Download
| Alert*
|
oval:gov.nist.usgcb.rhel:def:201745
The telnet service should be disabled. oval:gov.nist.usgcb.rhel:def:141130 The password dcredit should meet minimum requirements using pam_cracklib oval:gov.nist.usgcb.rhel:def:2034011 Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used. oval:gov.nist.usgcb.rhel:def:2034010 Require samba clients running smbclient to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing. oval:gov.nist.usgcb.rhel:def:201825 The tftp service should be disabled. oval:gov.nist.usgcb.rhel:def:202052 The atd service should be disabled. oval:gov.nist.usgcb.rhel:def:203175 The vsftpd service should be uninstalled. oval:gov.nist.usgcb.rhel:def:180372 The firewall should allow or reject access to the avahi service. oval:gov.nist.usgcb.rhel:def:182444 The irda service should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:181560 The rawdevices service should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:573897 The talk package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:573896 The talk-server package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:573895 The pam_ccreds package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:573894 The ipsec-tools package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:573893 The isdn4k-utils package should installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:573892 The sendmail package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:573891 The postfix package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:573898 The irda-utils package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:201480 The rsyslog package should be installed or uninstalled as appropriate. oval:gov.nist.usgcb.rhel:def:201479 Support for TIPC should be disabled. oval:gov.nist.usgcb.rhel:def:201115 Check for device ���le that is not labeled. oval:gov.nist.usgcb.rhel:def:201478 Support for RDS should be disabled. oval:gov.nist.usgcb.rhel:def:201474 Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain. oval:gov.nist.usgcb.rhel:def:201477 Support for SCTP should be disabled. oval:gov.nist.usgcb.rhel:def:201476 Support for DCCP should be disabled. oval:gov.nist.usgcb.rhel:def:40725 The autofs service should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:201006 Idle activation of the screen lock should be enabled. oval:gov.nist.usgcb.rhel:def:201005 Idle activation of the screen saver should be enabled. oval:gov.nist.usgcb.rhel:def:201007 The screen saver should be blank. oval:gov.nist.usgcb.rhel:def:36491 Firewall access to printing service should be enabled or disabled as appropriate oval:gov.nist.usgcb.rhel:def:201685 Audit rules about the Information on Kernel Module Loading and Unloading. oval:gov.nist.usgcb.rhel:def:201575 Audit rules about time are enabled oval:gov.nist.usgcb.rhel:def:99900 User accounts may or may not be inactivated a specified number of days after account expiration. oval:gov.nist.usgcb.rhel:def:201776 The rlogin service should be disabled. oval:gov.nist.usgcb.rhel:def:201775 The rsh service should be disabled. oval:gov.nist.usgcb.rhel:def:201774 The rcp service should be disabled. oval:gov.nist.usgcb.rhel:def:20306 The nosuid option should be enabled for all NFS mounts oval:gov.nist.usgcb.rhel:def:20303 The nfs service should be disabled oval:gov.nist.usgcb.rhel:def:20304 The rpcsvcgssd service should be disabled oval:gov.nist.usgcb.rhel:def:20205 The crond service should be enabled. oval:gov.nist.usgcb.rhel:def:20323 The httpd package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20200 The bluetooth service should be disabled. oval:gov.nist.usgcb.rhel:def:20201 The hidd service should be disabled. oval:gov.nist.usgcb.rhel:def:20322 The httpd service should be disabled. oval:gov.nist.usgcb.rhel:def:20317 The vsftpd service should be disabled. oval:gov.nist.usgcb.rhel:def:20312 The bind package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20311 The named service should be disabled. oval:gov.nist.usgcb.rhel:def:200855 Check each directory in root's path and make use it does not grant write permission to group and other oval:gov.nist.usgcb.rhel:def:20107 The SELinux policy should be set appropriately. oval:gov.nist.usgcb.rhel:def:20228 File permissions for /etc/cron.d should be set correctly. oval:gov.nist.usgcb.rhel:def:20226 