| V-282352 | | TOSS 5 must automatically expire temporary accounts within 72 hours. | Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware confi... |
| V-282353 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes... |
| V-282354 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. | The actions taken by system administrators (SAs) must be audited to keep a record of what was executed on the system, as well as for accountability pu... |
| V-282355 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-282356 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-282357 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-282358 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-282359 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-282360 | | TOSS 5 must automatically lock an account when three unsuccessful login attempts occur. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-282361 | | TOSS 5 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-282362 | | TOSS 5 must ensure account lockouts persist. | Lockouts persisting across reboots ensure that the account is only unlocked by an administrator. If the lockouts did not persist across reboots, an at... |
| V-282363 | | TOSS 5 must log username information when unsuccessful login attempts occur. | Without auditing these events, it may be harder or impossible to identify what an attacker did after an attack.... |
| V-282364 | | TOSS 5 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | If the "pam_faillock.so" module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.... |
| V-282365 | | TOSS 5 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | If the "pam_faillock.so" module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.... |
| V-282366 | | TOSS 5 must display the Standard Mandatory DOD or other applicable U.S. Government Notice and Consent Banner before granting local or remote access to the system via a command line user login. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-282367 | | TOSS 5 must display the Standard Mandatory DOD or other applicable U.S. Government agency Notice and Consent Banner before granting local or remote access to the system via a SSH login. | The warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. Alternatively, syste... |
| V-282368 | | TOSS 5 must display the Standard Mandatory DOD or other applicable U.S. Government agency Notice and Consent Banner before granting local or remote access to the system via a graphical user login. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-282369 | | TOSS 5 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-282372 | | TOSS 5 must directly initiate a session lock for all connection types when the smart card is removed. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-282373 | | TOSS 5 must prevent a user from overriding the disabling of the graphical user smart card removal action. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-282374 | | TOSS 5 must enable a user session lock until that user reestablishes access using established identification and authentication procedures for graphical user sessions. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-282375 | | TOSS 5 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-282376 | | TOSS 5 must have the tmux package installed. | "tmux" is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses "tm... |
| V-282377 | | TOSS 5 must automatically lock graphical user sessions after 10 minutes of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-282378 | | TOSS 5 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-282379 | | TOSS 5 must initiate a session lock for graphical user interfaces when the screensaver is activated. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-282380 | | TOSS 5 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-282381 | | TOSS 5 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. | Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to ... |
| V-282382 | | TOSS 5 must conceal via the session lock information previously visible on the display with a publicly viewable image. | Setting the screensaver mode to blank-only conceals the contents of the display from passersby.... |
| V-282383 | | TOSS 5 must log SSH connection attempts and failures to the server. | SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended, other than strictly for debugging SSH ... |
| V-282384 | | All TOSS 5 remote access methods must be monitored. | Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spo... |
| V-282385 | | TOSS 5 must force a frequent session key renegotiation for SSH connections to the server. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-282388 | | TOSS 5 must audit all uses of the chmod, fchmod, and fchmodat system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-282389 | | TOSS 5 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-282390 | | TOSS 5 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-282391 | | TOSS 5 must audit all uses of umount system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282392 | | TOSS 5 must audit all uses of the chacl command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282393 | | TOSS 5 must audit all uses of the setfacl command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282394 | | TOSS 5 must audit all uses of the chcon command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-282395 | | TOSS 5 must audit all uses of the semanage command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282396 | | TOSS 5 must audit all uses of the setfiles command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282397 | | TOSS 5 must audit all uses of the setsebool command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282398 | | TOSS 5 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282399 | | TOSS 5 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282400 | | TOSS 5 must audit all uses of the delete_module system call. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282401 | | TOSS 5 must audit all uses of the init_module and finit_module system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282402 | | TOSS 5 must audit all uses of the chage command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282403 | | TOSS 5 must audit all uses of the chsh command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282404 | | TOSS 5 must audit all uses of the crontab command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282405 | | TOSS 5 must audit all uses of the gpasswd command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282406 | | TOSS 5 must audit all uses of the kmod command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-282407 | | TOSS 5 must audit all uses of the newgrp command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282408 | | TOSS 5 must audit all uses of the pam_timestamp_check command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282409 | | TOSS 5 must audit all uses of the passwd command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282410 | | TOSS 5 must audit all uses of the postdrop command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282411 | | TOSS 5 must audit all uses of the postqueue command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282412 | | TOSS 5 must audit all uses