Checked | Name | Title |
---|---|---|
☐ | SV-208793r603263_rule | The system must use a separate file system for /tmp. |
☐ | SV-208794r603263_rule | The system must use a separate file system for /var. |
☐ | SV-208795r603263_rule | The system must use a separate file system for /var/log. |
☐ | SV-208796r603263_rule | The system must use a separate file system for user home directories. |
☐ | SV-208797r603263_rule | The Red Hat Network Service (rhnsd) service must not be running, unless it is being used to query the Oracle Unbreakable Linux Network for updates and information. |
☐ | SV-208798r603263_rule | System security patches and updates must be installed and up-to-date. |
☐ | SV-208799r603263_rule | The system must use a Linux Security Module at boot time. |
☐ | SV-208800r603263_rule | A file integrity baseline must be created. |
☐ | SV-208801r603263_rule | The system must use a Linux Security Module configured to enforce limits on system services. |
☐ | SV-208802r603263_rule | The system must use a Linux Security Module configured to limit the privileges of system services. |
☐ | SV-208803r603263_rule | All device files must be monitored by the system Linux Security Module. |
☐ | SV-208804r603263_rule | The system must prevent the root account from logging in from virtual consoles. |
☐ | SV-208805r603263_rule | The system must prevent the root account from logging in from serial consoles. |
☐ | SV-208806r603263_rule | Default operating system accounts, other than root, must be locked. |
☐ | SV-208807r603263_rule | The system must not have accounts configured with blank or null passwords. |
☐ | SV-208808r603263_rule | The /etc/passwd file must not contain password hashes. |
☐ | SV-208809r603263_rule | The root account must be the only account having a UID of 0. |
☐ | SV-208810r603263_rule | The /etc/shadow file must be owned by root. |
☐ | SV-208811r603263_rule | The /etc/shadow file must be group-owned by root. |
☐ | SV-208812r603263_rule | The /etc/shadow file must have mode 0000. |
☐ | SV-208813r603263_rule | The /etc/gshadow file must be owned by root. |
☐ | SV-208814r603263_rule | The /etc/gshadow file must be group-owned by root. |
☐ | SV-208815r603263_rule | The /etc/gshadow file must have mode 0000. |
☐ | SV-208816r603263_rule | The /etc/passwd file must be owned by root. |
☐ | SV-208817r603263_rule | The /etc/passwd file must be group-owned by root. |
☐ | SV-208818r603263_rule | The /etc/passwd file must have mode 0644 or less permissive. |
☐ | SV-208819r603263_rule | The /etc/group file must be owned by root. |
☐ | SV-208820r603263_rule | The /etc/group file must be group-owned by root. |
☐ | SV-208821r603263_rule | The /etc/group file must have mode 0644 or less permissive. |
☐ | SV-208822r603263_rule | Library files must have mode 0755 or less permissive. |
☐ | SV-208823r603263_rule | Library files must be owned by a system account. |
☐ | SV-208824r603263_rule | All system command files must have mode 755 or less permissive. |
☐ | SV-208825r603263_rule | All system command files must be owned by root. |
☐ | SV-208826r603263_rule | The system must require passwords to contain a minimum of 15 characters. |
☐ | SV-208827r603263_rule | Users must not be able to change passwords more than once every 24 hours. |
☐ | SV-208828r603263_rule | User passwords must be changed at least every 60 days. |
☐ | SV-208829r603263_rule | Users must be warned 7 days in advance of password expiration. |
☐ | SV-208830r603263_rule | System and application account passwords must be changed at least annually. |
☐ | SV-208831r603263_rule | The system must require passwords to contain at least one numeric character. |
☐ | SV-208832r603263_rule | The system must require passwords to contain at least one uppercase alphabetic character. |
☐ | SV-208833r603263_rule | The system must require passwords to contain at least one special character. |
☐ | SV-208834r603263_rule | The system must require passwords to contain at least one lower-case alphabetic character. |
☐ | SV-208835r603263_rule | The system must require at least eight characters be changed between the old and new passwords during a password change. |
☐ | SV-208836r603263_rule | The system must disable accounts after three consecutive unsuccessful logon attempts. |
☐ | SV-208837r603263_rule | The system must use a FIPS 140-2-approved cryptographic hashing algorithm for generating account password hashes (system-auth). |
☐ | SV-208838r603263_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). |
☐ | SV-208839r603263_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). |
☐ | SV-208840r603263_rule | The system boot loader configuration file(s) must be owned by root. |
☐ | SV-208841r603263_rule | The system boot loader configuration file(s) must be group-owned by root. |
☐ | SV-208842r603263_rule | The system boot loader configuration file(s) must have mode 0600 or less permissive. |
☐ | SV-208843r603263_rule | The system boot loader must require authentication. |
☐ | SV-208844r603263_rule | The system must require authentication upon booting into single-user and maintenance modes. |
☐ | SV-208845r603263_rule | The system must not permit interactive boot. |
☐ | SV-208846r646940_rule | The system must be configured so all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. |
