STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide

Version: 1
Release: 17
Benchmark Date: 25 Oct 2019

Name  Title
SV-64721r1_rule  Automated file system mounting tools must not be enabled unless needed.
SV-64723r3_rule  Auditing must be enabled at boot by setting a kernel parameter.
SV-64725r1_rule  The system must provide automated support for account management functions.
SV-64727r2_rule  The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
SV-64729r1_rule  Audit log files must be group-owned by root.
SV-64731r2_rule  The mail system must forward all mail for root to one or more system administrators.
SV-64735r1_rule  The system must use a separate file system for /var/log.
SV-64739r1_rule  The system must use a separate file system for /tmp.
SV-64741r2_rule  The system package management tool must verify contents of all files associated with packages.
SV-64743r1_rule  The system must use a separate file system for /var.
SV-64745r2_rule  The system package management tool must verify permissions on all files and directories associated with packages.
SV-64751r3_rule  The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-64753r1_rule  The xinetd service must be disabled if no network services utilizing it are enabled.
SV-64755r1_rule  The xinetd service must be uninstalled if no network services utilizing it are enabled.
SV-64757r1_rule  The telnet-server package must not be installed.
SV-64759r1_rule  The telnet daemon must not be running.
SV-64761r1_rule  The rsh-server package must not be installed.
SV-64763r1_rule  The rshd service must not be running.
SV-64765r1_rule  The rexecd service must not be running.
SV-64767r1_rule  The rlogind service must not be running.
SV-64769r1_rule  The ypserv package must not be installed.
SV-64771r1_rule  The ypbind service must not be running.
SV-64773r3_rule  The tftp-server package must not be installed unless required.
SV-64775r1_rule  The TFTP service must not be running.
SV-64777r1_rule  The cron service must be running.
SV-64779r1_rule  The SSH daemon must be configured to use only the SSHv2 protocol.
SV-64781r1_rule  The SSH daemon must set a timeout interval on idle sessions.
SV-64783r1_rule  The SSH daemon must set a timeout count on idle sessions.
SV-64785r1_rule  The SSH daemon must ignore .rhosts files.
SV-64787r1_rule  The SSH daemon must not allow host-based authentication.
SV-64797r2_rule  The system package management tool must verify group-ownership on all files and directories associated with packages.
SV-64799r2_rule  The system package management tool must verify ownership on all files and directories associated with packages.
SV-64801r1_rule  The NFS server must not have the all_squash option enabled.
SV-64805r1_rule  The audit system must take appropriate action when there are disk errors on the audit storage volume.
SV-64807r1_rule  The audit system must take appropriate action when the audit storage volume is full.
SV-64809r1_rule  The system must forward audit records to the syslog service.
SV-64813r2_rule  The system must allow locking of graphical desktop sessions.
SV-64815r2_rule  The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
SV-64819r1_rule  The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
SV-64821r1_rule  The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
SV-64823r2_rule  The operating system must enforce requirements for the connection of mobile devices to operating systems.
SV-64827r2_rule  The system must not accept ICMPv4 secure redirect packets on any interface.
SV-64831r2_rule  The system must log Martian packets.
SV-64833r1_rule  Audit log directories must have mode 0755 or less permissive.
SV-64835r1_rule  Audit log files must be owned by root.
SV-64837r1_rule  Audit log files must have mode 0640 or less permissive.
SV-64841r3_rule  The system must disable accounts after excessive login failures within a 15-minute interval.
SV-64843r3_rule  The system must require administrator action to unlock an account locked by excessive failed login attempts.
SV-64845r3_rule  The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-64847r3_rule  The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-64849r2_rule  There must be no .netrc files on the system.
SV-64853r2_rule  The system must not accept IPv4 source-routed packets by default.
SV-64857r2_rule  The system must not accept ICMPv4 secure redirect packets by default.
SV-64861r2_rule  The system must ignore ICMPv4 redirect messages by default.
SV-64863r2_rule  The system must not respond to ICMPv4 sent to a broadcast address.
SV-64867r1_rule  The system must use a separate file system for the system audit data path.
SV-64869r2_rule  The system must ignore ICMPv4 bogus error responses.
SV-64871r1_rule  The system default umask for daemons must be 027 or 022.
SV-64873r1_rule  The system default umask in /etc/login.defs must be 077.
SV-64875r1_rule  The system default umask in /etc/profile must be 077.
SV-64877r3_rule  The audit system must alert designated staff members when the audit storage volume approaches capacity.
SV-64879r1_rule  The system default umask for the csh shell must be 077.
SV-64883r1_rule  The system must use a separate file system for user home directories.
