DISA STIG for Oracle Linux 5 v2r1

Audit Details

Name: DISA STIG for Oracle Linux 5 v2r1

Updated: 9/19/2023

Authority: DISA STIG

Plugin: Unix

Revision: 1.6

Estimated Item Count: 967

File Details

Filename: DISA_STIG_Oracle_Linux_5_v2r1.audit

Size: 2.04 MB

MD5: fed200f68488e6528a054a1fdafcc117
SHA256: 33f38840502e879ca665f5f5090efc7489cb2852631affe298159088afd21e62

Audit Items

DescriptionCategories
DISA_STIG_Oracle_Linux_5_v2r1.audit from DISA Oracle Linux 5 v2r1 STIG
GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - /etc/passwd halt'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - /etc/passwd reboot'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - /etc/passwd shutdown'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - /etc/shadow halt'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - /etc/shadow reboot'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - /etc/shadow shutdown'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-LNX00360 - The X server must have the correct options enabled - '-audit = 4'

CONFIGURATION MANAGEMENT

GEN000000-LNX00360 - The X server must have the correct options enabled - '-auth'

CONFIGURATION MANAGEMENT

GEN000000-LNX00360 - The X server must have the correct options enabled - '-s <= 15'

CONFIGURATION MANAGEMENT

GEN000000-LNX00360 - The X server must have the correct options enabled - ':0 /usr/bin/X:0'

CONFIGURATION MANAGEMENT

GEN000000-LNX00380 - An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock - '-ac'

CONFIGURATION MANAGEMENT

GEN000000-LNX00380 - An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock - '-core'

CONFIGURATION MANAGEMENT

GEN000000-LNX00380 - An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock - '-nolock'

CONFIGURATION MANAGEMENT

GEN000000-LNX00400 - The /etc/security/access.conf file must be owned by root.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00420 - The /etc/security/access.conf file must have a privileged group owner.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00440 - The /etc/security/access.conf file must have mode 0640 or less permissive.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00450 - The access.conf file must not have an extended ACL.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00480 - The /etc/sysctl.conf file must be owned by root.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00500 - The /etc/sysctl.conf file must be group-owned by root.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00520 - The /etc/sysctl.conf file must have mode 0600 or less permissive.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00530 - The /etc/sysctl.conf file must not have an extended ACL.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00560 - The Linux NFS Server must not have the insecure file locking option.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-LNX00580 - The x86 CTRL-ALT-DELETE key sequence must be disabled.

CONFIGURATION MANAGEMENT

GEN000000-LNX00600 - The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00620 - The /etc/securetty file must be group-owned by root, sys, or bin.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00640 - The /etc/securetty file must be owned by root.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00660 - The /etc/securetty file must have mode 0600 or less permissive.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX00720 - Auditing must be enabled at boot by setting a kernel parameter.

CONFIGURATION MANAGEMENT

GEN000000-LNX00800 - The system must use a Linux Security Module configured to limit the privileges of system services - 'SELINUX = enforcing'

CONFIGURATION MANAGEMENT

GEN000000-LNX00800 - The system must use a Linux Security Module configured to limit the privileges of system services - 'SELINUXTYPE = targeted or strict'

CONFIGURATION MANAGEMENT

GEN000000-LNX001431 - The /etc/gshadow file must be owned by root.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX001432 - The /etc/gshadow file must be group-owned by root.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX001433 - The /etc/gshadow file must have mode 0400.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX001434 - The /etc/gshadow file must not have an extended ACL.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-LNX001476 - The /etc/gshadow file must not contain any group password hashes.

CONFIGURATION MANAGEMENT

GEN000020 - The system must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

GEN000100 - The operating system must be a supported release.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

GEN000120 - System security patches and updates must be installed and up-to-date.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

GEN000140-2 - A file integrity baseline including cryptographic hashes must be created - '/etc/aide.conf must exist'

CONFIGURATION MANAGEMENT

GEN000140-2 - A file integrity baseline including cryptographic hashes must be created - 'cryptographic hash is used '

CONFIGURATION MANAGEMENT

GEN000140-2 - A file integrity baseline including cryptographic hashes must be created - 'database location'

CONFIGURATION MANAGEMENT

GEN000140-3 - A file integrity baseline including cryptographic hashes must be maintained - '/etc/aide.conf exists'

CONFIGURATION MANAGEMENT

GEN000140-3 - A file integrity baseline including cryptographic hashes must be maintained - 'database has been configured'

CONFIGURATION MANAGEMENT

GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.

CONFIGURATION MANAGEMENT, RISK ASSESSMENT

GEN000240 - The system clock must be synchronized to an authoritative DoD time source.

AUDIT AND ACCOUNTABILITY

GEN000241 - The system clock must be synchronized continuously - 'maxpoll 10'

CONFIGURATION MANAGEMENT

GEN000241 - The system clock must be synchronized continuously.

CONFIGURATION MANAGEMENT

GEN000242 - The system must use at least two time sources for clock synchronization - '/etc/ntp.conf'

AUDIT AND ACCOUNTABILITY

GEN000242 - The system must use at least two time sources for clock synchronization - 'cron jobs'

AUDIT AND ACCOUNTABILITY