☐ | SV-208847r603263_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. |
☐ | SV-208848r603263_rule | The system must implement virtual address space randomization. |
☐ | SV-208849r603263_rule | The system must limit the ability of processes to have simultaneous write and execute access to memory. |
☐ | SV-208850r603263_rule | The system must not send ICMPv4 redirects by default. |
☐ | SV-208851r603263_rule | The system must not send ICMPv4 redirects from any interface. |
☐ | SV-208852r603263_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router. |
☐ | SV-208853r603263_rule | The system must not accept IPv4 source-routed packets on any interface. |
☐ | SV-208854r603263_rule | The system must not accept ICMPv4 redirect packets on any interface. |
☐ | SV-208855r603263_rule | The system must not accept ICMPv4 secure redirect packets on any interface. |
☐ | SV-208856r603263_rule | The system must log Martian packets. |
☐ | SV-208857r603263_rule | The system must not accept IPv4 source-routed packets by default. |
☐ | SV-208858r603263_rule | The system must not accept ICMPv4 secure redirect packets by default. |
☐ | SV-208859r603263_rule | The system must ignore ICMPv4 redirect messages by default. |
☐ | SV-208860r603263_rule | The system must not respond to ICMPv4 sent to a broadcast address. |
☐ | SV-208861r603263_rule | The system must ignore ICMPv4 bogus error responses. |
☐ | SV-208862r603263_rule | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. |
☐ | SV-208863r603263_rule | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. |
☐ | SV-208864r603263_rule | The system must use a reverse-path filter for IPv4 network traffic when possible by default. |
☐ | SV-208865r603263_rule | The system must ignore ICMPv6 redirects by default. |
☐ | SV-208866r603263_rule | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. |
☐ | SV-208867r603263_rule | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. |
☐ | SV-208868r603263_rule | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. |
☐ | SV-208869r603263_rule | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. |
☐ | SV-208870r603263_rule | All rsyslog-generated log files must be owned by root. |
☐ | SV-208871r603263_rule | All rsyslog-generated log files must be group-owned by root. |
☐ | SV-208872r603263_rule | All rsyslog-generated log files must have mode 0600 or less permissive. |
☐ | SV-208873r603263_rule | The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. |
☐ | SV-208874r603263_rule | System logs must be rotated daily. |
☐ | SV-208875r603263_rule | The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. |
☐ | SV-208876r603263_rule | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. |
☐ | SV-208877r603263_rule | The operating system must produce audit records containing sufficient information to establish what type of events occurred. |
☐ | SV-208878r603263_rule | The system must retain enough rotated audit logs to cover the required log retention period. |
☐ | SV-208879r603263_rule | The system must set a maximum audit log file size. |
☐ | SV-208880r603263_rule | The system must rotate audit log files that reach the maximum file size. |
☐ | SV-208881r603263_rule | The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. |
☐ | SV-208882r603263_rule | The audit system must be configured to audit all attempts to alter system time through adjtimex. |
☐ | SV-208883r603263_rule | The audit system must be configured to audit all attempts to alter system time through settimeofday. |
☐ | SV-208884r603263_rule | The audit system must be configured to audit all attempts to alter system time through stime. |
☐ | SV-208885r603263_rule | The audit system must be configured to audit all attempts to alter system time through clock_settime. |
☐ | SV-208886r603263_rule | The audit system must be configured to audit all attempts to alter system time through /etc/localtime. |
☐ | SV-208887r603263_rule | The operating system must automatically audit account creation. |
☐ | SV-208888r603263_rule | The operating system must automatically audit account modification. |
☐ | SV-208889r603263_rule | The operating system must automatically audit account disabling actions. |
☐ | SV-208890r603263_rule | The operating system must automatically audit account termination. |
☐ | SV-208891r603263_rule | The audit system must be configured to audit modifications to the systems network configuration. |
☐ | SV-208892r603263_rule | The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux). |
☐ | SV-208893r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using chmod. |
☐ | SV-208894r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using chown. |
☐ | SV-208895r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchmod. |
☐ | SV-208896r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. |
☐ | SV-208897r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchown. |
☐ | SV-208898r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchownat. |
☐ | SV-208899r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. |
☐ | SV-208900r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. |
☐ | SV-208901r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using lchown. |