File permissions for /etc/cron.weekly should be set correctly. oval:gov.nist.usgcb.rhel:def:20106 The SELinux state should be set appropriately. oval:gov.nist.usgcb.rhel:def:20227 File permissions for /etc/cron.monthly should be set correctly. oval:gov.nist.usgcb.rhel:def:20103 The direct gnome login warning banner should be set correctly. oval:gov.nist.usgcb.rhel:def:20224 File permissions for /etc/cron.hourly should be set correctly. oval:gov.nist.usgcb.rhel:def:20104 SELinux should be enabled oval:gov.nist.usgcb.rhel:def:20225 File permissions for /etc/cron.daily should be set correctly. oval:gov.nist.usgcb.rhel:def:20101 The vlock package should be installed oval:gov.nist.usgcb.rhel:def:20102 The system login banner text should be set correctly. oval:gov.nist.usgcb.rhel:def:20341 The squid service should be disabled. oval:gov.nist.usgcb.rhel:def:20100 The allowed period of inactivity gnome desktop lockout should be configured correctly. oval:gov.nist.usgcb.rhel:def:20342 The squid package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20340 The smb service should be disabled. oval:gov.nist.usgcb.rhel:def:20213 File permissions for /etc/anacrontab should be set correctly. oval:gov.nist.usgcb.rhel:def:20332 The dovecot package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20210 File permissions for /etc/crontab should be set correctly. oval:gov.nist.usgcb.rhel:def:20331 The dovecot service should be disabled. oval:gov.nist.usgcb.rhel:def:20008 The yum-updatesd service should be disabled oval:gov.nist.usgcb.rhel:def:20006 If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoi ... oval:gov.nist.usgcb.rhel:def:20248 Disable the ability to provide remote graphical display oval:gov.nist.usgcb.rhel:def:20007 The rhnsd service should be disabled. oval:gov.nist.usgcb.rhel:def:20128 All wireless interfaces should be disabled. oval:gov.nist.usgcb.rhel:def:20249 Enable warning banner for GUI login oval:gov.nist.usgcb.rhel:def:20004 System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume. oval:gov.nist.usgcb.rhel:def:20125 Performing source validation by reverse path should be enabled or disabled for all interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20005 Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing ... oval:gov.nist.usgcb.rhel:def:20126 The default setting for performing source validation by reverse path should be enabled or disabled for network interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20002 The /var directory is used by daemons and other system services to store frequently-changing data. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. ... oval:gov.nist.usgcb.rhel:def:20123 Ignoring bogus ICMP responses to broadcasts should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:20244 Remote connections from accounts with empty passwords should be disabled (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20365 The snmpd service should be disabled. oval:gov.nist.usgcb.rhel:def:20124 Sending TCP syncookies should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:20245 SSH warning banner should be enabled (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20366 The net-snmp package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20000 The /tmp directory is a world-writable directory used for temporary ���le storage. Verify that it has its own partition or logical volume. oval:gov.nist.usgcb.rhel:def:20121 The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for network interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20242 SSH host-based authentication should be disabled (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20122 Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:20243 Root login via SSH should be disabled (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20240 The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20120 The default setting for accepting ICMP redirects should be enabled or disabled for network interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20241 Emulation of the rsh command through the ssh server should be disabled (and dependencies are met) oval:gov.nist.usgcb.rhel:def:43680 CCE-4368-7:Mount Remote Filesystems with nodev oval:gov.nist.usgcb.rhel:def:200801 The "account deny" policy should meet minimum requirements. oval:gov.nist.usgcb.rhel:def:20118 