STIGQter: STIG Summary: Oracle Linux 5 Security Technical Implementation Guide

Version: 1

Release: 13

Benchmark Date: 26 Oct 2018

CheckedNameTitle
SV-63087r2_ruleThe system must require authentication upon booting into single-user and maintenance modes.
SV-63187r2_ruleDirect logins must not be permitted to shared, default, application, or utility accounts.
SV-63251r1_ruleAll accounts on the system must have unique user or account names.
SV-63255r1_ruleAll accounts must be assigned unique User Identification Numbers (UIDs).
SV-63333r1_ruleThe Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
SV-63363r1_ruleSuccessful and unsuccessful logins and logouts must be logged.
SV-63383r1_ruleThe system must disable accounts after three consecutive unsuccessful login attempts.
SV-63391r1_ruleThe delay between login prompts following a failed login attempt must be at least 4 seconds.
SV-63649r1_ruleThe root user must not own the logon session for an application requiring a continuous display.
SV-63787r1_ruleThe system must not have accounts configured with blank or null passwords.
SV-64341r1_ruleThe root account must be the only account having a UID of 0.
SV-64353r1_ruleThe root users home directory must not be the root directory (/).
SV-64359r2_ruleThe root accounts home directory (other than /) must have mode 0700 or less permissive.
SV-64373r4_ruleThe root accounts executable search path must be the must contain only authorized paths.
SV-64387r1_ruleThe root account must not have world-writable directories in its executable search path.
SV-64389r1_ruleThe system must prevent the root account from directly logging in except from the system console.
SV-63299r1_ruleGIDs reserved for system accounts must not be assigned to non-system groups.
SV-63319r1_ruleAll GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
SV-63733r2_ruleThe system must have a host-based intrusion detection tool installed.
SV-63099r1_ruleSystem security patches and updates must be installed and up-to-date.
SV-64461r1_ruleSystem files and directories must not have uneven access permissions.
SV-64463r2_ruleAll files and directories must have a valid owner.
SV-64467r1_ruleAll network services daemon files must have mode 0755 or less permissive.
SV-64487r3_ruleSystem log files must have mode 0640 or less permissive.
SV-63879r1_ruleAll skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
SV-64537r1_ruleNIS/NIS+/yp files must be owned by root, sys, or bin.
SV-64515r1_ruleNIS/NIS+/yp files must be group-owned by root, sys, or bin.
SV-64509r1_ruleThe NIS/NIS+/yp command files must have mode 0755 or less permissive.
SV-64517r3_ruleManual page files must have mode 0644 or less permissive.
SV-64525r2_ruleLibrary files must have mode 0755 or less permissive.
SV-64477r2_ruleAll system command files must have mode 0755 or less permissive.
SV-64483r1_ruleAll system files, programs, and directories must be owned by a system account.
SV-64485r1_ruleSystem files, programs, and directories must be group-owned by a system group.
SV-64569r1_ruleThe /etc/shadow (or equivalent) file must be owned by root.
SV-64557r1_ruleThe /etc/passwd file must have mode 0644 or less permissive.
SV-64573r1_ruleThe /etc/shadow (or equivalent) file must have mode 0400.
SV-63399r4_ruleThe owner, group-owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
SV-63459r2_ruleThe owner, group-owner, mode, ACL and location of files with the setgid bit set must be documented using site-defined procedures.
SV-63421r3_ruleThe system must be checked weekly for unauthorized setuid files as well as unauthorized modification to authorized setuid files.
SV-63589r3_ruleThe system must be checked weekly for unauthorized setgid files as well as unauthorized modification to authorized setgid files.
SV-63441r1_ruleRemovable media, remote file systems, and any file system not containing approved setuid files must be mounted with the nosuid option.
SV-63691r1_ruleThe sticky bit must be set on all public directories.
SV-63705r1_ruleAll public directories must be owned by root or an application account.
SV-63801r1_ruleThe system and user default umask must be 077.
SV-63809r1_ruleDefault system accounts must be disabled or removed.
SV-63819r1_ruleAuditing must be implemented.
SV-63845r1_ruleSystem audit logs must be owned by root.
SV-63883r1_ruleSystem audit logs must have mode 0640 or less permissive.
SV-64247r1_ruleThe audit system must be configured to audit failed attempts to access files and programs.
SV-64263r1_ruleThe audit system must be configured to audit files and programs deleted by the user.
SV-65285r1_ruleThe audit system must be configured to audit login, logout, and session initiation.
SV-64623r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64233r1_ruleThe inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
SV-64239r1_ruleThe xinetd configuration files must have mode 0640 or less permissive.
SV-63977r1_ruleThe services file must be owned by root or bin.
SV-63983r1_ruleThe services file must have mode 0644 or less permissive.
SV-63875r1_ruleGlobal initialization files must contain the mesg -n or mesg n commands.
SV-64115r1_ruleThe hosts.lpd file (or equivalent) must not contain a + character.
SV-64119r1_ruleThe hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
SV-64121r1_ruleThe hosts.lpd (or equivalent) must have mode 0644 or less permissive.
SV-63607r1_ruleThe alias file must be owned by root.
SV-63637r2_ruleThe alias file must have mode 0644 or less permissive.
SV-63699r1_ruleFiles executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
SV-63739r1_ruleFiles executed through a mail aliases file must have mode 0755 or less permissive.
