
Red Hat Enterprise Linux 6 Security Technical Implementation Guide


Overview

Date: 2020-09-03
Finding Count: 269 (CAT I (High): 18, CAT II (Med): 147, CAT III (Low): 104)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-217983 High The telnet-server package must not be installed.
V-217984 High The telnet daemon must not be running.
V-217985 High The rsh-server package must not be installed.
V-217986 High The rshd service must not be running.
V-217987 High The rexecd service must not be running.
V-217988 High The rlogind service must not be running.
V-217862 High The Red Hat Enterprise Linux operating system must not contain .shosts or shosts.equiv files.
V-217860 High There must be no .rhosts or hosts.equiv files on the system.
V-217994 High The SSH daemon must be configured to use only the SSHv2 protocol.
V-217852 High Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
V-218112 High The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-218055 High The NFS server must not have the insecure file locking option enabled.
V-218069 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-217868 High The system must not have accounts configured with blank or null passwords.
V-218072 High The snmpd service must not use a default password.
V-218036 High The x86 Ctrl-Alt-Delete key sequence must be disabled.
V-218001 High The SSH daemon must not allow authentication using an empty password.
V-224669 High The Red Hat Enterprise Linux operating system must be a vendor-supported release.
V-217928 Medium The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-217878 Medium The /etc/passwd file must be group-owned by root.
V-218038 Medium The sendmail package must be removed.
V-217897 Medium The system must disable accounts after three consecutive unsuccessful logon attempts.
V-217891 Medium System and Application account passwords must be changed at least annually.
V-217918 Medium The system must not accept IPv4 source-routed packets by default.
V-217898 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
V-217899 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
V-217950 Medium The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
V-218013 Medium The graphical desktop environment must have automatic lock enabled.
V-218012 Medium The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
V-218035 Medium The system must have a host-based intrusion detection tool installed.
V-217889 Medium User passwords must be changed at least every 60 days.
V-217888 Medium Users must not be able to change passwords more than once every 24 hours.
V-217881 Medium The /etc/group file must be group-owned by root.
V-217880 Medium The /etc/group file must be owned by root.
V-217883 Medium Library files must have mode 0755 or less permissive.
V-217882 Medium The /etc/group file must have mode 0644 or less permissive.
V-217885 Medium All system command files must have mode 755 or less permissive.
V-217884 Medium Library files must be owned by a system account.
V-217887 Medium The system must require passwords to contain a minimum of 15 characters.
V-217886 Medium All system command files must be owned by root.
V-218022 Medium Remote file systems must be mounted with the nosuid option.
V-218021 Medium Remote file systems must be mounted with the nodev option.
V-218026 Medium The system must prohibit the reuse of passwords within five iterations.
V-217858 Medium The system must use a Linux Security Module at boot time.
V-217859 Medium A file integrity baseline must be created.
V-217923 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
V-217874 Medium The /etc/gshadow file must be owned by root.
V-217875 Medium The /etc/gshadow file must be group-owned by root.
V-217876 Medium The /etc/gshadow file must have mode 0000.
V-217877 Medium The /etc/passwd file must be owned by root.
V-217870 Medium The root account must be the only account having a UID of 0.
V-217871 Medium The /etc/shadow file must be owned by root.
V-218033 Medium The system package management tool must verify contents of all files associated with the audit package.
V-217873 Medium The /etc/shadow file must have mode 0000.
V-217879 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-217919 Medium The system must not accept ICMPv4 secure redirect packets by default.
V-217980 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-217981 Medium The xinetd service must be disabled if no network services utilizing it are enabled.
V-217989 Medium The ypserv package must not be installed.
V-217908 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-217909 Medium The system must implement virtual address space randomization.
V-217865 Medium The system must prevent the root account from logging in from virtual consoles.
V-217861 Medium The system must use a Linux Security Module configured to enforce limits on system services.
