Table 9-1 lists the vulnerabilities fixed by running the STIGfix script.
Table 9-1 List of Vulnerabilities Fixed by STIGfix Script
| Vulnerability ID | Description |
|---|---|
|
GEN000000_LNX00380 |
An Xserver must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock. |
|
GEN000000-LNX00440 |
The /etc/security/access.conf file must have mode 0640 or less permissive. |
|
GEN000000-LNX00520 |
The /etc/sysctl.conf file must have mode 0600 or less permissive. |
|
GEN000000-LNX00580 |
The x86 CTRL-ALT-DELETE key sequence must be disabled. |
|
GEN000020 |
The system must require authentication upon booting into single-user and maintenance modes. (CCE-4241-6) |
|
GEN000252 |
The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. |
|
GEN000290-2 |
The system must not have the unnecessary (news) account. |
|
GEN000290-3 |
The system must not have the unnecessary (gopher) account. |
|
GEN000290-4 |
The system must not have the unnecessary (ftp) account. |
|
GEN000460 |
The system must disable accounts after three consecutive unsuccessful login attempts. |
|
GEN000500_2 |
The graphical desktop environment must set the idle timeout to no more than 15 minutes. Note: You can ignore the Fail status on the Linux 6 operating system. |
|
GEN000500_3 |
Graphical desktop environments provided by the system must have automatic lock enabled. |
|
GEN000540 |
Users must not be able to change passwords more than once every 24 hours. |
|
GEN000560 |
The system must not have accounts configured with blank or null passwords. |
|
GEN000580 |
The system must require passwords contain a minimum of 14 characters. |
|
GEN000590 |
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. |
|
GEN000600 |
The system must require passwords contain at least one uppercase alphabetic character. |
|
GEN000610 |
The system must require passwords contain at least one lowercase alphabetic character. |
|
GEN000620 |
The system must require passwords contain at least one numeric character. |
|
GEN000640 |
The system must require passwords contain at least one special character. |
|
GEN000680 |
The system must require passwords contain no more than three consecutive repeating characters. |
|
GEN000700 |
User passwords must be changed at least every 60 days. |
|
GEN000750 |
The system must require at least four characters be changed between the old and new passwords during a password change. |
|
GEN000800 |
The system must prohibit the reuse of passwords within five iterations. |
|
GEN000920 |
The root account's home directory (other than /) must have mode 0700. |
|
GEN000940 |
The root account's executable search path must be the vendor default and must contain only absolute paths. |
|
GEN000980 |
The system must prevent the root account from directly logging in except from the system console. |
|
GEN001120 |
The system must not permit root logins using remote access programs such as ssh. |
|
GEN001720 |
All global initialization files must have mode 0644 or less permissive. |
|
GEN002100 |
The rhosts file must not be supported in PAM. |
|
GEN002560 |
The system and user default umask must be 077. |
|
GEN003060 |
Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file if the cron.allow file does not exist. |
|
GEN003080 |
Crontab files must have mode 0600 or less permissive and files in cron script directories must have mode 0700 or less. |
|
GEN003080-2 |
Files in cron script directories must have mode 0700 or less permissive. |
|
GEN003200 |
The cron.deny file must have mode 0600 or less permissive. |
|
GEN003320 |
Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist. |
|
GEN003609 |
The system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. |
|
GEN003610 |
The system must not send IPv4 Internet Control Message Protocol (ICMP) redirects. |
|
GEN003740 |
The xinetd configuration files must have mode 0640 or less permissive. |
|
GEN003810 |
The portmap or rpcbind service must not be running unless needed. Note: You can ignore the Fail status on the Linux 6 operating system. |
|
GEN004000 |
The traceroute file must have mode 0700 or less permissive. |
|
GEN004540 |
The SMTP service HELP command must not be enabled. |
|
GEN004580 |
The system must not use forward files. |
|
GEN005040 |
All FTP users must have a default umask of 077. Note: You can ignore the Fail status on the Linux 6 operating system. |
|
GEN005320 |
The snmpd.conf file must have mode 0600 or less permissive. |
|
GEN005390 |
The /etc/syslog.conf file must have mode 0640 or less permissive. Note: You can ignore the Fail status on the Linux 6 operating system. |
|
GEN005501 |
The SSH client must be configured to only use the SSHv2 protocol. |
|
GEN005505 |
The SSH daemon must be configured to only use FIPS 140-2 approved ciphers. |
|
GEN005507 |
The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
|
GEN005550 |
The SSH daemon must be configured with the Department of Defense (DoD) logon banner. This file contains the banner message which will be displayed to any user accessing the hardened system. Users should modify this file to add their company policy or banner message before applying STIGfix. |
|
GEN007020 |
The Stream Control Transmission Protocol (SCTP) must be disabled unless required. |
|
GEN007080 |
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. |
|
GEN007480 |
The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required. |
|
GEN007540 |
The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled. |
|
GEN007660 |
The Bluetooth protocol handler must be disabled or not installed. |
|
GEN008040 |
If the system is using LDAP for authentication or account information, the system must verify that the LDAP server's certificate has not been revoked. |
|
GEN008700 |
The system boot loader must require authentication. |
Parent topic: Hardening an Exalytics Machine