SV-63747r1_ruleSendmail logging must not be set to less than nine in the sendmail.cf file.
SV-63749r2_ruleThe system syslog service must log informational and more severe SMTP service messages.
SV-63751r3_ruleThe SMTP service log file must be owned by root.
SV-63753r3_ruleThe SMTP service log file must have mode 0644 or less permissive.
SV-62959r1_ruleThe ftpusers file must exist.
SV-62981r1_ruleThe ftpusers file must contain account names not allowed to use FTP.
SV-63009r1_ruleThe ftpusers file must be owned by root.
SV-63079r1_ruleThe ftpusers file must have mode 0640 or less permissive.
SV-63103r1_ruleThe FTP daemon must be configured for logging or verbose mode.
SV-62955r1_ruleAnonymous FTP must not be active on the system unless authorized.
SV-63119r1_ruleThe TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
SV-63163r1_ruleThe TFTP daemon must have mode 0755 or less permissive.
SV-63159r1_ruleThe TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell such as /bin/false, and a home directory owned by the TFTP user.
SV-63199r3_ruleAny X Windows host must write .Xauthority files.
SV-63803r1_ruleThe Network Information System (NIS) protocol must not be used.
SV-64577r1_ruleAll interactive users must be assigned a home directory in the /etc/passwd file.
SV-64579r1_ruleAll interactive user home directories defined in the /etc/passwd file must exist.
SV-64585r1_ruleAll user home directories must have mode 0750 or less permissive.
SV-64589r1_ruleAll interactive user home directories must be owned by their respective users.
SV-63825r1_ruleAll interactive user home directories must be group-owned by the home directory owners primary group.
SV-63339r2_ruleAll local initialization files must be owned by the home directorys user or root.
SV-63345r1_ruleAll local initialization files must have mode 0740 or less permissive.
SV-63843r1_ruleAll run control scripts must have mode 0755 or less permissive.
SV-63849r4_ruleRun control scripts executable search paths must contain only authorized paths.
SV-63855r1_ruleRun control scripts must not execute world-writable programs or scripts.
SV-63591r1_ruleThere must be no .netrc files on the system.
SV-63831r1_ruleAll files and directories contained in interactive user home directories must be owned by the home directorys owner.
SV-63837r1_ruleAll files and directories contained in user home directories must have mode 0750 or less permissive.
SV-63651r1_ruleThe /etc/shells (or equivalent) file must exist.
SV-63671r2_ruleAll shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SV-64285r1_ruleAccounts must be locked upon 35 days of inactivity.
SV-63677r1_ruleAll shell files must be owned by root or bin.
SV-63713r1_ruleAll shell files must have mode 0755 or less permissive.
SV-63209r3_ruleThe system must be checked for extraneous device files at least weekly.
SV-63229r3_ruleDevice files and directories must only be writable by users with a system account or as configured by the vendor.
SV-63241r1_ruleDevice files used for backup must only be readable and/or writable by root or the backup user.
SV-64237r1_ruleThe Network File System (NFS) export configuration file must be owned by root.
SV-64199r1_ruleThe Network File System (NFS) export configuration file must have mode 0644 or less permissive.
SV-64189r1_ruleAll Network File System (NFS) exported system files and system directories must be owned by root.
SV-64169r1_ruleThe Network File System (NFS) anonymous UID and GID must be configured to values without permissions.
SV-64163r1_ruleThe Network File System (NFS) server must be configured to restrict file system access to local hosts.
SV-64157r1_ruleThe Network File System (NFS) server must not allow remote root access.
SV-64147r1_ruleThe nosuid option must be enabled on all Network File System (NFS) client mounts.
SV-63577r1_ruleThe system must use an access control program.
SV-63571r2_ruleThe systems access control program must log each system access attempt.
SV-64415r2_ruleAccess to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
SV-64411r1_ruleThe cron.allow file must have mode 0600 or less permissive.
SV-64405r1_ruleCron must not execute group-writable or world-writable programs.
SV-64403r1_ruleCron must not execute programs in, or subordinate to, world-writable directories.
SV-64391r1_ruleCrontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive.
SV-64375r1_ruleCron and crontab directories must have mode 0755 or less permissive.
SV-64293r1_ruleCron and crontab directories must be owned by root or bin.
SV-64305r1_ruleCron and crontab directories must be group-owned by root, sys, bin or cron.
SV-64313r2_ruleCron logging must be implemented.
SV-64317r2_ruleThe cronlog file must have mode 0600 or less permissive.
SV-64369r1_ruleAccess to the at utility must be controlled via the at.allow and/or at.deny file(s).
SV-64371r1_ruleThe at.deny file must not be empty if it exists.
SV-64379r1_ruleDefault system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
SV-64453r1_ruleThe at.allow file must have mode 0600 or less permissive.
SV-64469r1_ruleThe at daemon must not execute group-writable or world-writable programs.
SV-64475r1_ruleThe at daemon must not execute programs in, or subordinate to, world-writable directories.
SV-63371r1_ruleSNMP communities, users, and passphrases must be changed from the default.
SV-63425r1_ruleThe snmpd.conf file must have mode 0600 or less permissive.
SV-63429r1_ruleManagement Information Base (MIB) files must have mode 0640 or less permissive.
SV-63673r1_rulePublic directories must be the only world-writable directories and world-writable files must be located only in public directories.