Logging of "martian" packets (those with impossible addresses) should be enabled or disabled for all interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20239 The SSH idle timout interval should be set to an appropriate value (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20119 The default setting for accepting source routed packets should be enabled or disabled for network interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20116 Accepting ICMP redirects should be enabled or disabled for all interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20117 Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for all interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20238 SSH version 1 protocol support should be disabled. (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20114 IP forwarding should be disabled. oval:gov.nist.usgcb.rhel:def:20115 Accepting source routed packets should be enabled or disabled for all interfaces as appropriate. oval:gov.nist.usgcb.rhel:def:20112 The default setting for sending ICMP redirects should be disabled for network interfaces. oval:gov.nist.usgcb.rhel:def:20113 Sending ICMP redirects should be disabled for all interfaces. oval:gov.nist.usgcb.rhel:def:20110 The mcstrans service should be disabled. oval:gov.nist.usgcb.rhel:def:20028 prevents usage of this uncommon ���lesystems. oval:gov.nist.usgcb.rhel:def:20149 All rsyslog log files should be owned by root user. oval:gov.nist.usgcb.rhel:def:20029 prevents usage of this uncommon ���lesystems. oval:gov.nist.usgcb.rhel:def:20147 The iptables service should be enabled. oval:gov.nist.usgcb.rhel:def:20268 The dhcpd service should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:20027 prevents usage of this uncommon ���lesystems. oval:gov.nist.usgcb.rhel:def:20148 The syslog service should be enabled or disabled as appropriate. oval:gov.nist.usgcb.rhel:def:20269 The dhcp package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20266 The hplip service should be disabled. oval:gov.nist.usgcb.rhel:def:20146 The ip6tables service should be enabled. oval:gov.nist.usgcb.rhel:def:20019 The nosuid option should be enabled for all removable media. oval:gov.nist.usgcb.rhel:def:20017 The nodev option should be enabled for all removable media. oval:gov.nist.usgcb.rhel:def:20018 The noexec option should be enabled for all removable media. oval:gov.nist.usgcb.rhel:def:20136 Accepting redirects from IPv6 routers should be disabled as appropriate for all network interfaces. (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20016 The nodev option should be enabled for all non-root partitions. oval:gov.nist.usgcb.rhel:def:20014 The AIDE package should be installed oval:gov.nist.usgcb.rhel:def:20135 The default setting for accepting IPv6 router advertisements should be disabled for network interfaces. (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20011 To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo con���guration ���les in /etc/yum.repos.d or elsewhere oval:gov.nist.usgcb.rhel:def:20130 Automatic IPv6 address assignment should be disabled. oval:gov.nist.usgcb.rhel:def:20010 The gpgcheck option should be used to ensure that checking of an RPM package���s signature always occurs prior to its installation./ oval:gov.nist.usgcb.rhel:def:20250 The avahi-daemon service should be disabled. oval:gov.nist.usgcb.rhel:def:144120 Add nodev Option to /tmp Partition oval:gov.nist.usgcb.rhel:def:20048 The sgid bit should be set only for specified files. oval:gov.nist.usgcb.rhel:def:20169 Force a reboot to change audit rules is enabled oval:gov.nist.usgcb.rhel:def:20049 The suid bit should be set only for specified files. oval:gov.nist.usgcb.rhel:def:20046 The sticky bit should be set for all world-writable directories. oval:gov.nist.usgcb.rhel:def:20167 Audit rules about the Files Deletion Events by User (successful and unsuccessful) are enabled oval:gov.nist.usgcb.rhel:def:20047 The world-write permission should be disabled for all files. oval:gov.nist.usgcb.rhel:def:20168 Audit rules about the System Administrator Actions are enabled oval:gov.nist.usgcb.rhel:def:20289 The ldap service should be disabled. oval:gov.nist.usgcb.rhel:def:20044 File permissions for /etc/gshadow should be set correctly. oval:gov.nist.usgcb.rhel:def:20165 Audit