DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit

Audit Details

Name: DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.16

Estimated Item Count: 958

File Details

Filename: DISA_STIG_RHEL_5_v1r18.audit

Size: 1.62 MB

MD5: b994b6db16df2716967bf95764323078
SHA256: c6ba748254d4458e6186a77902c2ad27ec9f17015f1f83783621379996279bc7

Audit Changelog

 
Revision 1.16

Apr 25, 2022

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.15

Oct 5, 2021

Miscellaneous
  • References updated.
Revision 1.14

Jul 30, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.13

Jun 17, 2021

Miscellaneous
  • Metadata updated.
Revision 1.12

Mar 23, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.11

Oct 5, 2020

Functional Update
  • GEN000000-LNX00600 - PAM system must not grant sole access to admin privileges to the first user who logs into the console.
  • GEN000140-3 - A file integrity baseline including cryptographic hashes must be maintained - 'database has been configured'
  • GEN000240 - The system clock must be synchronized to an authoritative DoD time source.
  • GEN000241 - The system clock must be synchronized continuously.
  • GEN000242 - The system must use at least two time sources for clock synchronization - 'cron jobs'
  • GEN000450 - System must limit users to 10 simultaneous system logins or a site-defined number in accordance with operational requirements
  • GEN000452 - The system must display the date and time of the last successful account login upon login.
  • GEN000460 - The system must disable accounts after three consecutive unsuccessful login attempts.
  • GEN000560 - The system must not have accounts configured with blank or null passwords.
  • GEN001060 - The system must log successful and unsuccessful access to the root account - rsyslog 'authpriv.*'
  • GEN001060 - The system must log successful and unsuccessful access to the root account - rsyslog.conf
  • GEN001060 - The system must log successful and unsuccessful access to the root account - syslog 'authpriv.*'
  • GEN001060 - The system must log successful and unsuccessful access to the root account - syslog.conf
  • GEN001100 - Root passwords must never be passed over a network in clear text form.
  • GEN001375 - For systems using DNS resolution, at least two name servers must be configured
  • GEN001375 - For systems using DNS resolution, at least two name servers must be configured - first name server
  • GEN001375 - For systems using DNS resolution, at least two name servers must be configured - second name server
  • GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F exit=-EACCES'
  • GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F exit=-EPERM'
  • GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F success=0'
  • GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F exit=-EACCES'
  • GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F exit=-EPERM'
  • GEN002720-2 - The audit system must be configured to audit failed attempts to access files and programs - '-S open -F success=0'
  • GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F exit=-EACCES'
  • GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F exit=-EPERM'
  • GEN002720-3 - The audit system must be configured to audit failed attempts to access files and programs - '-S openat -F success=0'
  • GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F exit=-EACCES'
  • GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F exit=-EPERM'
  • GEN002720-4 - The audit system must be configured to audit failed attempts to access files and programs - '-S truncate -F success=0'
  • GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F exit=-EACCES'
  • GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F exit=-EPERM'
  • GEN002720-5 - The audit system must be configured to audit failed attempts to access files and programs - '-S ftruncate -F success=0'
  • GEN002730 - The audit system must alert the SA when the audit storage volume approaches its capacity - 'action_mail_account'
  • GEN002860 - Audit logs must be rotated daily.
  • GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/rsyslog.conf contains *.* @<server>'
  • GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/syslog.conf contains *.* @<server>'
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'adm' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'adm' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'bin' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'bin' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'daemon' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'daemon' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'ftp' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'ftp' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'games' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'games' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'gopher' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'gopher' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'halt' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'halt' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'lp' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'lp' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'mail' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'mail' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'news' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'news' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'nobody' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'nobody' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'operator' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'operator' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'shutdown' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'shutdown' - cron.deny