SV-63989r1_ruleInetd or xinetd logging/tracing must be enabled.
SV-63139r1_ruleThe system must be configured to only boot from the system boot device.
SV-62805r1_ruleThe X server must have the correct options enabled.
SV-62815r1_ruleAn X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
SV-63965r1_ruleThe system must not run an Internet Network News (INN) server.
SV-62875r1_ruleThe /etc/security/access.conf file must be owned by root.
SV-64123r1_ruleThe Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
SV-64095r1_ruleThe /etc/smb.conf file must be owned by root.
SV-64087r1_ruleThe /etc/smb.conf file must have mode 0644 or less permissive.
SV-64077r1_ruleThe /etc/smbpasswd file must be owned by root.
SV-64055r1_ruleThe smb.conf file must use the hosts option to restrict access to Samba.
SV-63659r1_ruleUsers must not be able to change passwords more than once every 24 hours.
SV-64449r2_ruleRoot passwords must never be passed over a network in clear text form.
SV-64455r1_ruleThe system must not permit root logins using remote access programs such as ssh.
SV-63247r1_ruleAudio devices must have mode 0660 or less permissive.
SV-63301r1_ruleAudio devices must be owned by root.
SV-62901r1_ruleThe /etc/security/access.conf file must have a privileged group owner.
SV-62903r1_ruleThe /etc/security/access.conf file must have mode 0640 or less permissive.
SV-64093r1_ruleThe /etc/smb.conf file must be group-owned by root, bin, sys, or system.
SV-64069r1_ruleThe smbpasswd file must be group-owned by root.
SV-64063r1_ruleThe smbpasswd file must have mode 0600 or less permissive.
SV-63341r2_ruleAudio devices must be group-owned by root, sys, bin, or system.
SV-64441r1_ruleThe root shell must be located in the / file system.
SV-63405r1_ruleGraphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment. Applications requiring continuous, real-time screen display (i.e., network management products) require the following and need to be documented with the IAO. -The logon session does not have administrator rights. -The display station (i.e., keyboard, monitor, etc.) is located in a controlled access area.
SV-64321r2_ruleThe system must prohibit the reuse of passwords within five iterations.
SV-63573r3_ruleUser start-up files must not execute world-writable programs.
SV-63857r1_ruleAll system start-up files must be owned by root.
SV-63859r1_ruleAll system start-up files must be group-owned by root, sys, bin, other, or system.
SV-63861r1_ruleSystem start-up files must only execute programs owned by a privileged UID or an application.
SV-63135r1_ruleSystem BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
SV-63121r1_ruleThe system must not use removable media as the boot loader.
SV-63115r1_ruleFor systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
SV-63105r1_ruleThe system boot loader must require authentication.
SV-63093r1_ruleThe systems boot loader configuration file(s) must have mode 0600 or less permissive.
SV-63107r1_ruleIf the system boots from removable media, it must be stored in a safe or similarly secured container.
SV-62797r1_ruleThe system must not have special privilege accounts, such as shutdown and halt.
SV-63195r2_ruleThe system must not have unnecessary accounts.
SV-63947r1_ruleThe /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive.
SV-63921r1_ruleThe /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive.
SV-63909r1_ruleThe /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive.
SV-63899r1_ruleThe /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
SV-63829r1_ruleFiles in /etc/news must be owned by root or news.
SV-63817r1_ruleThe files in /etc/news must be group-owned by root or news.
SV-63543r1_ruleThe SSH daemon must be configured to only use the SSHv2 protocol.
SV-64393r1_ruleRemote consoles must be disabled or protected from unauthorized access.
SV-63137r1_ruleThe system clock must be synchronized to an authoritative DoD time source.
SV-64225r1_ruleThe root file system must employ journaling or another mechanism ensuring file system consistency.
SV-64125r1_ruleThe system must not run Samba unless needed.
SV-62929r1_ruleThe /etc/sysctl.conf file must be owned by root.
SV-62951r1_ruleThe /etc/sysctl.conf file must be group-owned by root.
SV-62963r1_ruleThe /etc/sysctl.conf file must have mode 0600 or less permissive.
SV-62985r1_ruleThe Linux NFS Server must not have the insecure file locking option.
SV-62991r1_ruleThe x86 CTRL-ALT-DELETE key sequence must be disabled.
SV-63003r1_ruleThe Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.
SV-64423r1_ruleAudit logs must be rotated daily.
SV-64329r1_ruleThe cron.deny file must have mode 0600 or less permissive.
SV-64337r2_ruleCron programs must not set the umask to a value less restrictive than 077.
SV-64343r1_ruleThe cron.allow file must be owned by root, bin, or sys.
SV-64287r1_ruleThe at directory must have mode 0755 or less permissive.
SV-64299r2_ruleThe at directory must be owned by root, bin, sys, daemon, or cron.
SV-64409r1_ruleAt jobs must not set the umask to a value less restrictive than 077.
SV-64319r1_ruleThe at.allow file must be owned by root, bin, or sys.
SV-64417r1_ruleThe at.deny file must be owned by root, bin, or sys.
SV-63487r1_ruleThe traceroute command owner must be root.
SV-63511r1_ruleThe traceroute command must be group-owned by sys, bin, root, or system.
SV-63525r1_ruleThe traceroute file must have mode 0700 or less permissive.
SV-63545r1_ruleAdministrative accounts must not run a web browser, except as needed for local service administration.