V-217900 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
V-217901 Medium The system boot loader configuration file(s) must be owned by root.
V-217902 Medium The system boot loader configuration file(s) must be group-owned by root.
V-217903 Medium The system boot loader configuration file(s) must have mode 0600 or less permissive.
V-217904 Medium The system boot loader must require authentication.
V-217905 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-217906 Medium The system must not permit interactive boot.
V-218040 Medium X Windows must not be enabled unless required.
V-218042 Medium The DHCP client must be disabled if not needed.
V-218048 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
V-218049 Medium The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
V-217930 Medium The system must employ a local IPv4 firewall.
V-217941 Medium The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
V-217993 Medium The cron service must be running.
V-217992 Medium The TFTP service must not be running.
V-217991 Medium The tftp-server package must not be installed unless required.
V-217990 Medium The ypbind service must not be running.
V-217995 Medium The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-217850 Medium The audit system must alert designated staff members when the audit storage volume approaches capacity.
V-217857 Medium A file integrity tool must be installed.
V-217854 Medium System security patches and updates must be installed and up-to-date.
V-217855 Medium The system package management tool must cryptographically verify the authenticity of system software packages during installation.
V-218111 Medium The Red Hat Enterprise Linux operating system must have an anti-virus solution installed.
V-217913 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-217912 Medium The system must not send ICMPv4 redirects from any interface.
V-217911 Medium The system must not send ICMPv4 redirects by default.
V-217910 Medium The system must limit the ability of processes to have simultaneous write and execute access to memory.
V-217916 Medium The system must not accept ICMPv4 secure redirect packets on any interface.
V-217915 Medium The system must not accept ICMPv4 redirect packets on any interface.
V-217914 Medium The system must not accept IPv4 source-routed packets on any interface.
V-218053 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
V-218052 Medium The operating system must detect unauthorized changes to software and information.
V-218051 Medium The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
V-218050 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
V-218057 Medium The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
V-218056 Medium The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
V-218058 Medium The Bluetooth kernel module must be disabled.
V-217931 Medium The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
V-217867 Medium Default operating system accounts, other than root, must be locked.
V-217940 Medium All rsyslog-generated log files must have mode 0600 or less permissive.
V-218009 Medium Mail relaying must be restricted.
V-218105 Medium The login user list must be disabled.
V-218107 Medium The sudo command must require authentication.
V-218106 Medium The noexec option must be added to the /tmp partition.
V-218101 Medium Audit log files must be group-owned by root.
V-218100 Medium The mail system must forward all mail for root to one or more system administrators.
V-218102 Medium The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-217926 Medium The system must ignore ICMPv6 redirects by default.
V-217927 Medium The system must employ a local IPv6 firewall.
V-217924 Medium The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
V-217925 Medium The system must use a reverse-path filter for IPv4 network traffic when possible by default.
V-218064 Medium The Bluetooth service must be disabled.
V-218062 Medium A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-218063 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-218060 Medium The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
V-218034 Medium There must be no world-writable files on the system.
V-218084 Medium Audit log files must have mode 0640 or less permissive.
V-218085 Medium Audit log files must be owned by root.
V-218086 Medium Audit log directories must have mode 0755 or less permissive.
V-218087 Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
V-218080 Medium The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-218081 Medium The system must require administrator action to unlock an account locked by excessive failed login attempts.
V-218082 Medium The system must disable accounts after excessive login failures within a 15-minute interval.
V-218083 Medium The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-217948 Medium The system must set a maximum audit log file size.
V-218088 Medium The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
V-218089 Medium The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
V-217949 Medium The system must rotate audit log files that reach the maximum file size.
V-217869 Medium The /etc/passwd file must not contain password hashes.
V-217999 Medium The SSH daemon must not allow host-based authentication.
V-218079 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-218078 Medium There must be no .netrc files on the system.
V-217933 Medium The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
V-217932 Medium The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-217935 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-217934 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-217937 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
V-217939 Medium All rsyslog-generated log files must be group-owned by root.