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'uucp' - cron.allow
  • GEN003060 - System accounts must not be listed in cron.allow or must be included in cron.deny - 'uucp' - cron.deny
  • GEN003160 - Cron logging must be implemented - rsyslog.conf
  • GEN003160 - Cron logging must be implemented - syslog.conf
  • GEN003160 - Cron logging must be implemented.
  • GEN003280 - Access to the 'at' utility must be controlled via the at.allow and/or at.deny file(s).
  • GEN003300 - The at.deny file must not be empty if it exists.
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ftp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ftp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'games' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'games' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'gopher' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'gopher' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'halt' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'halt' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'mail' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'mail' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'news' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'news' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'operator' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'operator' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'shutdown' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'shutdown' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.deny
  • GEN003540 - The system must implement non-executable program stacks - 'kernel.exec-shield'
  • GEN003540 - The system must implement non-executable program stacks - 'kernel.randomize_va_space'
  • GEN003540 - The system must implement non-executable program stacks.
  • GEN003660 - The system must log authentication informational data - rsyslog authpriv.*
  • GEN003660 - The system must log authentication informational data - rsyslog authpriv.debug
  • GEN003660 - The system must log authentication informational data - rsyslog authpriv.info
  • GEN003660 - The system must log authentication informational data - rsyslog.conf
  • GEN003660 - The system must log authentication informational data - syslog authpriv.*
  • GEN003660 - The system must log authentication informational data - syslog authpriv.debug
  • GEN003660 - The system must log authentication informational data - syslog authpriv.info
  • GEN003660 - The system must log authentication informational data - syslog.conf
  • GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_on_failure'
  • GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_on_success'
  • GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.conf log_type'
  • GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_on_failure'
  • GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_on_success'
  • GEN003800 - Xinetd logging/tracing must be enabled - '/etc/xinetd.d/* log_type'
  • GEN003820 - The rsh daemon must not be running.
  • GEN003830 - The rlogind service must not be running.
  • GEN003840 - The rexec daemon must not be running.
  • GEN003860 - The system must not have the finger service active.
  • GEN004440 - Sendmail logging must not be set to less than nine in the sendmail.cf file.
  • GEN004540 - The SMTP service HELP command must not be enabled - SmtpGreetingMessage
  • GEN004540 - The SMTP service HELP command must not be enabled.
  • GEN004540 - The SMTP service HELP command must not be enabled. helpfile does not exist
  • GEN004560 - The SMTP service's SMTP greeting must not provide version information.
  • GEN004580 - The system must not use .forward files - '/etc/mail/sendmail.cf'
  • GEN004580 - The system must not use .forward files - 'find .forward'
  • GEN004600 - The SMTP service must be an up-to-date version - 'postfix'
  • GEN004600 - The SMTP service must be an up-to-date version - 'sendmail'
  • GEN004620 - The Sendmail server must have the debug feature disabled.
  • GEN004660 - The SMTP service must not have the EXPN feature active.
  • GEN004680 - The SMTP service must not have the VRFY feature active.
  • GEN004700 - The Sendmail service must not have the wizard backdoor active.
  • GEN004710 - Mail relaying must be restricted - '/etc/mail/sendmail.cf DaemonPortOptions'
  • GEN004710 - Mail relaying must be restricted - '/etc/postfix/main.cf inet_interfaces'
  • GEN004710 - Mail relaying must be restricted - '/etc/postfix/main.cf smtpd_client_restrictions permit not before reject'