SV-63771r1_ruleThe SMTP services SMTP greeting must not provide version information.
SV-62713r2_ruleThe system must not use .forward files.
SV-63109r1_ruleAnonymous FTP accounts must not have a functional shell.
SV-63465r1_ruleIf the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
SV-63473r2_ruleThe /etc/syslog.conf file must be owned by root.
SV-65303r2_ruleThe /etc/syslog.conf file must be group-owned by root, bin, sys, or system.
SV-63507r2_ruleThe system must only use remote syslog servers (log hosts) that is justified and documented using site-defined procedures.
SV-64105r1_ruleThe system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
SV-64109r2_ruleA system used for routing must not run other network services or applications.
SV-63813r1_ruleThe system must not use UDP for NIS/NIS+.
SV-63611r1_ruleAll .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
SV-63635r1_ruleAll .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
SV-64361r1_ruleThe cron.deny file must be owned by root, bin, or sys.
SV-64011r1_ruleThe rsh daemon must not be running.
SV-64037r1_ruleThe rexec daemon must not be running.
SV-62907r2_ruleThe SMTP service must be an up-to-date version.
SV-62813r1_ruleThe sendmail server must have the debug feature disabled.
SV-62821r1_ruleThe SMTP service must not have a uudecode alias active.
SV-62833r1_ruleThe SMTP service must not have the EXPN feature active.
SV-62859r1_ruleThe SMTP service must not have the Verify (VRFY) feature active.
SV-62867r1_ruleThe sendmail service must not have the wizard backdoor active.
SV-63167r1_ruleAny active TFTP daemon must be authorized and approved in the system accreditation package.
SV-63353r1_ruleThe system must not have the UUCP service active.
SV-63295r1_ruleX displays must not be exported to the world.
SV-64051r1_ruleThe system must not have the finger service active.
SV-62925r1_ruleIf the system is an anonymous FTP server, it must be isolated to the DMZ network.
SV-63095r1_ruleThe operating system must be a supported release.
SV-63133r3_ruleA file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
SV-63277r1_ruleUIDs reserved for system accounts must not be assigned to non-system accounts.
SV-63903r3_ruleThe system must require passwords contain a minimum of 15 characters.
SV-63973r1_ruleThe system must require passwords contain at least one uppercase alphabetic character.
SV-64071r1_ruleThe system must require passwords contain at least one numeric character.
SV-64075r1_ruleThe system must require passwords contain at least one special character.
SV-64079r1_ruleThe system must require passwords contain no more than three consecutive repeating characters.
SV-64083r1_ruleUser passwords must be changed at least every 60 days.
SV-64091r1_ruleAll non-interactive/automated processing account passwords must be changed at least once per year or be locked.
SV-64397r1_ruleThe root account must not be used for direct log in.
SV-64435r2_ruleThe system must log successful and unsuccessful access to the root account.
SV-63865r1_ruleAll global initialization files must have mode 0644 or less permissive.
SV-63869r1_ruleAll global initialization files must be owned by root.
SV-63871r1_ruleAll global initialization files must be group-owned by root, sys, bin, other, system, or the system default.
SV-63307r1_ruleAll skeleton files and directories (typically in /etc/skel) must be owned by root or bin.
SV-63327r3_ruleAll global initialization files executable search paths must contain only authorized paths.
SV-63541r3_ruleAll local initialization files executable search paths must contain only authorized paths.
SV-63581r1_ruleThe .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
SV-63621r1_ruleThere must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
SV-63647r1_ruleThe .rhosts file must not be supported in PAM.
SV-63797r1_ruleAll public directories must be group-owned by root, sys, bin, or an application group.
SV-64401r1_ruleCrontabs must be owned by root or the crontab creator.
SV-64395r1_ruleDefault system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
SV-64311r2_ruleProcess core dumps must be disabled unless needed.
SV-64427r2_ruleThe kernel core dump data directory must be owned by root.
SV-64439r1_ruleThe system must implement non-executable program stacks.
SV-64451r1_ruleThe system must not forward IPv4 source-routed packets.
SV-64215r1_ruleA separate file system must be used for user home directories (such as /home or an equivalent).
SV-64229r2_ruleThe system must log informational authentication data.
SV-64231r1_ruleInetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
SV-63759r2_ruleThe SMTP service HELP command must not be enabled.
SV-62885r1_ruleUnencrypted FTP must not be used on the system.
SV-63113r1_ruleAll FTP users must have a default umask of 077.
SV-63205r1_ruleAll .Xauthority files must have mode 0600 or less permissive.
SV-63313r1_rule.Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
SV-63329r1_ruleThe .Xauthority utility must only permit access to authorized hosts.
SV-63347r1_ruleX Window System connections not required must be disabled.
SV-63443r1_ruleThe snmpd.conf file must be owned by root.
SV-63495r1_ruleThe system must not be used as a syslog server (loghost) for systems external to the enclave.
SV-63531r1_ruleThe syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
SV-64101r1_ruleThe SSH daemon must be configured for IP filtering.
SV-64113r1_ruleIP forwarding for IPv4 must not be enabled, unless the system is a router.
SV-64137r1_ruleThe system must not have a public Instant Messaging (IM) client installed.
SV-64127r1_ruleThe system must not have any peer-to-peer file-sharing application installed.
SV-63785r1_ruleNIS maps must be protected through hard-to-guess domain names.