of the ssh-agent command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282413 | | TOSS 5 must audit all uses of the ssh-keysign command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282414 | | TOSS 5 must audit all uses of the su command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282415 | | TOSS 5 must audit all uses of the sudo command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282416 | | TOSS 5 must audit all uses of the sudoedit command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282417 | | TOSS 5 must audit all uses of the unix_chkpwd command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282418 | | TOSS 5 must audit all uses of the unix_update command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282419 | | TOSS 5 must audit all uses of the userhelper command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282420 | | TOSS 5 must audit all uses of the usermod command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-282421 | | TOSS 5 must audit all uses of the mount command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-282422 | | Successful/unsuccessful uses of the umount system call in TOSS 5 must generate an audit record. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing D... |
| V-282423 | | Successful/unsuccessful uses of the umount2 system call in TOSS 5 must generate an audit record. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing D... |
| V-282424 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282425 | | TOSS 5 must label all offloaded audit logs before sending them to the central log server. | Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much mo... |
| V-282426 | | TOSS 5 must forward mail from postmaster to the root account using a postfix alias. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-282427 | | TOSS 5 system administrators (SAs) and/or information system security officer (ISSOs) (at a minimum) must be alerted of an audit processing failure event. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-282428 | | TOSS 5 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-282429 | | TOSS 5 must take appropriate action when a critical audit processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-282430 | | TOSS 5 must periodically flush audit records to disk to prevent the loss of audit records. | If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may b... |
| V-282431 | | TOSS 5 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Satisfies: SRG... |
| V-282432 | | TOSS 5 audit log directory must be owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Satisfies: SRG... |
| V-282433 | | TOSS 5 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-282434 | | TOSS 5 audit system must protect login user identifiers (UIDs) from unauthorized change. | If modification of login UIDs is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible.
Satisfies: SR... |
| V-282435 | | TOSS 5 audit system must protect auditing rules from unauthorized change. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit informat... |
| V-282437 | | TOSS 5 audit package must be installed. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-282438 | | TOSS 5 audit service must be enabled. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-282439 | | The TOSS 5 audit system must audit local events. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-282440 | | TOSS 5 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-282441 | | TOSS 5 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-282442 | | TOSS 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-282443 | | TOSS 5, for public key infrastructure (PKI)-based authentication, must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use it to authenticate as an authorized user and gain access to the network infrastructure.
The cor... |
| V-282444 | | TOSS 5 must map the authenticated identity to the user or group account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-282445 | | TOSS 5 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-282447 | | TOSS 5 must enforce password complexity by requiring at least one uppercase character. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282448 | | TOSS 5 must enforce password complexity by requiring that at least one lowercase character be used. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282449 | | TOSS 5 must enforce password complexity by requiring that at least one numeric character be used. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282450 | | TOSS 5 must enforce password complexity rules for the root account. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282451 | | TOSS 5 must require users to change at least eight characters when changing passwords. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282452 | | TOSS 5 must limit the maximum number of repeating characters of the same character class to four when passwords are changed. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282453 | | TOSS 5 must limit the maximum number of repeating characters to three when passwords are changed. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282454 | | TOSS 5 must require the change of at least four character classes when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-282455 | | TOSS 5 password-auth must be configured to use a sufficient number of hashing rounds. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-282456 | | TOSS 5 system-auth must be configured to use a sufficient number of hashing rounds. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-282457 | | TOSS 5 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-282458 | | TOSS 5 must be configured to use the shadow file to store only encrypted representations of passwords. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-282459 | | TOSS 5 shadow password suite must be configured to use a sufficient number of hashing rounds. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-282460 | | TOSS 5 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords. | The system must use a strong hashing algorithm to store the password.
Passwords must be protected at all times, and encryption is the standard method... |
| V-282461 | | The TOSS 5 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and; therefore, cannot be relied upon to provide c... |
| V-282462 | | TOSS 5 must not have the rsh-server package installed. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-282463 | | TOSS 5 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-282464 | | TOSS 5 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-282465 | | TOSS 5 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. | Any password, no matter how complex, can eventually be cracked; therefore, passwords must be changed periodically. If the operating system does not li... |
| V-282466 | | TOSS 5 user account passwords must have a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked; therefore, passwords must be changed periodically. If TOSS 5 does not limit the lifeti... |
| V-282467 | | TOSS 5 passwords must be created with a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised.
Password complexity, ... |
| V-282468 | | TOSS 5 passwords, for new users, must have a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised.