rules about the Information on the Use of Privileged Commands are enabled oval:gov.nist.usgcb.rhel:def:20045 File permissions for /etc/passwd should be set correctly. oval:gov.nist.usgcb.rhel:def:20166 Audit rules about the Information on Exporting to Media (successful) are enabled oval:gov.nist.usgcb.rhel:def:20042 File permissions for /etc/shadow should be set correctly. oval:gov.nist.usgcb.rhel:def:20163 Audit rules about the Discretionary Access Control Permission Modi���cation Events are enabled oval:gov.nist.usgcb.rhel:def:20043 File permissions for /etc/group should be set correctly. oval:gov.nist.usgcb.rhel:def:20164 Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled oval:gov.nist.usgcb.rhel:def:20283 A remote NTP Server for time synchronization should be specified (and dependencies are met) oval:gov.nist.usgcb.rhel:def:20160 Audit rules about the System���s Mandatory Access Controls are enabled oval:gov.nist.usgcb.rhel:def:20281 The ntpd service should be enabled. oval:gov.nist.usgcb.rhel:def:20158 Audit rules about User/Group Information are enabled oval:gov.nist.usgcb.rhel:def:20159 Audit rules about the System���s Network Environment are enabled oval:gov.nist.usgcb.rhel:def:20156 The auditd service should be enabled. oval:gov.nist.usgcb.rhel:def:20157 Look for argument audit=1 in the kernel line in /boot/grub/grub.conf oval:gov.nist.usgcb.rhel:def:20033 prevents usage of this uncommon ���lesystems. oval:gov.nist.usgcb.rhel:def:20154 The logrotate (syslog rotater) service should be enabled. oval:gov.nist.usgcb.rhel:def:20031 prevents usage of this uncommon ���lesystems. oval:gov.nist.usgcb.rhel:def:20152 Syslog logs should be sent to a remote loghost oval:gov.nist.usgcb.rhel:def:20032 prevents usage of this uncommon ���lesystems. oval:gov.nist.usgcb.rhel:def:20153 RSyslogd should reject remote messages oval:gov.nist.usgcb.rhel:def:20150 All syslog log files should be owned by the appropriate group. oval:gov.nist.usgcb.rhel:def:20030 prevents usage of this uncommon ���lesystems. oval:gov.nist.usgcb.rhel:def:20151 File permissions for all syslog log files should be set correctly. oval:gov.nist.usgcb.rhel:def:20068 Login access to non-root system accounts should be disabled oval:gov.nist.usgcb.rhel:def:20069 Login access to accounts without passwords should be disabled oval:gov.nist.usgcb.rhel:def:20066 Command access to the root account should be restricted to the wheel group. oval:gov.nist.usgcb.rhel:def:20187 The kdump service should be disabled. oval:gov.nist.usgcb.rhel:def:20064 Login prompts on serial ports should be disabled. oval:gov.nist.usgcb.rhel:def:20065 The wheel group should exist oval:gov.nist.usgcb.rhel:def:20186 The isdn service should be disabled. oval:gov.nist.usgcb.rhel:def:20063 Logins through the primary console device should be disabled oval:gov.nist.usgcb.rhel:def:20181 The ypbind service should be disabled. oval:gov.nist.usgcb.rhel:def:20182 The tftp-server package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20180 The ypserv package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20059 Kernel support for the XD/NX processor feature should be enabled oval:gov.nist.usgcb.rhel:def:20057 ExecShield should be enabled oval:gov.nist.usgcb.rhel:def:20058 ExecShield randomized placement of virtual memory regions should be enabled oval:gov.nist.usgcb.rhel:def:20055 Core dumps for all users should be disabled oval:gov.nist.usgcb.rhel:def:20056 Core dumps for setuid programs should be disabled oval:gov.nist.usgcb.rhel:def:20177 The rsh-server package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20053 The daemon umask should be set as appropriate oval:gov.nist.usgcb.rhel:def:20174 The telnet-server package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20295 The netfs service should be disabled. oval:gov.nist.usgcb.rhel:def:500116 Add noexec Option to /tmp Partition oval:gov.nist.usgcb.rhel:def:20296 The portmap service should be disabled. oval:gov.nist.usgcb.rhel:def:500115 Add noexec Option to /dev/shm Partition oval:gov.nist.usgcb.rhel:def:20051 All files should be owned by a group oval:gov.nist.usgcb.rhel:def:20172 The inetd package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20293 The rpcgssd service should be disabled. oval:gov.nist.usgcb.rhel:def:500114 Add nosuid Option to /dev/shm Partition