SV-63761r1_ruleThe system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
SV-63551r1_ruleThe systems access control program must be configured to grant or deny system access to specific hosts.
SV-63013r1_ruleThe /etc/securetty file must be group-owned by root, sys, or bin.
SV-63061r1_ruleThe /etc/securetty file must be owned by root.
SV-63071r1_ruleThe /etc/securetty file must have mode 0600 or less permissive.
SV-64029r2_ruleNetwork analysis tools must not be installed.
SV-63143r4_ruleThe system clock must be synchronized continuously.
SV-63147r1_ruleThe system must use at least two time sources for clock synchronization.
SV-63153r1_ruleThe system must use time sources local to the enclave.
SV-63161r1_ruleThe time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
SV-63165r1_ruleThe time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
SV-63171r1_ruleThe time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
SV-63177r1_ruleThe time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
SV-63367r1_ruleThe system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
SV-63373r1_ruleThe system must display the date and time of the last successful account login upon login.
SV-63633r1_ruleThe system must display a publicly-viewable pattern during a graphical desktop environment session lock.
SV-63933r2_ruleThe system must enforce compliance of the entire password during authentication.
SV-63943r2_ruleThe system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
SV-63949r1_ruleThe password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-64065r1_ruleThe system must require passwords contain at least one lowercase alphabetic character.
SV-64283r2_ruleThe system must require at least eight characters be changed between the old and new passwords during a password change.
SV-64303r1_ruleThe system must prevent the use of dictionary words for passwords.
SV-64327r1_ruleThe system must restrict the ability to switch to the root user to members of a defined group.
SV-64363r1_ruleThe root accounts home directory must not have an extended ACL.
SV-64377r1_ruleThe root accounts library search path must be the system default and must contain only absolute paths.
SV-64383r1_ruleThe root accounts list of preloaded libraries must be empty.
SV-64465r2_ruleAll files and directories must have a valid group-owner.
SV-64473r1_ruleAll network services daemon files must not have extended ACLs.
SV-64479r1_ruleAll system command files must not have extended ACLs.
SV-64493r1_ruleSystem log files must not have extended ACLs, except as needed to support authorized software.
SV-64521r2_ruleAll manual page files must not have extended ACLs.
SV-64531r2_ruleAll library files must not have extended ACLs.
SV-64503r1_ruleNIS/NIS+/yp command files must not have extended ACLs.
SV-64497r1_ruleThe /etc/resolv.conf file must be owned by root.
SV-64099r1_ruleThe /etc/resolv.conf file must be group-owned by root, bin, or sys.
SV-64185r1_ruleThe /etc/resolv.conf file must have mode 0644 or less permissive.
SV-64513r1_ruleThe /etc/resolv.conf file must not have an extended ACL.
SV-64519r1_ruleThe /etc/hosts file must be owned by root.
SV-64523r1_ruleThe /etc/hosts file must be group-owned by root, bin, or sys.
SV-64527r1_ruleThe /etc/hosts file must have mode 0644 or less permissive.
SV-64533r1_ruleThe /etc/hosts file must not have an extended ACL.
SV-64535r1_ruleThe /etc/nsswitch.conf file must be owned by root.
SV-64539r1_ruleThe /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
SV-64541r1_ruleThe /etc/nsswitch.conf file must have mode 0644 or less permissive.
SV-64545r1_ruleThe /etc/nsswitch.conf file must not have an extended ACL.
SV-64547r1_ruleFor systems using DNS resolution, at least two name servers must be configured.
SV-64549r1_ruleThe /etc/passwd file must be owned by root.
SV-64553r1_ruleThe /etc/passwd file must be group-owned by root, bin, or sys.
SV-64559r1_ruleThe /etc/passwd file must not have an extended ACL.
SV-64561r1_ruleThe /etc/group file must be owned by root.
SV-64563r1_ruleThe /etc/group file must be group-owned by root, bin, or sys.
SV-64565r1_ruleThe /etc/group file must have mode 0644 or less permissive.
SV-64567r1_ruleThe /etc/group file must not have an extended ACL.
SV-64571r1_ruleThe /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
SV-64575r1_ruleThe /etc/shadow file must not have an extended ACL.
SV-62667r1_ruleThe /etc/gshadow file must be owned by root.
SV-62681r1_ruleThe /etc/gshadow file must be group-owned by root.
SV-62697r1_ruleThe /etc/gshadow file must have mode 0400.
SV-62711r1_ruleThe /etc/gshadow file must not have an extended ACL.
SV-64581r1_ruleThe /etc/passwd file must not contain password hashes.
SV-64583r1_ruleThe /etc/group file must not contain any group password hashes.
SV-62767r1_ruleThe /etc/gshadow file must not contain any group password hashes.
SV-64587r1_ruleUser home directories must not have extended ACLs.
SV-63833r1_ruleAll files and directories contained in user home directories must be group-owned by a group of which the home directorys owner is a member.
SV-63839r1_ruleAll files and directories contained in user home directories must not have extended ACLs.
SV-63847r1_ruleAll run control scripts must have no extended ACLs.
SV-63851r3_ruleRun control scripts library search paths must contain only authorized paths.
SV-63853r3_ruleRun control scripts lists of preloaded libraries must contain only authorized paths.
SV-63867r1_ruleAll global initialization files must not have extended ACLs.
SV-63881r1_ruleSkeleton files must not have extended ACLs.