V-217938 Medium All rsyslog-generated log files must be owned by root.
V-217929 Medium The operating system must prevent public IPv6 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
V-217998 Medium The SSH daemon must ignore .rhosts files.
V-224674 Medium Wireless network adapters must be disabled.
V-218094 Medium The audit system must take appropriate action when there are disk errors on the audit storage volume.
V-218093 Medium The audit system must take appropriate action when the audit storage volume is full.
V-218090 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
V-218031 Medium The system package management tool must verify ownership on all files and directories associated with the audit package.
V-218011 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes.
V-218030 Medium The system package management tool must verify permissions on all files and directories associated with the audit package.
V-217944 Medium The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-217945 Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-217946 Medium The operating system must produce audit records containing sufficient information to establish what type of events occurred.
V-217947 Medium The system must retain enough rotated audit logs to cover the required log retention period.
V-218008 Medium The system clock must be synchronized to an authoritative DoD time source.
V-217872 Medium The /etc/shadow file must be group-owned by root.
V-217942 Medium The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
V-218004 Medium The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
V-218005 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-218032 Medium The system package management tool must verify group-ownership on all files and directories associated with the audit package.
V-218000 Medium The system must not permit root logins using remote access programs such as ssh.
V-218002 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-218007 Medium The system clock must be synchronized continuously, or at least daily.
V-218071 Medium The snmpd service must use only SNMP protocol version 3 or newer.
V-218003 Low The SSH daemon must not permit user environment settings.
V-217896 Low The system must require at least eight characters be changed between the old and new passwords during a password change.
V-217894 Low The system must require passwords to contain at least one special character.
V-217895 Low The system must require passwords to contain at least one lower-case alphabetic character.
V-217892 Low The system must require passwords to contain at least one numeric character.
V-217893 Low The system must require passwords to contain at least one uppercase alphabetic character.
V-217890 Low Users must be warned 7 days in advance of password expiration.
V-217957 Low The operating system must automatically audit account modification.
V-217956 Low The operating system must automatically audit account creation.
V-217955 Low The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
V-217954 Low The audit system must be configured to audit all attempts to alter system time through clock_settime.
V-217953 Low The audit system must be configured to audit all attempts to alter system time through stime.
V-217952 Low The audit system must be configured to audit all attempts to alter system time through settimeofday.
V-217951 Low The audit system must be configured to audit all attempts to alter system time through adjtimex.
V-218017 Low The ntpdate service must not be running.
V-218016 Low The atd service must be disabled.
V-218015 Low The Automatic Bug Reporting Tool (abrtd) service must not be running.
V-218014 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-217959 Low The operating system must automatically audit account termination.
V-217958 Low The operating system must automatically audit account disabling actions.
V-217968 Low The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
V-217969 Low The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
V-217962 Low The audit system must be configured to audit all discretionary access control permission modifications using chmod.
V-217963 Low The audit system must be configured to audit all discretionary access control permission modifications using chown.
V-217960 Low The audit system must be configured to audit modifications to the system's network configuration.
V-217961 Low The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
V-217966 Low The audit system must be configured to audit all discretionary access control permission modifications using fchown.
V-217967 Low The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
V-217964 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
V-217965 Low The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
V-218023 Low The noexec option must be added to removable media partitions.
V-218020 Low The rdisc service must not be running.
V-218027 Low The operating system must employ cryptographic mechanisms to protect information in storage.
V-218024 Low The system must use SMB client signing for connecting to samba servers using smbclient.
V-218025 Low The system must use SMB client signing for connecting to samba servers using mount.cifs.
V-218028 Low The operating system must protect the confidentiality and integrity of data at rest.
V-218029 Low The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
V-217922 Low The system must ignore ICMPv4 bogus error responses.
V-217979 Low The audit system must be configured to audit changes to the /etc/sudoers file.