  • GEN004710 - Mail relaying must be restricted - '/etc/postfix/main.cf smtpd_client_restrictions reject exists'
  • GEN004710 - Mail relaying must be restricted - 'promiscuous_relay'
  • GEN004800 - Unencrypted FTP must not be used on the system - 'gssftp'
  • GEN004800 - Unencrypted FTP must not be used on the system - 'vsftpd'
  • GEN004820 - Anonymous FTP must not be active on the system unless authorized.
  • GEN004840 - If the system is an anonymous FTP server, it must be isolated to the DMZ network.
  • GEN004880 - The ftpusers file must exist.
  • GEN004900 - The ftpusers file must contain account names not allowed to use FTP.
  • GEN004920 - The ftpusers file must be owned by root - '/etc/ftpusers'
  • GEN004920 - The ftpusers file must be owned by root - '/etc/vsftpd.ftpusers'
  • GEN004920 - The ftpusers file must be owned by root - '/etc/vsftpd/ftpusers'
  • GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system - '/etc/ftpusers'
  • GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system - '/etc/vsftpd.ftpusers'
  • GEN004930 - The ftpusers file must be group-owned by root, bin, sys, or system - '/etc/vsftpd/ftpusers'
  • GEN004940 - The ftpusers file must have mode 0640 or less permissive - '/etc/ftpusers'
  • GEN004940 - The ftpusers file must have mode 0640 or less permissive - '/etc/vsftpd.ftpusers'
  • GEN004940 - The ftpusers file must have mode 0640 or less permissive - '/etc/vsftpd/ftpusers'
  • GEN004950 - The ftpusers file must not have an extended ACL - '/etc/ftpusers'
  • GEN004950 - The ftpusers file must not have an extended ACL - '/etc/vsftpd.ftpusers'
  • GEN004950 - The ftpusers file must not have an extended ACL - '/etc/vsftpd/ftpusers'
  • GEN004980 - The FTP daemon must be configured for logging or verbose mode.
  • GEN005000 - Anonymous FTP accounts must not have a functional shell.
  • GEN005040 - All FTP gssftp users must have a default umask of 077 - '/etc/vsftpd/vsftpd.conf anon_umask'
  • GEN005040 - All FTP gssftp users must have a default umask of 077 - '/etc/vsftpd/vsftpd.conf local_umask'
  • GEN005040 - All FTP gssftp users must have a default umask of 077 - '/etc/xinetd.d/gssftp'
  • GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system.
  • GEN005100 - The TFTP daemon must have mode 0755 or less permissive.
  • GEN005120 - The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell.
  • GEN005160 - Any X Windows host must write .Xauthority files.
  • GEN005180 - All .Xauthority files must have mode 0600 or less permissive.
  • GEN005190 - The .Xauthority files must not have extended ACLs.
  • GEN005200 - X displays must not be exported to the world.
  • GEN005220 - .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
  • GEN005240 - The .Xauthority utility must only permit access to authorized hosts.
  • GEN005260 - X Window System connections that are not required must be disabled.
  • GEN005390 - The /etc/rsyslog.conf file must have mode 0640 or less permissive.
  • GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive.
  • GEN005395 - The /etc/rsyslog.conf file must not have an extended ACL.
  • GEN005395 - The /etc/syslog.conf file must not have an extended ACL.
  • GEN005450 - The system must use a remote syslog server (loghost) - rsyslog.conf
  • GEN005450 - The system must use a remote syslog server (loghost) - syslog.conf
  • GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups - '/etc/pam.d/sshd pam_access.so required'
  • GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups - '/etc/ssh/sshd_config AllowGroups'
  • GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups - '/etc/ssh/sshd_config AllowUsers'
  • GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups.
  • GEN005740 - The NFS export configuration file must be owned by root.
  • GEN005750 - The NFS export configuration file must be group-owned by root, bin, sys, or system.
  • GEN005760 - The NFS export configuration file must have mode 0644 or less permissive.
  • GEN005770 - The NFS exports configuration file must not have an extended ACL.
  • GEN005800 - All NFS-exported system files and system directories must be owned by root.
  • GEN005810 - All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system.
  • GEN005820 - The NFS anonymous UID and GID must be configured to values that have no permissions - 'anongid'
  • GEN005820 - The NFS anonymous UID and GID must be configured to values that have no permissions - 'anonuid'
  • GEN005840 - The NFS server must be configured to restrict file system access to local hosts.
  • GEN005880 - The NFS server must not allow remote root access - 'all_squash / root_squash'
  • GEN005880 - The NFS server must not allow remote root access - 'no_root_squash'
  • GEN006060 - The system must not run the Samba service unless needed.
  • GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - '/etc/xinetd.d/swat'
  • GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - 'samba-swat'
  • GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - 'samba3x-swat'
  • GEN006100 - The /etc/samba/smb.conf file must be owned by root.
  • GEN006120 - The /etc/samba/smb.conf file must be group-owned by root, bin, sys, or system.