SV-63323r1_ruleAll skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
SV-63331r3_ruleGlobal initialization files library search paths must contain only authorized paths.
SV-63335r3_ruleGlobal initialization files lists of preloaded libraries must contain only authorized paths.
SV-63343r1_ruleLocal initialization files must be group-owned by the users primary group or root.
SV-63537r1_ruleLocal initialization files must not have extended ACLs.
SV-63549r3_ruleLocal initialization files library search paths must contain only authorized paths.
SV-63569r3_ruleLocal initialization files lists of preloaded libraries must contain only authorized paths.
SV-63697r1_ruleAll shell files must be group-owned by root, bin, sys, or system.
SV-63017r1_ruleAll shell files must not have extended ACLs.
SV-63293r1_ruleAudio devices must not have extended ACLs.
SV-63455r1_ruleRemovable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.
SV-63885r1_ruleAll system audit files must not have extended ACLs.
SV-63959r1_ruleSystem audit tool executables must be owned by root.
SV-63975r1_ruleSystem audit tool executables must be group-owned by root, bin, sys, or system.
SV-64003r1_ruleSystem audit tool executables must have mode 0750 or less permissive.
SV-64097r1_ruleSystem audit tool executables must not have extended ACLs.
SV-64223r1_ruleThe audit system must alert the SA in the event of an audit processing failure.
SV-64261r1_ruleThe audit system must alert the SA when the audit storage volume approaches its capacity.
SV-64267r1_ruleThe audit system must be configured to audit account creation.
SV-64269r1_ruleThe audit system must be configured to audit account modification.
SV-64271r1_ruleThe audit system must be configured to audit account disabling.
SV-64273r1_ruleThe audit system must be configured to audit account termination.
SV-64505r1_ruleThe audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-64407r1_ruleThe cron.allow file must not have an extended ACL.
SV-64399r1_ruleCrontab files must be group-owned by root, cron, or the crontab creator's primary group.
SV-64381r1_ruleCrontab files must not have extended ACLs.
SV-64367r1_ruleCron and crontab directories must not have extended ACLs.
SV-64325r2_ruleThe cron log files must not have extended ACLs.
SV-64331r1_ruleThe cron.deny file must not have an extended ACL.
SV-64347r1_ruleThe at.allow file must not have an extended ACL.
SV-64351r1_ruleThe cron.allow file must be group-owned by root, bin, sys, or cron.
SV-64355r1_ruleThe at.deny file must have mode 0600 or less permissive.
SV-64357r1_ruleThe at.deny file must not have an extended ACL.
SV-64365r1_ruleThe cron.deny file must be group-owned by root, bin, or sys.
SV-64289r1_ruleThe at directory must not have an extended ACL.
SV-64297r1_ruleThe at directory must be group-owned by root, bin, sys, or cron.
SV-64413r1_ruleThe at.allow file must be group-owned by root, bin, sys, or cron.
SV-64309r1_ruleThe at.deny file must be group-owned by root, bin, sys, or cron.
SV-64421r1_ruleKernel core dumps must be disabled unless needed.
SV-64431r1_ruleThe kernel core dump data directory must be group-owned by root, bin, sys, or system.
SV-64433r2_ruleThe kernel core dump data directory must have mode 0700 or less permissive.
SV-64437r2_ruleThe kernel core dump data directory must not have an extended ACL.
SV-64443r1_ruleNetwork interfaces must not be configured to allow user control.
SV-64445r2_ruleThe system must not process Internet Control Message Protocol (ICMP) timestamp requests.
SV-64459r1_ruleThe system must not respond to Internet Control Message Protocol v4 (ICMPv4) echoes sent to a broadcast address.
SV-64195r2_ruleThe system must not respond to Internet Control Message Protocol (ICMP) timestamp requests sent to a broadcast address.
SV-64197r1_ruleThe system must not accept source-routed IPv4 packets.
SV-64201r1_ruleProxy Address Resolution Protocol (Proxy ARP) must not be enabled on the system.
SV-64203r1_ruleThe system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
SV-64205r1_ruleThe system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.
SV-64207r1_ruleThe system must log martian packets.
SV-64209r1_ruleThe system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
SV-64213r1_ruleThe system must not be configured for network bridging.
SV-64227r1_ruleAll local file systems must employ journaling or another mechanism ensuring file system consistency.
SV-64235r1_ruleThe inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
SV-64241r1_ruleThe inetd.conf and xinetd.conf files must not have extended ACLs.
SV-64243r1_ruleThe xinetd.d directory must have mode 0755 or less permissive.
SV-63971r1_ruleThe xinetd.d directory must not have an extended ACL.
SV-63979r2_ruleThe services file must be group-owned by root or bin.
SV-63985r1_ruleThe services file must not have an extended ACL.
SV-63995r1_ruleThe portmap or rpcbind service must not be running unless needed.
SV-63997r1_ruleThe portmap or rpcbind service must not be installed unless needed.
SV-64009r1_ruleThe rshd service must not be installed.
SV-64019r1_ruleThe rlogind service must not be running.
SV-64015r1_ruleThe rlogind service must not be installed.
SV-64039r1_ruleThe rexecd service must not be installed.
SV-64117r2_ruleThe hosts.lpd (or equivalent) file must be group-owned by lp.
SV-63475r1_ruleThe hosts.lpd (or equivalent) file must not have an extended ACL.