SV-64889r2_rule  The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
SV-64891r2_rule  The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
SV-64895r3_rule  Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
SV-64899r1_rule  The Red Hat Network Service (rhnsd) service must not be running, unless it is being used to query the Oracle Unbreakable Linux Network for updates and information.
SV-64901r1_rule  System security patches and updates must be installed and up-to-date.
SV-64905r2_rule  The system must use a reverse-path filter for IPv4 network traffic when possible by default.
SV-64907r1_rule  The system package management tool must cryptographically verify the authenticity of system software packages during installation.
SV-64913r1_rule  The system default umask for the bash shell must be 077.
SV-64915r1_rule  The system package management tool must cryptographically verify the authenticity of all software packages during installation.
SV-64917r2_rule  The system must ignore ICMPv6 redirects by default.
SV-64919r1_rule  The snmpd service must not use a default password.
SV-64921r1_rule  A file integrity tool must be installed.
SV-64923r1_rule  The snmpd service must use only SNMP protocol version 3 or newer.
SV-64925r1_rule  There must be no .rhosts or hosts.equiv files on the system.
SV-64927r1_rule  The system must prevent the root account from logging in from virtual consoles.
SV-64931r1_rule  The system must prevent the root account from logging in from serial consoles.
SV-64937r3_rule  Default operating system accounts, other than root, must be locked.
SV-64943r3_rule  The system must not have accounts configured with blank or null passwords.
SV-64945r2_rule  The FTP daemon must be configured for logging or verbose mode.
SV-64947r1_rule  The /etc/passwd file must not contain password hashes.
SV-64953r2_rule  The root account must be the only account having a UID of 0.
SV-64957r2_rule  The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
SV-64959r1_rule  The /etc/shadow file must be owned by root.
SV-64961r1_rule  The /etc/shadow file must be group-owned by root.
SV-64963r1_rule  The /etc/shadow file must have mode 0000.
SV-64965r1_rule  The /etc/gshadow file must be owned by root.
SV-64967r2_rule  The system must employ a local IPv6 firewall.
SV-64969r1_rule  The /etc/gshadow file must be group-owned by root.
SV-64971r1_rule  The /etc/gshadow file must have mode 0000.
SV-64973r2_rule  The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SV-64975r1_rule  The /etc/passwd file must be owned by root.
SV-64977r1_rule  The /etc/passwd file must be group-owned by root.
SV-64979r1_rule  The /etc/passwd file must have mode 0644 or less permissive.
SV-64981r1_rule  The /etc/group file must be owned by root.
SV-64983r1_rule  The /etc/group file must be group-owned by root.
SV-64985r1_rule  The /etc/group file must have mode 0644 or less permissive.
SV-64987r2_rule  The operating system must prevent public IPv6 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
SV-64989r2_rule  Library files must have mode 0755 or less permissive.
SV-64991r4_rule  Library files must be owned by a system account.
SV-64993r2_rule  All system command files must have mode 755 or less permissive.
SV-64995r2_rule  All system command files must be owned by root.
SV-64997r3_rule  The system must require passwords to contain a minimum of 15 characters.
SV-64999r1_rule  Users must not be able to change passwords more than once every 24 hours.
SV-65001r1_rule  User passwords must be changed at least every 60 days.
SV-65003r2_rule  The system must employ a local IPv4 firewall.
SV-65005r1_rule  The system must not permit root logins using remote access programs such as ssh.
SV-65007r1_rule  The SSH daemon must not allow authentication using an empty password.
SV-65009r1_rule  The SSH daemon must be configured with the Department of Defense (DoD) login banner.
SV-65011r1_rule  The SSH daemon must not permit user environment settings.
SV-65013r1_rule  The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
SV-65015r1_rule  The avahi service must be disabled.
SV-65017r1_rule  The system clock must be synchronized continuously, or at least daily.
SV-65019r1_rule  The system clock must be synchronized to an authoritative DoD time source.
SV-65021r2_rule  Mail relaying must be restricted.
SV-65023r1_rule  If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SV-65025r1_rule  The LDAP client must use a TLS connection using trust certificates signed by the site CA.
SV-65027r1_rule  The openldap-servers package must not be installed unless required.
SV-65029r2_rule  The graphical desktop environment must set the idle timeout to no more than 15 minutes.
SV-65031r3_rule  The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
SV-65033r2_rule  The graphical desktop environment must have automatic lock enabled.
SV-65035r2_rule  The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
SV-65037r1_rule  The Automatic Bug Reporting Tool (abrtd) service must not be running.
SV-65041r2_rule  The atd service must be disabled.
SV-65043r1_rule  The ntpdate service must not be running.