Password complexity, ... |
| V-282471 | | TOSS 5 must require authentication to access emergency mode. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-282472 | | TOSS 5 must require authentication to access single-user mode. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-282474 | | TOSS 5 must be configured to disable the Asynchronous Transfer Mode (ATM) kernel module. | Disabling ATM protects the system against exploitation of any flaws in its implementation.... |
| V-282475 | | TOSS 5 must be configured to disable the Controller Area Network (CAN) kernel module. | Disabling CAN protects the system against exploitation of any flaws in its implementation.... |
| V-282476 | | TOSS 5 must be configured to disable the FireWire kernel module. | Disabling FireWire protects the system against exploitation of any flaws in its implementation.... |
| V-282477 | | TOSS 5 must disable the Stream Control Transmission Protocol (SCTP) kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-282478 | | TOSS 5 must disable the Transparent Inter Process Communication (TIPC) kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-282479 | | TOSS 5 must not have the ypserv package installed. | The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the ... |
| V-282480 | | TOSS 5 must not have the rsh-server package installed. | The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or... |
| V-282481 | | TOSS 5 must not have the telnet-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-282482 | | TOSS 5 must not have the iprutils package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-282485 | | TOSS 5 must have the firewalld package installed. | "firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services,... |
| V-282486 | | The firewalld service on TOSS 5 must be active. | "firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services,... |
| V-282487 | | TOSS 5 must control remote access methods. | To prevent unauthorized device connection, unauthorized information transfer, or unauthorized tunneling (i.e., embedding of data types within data typ... |
| V-282488 | | TOSS 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-282489 | | TOSS 5 duplicate User IDs (UIDs) must not exist for interactive users. | To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and co... |
| V-282490 | | All TOSS 5 interactive users must have a primary group that exists. | If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the u... |
| V-282491 | | TOSS 5 groups must have unique Group ID (GID). | To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the syst... |
| V-282492 | | TOSS 5 must have the openssl-pkcs11 package installed. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-282494 | | TOSS 5 must not permit direct logins to the root account using remote access via SSH. | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on ... |
| V-282497 | | TOSS 5 file system automount function must be disabled unless required. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous aut... |
| V-282498 | | TOSS 5 must disable the graphical user interface automount function unless required. | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Satisfies: SRG-OS-000114-G... |
| V-282499 | | TOSS 5 must prevent a user from overriding the disabling of the graphical user interface automount function. | A nonprivileged account is any operating system account with authorizations of a nonprivileged user.
Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-0003... |
| V-282500 | | TOSS 5 must prevent a user from overriding the disabling of the graphical user interface autorun function. | Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Secu... |
| V-282501 | | TOSS 5 must be configured to disable USB mass storage. | USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-0... |
| V-282502 | | TOSS 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-282503 | | TOSS 5 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented.... |
| V-282505 | | TOSS 5 must restrict access to the kernel message buffer. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-282506 | | TOSS 5 must prevent kernel profiling by nonprivileged users. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-282507 | | TOSS 5 must restrict exposed kernel pointer addresses access. | Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vuln... |
| V-282508 | | TOSS 5 must disable access to network bpf system call from nonprivileged processes. | Loading and accessing the packet filters programs and maps using the "bpf()" system call has the potential of revealing sensitive information about th... |
| V-282509 | | TOSS 5 must restrict usage of ptrace to descendant processes. | Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. This way, the attacker can steal sensitive info... |
| V-282510 | | TOSS 5 must use a Linux Security Module configured to enforce limits on system services. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-282511 | | A sticky bit must be set on all TOSS 5 public directories. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-282512 | | TOSS 5 must be configured to use TCP syncookies. | Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accompl... |
| V-282516 | | TOSS 5 /var/log directory must have mode 0755 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-282517 | | TOSS 5 /var/log/messages file must have mode 0640 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-282518 | | TOSS 5 /var/log directory must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-282519 | | TOSS 5 /var/log directory must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-282520 | | TOSS 5 /var/log/messages file must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-282521 | | TOSS 5 /var/log/messages file must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-282522 | | TOSS 5 SSH daemon must be configured to use systemwide crypto policies. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-282523 | | TOSS 5 must implement DOD or other applicable U.S. Government agency-approved encryption ciphers to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-282524 | | TOSS 5 must implement DOD or other applicable U.S. Government agency-approved encryption ciphers to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-282525 | | The TOSS 5 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-282527 | | TOSS 5 must implement DOD or other applicable U.S. Government agency -approved encryption in the OpenSSL package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-282528 | | TOSS 5 must implement DOD or other applicable U.S. Government agency-approved TLS encryption in the OpenSSL package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-282530 | | TOSS 5 must produce audit records containing information to establish the identity of any individual or process associated with the event. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-282531 | | TOSS 5 audit tools must have a mode of 0755 or less permissive. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-282532 | | TOSS 5 audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-282533 | | TOSS 5 audit tools must be group-owned by root. | Protecting audit information includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is ... |