☐ | SV-208902r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. |
☐ | SV-208903r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. |
☐ | SV-208904r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using removexattr. |
☐ | SV-208905r603263_rule | The audit system must be configured to audit all discretionary access control permission modifications using setxattr. |
☐ | SV-208906r603263_rule | The audit system must be configured to audit failed attempts to access files and programs. |
☐ | SV-208907r603263_rule | The audit system must be configured to audit successful file system mounts. |
☐ | SV-208908r603263_rule | The audit system must be configured to audit user deletions of files and programs. |
☐ | SV-208909r603263_rule | The audit system must be configured to audit changes to the /etc/sudoers file. |
☐ | SV-208910r603263_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. |
☐ | SV-208911r603263_rule | The xinetd service must be disabled if no network services utilizing it are enabled. |
☐ | SV-208912r603263_rule | The xinetd service must be uninstalled if no network services utilizing it are enabled. |
☐ | SV-208913r603263_rule | The telnet-server package must not be installed. |
☐ | SV-208914r603263_rule | The rsh-server package must not be installed. |
☐ | SV-208915r603263_rule | The rshd service must not be running. |
☐ | SV-208916r603263_rule | The rexecd service must not be running. |
☐ | SV-208917r603263_rule | The ypserv package must not be installed. |
☐ | SV-208918r603263_rule | The ypbind service must not be running. |
☐ | SV-208919r603263_rule | The tftp-server package must not be installed unless required. |
☐ | SV-208920r603263_rule | The cron service must be running. |
☐ | SV-208921r603340_rule | The SSH daemon must set a timeout interval on idle sessions. |
☐ | SV-208922r603263_rule | The SSH daemon must set a timeout count on idle sessions. |
☐ | SV-208923r603263_rule | The SSH daemon must ignore .rhosts files. |
☐ | SV-208924r603263_rule | The SSH daemon must not allow host-based authentication. |
☐ | SV-208925r603263_rule | The system must not permit root logins using remote access programs such as ssh. |
☐ | SV-208926r603263_rule | The SSH daemon must not allow authentication using an empty password. |
☐ | SV-208927r603263_rule | The SSH daemon must be configured with the Department of Defense (DoD) login banner. |
☐ | SV-208928r603263_rule | The SSH daemon must not permit user environment settings. |
☐ | SV-208929r603263_rule | The avahi service must be disabled. |
☐ | SV-208930r603263_rule | Mail relaying must be restricted. |
☐ | SV-208931r603263_rule | If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms. |
☐ | SV-208932r603263_rule | The openldap-servers package must not be installed unless required. |
☐ | SV-208933r603263_rule | The graphical desktop environment must set the idle timeout to no more than 15 minutes. |
☐ | SV-208934r603263_rule | The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment. |
☐ | SV-208935r603263_rule | The graphical desktop environment must have automatic lock enabled. |
☐ | SV-208936r603263_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock. |
☐ | SV-208937r603263_rule | The Automatic Bug Reporting Tool (abrtd) service must not be running. |
☐ | SV-208938r603263_rule | The atd service must be disabled. |
☐ | SV-208939r603263_rule | The ntpdate service must not be running. |
☐ | SV-208940r603263_rule | The oddjobd service must not be running. |
☐ | SV-208941r603263_rule | The qpidd service must not be running. |
☐ | SV-208942r603263_rule | The rdisc service must not be running. |
☐ | SV-209008r603263_rule | Remote file systems must be mounted with the nodev option. |
☐ | SV-209009r603263_rule | Remote file systems must be mounted with the nosuid option. |
☐ | SV-209010r603263_rule | The system must use SMB client signing for connecting to samba servers using smbclient. |
☐ | SV-209011r603263_rule | The system must use SMB client signing for connecting to samba servers using mount.cifs. |
☐ | SV-209012r603263_rule | The system must prohibit the reuse of passwords within five iterations. |
☐ | SV-209013r603263_rule | The operating system must protect the confidentiality and integrity of data at rest. |
☐ | SV-209014r603263_rule | The system package management tool must verify permissions on all files and directories associated with the audit package. |
☐ | SV-209015r603263_rule | The system package management tool must verify ownership on all files and directories associated with the audit package. |
☐ | SV-209016r603263_rule | The system package management tool must verify group-ownership on all files and directories associated with the audit package. |
☐ | SV-209017r603263_rule | The system package management tool must verify contents of all files associated with the audit package. |
☐ | SV-209018r603263_rule | There must be no world-writable files on the system. |
☐ | SV-209019r603263_rule | The x86 Ctrl-Alt-Delete key sequence must be disabled. |
☐ | SV-209020r603263_rule | The postfix service must be enabled for mail delivery. |
☐ | SV-209021r603263_rule | The sendmail package must be removed. |
☐ | SV-209022r603263_rule | The netconsole service must be disabled unless required. |