SV-63539r1_ruleThe traceroute file must not have an extended ACL.
SV-63613r1_ruleThe aliases file must be group-owned by root, sys, bin, or system.
SV-63643r1_ruleThe alias file must not have an extended ACL.
SV-63719r1_ruleFiles executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
SV-63745r1_ruleFiles executed through a mail aliases file must not have extended ACLs.
SV-63755r3_ruleThe SMTP service log file must not have an extended ACL.
SV-63015r1_ruleThe ftpusers file must be group-owned by root, bin, sys, or system.
SV-63083r1_ruleThe ftpusers file must not have an extended ACL.
SV-63285r1_ruleThe .Xauthority files must not have extended ACLs.
SV-63397r1_ruleThe SNMP service must use only SNMPv3 or its successors.
SV-63407r1_ruleThe SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.
SV-63415r1_ruleThe SNMP service must require the use of a FIPS 140-2 approved encryption algorithm for protecting the privacy of SNMP messages.
SV-63437r1_ruleManagement Information Base (MIB) files must not have extended ACLs.
SV-63461r1_ruleThe snmpd.conf file must be group-owned by root, bin, sys, or system.
SV-63463r1_ruleThe snmpd.conf file must not have an extended ACL.
SV-63467r2_ruleThe /etc/syslog.conf file must have mode 0640 or less permissive.
SV-63471r2_ruleThe /etc/syslog.conf file must not have an extended ACL.
SV-63501r2_ruleThe system must use a remote syslog server (loghost).
SV-63547r1_ruleThe SSH client must be configured to only use the SSHv2 protocol.
SV-63553r1_ruleThe SSH daemon must only listen on management network addresses unless authorized for uses other than management.
SV-63561r2_ruleThe SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
SV-63567r1_ruleThe SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
SV-63587r2_ruleThe SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-63593r1_ruleThe SSH client must be configured to only use FIPS 140-2 approved ciphers.
SV-63595r1_ruleThe SSH client must be configured to not use Cipher-Block Chaining (CBC)-based ciphers.
SV-63669r2_ruleThe SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-63727r1_ruleThe SSH daemon must restrict login ability to specific users and/or groups.
SV-63841r1_ruleThe SSH public host key files must have mode 0644 or less permissive.
SV-63863r1_ruleThe SSH private host key files must have mode 0600 or less permissive.
SV-63877r1_ruleThe SSH daemon must not permit GSSAPI authentication unless needed.
SV-63953r1_ruleThe SSH client must not permit GSSAPI authentication unless needed.
SV-64033r1_ruleThe SSH daemon must not permit Kerberos authentication unless needed.
SV-64067r1_ruleThe SSH daemon must perform strict mode checking of home directory configuration files.
SV-64073r1_ruleThe SSH daemon must use privilege separation.
SV-64081r1_ruleThe SSH daemon must not allow rhosts RSA authentication.
SV-64089r1_ruleThe SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-64103r1_ruleThe SSH daemon must be configured with the Department of Defense (DoD) logon banner.
SV-64107r1_ruleThe system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-64245r1_ruleThe system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
SV-64211r1_ruleThe Network File System (NFS) export configuration file must be group-owned by root, bin, sys, or system.
SV-64191r1_ruleThe Network File System (NFS) exports configuration file must not have an extended ACL.
SV-64181r1_ruleAll Network File System (NFS) exported system files and system directories must be group-owned by root, bin, sys, or system.
SV-64085r1_ruleThe /etc/smb.conf file must not have an extended ACL.
SV-64061r1_ruleThe /etc/smbpasswd file must not have an extended ACL.
SV-64049r1_ruleSamba must be configured to use an authentication mechanism other than share.
SV-64041r1_ruleSamba must be configured to use encrypted passwords.
SV-64013r1_ruleSamba must be configured to not allow guest access to shares.
SV-63925r1_ruleThe /etc/news/incoming.conf file must not have an extended ACL.
SV-63915r1_ruleThe /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
SV-63901r1_ruleThe /etc/news/nnrp.access file must not have an extended ACL.
SV-63835r1_ruleThe /etc/news/passwd.nntp file must not have an extended ACL.
SV-63667r1_ruleThe system package management tool must be used to verify system software periodically.
SV-63657r1_ruleThe file integrity tool must be configured to verify ACLs.
SV-63631r1_ruleThe file integrity tool must be configured to verify extended attributes.
SV-63653r1_ruleThe file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
SV-63529r1_ruleThe Stream Control Transmission Protocol (SCTP) must be disabled unless required.
SV-63521r1_ruleThe Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
SV-63453r1_ruleThe AppleTalk protocol must be disabled or not installed.
SV-63451r1_ruleThe Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
SV-63449r1_ruleThe Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
SV-63447r1_ruleThe Bluetooth protocol handler must be disabled or not installed.
SV-63423r1_ruleThe system must not have 6to4 enabled.
SV-63417r1_ruleThe system must not have Teredo enabled.
SV-63413r1_ruleThe system must not have IP tunnels configured.
SV-63411r1_ruleThe DHCP client must be disabled if not needed.
SV-63409r1_ruleThe DHCP client must not send dynamic DNS updates.
SV-63401r1_ruleThe system must ignore IPv6 ICMP redirect messages.
SV-63393r1_ruleThe system must not forward IPv6 source-routed packets.