  • GEN006140 - The /etc/samba/smb.conf file must have mode 0644 or less permissive.
  • GEN006150 - The /etc/samba/smb.conf file must not have an extended ACL.
  • GEN006160 - The /etc/samba/passdb.tdb and /etc/samba.secrets.tdb files must be owned by root - '/etc/samba.secrets.tdb'
  • GEN006160 - The /etc/samba/passdb.tdb and /etc/samba.secrets.tdb files must be owned by root - '/etc/samba/passdb.tdb'
  • GEN006180 - The smbpasswd file must be group-owned by root - '/etc/samba/passdb.tdb'
  • GEN006180 - The smbpasswd file must be group-owned by root - '/etc/samba/secrets.tdb'
  • GEN006200 - The smbpasswd file must have mode 0600 or less permissive - '/etc/samba/passdb.tdb'
  • GEN006200 - The smbpasswd file must have mode 0600 or less permissive - '/etc/samba/secrets.tdb'
  • GEN006210 - The /etc/smbpasswd file must not have an extended ACL - '/etc/samba/passdb.tdb'
  • GEN006210 - The /etc/smbpasswd file must not have an extended ACL - '/etc/samba/secrets.tdb'
  • GEN006220 - The smb.conf file must use the 'hosts' option to restrict access to Samba.
  • GEN006225 - Samba must be configured to use an authentication mechanism other than 'share.'
  • GEN006230 - Samba must be configured to use encrypted passwords.
  • GEN006235 - Samba must be configured to not allow guest access to shares.
  • GEN006240 - The system must not run an Internet Network News (INN) server.
  • GEN006260 - The /etc/news/incoming.conf (or equivalent) must have mode 0600 or less permissive
  • GEN006270 - The /etc/news/incoming.conf file must not have an extended ACL.
  • GEN006280 - The /etc/news/infeed.conf (or equivalent) must have mode 0600 or less permissive.
  • GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
  • GEN006300 - The /etc/news/readers.conf (or equivalent) must have mode 0600 or less permissive
  • GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
  • GEN006320 - The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
  • GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
  • GEN006340 - Files in /etc/news must be owned by root or news.
  • GEN006360 - The files in /etc/news must be group-owned by root or news.
  • GEN006380 - The system must not use UDP for NIS/NIS+.
  • GEN006420 - NIS maps must be protected through hard-to-guess domain names.
  • GEN006565 - The system package management tool must be used to verify system software periodically.
  • GEN006570 - The file integrity tool must be configured to verify ACLs.
  • GEN006571 - The file integrity tool must be configured to verify extended attributes.
  • GEN006575 - The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
  • GEN006600 - The system's access control program must log each system access attempt - /etc/rsyslog.conf not found
  • GEN006600 - The system's access control program must log each system access attempt - /etc/syslog.conf not found
  • GEN006600 - The system's access control program must log each system access attempt - rsyslog *.debug
  • GEN006600 - The system's access control program must log each system access attempt - rsyslog *.info
  • GEN006600 - The system's access control program must log each system access attempt - rsyslog authpriv.*
  • GEN006600 - The system's access control program must log each system access attempt - rsyslog authpriv.debug
  • GEN006600 - The system's access control program must log each system access attempt - rsyslog authpriv.info
  • GEN006600 - The system's access control program must log each system access attempt - syslog *.debug
  • GEN006600 - The system's access control program must log each system access attempt - syslog *.info
  • GEN006600 - The system's access control program must log each system access attempt - syslog authpriv.*
  • GEN006600 - The system's access control program must log each system access attempt - syslog authpriv.debug
  • GEN006600 - The system's access control program must log each system access attempt - syslog authpriv.info
  • GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts.
  • GEN006640 - The system must use and update a DoD-approved virus scan program.
  • GEN007020 - The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
  • GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp /bin/true'
  • GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp_ipv4 /bin/true'
  • GEN007080 - The Datagram Congestion Control Protocol (DCCP) must be disabled unless required - 'install dccp_ipv6 /bin/true'
  • GEN007260 - The AppleTalk protocol must be disabled or not installed - 'install appletalk'
  • GEN007480 - The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required - 'install rds /bin/true'
  • GEN007540 - The Transparent Inter-Process Communication (TIPC) must be disabled or not installed - 'install tipc /bin/true'
  • GEN007660 - The Bluetooth protocol handler must be disabled or not installed - 'install bluetooth /bin/true'
  • GEN007850 - The DHCP client must not send dynamic DNS updates.
  • GEN007960 - The 'ldd' command must be disabled unless it protects against the execution of untrusted files.
  • GEN007980 - If using LDAP for auth or account information, must use a TLS connection using FIPS 140-2 algorithms - '/etc/ldap.conf'