SV-65045r1_rule  The oddjobd service must not be running.
SV-65047r2_rule  The qpidd service must not be running.
SV-65049r1_rule  The rdisc service must not be running.
SV-65051r2_rule  Remote file systems must be mounted with the nodev option.
SV-65053r2_rule  Remote file systems must be mounted with the nosuid option.
SV-65055r1_rule  The noexec option must be added to removable media partitions.
SV-65057r1_rule  The system must use SMB client signing for connecting to samba servers using smbclient.
SV-65059r2_rule  The system must use SMB client signing for connecting to samba servers using mount.cifs.
SV-65061r5_rule  The system must prohibit the reuse of passwords within five iterations.
SV-65063r1_rule  The operating system must employ cryptographic mechanisms to protect information in storage.
SV-65065r1_rule  The operating system must protect the confidentiality and integrity of data at rest.
SV-65067r1_rule  The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
SV-65069r1_rule  The system package management tool must verify permissions on all files and directories associated with the audit package.
SV-65071r1_rule  The system package management tool must verify ownership on all files and directories associated with the audit package.
SV-65073r1_rule  The system package management tool must verify group-ownership on all files and directories associated with the audit package.
SV-65075r1_rule  The system package management tool must verify contents of all files associated with the audit package.
SV-65077r2_rule  There must be no world-writable files on the system.
SV-65081r3_rule  The system must have a host-based intrusion detection tool installed.
SV-65083r4_rule  The x86 Ctrl-Alt-Delete key sequence must be disabled.
SV-65085r1_rule  The postfix service must be enabled for mail delivery.
SV-65087r1_rule  The sendmail package must be removed.
SV-65089r1_rule  The netconsole service must be disabled unless required.
SV-65091r1_rule  X Windows must not be enabled unless required.
SV-65093r1_rule  The xorg-x11-server-common (X Windows) package must not be installed, unless required.
SV-65095r1_rule  The DHCP client must be disabled if not needed.
SV-65109r2_rule  The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SV-65113r1_rule  Users must be warned 7 days in advance of password expiration.
SV-65117r2_rule  The system must require passwords to contain at least one numeric character.
SV-65119r2_rule  The system must require passwords to contain at least one uppercase alphabetic character.
SV-65121r2_rule  The system must require passwords to contain at least one special character.
SV-65123r3_rule  The system must require passwords to contain at least one lower-case alphabetic character.
SV-65125r3_rule  The system must require at least eight characters be changed between the old and new passwords during a password change.
SV-65127r3_rule  The system must disable accounts after three consecutive unsuccessful logon attempts.
SV-65129r4_rule  The system must use a FIPS 140-2-approved cryptographic hashing algorithm for generating account password hashes (system-auth).
SV-65133r1_rule  The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
SV-65139r2_rule  The system boot loader configuration file(s) must be owned by root.
SV-65143r1_rule  The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
SV-65145r2_rule  The system boot loader configuration file(s) must be group-owned by root.
SV-65149r3_rule  The system boot loader configuration file(s) must have mode 0600 or less permissive.
SV-65151r3_rule  The system boot loader must require authentication.
SV-65153r1_rule  The system must require authentication upon booting into single-user and maintenance modes.
SV-65157r1_rule  The system must not permit interactive boot.
SV-65159r1_rule  The system must allow locking of the console screen in text mode.
SV-65161r4_rule  The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
SV-65163r2_rule  The system must implement virtual address space randomization.
SV-65165r3_rule  The system must limit the ability of processes to have simultaneous write and execute access to memory.
SV-65167r2_rule  The system must not send ICMPv4 redirects by default.
SV-65169r2_rule  The system must not send ICMPv4 redirects from any interface.
SV-65173r2_rule  IP forwarding for IPv4 must not be enabled, unless the system is a router.
SV-65175r2_rule  The system must not accept IPv4 source-routed packets on any interface.
SV-65177r2_rule  The system must not accept ICMPv4 redirect packets on any interface.
SV-65179r2_rule  All GIDs referenced in /etc/passwd must be defined in /etc/group.
SV-65185r2_rule  The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
SV-65191r1_rule  All accounts on the system must have unique user or account names.
SV-65193r1_rule  The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
SV-65195r2_rule  The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
SV-65197r1_rule  Temporary accounts must be provisioned with an expiration date.
SV-65199r1_rule  Emergency accounts must be provisioned with an expiration date.
SV-65201r4_rule  The system must require passwords to contain no more than three consecutive repeating characters.
SV-65203r2_rule  The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
SV-65207r1_rule  The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
SV-65211r2_rule  The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
SV-65213r2_rule  All rsyslog-generated log files must be owned by root.