SV-63369r3_ruleIf the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SV-63365r1_ruleIf the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI.
SV-63361r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA.
SV-63357r1_ruleIf the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked.
SV-63349r1_ruleIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
SV-63321r1_ruleIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
SV-63317r1_ruleIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.
SV-63315r1_ruleIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
SV-63303r3_ruleIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
SV-63291r1_ruleIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system.
SV-63289r1_ruleIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
SV-63287r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
SV-63257r1_ruleFor systems using NSS LDAP, the TLS certificate file must be owned by root.
SV-63253r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system.
SV-63249r2_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.
SV-63245r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL.
SV-63243r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.
SV-63235r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, or sys.
SV-63233r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive.
SV-63213r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL.
SV-63197r1_ruleThe system must use available memory address randomization techniques.
SV-63193r1_ruleAutomated file system mounting tools must not be enabled unless needed.
SV-63189r1_ruleThe system must have USB disabled unless needed.
SV-63179r1_ruleThe system must have USB Mass Storage disabled unless needed.
SV-63173r1_ruleThe system must have IEEE 1394 (Firewire) disabled unless needed.
SV-63149r1_ruleThe system must employ a local firewall.
SV-63141r1_ruleThe system's local firewall must implement a deny-all, allow-by-exception policy.
SV-63085r1_ruleThe system must use a Linux Security Module configured to limit the privileges of system services.
SV-63091r1_ruleThe system's boot loader configuration file(s) must not have extended ACLs.
SV-63089r1_ruleThe system's boot loader configuration files must be owned by root.
SV-63069r1_ruleThe system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
SV-63027r2_ruleThe system package management tool must cryptographically verify the authenticity of software packages during installation.
SV-63025r1_ruleThe system package management tool must not automatically obtain updates.
SV-62909r1_ruleThe access.conf file must not have an extended ACL.
SV-62983r1_ruleThe /etc/sysctl.conf file must not have an extended ACL.
SV-63081r1_ruleAuditing must be enabled at boot by setting a kernel parameter.
SV-64111r1_ruleThe system must not be running any routing protocol daemons, unless the system is a router.
SV-63873r1_ruleSystem audit logs must be group-owned by root, bin, sys, or system.
SV-63359r1_ruleThe FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-64217r1_ruleThe system must use a separate file system for /var.
SV-64219r1_ruleThe system must use a separate file system for the system audit data path.
SV-64221r1_ruleThe system must use a separate file system for /tmp (or equivalent).
SV-64457r1_ruleTCP backlog queue sizes must be set appropriately.
SV-62879r2_ruleMail relaying must be restricted.
SV-63379r1_ruleThe ldd command must be disabled unless it protects against the execution of untrusted files.
SV-63385r1_ruleThe system must not respond to ICMPv6 echo requests sent to a broadcast address.
SV-63351r1_ruleThe Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-63005r2_ruleThe system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-64419r2_ruleThe system must be configured to send audit/system records to a remote audit server.
SV-63355r3_ruleIf the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
SV-64021r1_ruleThe telnet daemon must not be running.
SV-63097r1_ruleThe system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
SV-63101r1_ruleA file integrity baseline including cryptographic hashes must be created.
SV-63129r1_ruleA file integrity baseline including cryptographic hashes must be maintained.
SV-63215r2_ruleThe system must not have the unnecessary news account.
SV-63227r2_ruleThe system must not have the unnecessary gopher account.
SV-63231r2_ruleThe system must not have the unnecessary ftp account.
SV-63609r1_ruleThe graphical desktop environment must set the idle timeout to no more than 15 minutes.
SV-63619r1_ruleGraphical desktop environments provided by the system must have automatic lock enabled.
SV-63987r1_ruleGlobal settings defined in system-auth must be applied in the pam.d definition files.
SV-64249r1_ruleThe audit system must be configured to audit failed attempts to access files and programs.
SV-64255r1_ruleThe audit system must be configured to audit failed attempts to access files and programs.
SV-64257r1_ruleThe audit system must be configured to audit failed attempts to access files and programs.
SV-64259r1_ruleThe audit system must be configured to audit failed attempts to access files and programs.
SV-64265r1_ruleThe audit system must be configured to audit file deletions.
SV-64471r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64481r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64489r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64491r2_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64529r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64543r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64551r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64555r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64275r1_ruleThe audit system must be configured to audit all administrative, privileged, and security actions.
SV-64611r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64609r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64607r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64605r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64603r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64601r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64599r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64591r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64619r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64617r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64615r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64613r1_ruleThe audit system must be configured to audit all discretionary access control permission modifications.
SV-64499r1_ruleThe audit system must be configured to audit the loading and unloading of dynamic kernel modules - delete_module.
SV-64495r1_ruleThe audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/insmod.
SV-64429r1_ruleThe audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/modprobe.
SV-64425r1_ruleThe audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/rmmod.
SV-64385r1_ruleFiles in cron script directories must have mode 0700 or less permissive.
SV-63201r2_ruleThe system must not have the unnecessary games account.
SV-62899r1_ruleAccounts must be locked upon 35 days of inactivity.
SV-75259r1_ruleThe SSH daemon must not allow host-based authentication.
SV-75261r1_ruleThe sudo command must require authentication.
SV-87413r1_ruleWireless network adapters must be disabled.
SV-96169r1_ruleThe Oracle Linux 5 operating system must use a virus scan program.