V-217978 Low The audit system must be configured to audit user deletions of files and programs.
V-217975 Low The audit system must be configured to audit failed attempts to access files and programs.
V-217974 Low The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
V-217977 Low The audit system must be configured to audit successful file system mounts.
V-217976 Low The audit system must be configured to audit all use of setuid and setgid programs.
V-217971 Low The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
V-217970 Low The audit system must be configured to audit all discretionary access control permission modifications using lchown.
V-217973 Low The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
V-217972 Low The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
V-218039 Low The netconsole service must be disabled unless required.
V-217982 Low The xinetd service must be uninstalled if no network services utilizing it are enabled.
V-217864 Low All device files must be monitored by the system Linux Security Module.
V-217863 Low The system must use a Linux Security Module configured to limit the privileges of system services.
V-217907 Low The system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
V-218041 Low The xorg-x11-server-common (X Windows) package must not be installed, unless required.
V-218043 Low All GIDs referenced in /etc/passwd must be defined in /etc/group.
V-218044 Low All accounts on the system must have unique user or account names.
V-218045 Low Temporary accounts must be provisioned with an expiration date.
V-218046 Low Emergency accounts must be provisioned with an expiration date.
V-218047 Low The system must require passwords to contain no more than three consecutive repeating characters.
V-218018 Low The oddjobd service must not be running.
V-217997 Low The SSH daemon must set a timeout count on idle sessions.
V-217996 Low The SSH daemon must set a timeout interval on idle sessions.
V-217853 Low The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
V-217851 Low The system must use a separate file system for user home directories.
V-217856 Low The system package management tool must cryptographically verify the authenticity of all software packages during installation.
V-218110 Low The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.
V-217917 Low The system must log Martian packets.
V-218054 Low Process core dumps must be disabled unless needed.
V-218059 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-217866 Low The system must prevent the root account from logging in from serial consoles.
V-217849 Low The system must use a separate file system for the system audit data path.
V-217848 Low The system must use a separate file system for /var/log.
V-217847 Low The system must use a separate file system for /var.
V-217846 Low The system must use a separate file system for /tmp.
V-218104 Low Automated file system mounting tools must not be enabled unless needed.
V-218103 Low Auditing must be enabled at boot by setting a kernel parameter.
V-218109 Low The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.
V-218108 Low The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.
V-217920 Low The system must ignore ICMPv4 redirect messages by default.
V-217921 Low The system must not respond to ICMPv4 sent to a broadcast address.
V-218066 Low The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
V-218067 Low The sticky bit must be set on all public directories.
V-218065 Low Accounts must be locked upon 35 days of inactivity.
V-218061 Low The system must provide VPN connectivity for communications over untrusted networks.
V-218068 Low All public directories must be owned by a system account.
V-218019 Low The qpidd service must not be running.
V-217936 Low The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
V-218073 Low The system default umask for the bash shell must be 077.
V-218075 Low The system default umask in /etc/profile must be 077.
V-218074 Low The system default umask for the csh shell must be 077.
V-218077 Low The system default umask for daemons must be 027 or 022.
V-218076 Low The system default umask in /etc/login.defs must be 077.
V-218097 Low The system package management tool must verify group-ownership on all files and directories associated with packages.
V-218096 Low The system package management tool must verify ownership on all files and directories associated with packages.
V-218095 Low The NFS server must not have the all_squash option enabled.
V-218092 Low The system must forward audit records to the syslog service.
V-218091 Low The system must allow locking of graphical desktop sessions.
V-218037 Low The postfix service must be enabled for mail delivery.
V-218099 Low The system package management tool must verify contents of all files associated with packages.
V-218098 Low The system package management tool must verify permissions on all files and directories associated with packages.
V-217943 Low System logs must be rotated daily.
V-218006 Low The avahi service must be disabled.
V-218070 Low The FTP daemon must be configured for logging or verbose mode.
V-218010 Low The openldap-servers package must not be installed unless required.