| V-282534 | | TOSS 5 must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-282535 | | TOSS 5 system commands must have mode 755 or less permissive. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282536 | | TOSS 5 library directories must have mode 755 or less permissive. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282537 | | TOSS 5 library files must have mode 755 or less permissive. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282538 | | TOSS 5 system commands must be owned by root. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282539 | | TOSS 5 system commands must be group-owned by root or a system account. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282540 | | TOSS 5 library files must be owned by root. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282541 | | TOSS 5 library files must be group-owned by root or a system account. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282542 | | TOSS 5 library directories must be owned by root. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282543 | | TOSS 5 library directories must be group-owned by root or a system account. | If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-282544 | | TOSS 5 must enforce password complexity by requiring at least one special character. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282545 | | The TOSS 5 systemd-journald service must be enabled. | In the event of a system failure, TOSS 5 must preserve any information necessary to determine cause of the failure and return to operations with the l... |
| V-282549 | | TOSS 5 must securely compare internal information system clocks at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-282553 | | TOSS 5 must enable kernel parameters to enforce discretionary access control on hardlinks. | By enabling the "fs.protected_hardlinks" kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such ha... |
| V-282554 | | TOSS 5 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. | By enabling the "fs.protected_symlinks" kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable direct... |
| V-282559 | | The TOSS 5 debug-shell systemd service must be disabled. | The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabl... |
| V-282560 | | TOSS 5 must have the sudo package installed. | "sudo" is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is t... |
| V-282561 | | TOSS 5 must audit uses of the execve system call. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-282562 | | TOSS 5 must allocate audit record storage capacity to store at least one week's worth of audit records. | To ensure TOSS 5 systems have a sufficient storage capacity in which to write the audit logs, TOSS 5 needs to be able to allocate audit record storage... |
| V-282563 | | TOSS 5 must be configured to off-load audit records onto a different system from the system being audited via syslog. | The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in f... |
| V-282564 | | TOSS 5 must authenticate the remote logging server for off-loading audit logs via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information s... |
| V-282565 | | TOSS 5 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information s... |
| V-282566 | | TOSS 5 must encrypt, via the gtls driver, the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information s... |
| V-282567 | | TOSS 5 must take appropriate action when the internal event queue is full. | The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one loc... |
| V-282568 | | TOSS 5 audispd-plugins package must be installed. | "audispd-plugins" provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can relay events to remote machines or... |
| V-282569 | | TOSS 5 must act when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-282570 | | TOSS 5 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-282571 | | TOSS 5 must act when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-282572 | | TOSS 5 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-282574 | | TOSS 5 must have the chrony package installed. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-282575 | | TOSS 5 chronyd service must be enabled. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-282578 | | TOSS 5 must have the s-nail package installed. | The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated perso... |
| V-282579 | | TOSS 5 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Without verifying the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined... |
| V-282580 | | TOSS 5 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-282581 | | TOSS 5 SSH daemon must not allow Kerberos authentication. | Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled thr... |
| V-282586 | | TOSS 5 subscription-manager package must be installed. | The Subscription Manager application manages software subscriptions and software repositories for installed software products on the local system. It ... |
| V-282587 | | TOSS 5 must mount /var/tmp with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-282588 | | TOSS 5 must disable the graphical user interface autorun function unless required. | Allowing autorun commands to execute may introduce malicious code to a system. Configuring this setting prevents users from executing autorun commands... |
| V-282589 | | TOSS 5 fapolicy module must be installed. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-282590 | | TOSS 5 must use the invoking user's password for privilege escalation when using sudo. | If the "rootpw", "targetpw", or "runaspw" flags are defined and not disabled, by default the operating system will prompt the invoking user for the "r... |
| V-282591 | | TOSS 5 must have the pcsc-lite package installed. | The "pcsc-lite" package must be installed so it is available for multifactor authentication using smart cards.... |
| V-282592 | | TOSS 5 must have the opensc package installed. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
The DOD has mandated the use of the common access... |
| V-282593 | | TOSS 5 must have the USBGuard package installed. | The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-282594 | | TOSS 5 must have the USBGuard package enabled. | The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-282595 | | TOSS 5 must block unauthorized peripherals before establishing a connection. | The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-282597 | | TOSS 5 must prohibit the use of cached authenticators after one day. | If cached authentication information is out of date, the validity of the authentication information may be questionable.... |