SV-65215r2_rule  All rsyslog-generated log files must be group-owned by root.
SV-65217r2_rule  A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
SV-65219r2_rule  All rsyslog-generated log files must have mode 0600 or less permissive.
SV-65221r1_rule  The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
SV-65223r2_rule  The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
SV-65225r1_rule  The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
SV-65227r1_rule  System logs must be rotated daily.
SV-65229r2_rule  The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
SV-65233r1_rule  The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
SV-65235r2_rule  The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
SV-65239r1_rule  The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
SV-65241r2_rule  The operating system must detect unauthorized changes to software and information.
SV-65243r2_rule  The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
SV-65245r1_rule  The operating system must produce audit records containing sufficient information to establish what type of events occurred.
SV-65247r2_rule  Process core dumps must be disabled unless needed.
SV-65249r1_rule  The system must retain enough rotated audit logs to cover the required log retention period.
SV-65253r1_rule  The NFS server must not have the insecure file locking option enabled.
SV-65255r1_rule  The system must set a maximum audit log file size.
SV-65257r2_rule  The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
SV-65259r2_rule  The system must rotate audit log files that reach the maximum file size.
SV-65263r1_rule  The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
SV-65267r3_rule  The audit system must be configured to audit all attempts to alter system time through adjtimex.
SV-65269r3_rule  The audit system must be configured to audit all attempts to alter system time through settimeofday.
SV-65273r3_rule  The audit system must be configured to audit all attempts to alter system time through stime.
SV-65275r3_rule  The audit system must be configured to audit all attempts to alter system time through clock_settime.
SV-65277r2_rule  The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
SV-65279r2_rule  The operating system must automatically audit account creation.
SV-65283r2_rule  The operating system must automatically audit account modification.
SV-65291r2_rule  The operating system must automatically audit account disabling actions.
SV-65295r2_rule  The operating system must automatically audit account termination.
SV-65301r5_rule  The audit system must be configured to audit modifications to the system's network configuration.
SV-65321r3_rule  The Bluetooth kernel module must be disabled.
SV-65325r2_rule  The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
SV-65327r1_rule  The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
SV-65331r2_rule  The system must provide VPN connectivity for communications over untrusted networks.
SV-65333r2_rule  A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-65335r3_rule  The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-65337r2_rule  The Bluetooth service must be disabled.
SV-65339r1_rule  Accounts must be locked upon 35 days of inactivity.
SV-65341r1_rule  The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
SV-65343r1_rule  The sticky bit must be set on all public directories.
SV-65345r2_rule  The audit system must be configured to audit changes to the /etc/sudoers file.
SV-65347r3_rule  The audit system must be configured to audit user deletions of files and programs.
SV-65349r3_rule  The audit system must be configured to audit successful file system mounts.
SV-65351r2_rule  The audit system must be configured to audit all use of setuid and setgid programs.
SV-65353r2_rule  The audit system must be configured to audit failed attempts to access files and programs.
SV-65355r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
SV-65357r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
SV-65359r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
SV-65361r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
SV-65363r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using lchown.
SV-65365r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
SV-65367r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
SV-65369r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
SV-65371r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchown.
SV-65373r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
SV-65375r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
SV-65377r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using chown.
SV-65379r3_rule  The audit system must be configured to audit all discretionary access control permission modifications using chmod.
SV-65381r2_rule  The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
SV-65633r1_rule  All public directories must be owned by a system account.
SV-73777r2_rule  The system must use a Linux Security Module at boot time.
SV-73783r1_rule  A file integrity baseline must be created.
SV-73797r1_rule  The system must use a Linux Security Module configured to enforce limits on system services.
SV-73799r1_rule  The system must use a Linux Security Module configured to limit the privileges of system services.
SV-73801r1_rule  All device files must be monitored by the system Linux Security Module.
SV-73803r3_rule  The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
SV-73805r1_rule  The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
SV-73807r1_rule  The login user list must be disabled.
SV-73809r1_rule  The noexec option must be added to the /tmp partition.
SV-75275r1_rule  The sudo command must require authentication.
SV-87469r1_rule  Wireless network adapters must be disabled.
SV-96167r1_rule  The Oracle Linux 6 operating system must use a virus scan program.
SV-96171r1_rule  The Oracle Linux operating system must mount /dev/shm with the nodev option.
SV-96173r1_rule  The Oracle Linux operating system must mount /dev/shm with the nosuid option.
SV-96175r1_rule  The Oracle Linux operating system must mount /dev/shm with the noexec option.
SV-102349r1_rule  System and application account passwords must be changed at least annually.
SV-106371r1_rule  The Oracle Linux 6 operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.