  • GEN007980 - If using LDAP for auth or account information, must use a TLS connection using FIPS 140-2 algorithms - 'ssl start_tls'
  • GEN007980 - If using LDAP for auth or account information, must use a TLS connection using FIPS 140-2 approved algorithms - 'tls_ciphers'
  • GEN008000 - If using LDAP for auth or account info, certs used must be provided from DoD or an approved external PKI - 'manual cert check'
  • GEN008000 - If using LDAP for auth or account info, certs used must be provided from DoD or an approved external PKI - 'tls_cert'
  • GEN008020 - If using LDAP for auth or acct info, the LDAP TLS connection must require a cert that has a valid trust path to a trusted CA.
  • GEN008040 - If using LDAP for auth or account information, the system must check that the LDAP server's certificate has not been revoked.
  • GEN008050 - If using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
  • GEN008060 - If using LDAP for authentication or account information the /etc/ldap.conf file must have mode 0644 or less permissive.
  • GEN008080 - If using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
  • GEN008100 - If using LDAP for auth or account information, the /etc/ldap.conf file must be group-owned by root, bin, sys, or system.
  • GEN008120 - If using LDAP for auth or acct information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
  • GEN008140 - If using LDAP for auth or account information, the TLS certificate auth file and dir must be owned by root - '/etc/ssl/'
  • GEN008140 - If using LDAP for auth or account information, the TLS certificate auth file and dir must be owned by root - '/etc/ssl/certs'
  • GEN008140 - If using LDAP for auth or acct information, the TLS certificate auth file and dir must be owned by root - '/etc/ssl/ca.cert'
  • GEN008160 - Using LDAP for auth or account info, the TLS cert file and dir must be group-owned by root,bin,sys,or system - '/etc/ssl/'
  • GEN008160 - Using LDAP for auth or acct info, the TLS cert file and dir must be group-owned by root,bin,sys,or system - '/etc/ssl/certs'
  • GEN008160 - Using LDAP for auth or acct info, the TLS cert file and dir must be group-owned by root,bin,sys,or system - /etc/ssl/ca.cert
  • GEN008180 - If using LDAP for auth or account info, the TLS cert file and dir must have mode 0644 or less permissive - '/etc/ssl/ca.cert'
  • GEN008180 - If using LDAP for auth or account info, the TLS cert file and dir must have mode 0644 or less permissive - '/etc/ssl/certs'
  • GEN008180 - If using LDAP for auth or account info, the TLS cert file and dir must have mode 0755 or less permissive - '/etc/ssl/'
  • GEN008200 - If using LDAP for auth or account info, the TLS cert file and/or directory (as appropriate) must not have an extended ACL.
  • GEN008220 - For systems using NSS LDAP, the TLS certificate file must be owned by root - ''/etc/openldap/cacerts/cert.pem
  • GEN008240 - Using LDAP for auth or acct info, TLS cert must be group-owned by root,bin,sys,or system - '/etc/openldap/cacerts/cert.pem'
  • GEN008260 - If using LDAP for auth or acct info, the TLS cert must have mode 0644 or less permissive - '/etc/openldap/cacerts/cert.pem'
  • GEN008280 - If using LDAP for auth or acct info, the TLS cert must not have an extended ACL - '/etc/openldap/cacerts/cert.pem'
  • GEN008300 - If using LDAP for auth or acct info, the LDAP TLS key file must be owned by root - '/etc/openldap/cacerts/key.pem'
  • GEN008320 - If using LDAP for auth or acct info, the LDAP TLS key file must be group-owned by root - '/etc/openldap/cacerts/key.pem'
  • GEN008340 - If using LDAP for auth or acct info, the LDAP TLS key must have mode 0600 or less permissive - '/etc/openldap/cacerts/key.pem'
  • GEN008360 - If using LDAP for auth or acct info, the LDAP TLS key file must not have an extended ACL - '/etc/openldap/cacerts/key.pem'
  • GEN008480 - The system must have USB Mass Storage disabled unless needed.
  • GEN008500 - The system must have IEEE 1394 (Firewire) disabled unless needed.
  • GEN008800 - The package management tool must cryptographically verify the authenticity of packages during install - '/etc/yum.repos.d/*'
  • GEN008800 - The package management tool must cryptographically verify the authenticity of packages during installation - '/etc/yum.conf'
Miscellaneous
  • Platform check updated.
Revision 1.10

Sep 30, 2020

Functional Update
  • GEN001560 - All files and directories contained in user home directories must have mode 0750 or less permissive.
  • GEN001900 - All local initialization files executable search paths must contain only authorized paths.
  • GEN001901 - Local initialization files library search paths must contain only authorized paths.
  • GEN001902 - Local initialization files lists of preloaded libraries must contain only authorized paths.
  • GEN002560 - The system and user default umask must be 077 - '~/.*'
Revision 1.9

Sep 29, 2020

Miscellaneous
  • References updated.
Revision 1.8

Jul 28, 2020

Functional Update
  • GEN001160 - All files and directories must have a valid owner.
  • GEN001170 - All files and directories must have a valid group-owner.
Revision 1.7

Jul 14, 2020

Miscellaneous
  • Metadata updated.