| V-282598 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282599 | | TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-282602 | | TOSS 5 crypto policy must not be overridden. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-282603 | | TOSS 5 must implement a systemwide encryption policy. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-282605 | | TOSS 5 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-282606 | | All TOSS 5 networked systems must have SSH installed. | Without protecting the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted... |
| V-282607 | | All TOSS 5 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Without protecting the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted... |
| V-282608 | | TOSS 5 must implement DOD or other applicable U.S. Government agency-approved encryption in the bind package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Cryptographic mechanisms used for pr... |
| V-282610 | | TOSS 5 must implement nonexecutable data to protect its memory from unauthorized code execution. | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a li... |
| V-282613 | | TOSS 5 must enable the "SELinux" targeted policy. | Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exp... |
| V-282616 | | TOSS 5 must have the rsyslog package installed. | "rsyslogd" is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to suppor... |
| V-282617 | | TOSS 5 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information sy... |
| V-282618 | | TOSS 5 must prevent the use of dictionary words for passwords. | Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure ... |
| V-282619 | | TOSS 5 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack.... |
| V-282620 | | TOSS 5 must disable virtual system calls. | System calls are special routines in the Linux kernel which userspace applications ask to do privileged tasks. Invoking a system call is an expensive ... |
| V-282621 | | TOSS 5 must clear the page allocator to prevent use-after-free attacks. | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will b... |
| V-282622 | | TOSS 5 must disable the kernel.core_pattern. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-282624 | | TOSS 5 vendor packaged system security patches and updates must be installed and up to date. | Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patche... |
| V-282625 | | The graphical display manager must not be the default target on TOSS 5 unless approved. | Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of sec... |
| V-282627 | | TOSS 5 must disable the ability of systemd to spawn an interactive boot process. | Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, thereby weakening system security.... |
| V-282628 | | The TOSS 5 /boot/grub2/grub.cfg file must be group owned by root. | The "root" group is a highly privileged group. Furthermore, the group owner of this file should not have any access privileges.... |
| V-282629 | | The TOSS 5 /boot/grub2/grub.cfg file must be owned by root. | The "/boot/grub2/grub.cfg" file stores sensitive system configurations. Protecting this file is critical for system security.... |
| V-282630 | | TOSS 5 must prevent loading a new kernel for later execution. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-282631 | | TOSS 5 must disable core dump backtraces. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-282632 | | TOSS 5 must disable storing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-282633 | | TOSS 5 must disable acquiring, saving, and processing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-282634 | | TOSS 5 must not have the sendmail package installed. | The "sendmail "software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must ... |
| V-282635 | | TOSS 5 must not have the quagga package installed. | Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Borde... |
| V-282636 | | TOSS 5 must have the gnutls-utils package installed. | GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols and technologies around them. It provides a simple C language ... |
| V-282637 | | TOSS 5 must have the nss-tools package installed. | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server application... |
| V-282638 | | TOSS 5 must have the rng-tools package installed. | "rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.... |
| V-282639 | | TOSS 5 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. | When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and gro... |
| V-282640 | | TOSS 5 must prevent special devices on file systems that are imported via Network File System (NFS). | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-282641 | | TOSS 5 cron configuration directories must have a mode of 0700 or less permissive. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-282642 | | All TOSS 5 local initialization files must have mode 0740 or less permissive. | Local initialization files are used to configure the user's shell environment upon logon. Maliciously modifying these files could compromise accounts ... |
| V-282643 | | All TOSS 5 local interactive user home directories must have mode 0770 or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-282644 | | The TOSS 5 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/group" file contains information regarding groups that are configured on the system. Protecting this file is important for system security.... |
| V-282645 | | The TOSS 5 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/group-" file is a backup file of "/etc/group" and thus contains information regarding groups configured on the system. Protecting this file ... |
| V-282646 | | The TOSS 5 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/gshadow" file contains group password hashes. Protecting this file is critical for system security.... |
| V-282647 | | The TOSS 5 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/gshadow-" file is a backup of "/etc/gshadow" and contains group password hashes. Protecting this file is critical for system security.... |
| V-282648 | | The TOSS 5 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | If the "/etc/passwd" file is writable by a group owner or the world, it increases the risk of compromise. The file contains the list of accounts on th... |
| V-282649 | | The TOSS 5 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/passwd-" file is a backup file of "/etc/passwd" and contains information about the users configured on the system. Protecting this file is c... |
| V-282650 | | The TOSS 5 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protecting thi... |