☐ | SV-209023r603263_rule | The xorg-x11-server-common (X Windows) package must not be installed, unless required. |
☐ | SV-209024r603263_rule | The DHCP client must be disabled if not needed. |
☐ | SV-209025r603263_rule | All GIDs referenced in /etc/passwd must be defined in /etc/group. |
☐ | SV-209026r603263_rule | All accounts on the system must have unique user or account names. |
☐ | SV-209027r603263_rule | Temporary accounts must be provisioned with an expiration date. |
☐ | SV-209028r603263_rule | Emergency accounts must be provisioned with an expiration date. |
☐ | SV-209029r603263_rule | The system must require passwords to contain no more than three consecutive repeating characters. |
☐ | SV-209030r603263_rule | Process core dumps must be disabled unless needed. |
☐ | SV-209031r603263_rule | The NFS server must not have the insecure file locking option enabled. |
☐ | SV-209032r603263_rule | The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. |
☐ | SV-209033r603263_rule | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. |
☐ | SV-209034r603263_rule | A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. |
☐ | SV-209035r603263_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. |
☐ | SV-209036r603263_rule | Accounts must be locked upon 35 days of inactivity. |
☐ | SV-209037r603263_rule | The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity. |
☐ | SV-209038r603263_rule | The sticky bit must be set on all public directories. |
☐ | SV-209039r603263_rule | All public directories must be owned by a system account. |
☐ | SV-209040r603263_rule | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. |
☐ | SV-209041r603263_rule | The FTP daemon must be configured for logging or verbose mode. |
☐ | SV-209042r603263_rule | The snmpd service must use only SNMP protocol version 3 or newer. |
☐ | SV-209043r603263_rule | The snmpd service must not use a default password. |
☐ | SV-209044r603263_rule | The system default umask for the bash shell must be 077. |
☐ | SV-209045r603263_rule | The system default umask for the csh shell must be 077. |
☐ | SV-209046r603263_rule | The system default umask in /etc/profile must be 077. |
☐ | SV-209047r603263_rule | The system default umask in /etc/login.defs must be 077. |
☐ | SV-209048r603263_rule | The system default umask for daemons must be 027 or 022. |
☐ | SV-209049r603263_rule | There must be no .netrc files on the system. |
☐ | SV-209050r603263_rule | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. |
☐ | SV-209051r603263_rule | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. |
☐ | SV-209052r603263_rule | The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. |
☐ | SV-209053r603263_rule | Audit log files must have mode 0640 or less permissive. |
☐ | SV-209054r603263_rule | Audit log files must be owned by root. |
☐ | SV-209055r603263_rule | Audit log directories must have mode 0755 or less permissive. |
☐ | SV-209056r603263_rule | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh. |
☐ | SV-209057r603263_rule | The system must allow locking of graphical desktop sessions. |
☐ | SV-209058r603263_rule | The audit system must take appropriate action when the audit storage volume is full. |
☐ | SV-209059r603263_rule | The audit system must take appropriate action when there are disk errors on the audit storage volume. |
☐ | SV-209060r603263_rule | The NFS server must not have the all_squash option enabled. |
☐ | SV-209061r603263_rule | The system package management tool must verify ownership on all files and directories associated with packages. |
☐ | SV-209062r603263_rule | The system package management tool must verify group-ownership on all files and directories associated with packages. |
☐ | SV-209063r603263_rule | The system package management tool must verify permissions on all files and directories associated with packages. |
☐ | SV-209064r603263_rule | The system package management tool must verify contents of all files associated with packages. |
☐ | SV-209065r603263_rule | The mail system must forward all mail for root to one or more system administrators. |
☐ | SV-209066r603263_rule | Audit log files must be group-owned by root. |
☐ | SV-209067r603263_rule | The system must provide automated support for account management functions. |
☐ | SV-209068r603263_rule | Auditing must be enabled at boot by setting a kernel parameter. |
☐ | SV-209069r603263_rule | Automated file system mounting tools must not be enabled unless needed. |
☐ | SV-209070r603263_rule | The login user list must be disabled. |
☐ | SV-209071r603263_rule | The noexec option must be added to the /tmp partition. |
☐ | SV-209072r603263_rule | The sudo command must require authentication. |
☐ | SV-209073r603263_rule | The Oracle Linux operating system must mount /dev/shm with the nodev option. |
☐ | SV-209074r603263_rule | The Oracle Linux operating system must mount /dev/shm with the nosuid option. |
☐ | SV-209075r603263_rule | The Oracle Linux operating system must mount /dev/shm with the noexec option. |
☐ | SV-209076r603263_rule | The Oracle Linux 6 operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
☐ | SV-219541r603263_rule | The system must use a separate file system for the system audit data path. |
