STIGQter: STIG Summary: Red Hat Enterprise Linux 6 Security Technical Implementation Guide

Version: 1
Release: 24
Benchmark Date: 25 Oct 2019

Name             Title
SV-50237r1_rule  Automated file system mounting tools must not be enabled unless needed.
SV-50238r4_rule  Auditing must be enabled at boot by setting a kernel parameter.
SV-50243r1_rule  The /etc/gshadow file must be owned by root.
SV-50244r2_rule  The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
SV-50245r2_rule  Audit log files must be group-owned by root.
SV-50246r2_rule  The mail system must forward all mail for root to one or more system administrators.
SV-50247r4_rule  The system package management tool must verify contents of all files associated with packages.
SV-50248r1_rule  The /etc/gshadow file must be group-owned by root.
SV-50249r1_rule  The /etc/gshadow file must have mode 0000.
SV-50250r1_rule  The /etc/passwd file must be owned by root.
SV-50251r1_rule  The /etc/passwd file must be group-owned by root.
SV-50252r2_rule  The system package management tool must verify permissions on all files and directories associated with packages.
SV-50253r2_rule  The system package management tool must verify group-ownership on all files and directories associated with packages.
SV-50254r2_rule  The system package management tool must verify ownership on all files and directories associated with packages.
SV-50255r1_rule  The system must use a separate file system for /tmp.
SV-50256r1_rule  The system must use a separate file system for /var.
SV-50257r1_rule  The /etc/passwd file must have mode 0644 or less permissive.
SV-50258r1_rule  The /etc/group file must be owned by root.
SV-50259r1_rule  The /etc/group file must be group-owned by root.
SV-50260r1_rule  The NFS server must not have the all_squash option enabled.
SV-50261r1_rule  The /etc/group file must have mode 0644 or less permissive.
SV-50263r1_rule  The system must use a separate file system for /var/log.
SV-50264r1_rule  The audit system must take appropriate action when there are disk errors on the audit storage volume.
SV-50265r3_rule  Library files must have mode 0755 or less permissive.
SV-50266r4_rule  Library files must be owned by a system account.
SV-50267r1_rule  The system must use a separate file system for the system audit data path.
SV-50268r1_rule  The audit system must take appropriate action when the audit storage volume is full.
SV-50269r3_rule  All system command files must have mode 755 or less permissive.
SV-50270r2_rule  The audit system must alert designated staff members when the audit storage volume approaches capacity.
SV-50271r1_rule  The system must forward audit records to the syslog service.
SV-50272r1_rule  All system command files must be owned by root.
SV-50273r1_rule  The system must use a separate file system for user home directories.
SV-50274r2_rule  The system must allow locking of graphical desktop sessions.
SV-50275r3_rule  The system must require passwords to contain a minimum of 15 characters.
SV-50276r3_rule  Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
SV-50277r1_rule  Users must not be able to change passwords more than once every 24 hours.
SV-50278r2_rule  The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
SV-50279r1_rule  User passwords must be changed at least every 60 days.
SV-50280r1_rule  Users must be warned 7 days in advance of password expiration.
SV-50281r1_rule  System security patches and updates must be installed and up-to-date.
SV-50282r2_rule  The system must require passwords to contain at least one numeric character.
SV-50283r1_rule  The system package management tool must cryptographically verify the authenticity of system software packages during installation.
SV-50285r2_rule  The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
SV-50287r1_rule  The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
SV-50288r1_rule  The system package management tool must cryptographically verify the authenticity of all software packages during installation.
SV-50289r1_rule  The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
SV-50290r1_rule  A file integrity tool must be installed.
SV-50291r6_rule  The operating system must enforce requirements for the connection of mobile devices to operating systems.
SV-50292r1_rule  There must be no .rhosts or hosts.equiv files on the system.
SV-50293r1_rule  The system must prevent the root account from logging in from virtual consoles.
SV-50294r1_rule  Audit log directories must have mode 0755 or less permissive.
SV-50295r1_rule  The system must prevent the root account from logging in from serial consoles.
SV-50296r1_rule  Audit log files must be owned by root.
SV-50297r3_rule  Default operating system accounts, other than root, must be locked.
SV-50298r3_rule  The system must not have accounts configured with blank or null passwords.
SV-50299r1_rule  Audit log files must have mode 0640 or less permissive.
SV-50300r1_rule  The /etc/passwd file must not contain password hashes.
SV-50301r2_rule  The root account must be the only account having a UID of 0.
SV-50302r4_rule  The system must disable accounts after excessive login failures within a 15-minute interval.
SV-50303r1_rule  The /etc/shadow file must be owned by root.
SV-50304r1_rule  The /etc/shadow file must be group-owned by root.
SV-50305r1_rule  The /etc/shadow file must have mode 0000.
SV-50312r3_rule  IP forwarding for IPv4 must not be enabled, unless the system is a router.
SV-50313r2_rule  The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
SV-50314r2_rule  The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
SV-50315r5_rule  The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
SV-50316r5_rule  The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
SV-50317r3_rule  The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
SV-50318r5_rule  The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
SV-50319r2_rule  All rsyslog-generated log files must be owned by root.
SV-50320r2_rule  All rsyslog-generated log files must be group-owned by root.
SV-50321r1_rule  The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
SV-50322r1_rule  The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
SV-50323r4_rule  The audit system must be configured to audit all attempts to alter system time through settimeofday.
SV-50324r3_rule  The system must not accept IPv4 source-routed packets on any interface.
SV-50325r3_rule  The system must not accept ICMPv4 redirect packets on any interface.
SV-50326r5_rule  The audit system must be configured to audit all attempts to alter system time through stime.
SV-50327r3_rule  The system must not accept ICMPv4 secure redirect packets on any interface.
SV-50328r4_rule  The audit system must be configured to audit all attempts to alter system time through clock_settime.
SV-50329r3_rule  The system must log Martian packets.
SV-50330r3_rule  The system must not accept IPv4 source-routed packets by default.
SV-50331r2_rule  The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
SV-50332r2_rule  The operating system must automatically audit account creation.
SV-50333r3_rule  The system must not accept ICMPv4 secure redirect packets by default.
SV-50334r4_rule  The system must ignore ICMPv4 redirect messages by default.
SV-50335r2_rule  The operating system must automatically audit account modification.
SV-50336r3_rule  The system must not respond to ICMPv4 sent to a broadcast address.
SV-50337r2_rule  The operating system must automatically audit account disabling actions.
SV-50338r3_rule  The system must ignore ICMPv4 bogus error responses.
SV-50339r2_rule  The operating system must automatically audit account termination.
SV-50340r3_rule  The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
SV-50341r5_rule  The audit system must be configured to audit modifications to the systems network configuration.
SV-50342r2_rule  The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
SV-50343r3_rule  The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
SV-50344r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using chmod.
SV-50345r3_rule  The system must use a reverse-path filter for IPv4 network traffic when possible by default.
SV-50346r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using chown.
SV-50348r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
SV-50349r4_rule  The system must ignore ICMPv6 redirects by default.
SV-50350r3_rule  The system must employ a local IPv6 firewall.
SV-50351r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
SV-50352r3_rule  The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SV-50353r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchown.
SV-50354r3_rule  The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
SV-50355r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
SV-50356r2_rule  The system must employ a local IPv4 firewall.
SV-50357r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
SV-50358r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
SV-50359r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using lchown.
SV-50360r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
SV-50361r2_rule  The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SV-50362r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
SV-50364r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
SV-50366r4_rule  The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
SV-50367r3_rule  The audit system must be configured to audit failed attempts to access files and programs.
SV-50368r4_rule  The audit system must be configured to audit all use of setuid and setgid programs.
SV-50369r4_rule  The audit system must be configured to audit successful file system mounts.
SV-50370r2_rule  The system must require passwords to contain at least one uppercase alphabetic character.
SV-50371r2_rule  The system must require passwords to contain at least one special character.
SV-50372r3_rule  The system must require passwords to contain at least one lower-case alphabetic character.
SV-50373r3_rule  The system must require at least eight characters be changed between the old and new passwords during a password change.
SV-50374r4_rule  The system must disable accounts after three consecutive unsuccessful logon attempts.
SV-50375r4_rule  The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
SV-50376r5_rule  The audit system must be configured to audit user deletions of files and programs.
SV-50377r1_rule  The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
SV-50378r1_rule  The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
SV-50379r2_rule  The audit system must be configured to audit changes to the /etc/sudoers file.
SV-50380r2_rule  The system boot loader configuration file(s) must be owned by root.
SV-50381r3_rule  The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-50382r2_rule  The system boot loader configuration file(s) must be group-owned by root.
SV-50383r2_rule  The xinetd service must be disabled if no network services utilizing it are enabled.
SV-50384r5_rule  The system boot loader configuration file(s) must have mode 0600 or less permissive.
SV-50385r1_rule  The xinetd service must be uninstalled if no network services utilizing it are enabled.
SV-50386r4_rule  The system boot loader must require authentication.
SV-50387r1_rule  The system must require authentication upon booting into single-user and maintenance modes.
SV-50388r1_rule  The telnet-server package must not be installed.
SV-50389r1_rule  The system must not permit interactive boot.
SV-50390r2_rule  The telnet daemon must not be running.
SV-50391r1_rule  The system must allow locking of the console screen in text mode.
SV-50392r1_rule  The rsh-server package must not be installed.
SV-50393r4_rule  The system must require administrator action to unlock an account locked by excessive failed login attempts.
SV-50394r3_rule  The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
SV-50395r2_rule  The rshd service must not be running.
SV-50396r3_rule  The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-50397r3_rule  The system must implement virtual address space randomization.
SV-50398r3_rule  The system must limit the ability of processes to have simultaneous write and execute access to memory.
SV-50399r2_rule  The rexecd service must not be running.
SV-50400r3_rule  The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-50401r3_rule  The system must not send ICMPv4 redirects by default.
SV-50402r3_rule  The system must not send ICMPv4 redirects from any interface.
SV-50403r2_rule  The rlogind service must not be running.
SV-50404r1_rule  The ypserv package must not be installed.
SV-50405r2_rule  The ypbind service must not be running.
SV-50406r2_rule  The cron service must be running.
SV-50407r3_rule  The tftp-server package must not be installed unless required.
SV-50408r1_rule  The SSH daemon must be configured to use only the SSHv2 protocol.
SV-50409r1_rule  The SSH daemon must set a timeout interval on idle sessions.
SV-50410r3_rule  The TFTP service must not be running.
SV-50411r1_rule  The SSH daemon must set a timeout count on idle sessions.
SV-50412r1_rule  The SSH daemon must ignore .rhosts files.
SV-50413r1_rule  The SSH daemon must not allow host-based authentication.
SV-50414r1_rule  The system must not permit root logins using remote access programs such as ssh.
SV-50415r1_rule  The SSH daemon must not allow authentication using an empty password.
SV-50416r1_rule  The SSH daemon must be configured with the Department of Defense (DoD) login banner.
SV-50417r1_rule  The SSH daemon must not permit user environment settings.
SV-50418r2_rule  The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
SV-50419r2_rule  The avahi service must be disabled.
SV-50420r2_rule  There must be no .netrc files on the system.
SV-50421r1_rule  The system clock must be synchronized continuously, or at least daily.
SV-50422r1_rule  The system clock must be synchronized to an authoritative DoD time source.
SV-50423r2_rule  Mail relaying must be restricted.
SV-50424r2_rule  All rsyslog-generated log files must have mode 0600 or less permissive.
SV-50425r1_rule  System logs must be rotated daily.
SV-50428r2_rule  The openldap-servers package must not be installed unless required.
SV-50429r2_rule  The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
SV-50430r3_rule  The graphical desktop environment must set the idle timeout to no more than 15 minutes.
SV-50431r3_rule  The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
SV-50432r2_rule  The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
SV-50433r2_rule  The operating system must produce audit records containing sufficient information to establish what type of events occurred.
SV-50434r1_rule  The system must set a maximum audit log file size.
SV-50435r2_rule  The system must rotate audit log files that reach the maximum file size.
SV-50437r1_rule  The system must retain enough rotated audit logs to cover the required log retention period.
SV-50438r2_rule  The system package management tool must verify contents of all files associated with the audit package.
SV-50439r3_rule  The graphical desktop environment must have automatic lock enabled.
SV-50440r3_rule  The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
SV-50441r2_rule  The Automatic Bug Reporting Tool (abrtd) service must not be running.
SV-50442r3_rule  The atd service must be disabled.
SV-50443r1_rule  The system default umask for daemons must be 027 or 022.
SV-50444r3_rule  There must be no world-writable files on the system.
SV-50445r2_rule  The ntpdate service must not be running.
SV-50446r1_rule  The system default umask in /etc/login.defs must be 077.
SV-50447r2_rule  The oddjobd service must not be running.
SV-50448r1_rule  The system default umask in /etc/profile must be 077.
SV-50449r2_rule  The qpidd service must not be running.
SV-50450r1_rule  The system default umask for the csh shell must be 077.
SV-50451r2_rule  The rdisc service must not be running.
SV-50452r1_rule  The system default umask for the bash shell must be 077.
SV-50453r2_rule  Remote file systems must be mounted with the nodev option.
SV-50454r2_rule  The snmpd service must not use a default password.
SV-50455r2_rule  Remote file systems must be mounted with the nosuid option.
SV-50456r1_rule  The noexec option must be added to removable media partitions.
SV-50457r1_rule  The system must use SMB client signing for connecting to samba servers using smbclient.
SV-50458r2_rule  The system must use SMB client signing for connecting to samba servers using mount.cifs.
SV-50459r6_rule  The system must prohibit the reuse of passwords within five iterations.
SV-50460r2_rule  The operating system must employ cryptographic mechanisms to protect information in storage.
SV-50461r2_rule  The snmpd service must use only SNMP protocol version 3 or newer.
SV-50462r2_rule  The operating system must protect the confidentiality and integrity of data at rest.
SV-50463r2_rule  The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
SV-50464r1_rule  The system package management tool must verify permissions on all files and directories associated with the audit package.
SV-50465r1_rule  The system package management tool must verify ownership on all files and directories associated with the audit package.
SV-50466r1_rule  The system package management tool must verify group-ownership on all files and directories associated with the audit package.
SV-50468r3_rule  The system must have a host-based intrusion detection tool installed.
SV-50469r4_rule  The x86 Ctrl-Alt-Delete key sequence must be disabled.
SV-50470r1_rule  The postfix service must be enabled for mail delivery.
SV-50471r2_rule  The operating system must detect unauthorized changes to software and information.
SV-50472r1_rule  The sendmail package must be removed.
SV-50473r2_rule  The netconsole service must be disabled unless required.
SV-50474r2_rule  The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
SV-50475r1_rule  X Windows must not be enabled unless required.
SV-50476r2_rule  Process core dumps must be disabled unless needed.
SV-50477r2_rule  The xorg-x11-server-common (X Windows) package must not be installed, unless required.
SV-50478r1_rule  The NFS server must not have the insecure file locking option enabled.
SV-50479r2_rule  The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
SV-50480r4_rule  The DHCP client must be disabled if not needed.
SV-50481r1_rule  The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
SV-50482r2_rule  All GIDs referenced in /etc/passwd must be defined in /etc/group
SV-50483r6_rule  The Bluetooth kernel module must be disabled.
SV-50484r1_rule  All accounts on the system must have unique user or account names
SV-50485r2_rule  The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
SV-50486r1_rule  Temporary accounts must be provisioned with an expiration date.
SV-50487r2_rule  The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
SV-50488r3_rule  The system must provide VPN connectivity for communications over untrusted networks.
SV-50489r3_rule  A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-50490r5_rule  The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-50491r1_rule  Emergency accounts must be provisioned with an expiration date.
SV-50492r2_rule  The Bluetooth service must be disabled.
SV-50493r1_rule  Accounts must be locked upon 35 days of inactivity.
SV-50494r4_rule  The system must require passwords to contain no more than three consecutive repeating characters.
SV-50495r1_rule  The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
SV-50496r2_rule  A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
SV-50497r2_rule  The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
SV-50498r2_rule  The sticky bit must be set on all public directories.
SV-50499r2_rule  The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
SV-50500r2_rule  All public directories must be owned by a system account.
SV-50501r2_rule  The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
SV-50502r2_rule  The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
SV-50503r2_rule  The FTP daemon must be configured for logging or verbose mode.
SV-55880r2_rule  The login user list must be disabled.
SV-65547r2_rule  The system must use a Linux Security Module at boot time.
SV-65573r1_rule  The system must use a Linux Security Module configured to enforce limits on system services.
SV-65579r1_rule  The system must use a Linux Security Module configured to limit the privileges of system services.
SV-65589r1_rule  All device files must be monitored by the system Linux Security Module.
SV-65601r1_rule  A file integrity baseline must be created.
SV-66089r2_rule  The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
SV-68627r3_rule  The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
SV-71919r1_rule  The noexec option must be added to the /tmp partition.
SV-73331r2_rule  The sudo command must require authentication.
SV-87461r1_rule  Wireless network adapters must be disabled.
SV-96155r2_rule  The audit system must be configured to audit all attempts to alter system time through adjtimex.
SV-96157r1_rule  The Red Hat Enterprise Linux operating system must have an anti-virus solution installed.
SV-96159r1_rule  The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.
SV-96161r1_rule  The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.
SV-96163r1_rule  The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.
SV-102359r1_rule System and Application account passwords must be changed at least annually.
SV-106367r1_rule The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SV-106369r1_rule The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
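Worked check for the kernel-parameter and SSH daemon rules in the table (SV-50312 and SV-50324 through SV-50402 for sysctl; SV-50408 through SV-50418 and SV-106369 for sshd_config). This is an added example, not STIGQter code or DISA tooling: it parses sysctl.conf-style and sshd_config-style text offline and reports a pass or fail per rule ID. The required values follow the rule titles and the benchmark's check and fix text as I know them (confirm against the check text of your release before relying on them); the sample configurations at the bottom are constructed, and the ClientAliveInterval bound treats the fix text's 900 seconds as a ceiling. Two details the example makes visible: sysctl.conf applies the last assignment of a key, while sshd keeps the first value of a keyword, so a duplicated line is a silent override in one file and dead text in the other.

```python
"""Offline checker for the sysctl and sshd_config rules in the table above (added example, not STIGQter code)."""
import re

# Kernel/network rules: rule ID -> (sysctl key, value the STIG check expects).
SYSCTL_RULES = {
    "SV-50312r3_rule": ("net.ipv4.ip_forward", "0"),
    "SV-50324r3_rule": ("net.ipv4.conf.all.accept_source_route", "0"),
    "SV-50325r3_rule": ("net.ipv4.conf.all.accept_redirects", "0"),
    "SV-50327r3_rule": ("net.ipv4.conf.all.secure_redirects", "0"),
    "SV-50329r3_rule": ("net.ipv4.conf.all.log_martians", "1"),
    "SV-50330r3_rule": ("net.ipv4.conf.default.accept_source_route", "0"),
    "SV-50333r3_rule": ("net.ipv4.conf.default.secure_redirects", "0"),
    "SV-50334r4_rule": ("net.ipv4.conf.default.accept_redirects", "0"),
    "SV-50336r3_rule": ("net.ipv4.icmp_echo_ignore_broadcasts", "1"),
    "SV-50338r3_rule": ("net.ipv4.icmp_ignore_bogus_error_responses", "1"),
    "SV-50340r3_rule": ("net.ipv4.tcp_syncookies", "1"),
    "SV-50343r3_rule": ("net.ipv4.conf.all.rp_filter", "1"),
    "SV-50345r3_rule": ("net.ipv4.conf.default.rp_filter", "1"),
    "SV-50349r4_rule": ("net.ipv6.conf.default.accept_redirects", "0"),
    "SV-50397r3_rule": ("kernel.randomize_va_space", "2"),
    "SV-50398r3_rule": ("kernel.exec-shield", "1"),
    "SV-50401r3_rule": ("net.ipv4.conf.default.send_redirects", "0"),
    "SV-50402r3_rule": ("net.ipv4.conf.all.send_redirects", "0"),
}
# Algorithm lists from the benchmark's sshd fix text (FIPS 140-2 approved).
FIPS_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
FIPS_MACS = {"hmac-sha2-256", "hmac-sha2-512"}

def _subset_of(allowed):
    return lambda v: bool(v) and {x.strip().lower() for x in v.split(",")} <= allowed

# sshd rules: rule ID -> (keyword, predicate). An absent keyword is a finding,
# because the check greps for an explicit setting rather than trusting the default.
SSHD_RULES = {
    "SV-50408r1_rule": ("protocol", lambda v: v == "2"),
    "SV-50409r1_rule": ("clientaliveinterval", lambda v: v.isdigit() and 0 < int(v) <= 900),
    "SV-50411r1_rule": ("clientalivecountmax", lambda v: v == "0"),
    "SV-50412r1_rule": ("ignorerhosts", lambda v: v.lower() == "yes"),
    "SV-50413r1_rule": ("hostbasedauthentication", lambda v: v.lower() == "no"),
    "SV-50414r1_rule": ("permitrootlogin", lambda v: v.lower() == "no"),
    "SV-50415r1_rule": ("permitemptypasswords", lambda v: v.lower() == "no"),
    "SV-50416r1_rule": ("banner", lambda v: v.lower() != "none"),
    "SV-50417r1_rule": ("permituserenvironment", lambda v: v.lower() == "no"),
    "SV-50418r2_rule": ("ciphers", _subset_of(FIPS_CIPHERS)),
    "SV-106369r1_rule": ("macs", _subset_of(FIPS_MACS)),
}

def parse_sysctl(text):
    """sysctl.conf: 'key = value'; '#' or ';' starts a comment; the LAST assignment wins."""
    values = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0]
        if "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def parse_sshd_config(text):
    """sshd_config: 'Keyword value'; keywords are case-insensitive; the FIRST occurrence wins.
    Parsing stops at a Match block, whose settings apply only conditionally."""
    values = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        values.setdefault(key, val)
    return values

def evaluate(sysctl_text, sshd_text):
    """Return {rule_id: (status, detail)} for every rule in the two tables."""
    findings, sysctl, sshd = {}, parse_sysctl(sysctl_text), parse_sshd_config(sshd_text)
    for rule, (key, want) in SYSCTL_RULES.items():
        got = sysctl.get(key)
        findings[rule] = ("pass" if got == want else "fail", f"{key}={got!r}, want {want}")
    for rule, (key, ok) in SSHD_RULES.items():
        got = sshd.get(key)
        findings[rule] = ("pass" if got is not None and ok(got) else "fail", f"{key}={got!r}")
    return findings

# Constructed sample: compliant except that kernel.exec-shield is missing and a
# later line re-enables forwarding, which wins because sysctl applies the last value.
SAMPLE_SYSCTL = "\n".join(f"{k} = {v}" for k, v in SYSCTL_RULES.values()
                          if k != "kernel.exec-shield") + "\nnet.ipv4.ip_forward = 1\n"
# Constructed sample: Protocol still offers SSHv1, MACs is unset, and the final
# 'PermitRootLogin yes' is dead text because sshd keeps the first value it sees.
SAMPLE_SSHD = """\
Protocol 2,1
ClientAliveInterval 900
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Banner /etc/issue
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
PermitRootLogin yes
"""

def run_sample():
    return evaluate(SAMPLE_SYSCTL, SAMPLE_SSHD)
```

Call evaluate() with the contents of /etc/sysctl.conf and /etc/ssh/sshd_config to check a host; run_sample() returns the findings for the constructed inputs (four failures: ip_forward, the missing exec-shield line, Protocol 2,1 and the unset MACs). The example inspects files only. A complete check also compares the live values from sysctl -n, because editing sysctl.conf without sysctl -p leaves the running kernel unchanged, and a sshd_config edit takes effect only after the daemon is reloaded.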
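Worked coverage check for the audit-rule entries in the table: the time-change syscalls (SV-50323, SV-50326, SV-50328, SV-96155), the /etc/localtime and /etc/sudoers watches (SV-50331, SV-50379) and the discretionary access control syscalls (SV-50344 through SV-50366). This is an added example, not STIGQter code: it parses audit.rules-style text with shlex, collects the syscalls each -a rule covers per architecture, and reports the architectures still missing for each rule on an x86_64 host, where the check text expects both b32 and b64 rules (stime has no 64-bit entry point, so only b32 is required for it). The sample rules are constructed. A -w watch with no -p defaults to all permissions (rwxa), so the sudoers line without -p still passes; rules without an explicit -F arch= are counted as covering nothing here, because the check text expects the explicit form, while auditctl itself would apply such a rule to the native architecture only.

```python
"""Offline coverage check for the audit.rules entries in the table above (added example, not STIGQter code)."""
import shlex

# Time-change syscalls: rule ID -> (syscall, architectures that must carry it on
# x86_64). stime has no 64-bit entry point, so only the b32 rule is required.
TIME_SYSCALLS = {
    "SV-50323r4_rule": ("settimeofday", {"b32", "b64"}),
    "SV-50326r5_rule": ("stime", {"b32"}),
    "SV-50328r4_rule": ("clock_settime", {"b32", "b64"}),
    "SV-96155r2_rule": ("adjtimex", {"b32", "b64"}),
}
# DAC-modification syscalls (SV-50344 .. SV-50366), required on both architectures.
DAC_SYSCALLS = {
    "SV-50344r4_rule": "chmod", "SV-50346r4_rule": "chown", "SV-50348r4_rule": "fchmod",
    "SV-50351r4_rule": "fchmodat", "SV-50353r4_rule": "fchown", "SV-50355r4_rule": "fchownat",
    "SV-50357r4_rule": "fremovexattr", "SV-50358r4_rule": "fsetxattr",
    "SV-50359r4_rule": "lchown", "SV-50360r4_rule": "lremovexattr",
    "SV-50362r4_rule": "lsetxattr", "SV-50364r4_rule": "removexattr",
    "SV-50366r4_rule": "setxattr",
}
# File watches: rule ID -> (path, permission letters the watch must include).
WATCHES = {
    "SV-50331r2_rule": ("/etc/localtime", "wa"),
    "SV-50379r2_rule": ("/etc/sudoers", "wa"),
}

def parse_audit_rules(text):
    """Return (syscall_rules, watches). syscall_rules is a list of (arch, set of
    syscalls) from -a lines; arch is None when the line has no -F arch=. watches
    maps a -w path to its permission letters (auditctl defaults -p to rwxa)."""
    syscall_rules, watches = [], {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        if tokens[0] == "-a":
            arch, syscalls = None, set()
            for flag, value in zip(tokens, tokens[1:]):
                if flag == "-S":
                    syscalls.update(value.split(","))
                elif flag == "-F" and value.startswith("arch="):
                    arch = value[len("arch="):]
            if syscalls:
                syscall_rules.append((arch, syscalls))
        elif tokens[0] == "-w" and len(tokens) > 1:
            perms = tokens[tokens.index("-p") + 1] if "-p" in tokens else "rwxa"
            watches.setdefault(tokens[1], set()).update(perms)
    return syscall_rules, watches

def covered(syscall_rules, syscall, arch):
    """True if some rule for this arch names the syscall (or uses -S all)."""
    return any(a == arch and (syscall in s or "all" in s) for a, s in syscall_rules)

def evaluate(text, arches=("b32", "b64")):
    """Return {rule_id: (status, detail)}; arches is what the host needs (x86_64: both)."""
    rules, watches = parse_audit_rules(text)
    required = {rid: (sc, need & set(arches)) for rid, (sc, need) in TIME_SYSCALLS.items()}
    required.update({rid: (sc, set(arches)) for rid, sc in DAC_SYSCALLS.items()})
    findings = {}
    for rid, (syscall, need) in required.items():
        missing = sorted(a for a in need if not covered(rules, syscall, a))
        findings[rid] = ("fail" if missing else "pass", f"{syscall}: missing {missing or 'none'}")
    for rid, (path, perms) in WATCHES.items():
        have = "".join(sorted(watches.get(path, set())))
        findings[rid] = ("pass" if set(perms) <= set(have) else "fail", f"-w {path} -p {have or '-'}")
    return findings

# Constructed sample audit.rules: clock_settime lacks its b64 rule, the b64 xattr
# rule omits fremovexattr, and the sudoers watch relies on the default -p (rwxa).
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-w /etc/localtime -p wa -k audit_time_rules
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-w /etc/sudoers -k actions
"""

def run_sample():
    return evaluate(SAMPLE_RULES)
```

Pass the contents of /etc/audit/audit.rules to evaluate() for a host check; run_sample() returns the findings for the constructed input (two failures: clock_settime without a b64 rule and fremovexattr absent from the b64 xattr rule). Check the loaded rules as well as the file: auditctl -l shows what the kernel actually holds, which differs from the file whenever a line was rejected at load time.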