| V-282651 | | The TOSS 5 /etc/group file must be owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protecting this file is critical for system security.... |
| V-282652 | | The TOSS 5 /etc/group file must be group-owned by root. | The "/etc/group" file contains information regarding groups configured on the system. Protecting this file is critical for system security.... |
| V-282653 | | The TOSS 5 /etc/group- file must be owned by root. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-282654 | | The TOSS 5 /etc/group- file must be group-owned by root. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-282655 | | The TOSS 5 /etc/gshadow file must be owned by root. | The "/etc/gshadow" file contains group password hashes. Protecting this file is critical for system security.... |
| V-282656 | | The TOSS 5 /etc/gshadow file must be group-owned by root. | The "/etc/gshadow" file contains group password hashes. Protecting this file is critical for system security.... |
| V-282657 | | The TOSS 5 /etc/gshadow- file must be owned by root. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protecting this file is critical for system secur... |
| V-282658 | | The TOSS 5 /etc/gshadow- file must be group-owned by root. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protecting this file is critical for system secur... |
| V-282659 | | The TOSS 5 /etc/passwd file must be owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protecting this file is critical for system security.... |
| V-282660 | | The TOSS 5 /etc/passwd file must be group-owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protecting this file is critical for system security.... |
| V-282661 | | The TOSS 5 /etc/passwd- file must be owned by root. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-282662 | | The TOSS 5 /etc/passwd- file must be group-owned by root. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-282663 | | The TOSS 5 /etc/shadow file must be owned by root. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protecting this file is critical for system security. Fa... |
| V-282664 | | The TOSS 5 /etc/shadow file must be group-owned by root. | The "/etc/shadow" file stores password hashes. Protecting this file is critical for system security.... |
| V-282665 | | The TOSS 5 /etc/shadow- file must be owned by root. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protecting thi... |
| V-282666 | | The TOSS 5 /etc/shadow- file must be group-owned by root. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protecting thi... |
| V-282667 | | The TOSS 5 cron configuration files directory must be owned by root. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-282668 | | The TOSS 5 cron configuration files directory must be group-owned by root. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-282669 | | All TOSS 5 world-writable directories must be owned by root, sys, bin, or an application user. | If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files ... |
| V-282670 | | All TOSS 5 local files and directories must have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files with... |
| V-282671 | | All TOSS 5 local files and directories must have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same user identifier "UID" as the UID of the unowned files.... |
| V-282672 | | TOSS 5 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized op... |
| V-282673 | | TOSS 5 /etc/crontab file must have mode 0600. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-282674 | | The TOSS 5 /etc/shadow file must have mode 0000 to prevent unauthorized access. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protecting this file is critical for system security. Fa... |
| V-282675 | | A TOSS 5 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-282676 | | TOSS 5 network interfaces must not be in promiscuous mode. | Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access thes... |
| V-282677 | | TOSS 5 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler. | When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in... |
| V-282678 | | TOSS 5 systems using DNS resolution must have at least two name servers configured. | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the fai... |
| V-282679 | | TOSS 5 must configure a DNS processing mode set in Network Manager. | In order to ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured.... |
| V-282680 | | TOSS 5 must not have unauthorized IP tunnels configured. | IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the information system security ... |
| V-282681 | | TOSS 5 must be configured to prevent unrestricted mail relaying. | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthor... |
| V-282683 | | The TOSS 5 libreswan package must be installed. | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area net... |
| V-282685 | | TOSS 5 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-282686 | | TOSS 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which... |
| V-282687 | | TOSS 5 must log IPv4 packets with impossible addresses. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign o... |
| V-282688 | | TOSS 5 must log IPv4 packets with impossible addresses by default. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign o... |
| V-282689 | | TOSS 5 must use reverse path filtering on all IPv4 interfaces. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were ... |
| V-282690 | | TOSS 5 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-282691 | | TOSS 5 must not forward IPv4 source-routed packets by default. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which... |
| V-282692 | | TOSS 5 must use a reverse-path filter for IPv4 network traffic when possible by default. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were ... |
| V-282693 | | TOSS 5 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings... |
| V-282694 | | TOSS 5 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. | Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An atta... |
| V-282695 | | TOSS 5 must not send Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-282696 | | TOSS 5 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-282697 | | TOSS 5 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when no... |
| V-282698 | | TOSS 5 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces. | An illicit router advertisement message could result in a man-in-the-middle attack.... |
| V-282699 | | TOSS 5 must ignore Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages. | An illicit ICMP redirect message could result in a man-in-the-middle attack.... |
| V-282700 | | TOSS 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-282701 | | TOSS 5 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only... |