☐ | SV-219542r603263_rule | The audit system must alert designated staff members when the audit storage volume approaches capacity. |
☐ | SV-219543r603263_rule | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. |
☐ | SV-219544r603263_rule | The system package management tool must cryptographically verify the authenticity of system software packages during installation. |
☐ | SV-219545r603263_rule | The system package management tool must cryptographically verify the authenticity of all software packages during installation. |
☐ | SV-219546r603263_rule | A file integrity tool must be installed. |
☐ | SV-219547r603263_rule | There must be no .rhosts or hosts.equiv files on the system. |
☐ | SV-219548r603263_rule | The system must employ a local IPv6 firewall. |
☐ | SV-219549r603263_rule | The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
☐ | SV-219550r603263_rule | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. |
☐ | SV-219551r603263_rule | The system must employ a local IPv4 firewall. |
☐ | SV-219552r603263_rule | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
☐ | SV-219553r603263_rule | The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. |
☐ | SV-219554r603263_rule | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. |
☐ | SV-219555r603263_rule | The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components. |
☐ | SV-219556r603263_rule | The audit system must be configured to audit all use of setuid and setgid programs. |
☐ | SV-219557r603263_rule | The telnet daemon must not be running. |
☐ | SV-219558r603263_rule | The rlogind service must not be running. |
☐ | SV-219559r603263_rule | The TFTP service must not be running. |
☐ | SV-219560r603263_rule | The SSH daemon must be configured to use only the SSHv2 protocol. |
☐ | SV-219561r603343_rule | The Oracle Linux 6 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. |
☐ | SV-219562r603263_rule | The system clock must be synchronized continuously, or at least daily. |
☐ | SV-219563r603263_rule | The system clock must be synchronized to an authoritative DoD time source. |
☐ | SV-219564r603263_rule | The LDAP client must use a TLS connection using trust certificates signed by the site CA. |
☐ | SV-219565r603263_rule | The noexec option must be added to removable media partitions. |
☐ | SV-219566r603263_rule | The operating system must employ cryptographic mechanisms to protect information in storage. |
☐ | SV-219567r603263_rule | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures. |
☐ | SV-219568r603263_rule | The system must have a host-based intrusion detection tool installed. |
☐ | SV-219569r603263_rule | X Windows must not be enabled unless required. |
☐ | SV-219570r603263_rule | Wireless network adapters must be disabled. |
☐ | SV-219571r603263_rule | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. |
☐ | SV-219572r603263_rule | The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system. |
☐ | SV-219573r603263_rule | The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. |
☐ | SV-219574r603263_rule | The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. |
☐ | SV-219575r603263_rule | The operating system must detect unauthorized changes to software and information. |
☐ | SV-219576r603263_rule | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. |
☐ | SV-219577r603263_rule | The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity. |
☐ | SV-219578r603263_rule | The Bluetooth kernel module must be disabled. |
☐ | SV-219579r603263_rule | The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets. |
☐ | SV-219580r603263_rule | The system must provide VPN connectivity for communications over untrusted networks. |
☐ | SV-219581r603263_rule | The Bluetooth service must be disabled. |
☐ | SV-219582r603263_rule | The system must require administrator action to unlock an account locked by excessive failed login attempts. |
☐ | SV-219583r603263_rule | The system must disable accounts after excessive login failures within a 15-minute interval. |
☐ | SV-219584r603263_rule | The operating system must enforce requirements for the connection of mobile devices to operating systems. |
☐ | SV-219585r603263_rule | The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. |
☐ | SV-219586r603263_rule | The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. |
☐ | SV-219587r603263_rule | The system must forward audit records to the syslog service. |
☐ | SV-219588r603263_rule | The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets. |
☐ | SV-219589r603263_rule | The Oracle Linux 6 operating system must use a virus scan program. |
☐ | SV-219957r603263_rule | The Oracle Linux operating system must not contain .shosts or shosts.equiv files. |
☐ | SV-219958r603346_rule | The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
☐ | SV-224675r603263_rule | The Oracle Linux operating system must be a vendor-supported release. |
☐ | SV-237624r646943_rule | The Oracle Linux operating system must restrict privilege elevation to authorized personnel. |
☐ | SV-237625r646946_rule | The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo". |
☐ | SV-237626r646949_rule | The Oracle Linux operating system must require re-authentication when using the "sudo" command. |