oval:gov.nist.usgcb.rhel:def:20173 The xinetd package should be uninstalled. oval:gov.nist.usgcb.rhel:def:20294 The rpcidmapd service should be disabled. oval:gov.nist.usgcb.rhel:def:500113 Add nodev Option to /dev/shm Partition oval:gov.nist.usgcb.rhel:def:20170 The inetd service should be disabled. oval:gov.nist.usgcb.rhel:def:20050 All files should be owned by a user oval:gov.nist.usgcb.rhel:def:20171 The xinetd service should be disabled. oval:gov.nist.usgcb.rhel:def:20292 The nfslock service should be disabled. oval:gov.nist.usgcb.rhel:def:500119 Postfix network listening should be disabled oval:gov.nist.usgcb.rhel:def:500118 Disable the network sniffer oval:gov.nist.usgcb.rhel:def:500117 Bind mount the /var/tmp directory to /var oval:gov.nist.usgcb.rhel:def:20088 The default umask for all users should be set correctly for the csh shell oval:gov.nist.usgcb.rhel:def:20089 The default umask for all users should be set correctly oval:gov.nist.usgcb.rhel:def:20086 File permissions should be set correctly for the home directories for all user accounts. oval:gov.nist.usgcb.rhel:def:20087 The default umask for all users should be set correctly for the bash shell oval:gov.nist.usgcb.rhel:def:20084 The passwords to remember should be set correctly. oval:gov.nist.usgcb.rhel:def:20085 The PATH variable should be set correctly for user root oval:gov.nist.usgcb.rhel:def:20083 The password hashing algorithm should be set correctly. oval:gov.nist.usgcb.rhel:def:178160 The libuser library imports login_defs from a file as appropriate. oval:gov.nist.usgcb.rhel:def:20077 NIS file inclusions should be set appropriately in the /etc/passwd file oval:gov.nist.usgcb.rhel:def:20075 NIS file inclusions should be set appropriately in the /etc/shadow file oval:gov.nist.usgcb.rhel:def:20196 The readahead_early service should be disabled. oval:gov.nist.usgcb.rhel:def:20076 NIS file inclusions should be set appropriately in the /etc/group file oval:gov.nist.usgcb.rhel:def:20197 The readahead_later service should be disabled. oval:gov.nist.usgcb.rhel:def:20073 The "maximum password age" policy should meet minimum requirements. oval:gov.nist.usgcb.rhel:def:20074 The password warn age should be set appropriately oval:gov.nist.usgcb.rhel:def:20071 The password minimum length should be set appropriately oval:gov.nist.usgcb.rhel:def:20072 The "minimum password age" policy should meet minimum requirements. oval:gov.nist.usgcb.rhel:def:20193 Disable Zeroconf automatic route assignment in the 169.245.0.0 subnet. oval:gov.nist.usgcb.rhel:def:20070 Anonymous root logins are disabled oval:gov.nist.usgcb.rhel:def:20097 The ability for users to perform interactive startups should be disabled. oval:gov.nist.usgcb.rhel:def:20095 The grub boot loader should have password protection enabled oval:gov.nist.usgcb.rhel:def:20096 The requirement for a password to boot into single-user mode should be configured correctly. oval:gov.nist.usgcb.rhel:def:200155 >Verify the integrity of installed packages by comparing the installed ���les with information about the ���les taken from the package metadata stored in the RPM database. oval:gov.nist.usgcb.rhel:def:20094 File permissions for /boot/grub/grub.conf should be set correctly. oval:gov.nist.usgcb.rhel:def:202456 Use only approved ciphers oval:gov.nist.usgcb.rhel:def:202455 PermitUserEnvironment should be disabled oval:gov.nist.usgcb.rhel:def:20090 The default umask for all users should be set correctly oval:gov.nist.usgcb.rhel:def:500112 Add nosuid Option to /tmp Partition oval:gov.nist.usgcb.rhel:def:200065 The GPG key should be installed. oval:gov.nist.usgcb.rhel:def:202885 Clients require LDAP servers to provide valid certificates for SSL communications. oval:gov.nist.usgcb.rhel:def:200785 The password ocredit should meet minimum requirements using pam_cracklib oval:gov.nist.usgcb.rhel:def:200786 The password lcredit should meet minimum requirements using pam_cracklib oval:gov.nist.usgcb.rhel:def:200787 The password difok should meet minimum requirements using pam_cracklib oval:gov.nist.usgcb.rhel:def:200781 The password retry should meet minimum requirements using pam_cracklib oval:gov.nist.usgcb.rhel:def:200784 The password ucredit should meet minimum requirements using pam_cracklib oval:gov.nist.usgcb.rhel:def:200695 Check that passwords are shadowed |