| V-282702 | | TOSS 5 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces by default. | An illicit router advertisement message could result in a man-in-the-middle attack.... |
| V-282703 | | TOSS 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-282704 | | TOSS 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-282705 | | TOSS 5 must have the openssh-clients package installed. | This package includes utilities to make encrypted connections and transfer files securely to SSH servers.... |
| V-282706 | | The TOSS 5 SSH server configuration file must be group-owned by root. | Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnera... |
| V-282707 | | The TOSS 5 SSH server configuration file must be owned by root. | Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnera... |
| V-282708 | | The TOSS 5 SSH server configuration file must have mode 0600 or less permissive. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-282709 | | TOSS 5 SSH private host key files must have mode 0640 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-282710 | | TOSS 5 SSH public host key files must have mode 0644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.... |
| V-282711 | | The TOSS 5 SSH daemon must not allow rhosts authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.... |
| V-282712 | | The TOSS 5 SSH daemon must not allow known hosts authentication. | Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even ... |
| V-282713 | | The TOSS 5 SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.... |
| V-282714 | | The TOSS 5 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.... |
| V-282715 | | The TOSS 5 effective dconf policy must match the policy keyfiles. | Unlike text-based keyfiles, the binary database is impossible to check through most automated and all manual means; therefore, to evaluate dconf confi... |
| V-282716 | | TOSS 5 must disable the ability of a user to restart the system from the login screen. | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can creat... |
| V-282717 | | TOSS 5 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can creat... |
| V-282718 | | TOSS 5 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of... |
| V-282719 | | TOSS 5 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of... |
| V-282720 | | TOSS 5 must disable the user list at logon for graphical user interfaces. | Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without au... |
| V-282721 | | All TOSS 5 local interactive user accounts must be assigned a home directory upon creation. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-282722 | | TOSS 5 must set the umask value to 077 for all local interactive user accounts. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although u... |
| V-282723 | | TOSS 5 system accounts must not have an interactive login shell. | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.... |
| V-282724 | | Executable search paths within the initialization files of all local interactive TOSS 5 users must only contain paths that resolve to the system default or the users home directory. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If th... |
| V-282725 | | All TOSS 5 local interactive users must have a home directory assigned in the /etc/passwd file. | If local interactive users are not assigned a valid home directory, there is no place to store and control the files they should own.... |
| V-282726 | | All TOSS 5 local interactive user home directories defined in the /etc/passwd file must exist. | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working d... |
| V-282727 | | All TOSS 5 local interactive user home directories must be group-owned by the home directory owner's primary group. | If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthoriz... |
| V-282728 | | TOSS 5 must not have unauthorized accounts. | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for indiv... |
| V-282730 | | Local TOSS 5 initialization files must not execute world-writable programs. | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user file... |
| V-282732 | | TOSS 5 must have policycoreutils package installed. | If security functions are not verified, they may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware,... |
| V-282733 | | TOSS 5 policycoreutils-python-utils package must be installed. | The "policycoreutils-python-utils" package is required to operate and manage an SELinux environment and its policies. It provides utilities such as "s... |
| V-282734 | | TOSS 5 must require reauthentication when using the sudo command. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the c... |
| V-282735 | | TOSS 5 must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the ca... |
| V-282736 | | TOSS 5 must restrict privilege elevation to authorized personnel. | If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.... |
| V-282739 | | TOSS 5 must require users to provide a password for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the ca... |
| V-282740 | | TOSS 5 must not be configured to bypass password requirements for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the cap... |
| V-282741 | | TOSS 5 must not have accounts configured with blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-282742 | | TOSS 5 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | TOSS 5 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurab... |
| V-282745 | | TOSS 5 must have the packages required for encrypting off-loaded audit logs installed. | The "rsyslog-gnutls" package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.... |
| V-282746 | | The rsyslog service on TOSS 5 must be active. | The "rsyslog" service must be running to provide logging services, which are essential to system administration.... |
| V-282747 | | TOSS 5 must be configured so the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Unintentionally running an rsyslog server that accepts remote messages puts the system at increased risk. Malicious rsyslog messages sent to the serve... |
| V-282748 | | TOSS 5 must use cron logging. | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cr... |
| V-282749 | | The TOSS 5 audit system must take appropriate action when an error writing to the audit storage volume occurs. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-282750 | | The TOSS 5 audit system must take appropriate action when the audit storage volume is full. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-282751 | | The TOSS 5 audit system must take appropriate action when the audit files have reached maximum size. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-282752 | | TOSS 5 must write audit records to disk. | Audit data should be synchronously written to disk to ensure log integrity. This setting ensures all audit event data is written to disk.... |
