r2_rule OL6-00-000324 CCI-000050 MEDIUM A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
    SV-65335r3_rule OL6-00-000326 CCI-001384 MEDIUM The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
    SV-65337r2_rule OL6-00-000331 CCI-000085 MEDIUM The Bluetooth service must be disabled. Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
    SV-65339r1_rule OL6-00-000334 CCI-000017 LOW Accounts must be locked upon 35 days of inactivity. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
    SV-65341r1_rule OL6-00-000335 CCI-000795 LOW The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
    SV-65343r1_rule OL6-00-000336 CCI-000366 LOW The sticky bit must be set on all public directories. Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.
    SV-65345r2_rule OL6-00-000201 CCI-000172 LOW The audit system must be configured to audit changes to the /etc/sudoers file. The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
    SV-65347r2_rule OL6-00-000200 CCI-000172 LOW The audit system must be configured to audit user deletions of files and programs. Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
    SV-65349r2_rule OL6-00-000199 CCI-000172 LOW The audit system must be configured to audit successful file system mounts. The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
    SV-65351r2_rule OL6-00-000198 CCI-000040 LOW The audit system must be configured to audit all use of setuid and setgid programs. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
    SV-65353r1_rule OL6-00-000197 CCI-000172 LOW The audit system must be configured to audit failed attempts to access files and programs. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    SV-65355r2_rule OL6-00-000196 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using setxattr. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65357r2_rule OL6-00-000195 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using removexattr. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65359r2_rule OL6-00-000194 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65361r2_rule OL6-00-000193 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65363r2_rule OL6-00-000192 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using lchown. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65365r2_rule OL6-00-000191 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65367r2_rule OL6-00-000190 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65369r2_rule OL6-00-000189 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using fchownat. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65371r2_rule OL6-00-000188 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using fchown. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65373r2_rule OL6-00-000187 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65375r2_rule OL6-00-000186 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using fchmod. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65377r2_rule OL6-00-000185 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using chown. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65379r2_rule OL6-00-000184 CCI-000172 LOW The audit system must be configured to audit all discretionary access control permission modifications using chmod. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    SV-65381r2_rule OL6-00-000183 CCI-000366 LOW The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux). The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
    SV-65633r1_rule OL6-00-000337 CCI-000366 LOW All public directories must be owned by a system account. Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
    SV-73777r2_rule OL6-00-000017 CCI-000366 MEDIUM The system must use a Linux Security Module at boot time. Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
    SV-73783r1_rule OL6-00-000018 CCI-000366 MEDIUM A file integrity baseline must be created. For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
    SV-73797r1_rule OL6-00-000020 CCI-000366 MEDIUM The system must use a Linux Security Module configured to enforce limits on system services. Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
    SV-73799r1_rule OL6-00-000023 CCI-000366 LOW The system must use a Linux Security Module configured to limit the privileges of system services. Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
    SV-73801r1_rule OL6-00-000025 CCI-000366 LOW All device files must be monitored by the system Linux Security Module. If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file.
    SV-73803r3_rule OL6-00-000163 CCI-000366 MEDIUM The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
    SV-73805r1_rule OL6-00-000372 CCI-000366 MEDIUM The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
    SV-73807r1_rule OL6-00-000527 CCI-000366 MEDIUM The login user list must be disabled. Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.
    SV-73809r1_rule OL6-00-000528 CCI-000366 MEDIUM The noexec option must be added to the /tmp partition. Allowing users to execute binaries from world-writable directories such as "/tmp" should never be necessary in normal operation and can expose the system to potential compromise.
    SV-75275r1_rule OL6-00-000529 CCI-002038 MEDIUM The sudo command must require authentication. The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
    SV-87469r1_rule OL6-00-000293 CCI-001443 MEDIUM Wireless network adapters must be disabled. The use of wireless networking can introduce many different attack vectors into the organization’s network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.