| V-282753 | | TOSS 5 must define default permissions for the bash shell. | The "umask "controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although... |
| V-282754 | | TOSS 5 must define default permissions for the c shell. | The "umask" controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although... |
| V-282755 | | TOSS 5 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.... |
| V-282756 | | TOSS 5 must define default permissions for the system default profile. | The "umask" controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although... |
| V-282758 | | TOSS 5 must not allow users to override SSH environment variables. | SSH environment options potentially allow users to bypass access restriction in some configurations.... |
| V-282760 | | All TOSS local interactive user home directories must have mode 0770 or less permissive. | Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any information sharing with a sy... |
| V-282764 | | TOSS 5 must, for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords ... |
| V-282768 | | TOSS 5 must accept only external credentials that are NIST compliant. | Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing web... |
| V-282770 | | TOSS 5 must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the inter... |
| V-282771 | | TOSS 5 must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.... |
| V-282772 | | TOSS 5 must securely compare internal information system clocks at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-282371 | | TOSS 5 must limit the number of concurrent sessions to 256 for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of... |
| V-282387 | | TOSS 5 must enable auditing of processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-282436 | | TOSS 5 must enable Linux audit logging for the USBGuard daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-282473 | | TOSS 5 must enable mitigations against processor-based vulnerabilities. | Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass k... |
| V-282483 | | TOSS 5 must disable mounting of cramfs. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-282484 | | TOSS 5 must disable network management of the chrony daemon. | Not exposing the management interface of the chrony daemon on the network diminishes the attack space.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-00... |
| V-282529 | | TOSS 5 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-282611 | | TOSS 5 must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-282626 | | TOSS 5 must enable the hardware random number generator entropy gatherer service. | The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to ... |
| V-282731 | | TOSS 5 must display the date and time of the last successful account logon upon user logon. | Users must be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts th... |
| V-282743 | | TOSS 5 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | TOSS 5 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurab... |
| V-282744 | | TOSS 5 must be configured so the file integrity tool verifies extended attributes. | TOSS 5 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurab... |
| V-282386 | | TOSS 5 IP tunnels must use FIPS 140-3-approved cryptographic algorithms. | Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented.... |
| V-282446 | | TOSS 5 must ensure the password complexity module is enabled in the password-auth file. | Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.... |
| V-282470 | | TOSS 5 must require a unique superuser name upon booting into single-user and maintenance modes. | Having a nondefault grub superuser username makes password-guessing attacks less effective.... |
| V-282493 | | TOSS 5 SSHD must not allow blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-282504 | | TOSS 5 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | When "UsePAM" is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of ... |
| V-282514 | | TOSS 5 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | TOSS 5 systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modificati... |
| V-282526 | | TOSS 5 must implement DOD or other applicable U.S. Government agency-approved TLS encryption in the GnuTLS package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Transport Layer Security (TLS) encry... |
| V-282557 | | The systemd Ctrl-Alt-Delete burst key sequence in TOSS 5 must be disabled. | A locally logged-in user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-282558 | | The x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS 5. | A locally logged-in user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-282582 | | TOSS 5 must ensure cryptographic verification of vendor software packages. | Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofi... |
| V-282583 | | TOSS 5 must check the GPG signature of software packages originating from external software repositories before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-282584 | | TOSS 5 must check the GPG signature of locally installed software packages before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-282585 | | TOSS 5 must have GPG signature verification enabled for all software repositories. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-282601 | | TOSS 5 must have the crypto-policies package installed. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-282615 | | TOSS 5 crypto policy files must match files shipped with the operating system. | The TOSS 5 package "crypto-policies" defines the cryptography policies for the system.
If the files are changed from those shipped with the operating... |
| V-282623 | | TOSS 5 must be a vendor-supported release. | An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, ... |
| V-282682 | | If the Trivial File Transfer Protocol (TFTP) server is required, TOSS 5 TFTP daemon must be configured to operate in secure mode. | Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. Using the "-s" option causes t... |
| V-282684 | | There must be no .shosts files on TOSS 5. | The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not suffici... |
| V-282729 | | The root account must be the only account with unrestricted access to TOSS 5 system. | An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intr... |
| V-282737 | | TOSS 5 must not allow blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-282738 | | TOSS 5 must ensure the password complexity module is enabled in the system-auth file. | Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.... |
| V-282757 | | TOSS 5 must not allow an unattended or automatic logon to the system. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-282759 | | TOSS 5 must not allow unattended or automatic logon via the graphical user interface. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |