D Security Technical Implementation Guides Compliance Standards

Oracle Key Vault follows the Security Technical Implementation Guides (STIG)-based compliance standards.

D.1 About Security Technical Implementation Guides

A Security Technical Implementation Guide (STIG) is a methodology followed by the U.S. Department of Defense (DOD).

STIG is designed to reduce the attack surface of computer systems and networks, thereby ensuring a lockdown of highly confidential information stored within the DOD network. STIGs provide secure configuration standards for the DOD's Information Assurance (IA) and IA-enabled devices and systems. STIGs are created by the Defense Information Systems Agency (DISA).

For over a decade, Oracle has worked closely with the DOD to develop, publish, and maintain a growing list of STIGs for a variety of core Oracle products and technologies including:

  • Oracle Database

  • Oracle Solaris

  • Oracle Linux

  • Oracle WebLogic

When STIGs are updated, Oracle analyzes the latest recommendations in order to identify new ways to improve the security of its products by:

  • Implementing new and innovative security capabilities that are then added to future STIG updates

  • Delivering functionality to automate the assessment and implementation of STIG recommendations

  • Improving "out of the box" security configuration settings based upon STIG recommendations

D.2 Enabling and Disabling STIG Rules on Oracle Key Vault

You can enable STIG rules on Oracle Key Vault by enabling Strict mode.

D.2.1 Enabling STIG Rules on Oracle Key Vault

You enable STIG rules (strict mode) from the command line.

  1. Log in to the operating system of the Key Vault server as the root user.
  2. Run the following command as root:
    /usr/local/dbfw/bin/stig --enable

D.2.2 Disabling STIG Rules on Oracle Key Vault

You disable STIG rules (strict mode) from the command line.

  1. Log in to the operating system of the Key Vault server as the root user.
  2. Run the following command as root:
    /usr/local/dbfw/bin/stig --disable

D.3 Current Implementation of STIG Rules on Oracle Key Vault

You should be aware of the vulnerability categories that STIG recommendations address.

Oracle has developed a security-hardened configuration of Oracle Key Vault that supports U.S. Department of Defense Security Technical Implementation Guide (STIG) recommendations.

Table D-1 lists the three vulnerability categories that STIG recommendations address.

Table D-1 Vulnerability Categories

Category | Description
CAT I | Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
CAT II | Any vulnerability, the exploitation of which has the potential to result in loss of Confidentiality, Availability, or Integrity.
CAT III | Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

D.4 Current Implementation of Database STIG Rules

The current implementation of the database STIG rules encompasses a wide range of rules.

Table D-2 shows the current implementation of Database STIG rules on Oracle Key Vault.

Table D-2 Current Implementation of Database STIG Rules

STIG ID | Title | Severity | Addressed by Script | Addressed by Documentation | Action required | Implemented | Notes
DG0004-ORACLE11 | DBMS application object owner accounts | CAT II | No | No | None | No | Application object owner accounts KEYVAULT, APEX_040200, MANAGEMENT, and AVSYS are locked after the installation of Oracle Key Vault.
DG0008-ORACLE11 | DBMS application object ownership | No | No | Yes | No | No | The object owner accounts in the Oracle Key Vault server are KEYVAULT, APEX_040200, AVSYS, and MANAGEMENT.
DG0014-ORACLE11 | DBMS demonstration and sample databases | CAT II | No | No | None | No | All default demonstration and sample database objects have been removed.
DG0071-ORACLE11 | DBMS password change variance | CAT II | No | No | No | No | Currently not supported
DG0073-ORACLE11 | DBMS failed login account lock | CAT II | Yes | No | No | No | For profiles, FAILED_LOGIN_ATTEMPTS is set to the required limit in the script.
DG0075-ORACLE11 | DBMS links to external databases | CAT II | No | Yes | No | No | No
DG0077-ORACLE11 | Production data protection on a shared system | CAT II | No | No | None | No | No
DG0116-ORACLE11 | DBMS privileged role assignments | CAT II | Yes | Yes | No | No | No
DG0117-ORACLE11 | DBMS administrative privilege assignment | CAT II | No | No | No | No | Currently not supported
DG0121-ORACLE11 | DBMS application user privilege assignment | CAT II | No | No | No | No | Currently not supported
DG0123-ORACLE11 | DBMS Administrative data access | CAT II | No | No | No | No | Currently not supported
DG0125-ORACLE11 | DBMS account password expiration | CAT II | Yes | No | No | No | For profiles, PASSWORD_LIFE_TIME is set to the required limit in the script.
DG0126-ORACLE11 | DBMS account password reuse | CAT II | No | No | None | No | No
DG0128-ORACLE11 | DBMS default passwords | CAT I | Yes | No | No | No | Account CTXSYS is assigned a random password in the script.
DG0133-ORACLE11 | DBMS Account lock time | CAT II | Yes | No | No | No | No
DG0141-ORACLE11 | DBMS access control bypass | CAT II | Yes | No | No | No | Users can use a script to audit the following events: DROP ANY SYNONYM, DROP ANY INDEXTYPE.
DG0142-ORACLE11 | DBMS Privileged action audit | CAT II | No | No | None | No | No
DG0192-ORACLE11 | DBMS fully-qualified name for remote access | CAT II | Yes | No | No | No | Currently not supported
DO0231-ORACLE11 | Oracle application object owner tablespaces | CAT II | No | No | No | No | Currently not supported
DO0250-ORACLE11 | Oracle database link usage | CAT II | No | Yes | No | No | No
DO0270-ORACLE11 | Oracle redo log file availability | CAT II | No | No | No | No | Currently not supported
DO0350-ORACLE11 | Oracle system privilege assignment | CAT II | No | No | No | No | Currently not supported
DO3475-ORACLE11 | Oracle PUBLIC access to restricted packages | CAT II | No | No | No | No | Currently not supported
DO3536-ORACLE11 | Oracle IDLE_TIME profile parameter | CAT II | Yes | No | No | No | No
DO3540-ORACLE11 | Oracle SQL92_SECURITY parameter | CAT II | No | No | None | No | Parameter SQL92_SECURITY is already set to TRUE.
DO3609-ORACLE11 | System privileges granted WITH ADMIN OPTION | CAT II | No | No | No | No | Currently not supported
DO3610-ORACLE11 | Oracle minimum object auditing | CAT II | No | No | No | No | Currently not supported
DO3689-ORACLE11 | Oracle object permission assignment to PUBLIC | CAT II | No | No | No | No | Currently not supported
DO3696-ORACLE11 | Oracle RESOURCE_LIMIT parameter | CAT II | No | No | No | No | Currently not supported

D.5 Current Implementation of Operating System STIG Rules

The current implementation of the operating system STIG rules encompasses a wide range of rules.

Table D-3 shows the current implementation of Operating System STIG Rules on Oracle Key Vault.

Table D-3 Current Implementation of Operating System STIG Rules

STIG ID | Title | Severity | Key Vault Server - Default | Key Vault Server - STIG
SV-50237r1_rule | Automated file system mounting tools must not be enabled unless needed. | CAT III | No action required | Addressed by script
SV-50238r2_rule | Auditing must be enabled at boot by setting a kernel parameter. | CAT III | No action required | Addressed by script
SV-50243r1_rule | The /etc/gshadow file must be owned by root. | CAT II | No action required | Addressed by script
SV-50248r1_rule | The /etc/gshadow file must be group-owned by root. | CAT II | No action required | Addressed by script
SV-50249r1_rule | The /etc/gshadow file must have mode 0000. | CAT II | No action required | Addressed by script
SV-50250r1_rule | The /etc/passwd file must be owned by root. | CAT II | No action required | Addressed by script
SV-50251r1_rule | The /etc/passwd file must be group-owned by root. | CAT II | No action required | Addressed by script
SV-50255r1_rule | The system must use a separate file system for /tmp. | CAT III | No action required | Addressed by script
SV-50256r1_rule | The system must use a separate file system for /var. | CAT III | Addressed by script | Implemented differently
SV-50257r1_rule | The /etc/passwd file must have mode 0644 or less permissive. | CAT II | No action required | Addressed by script
SV-50258r1_rule | The /etc/group file must be owned by root. | CAT II | No action required | Addressed by script
SV-50259r1_rule | The /etc/group file must be group-owned by root. | CAT II | No action required | Addressed by script
SV-50261r1_rule | The /etc/group file must have mode 0644 or less permissive. | CAT II | No action required | Addressed by script
SV-50263r1_rule | The system must use a separate file system for /var/log. | CAT III | No action required | Addressed by script
SV-50266r1_rule | Library files must be owned by root. | CAT II | No action required | Addressed by script
SV-50267r1_rule | The system must use a separate file system for the system audit data path. | CAT III | Addressed by script | Not implemented
SV-50269r2_rule | All system command files must have mode 0755 or less permissive. | CAT II | No action required | Addressed by script
SV-50270r2_rule | The audit system must alert designated staff members when the audit storage volume approaches capacity. | CAT II | Addressed by script | Not implemented
SV-50272r1_rule | All system command files must be owned by root. | CAT II | No action required | Addressed by script
SV-50273r1_rule | The system must use a separate file system for user home directories. | CAT III | No action required | Addressed by script
SV-50275r1_rule | The system must require passwords to contain a minimum of 14 characters. | CAT II | Addressed by script | Addressed by script
SV-50277r1_rule | Users must not be able to change passwords more than once every 24 hours. | CAT II | No action required | Addressed by script
SV-50278r2_rule | The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. | CAT III | No action required | Addressed by script
SV-50279r1_rule | User passwords must be changed at least every 60 days. | CAT II | Addressed by script | Addressed by script
SV-50280r1_rule | Users must be warned 7 days in advance of password expiration. | CAT III | No action required | Addressed by script
SV-50282r1_rule | The system must require passwords to contain at least one numeric character. | CAT III | No action required | Addressed by script
SV-50283r1_rule | The system package management tool must cryptographically verify the authenticity of system software packages during installation. | CAT II | No action required | Addressed by script
SV-50288r1_rule | The system package management tool must cryptographically verify the authenticity of all software packages during installation. | CAT III | No action required | Addressed by script
SV-50290r1_rule | A file integrity tool must be installed. | CAT II | No action required | Addressed by script
SV-50291r2_rule | The operating system must enforce requirements for the connection of mobile devices to operating systems. | CAT II | No action required | Addressed by script
SV-50292r1_rule | There must be no .rhosts or hosts.equiv files on the system. | CAT I | No action required | Addressed by script
SV-50293r1_rule | The system must prevent the root account from logging in from virtual consoles. | CAT II | No action required | Addressed by script
SV-50295r1_rule | The system must prevent the root account from logging in from serial consoles. | CAT III | No action required | Addressed by script
SV-50296r1_rule | Audit log files must be owned by root. | CAT II | No action required | Addressed by script
SV-50298r2_rule | The system must not have accounts configured with blank or null passwords. | CAT I | No action required | Addressed by script
SV-50299r1_rule | Audit log files must have mode 0640 or less permissive. | CAT II | No action required | Addressed by script
SV-50300r1_rule | The /etc/passwd file must not contain password hashes. | CAT II | No action required | Addressed by script
SV-50301r2_rule | The root account must be the only account having a UID of 0. | CAT II | No action required | Addressed by script
SV-50302r3_rule | The system must disable accounts after excessive login failures within a 15-minute interval. | CAT II | No action required | Addressed by script
SV-50303r1_rule | The /etc/shadow file must be owned by root. | CAT II | No action required | Addressed by script
SV-50304r1_rule | The /etc/shadow file must be group-owned by root. | CAT II | No action required | Addressed by script
SV-50305r1_rule | The /etc/shadow file must have mode 0000. | CAT II | No action required | Addressed by script
SV-50312r1_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router. | CAT II | No action required | Addressed by script
SV-50313r2_rule | The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. | CAT II | No action required | Addressed by script
SV-50314r1_rule | The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. | CAT II | No action required | Addressed by script
SV-50315r2_rule | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. | CAT II | No action required | Addressed by script
SV-50316r2_rule | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. | CAT II | No action required | Addressed by script
SV-50317r2_rule | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. | CAT III | No action required | Addressed by script
SV-50318r2_rule | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. | CAT II | No action required | Addressed by script
SV-50319r2_rule | All rsyslog-generated log files must be owned by root. | CAT II | No action required | Addressed by script
SV-50321r1_rule | The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. | CAT II | Addressed by script | Not implemented
SV-50322r1_rule | The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components. | CAT II | Addressed by script | Not implemented
SV-50323r2_rule | The audit system must be configured to audit all attempts to alter system time through settimeofday. | CAT III | No action required | Addressed by script
SV-50324r2_rule | The system must not accept IPv4 source-routed packets on any interface. | CAT II | No action required | Addressed by script
SV-50325r1_rule | The system must not accept ICMPv4 redirect packets on any interface. | CAT II | No action required | Addressed by script
SV-50326r3_rule | The audit system must be configured to audit all attempts to alter system time through stime. | CAT III | No action required | Addressed by script
SV-50327r1_rule | The system must not accept ICMPv4 secure redirect packets on any interface. | CAT II | No action required | Addressed by script
SV-50328r2_rule | The audit system must be configured to audit all attempts to alter system time through clock_settime. | CAT III | No action required | Addressed by script
SV-50329r1_rule | The system must log Martian packets. | CAT III | Addressed by script | Not implemented
SV-50330r1_rule | The system must not accept IPv4 source-routed packets by default. | CAT II | No action required | Addressed by script
SV-50331r1_rule | The audit system must be configured to audit all attempts to alter system time through /etc/localtime. | CAT III | No action required | Addressed by script
SV-50332r1_rule | The operating system must automatically audit account creation. | CAT III | No action required | Addressed by script
SV-50333r1_rule | The system must not accept ICMPv4 secure redirect packets by default. | CAT II | No action required | Addressed by script
SV-50334r2_rule | The system must ignore ICMPv4 redirect messages by default. | CAT III | No action required | Addressed by script
SV-50335r1_rule | The operating system must automatically audit account modification. | CAT III | No action required | Addressed by script
SV-50336r2_rule | The system must not respond to ICMPv4 sent to a broadcast address. | CAT III | No action required | Addressed by script
SV-50337r1_rule | The operating system must automatically audit account disabling actions. | CAT III | No action required | Addressed by script
SV-50338r2_rule | The system must ignore ICMPv4 bogus error responses. | CAT III | No action required | Addressed by script
SV-50339r1_rule | The operating system must automatically audit account termination. | CAT III | No action required | Addressed by script
SV-50340r1_rule | The system must be configured to use TCP syncookies. | CAT II | No action required | Addressed by script
SV-50342r1_rule | The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux). | CAT III | No action required | Addressed by script
SV-50343r1_rule | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. | CAT II | No action required | Addressed by script
SV-50344r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using chmod. | CAT III | No action required | Addressed by script
SV-50345r1_rule | The system must use a reverse-path filter for IPv4 network traffic when possible by default. | CAT II | No action required | Addressed by script
SV-50346r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using chown. | CAT III | No action required | Addressed by script
SV-50347r2_rule | The IPv6 protocol handler must not be bound to the network stack unless needed. | CAT II | No action required | Addressed by script
SV-50348r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchmod. | CAT III | No action required | Addressed by script
SV-50349r2_rule | The system must ignore ICMPv6 redirects by default. | CAT II | No action required | Addressed by script
SV-50351r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. | CAT III | No action required | Addressed by script
SV-50353r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchown. | CAT III | No action required | Addressed by script
SV-50355r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using fchownat. | CAT III | No action required | Addressed by script
SV-50356r2_rule | The system must employ a local IPv4 firewall. | CAT II | No action required | Addressed by script
SV-50357r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. | CAT III | No action required | Addressed by script
SV-50358r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. | CAT III | No action required | Addressed by script
SV-50359r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using lchown. | CAT III | No action required | Addressed by script
SV-50360r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. | CAT III | No action required | Addressed by script
SV-50362r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. | CAT III | No action required | Addressed by script
SV-50364r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using removexattr. | CAT III | No action required | Addressed by script
SV-50366r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using setxattr. | CAT III | No action required | Addressed by script
SV-50369r2_rule | The audit system must be configured to audit successful file system mounts. | CAT III | No action required | Addressed by script
SV-50370r1_rule | The system must require passwords to contain at least one uppercase alphabetic character. | CAT III | No action required | Addressed by script
SV-50371r1_rule | The system must require passwords to contain at least one special character. | CAT III | No action required | Addressed by script
SV-50372r1_rule | The system must require passwords to contain at least one lowercase alphabetic character. | CAT III | No action required | Addressed by script
SV-50373r1_rule | The system must require at least four characters be changed between the old and new passwords during a password change. | CAT III | No action required | Addressed by script
SV-50374r3_rule | The system must disable accounts after three consecutive unsuccessful logon attempts. | CAT II | No action required | Addressed by script
SV-50375r1_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). | CAT II | No action required | Addressed by script
SV-50376r4_rule | The audit system must be configured to audit user deletions of files and programs. | CAT III | No action required | Addressed by script
SV-50377r1_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). | CAT II | No action required | Addressed by script
SV-50378r1_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). | CAT II | No action required | Addressed by script
SV-50379r1_rule | The audit system must be configured to audit changes to the /etc/sudoers file. | CAT III | No action required | Addressed by script
SV-50380r1_rule | The system boot loader configuration file(s) must be owned by root. | CAT II | No action required | Addressed by script
SV-50381r1_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | CAT II | No action required | Addressed by script
SV-50382r1_rule | The system boot loader configuration file(s) must be group-owned by root. | CAT II | No action required | Addressed by script
SV-50383r2_rule | The xinetd service must be disabled if no network services utilizing it are enabled. | CAT II | No action required | Addressed by script
SV-50384r2_rule | The system boot loader configuration file(s) must have mode 0600 or less permissive. | CAT II | No action required | Addressed by script
SV-50385r1_rule | The xinetd service must be uninstalled if no network services utilizing it are enabled. | CAT III | No action required | Addressed by script
SV-50386r1_rule | The system boot loader must require authentication. | CAT II | Addressed by script | Not implemented
SV-50387r1_rule | The system must require authentication upon booting into single-user and maintenance modes. | CAT II | Addressed by script | Not implemented
SV-50388r1_rule | The telnet-server package must not be installed. | CAT I | No action required | Addressed by script
SV-50389r1_rule | The system must not permit interactive boot. | CAT II | No action required | Addressed by script
SV-50390r2_rule | The telnet daemon must not be running. | CAT I | No action required | Addressed by script
SV-50391r1_rule | The system must allow locking of the console screen in text mode. | CAT III | Addressed by script | Not implemented
SV-50392r1_rule | The rsh-server package must not be installed. | CAT I | No action required | Addressed by script
SV-50393r3_rule | The system must require administrator action to unlock an account locked by excessive failed login attempts. | CAT II | Addressed by script | Addressed by script
SV-50395r2_rule | The rshd service must not be running. | CAT I | No action required | Addressed by script
SV-50399r2_rule | The rexecd service must not be running. | CAT I | No action required | Addressed by script
SV-50401r1_rule | The system must not send ICMPv4 redirects by default. | CAT II | No action required | Addressed by script
SV-50402r1_rule | The system must not send ICMPv4 redirects from any interface. | CAT II | No action required | Addressed by script
SV-50403r2_rule | The rlogind service must not be running. | CAT I | No action required | Addressed by script
SV-50404r1_rule | The ypserv package must not be installed. | CAT II | No action required | Addressed by script
SV-50405r2_rule | The ypbind service must not be running. | CAT II | No action required | Addressed by script
SV-50406r2_rule | The cron service must be running. | CAT II | No action required | Addressed by script
SV-50407r1_rule | The tftp-server package must not be installed. | CAT II | No action required | Addressed by script
SV-50408r1_rule | The SSH daemon must be configured to use only the SSHv2 protocol. | CAT I | No action required | Addressed by script
SV-50409r1_rule | The SSH daemon must set a timeout interval on idle sessions. | CAT III | No action required | Addressed by script
SV-50411r1_rule | The SSH daemon must set a timeout count on idle sessions. | CAT III | No action required | Addressed by script
SV-50412r1_rule | The SSH daemon must ignore rhosts files. | CAT II | No action required | Addressed by script
SV-50413r1_rule | The SSH daemon must not allow host-based authentication. | CAT II | No action required | Addressed by script
SV-50414r1_rule | The system must not permit root logins using remote access programs such as SSH. | CAT II | No action required | Addressed by script
SV-50415r1_rule | The SSH daemon must not allow authentication using an empty password. | CAT I | No action required | Addressed by script
SV-50416r1_rule | The SSH daemon must be configured with the Department of Defense (DoD) login banner. | CAT II | Addressed by script | Not implemented
SV-50417r1_rule | The SSH daemon must not permit user environment settings. | CAT III | No action required | Addressed by script
SV-50419r2_rule | The avahi service must be disabled. | CAT III | No action required | Addressed by script
SV-50421r1_rule | The system clock must be synchronized continuously, or at least daily. | CAT II | Addressed by script | Addressed by documentation
SV-50422r1_rule | The system clock must be synchronized to an authoritative DoD time source. | CAT II | No action required | Addressed by script
SV-50423r2_rule | Mail relaying must be restricted. | CAT II | Addressed by script | Not applicable
SV-50428r1_rule | The openldap-servers package must not be installed unless required. | CAT III | No action required | Addressed by script
SV-50430r3_rule | The graphical desktop environment must set the idle timeout to no more than 15 minutes. | CAT II | No action required | Addressed by script
SV-50431r3_rule | The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment. | CAT II | No action required | Addressed by script
SV-50434r1_rule | The system must set a maximum audit log file size. | CAT II | No action required | Addressed by script
SV-50435r1_rule | The system must rotate audit log files that reach the maximum file size. | CAT II | No action required | Addressed by script
SV-50436r2_rule | The audit system must be configured to audit all attempts to alter system time through adjtimex. | CAT III | No action required | Addressed by script
SV-50437r1_rule | The system must retain enough rotated audit logs to cover the required log retention period. | CAT II | No action required | Addressed by script
SV-50439r3_rule | The graphical desktop environment must have automatic lock enabled. | CAT II | No action required | Addressed by script
SV-50440r3_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock. | CAT III | No action required | Addressed by script
SV-50441r2_rule | The Automatic Bug Reporting Tool (abrtd) service must not be running. | CAT III | No action required | Addressed by script
SV-50442r2_rule | The atd service must be disabled. | CAT III | No action required | Addressed by script
SV-50443r1_rule | The system default umask for daemons must be 027 or 022. | CAT III | No action required | Addressed by script
SV-50445r2_rule | The ntpdate service must not be running. | CAT III | No action required | Addressed by script
SV-50446r1_rule | The system default umask in /etc/login.defs must be 077. | CAT III | No action required | Addressed by script
SV-50447r2_rule | The oddjobd service must not be running. | CAT III | No action required | Addressed by script
SV-50448r1_rule | The system default umask in /etc/profile must be 077. | CAT III | Addressed by script | Not implemented
SV-50449r2_rule | The qpidd service must not be running. | CAT III | No action required | Addressed by script
SV-50450r1_rule | The system default umask for the csh shell must be 077. | CAT III | Addressed by script | Not implemented
SV-50451r2_rule | The rdisc service must not be running. | CAT III | No action required | Addressed by script
SV-50452r1_rule | The system default umask for the bash shell must be 077. | CAT III | Addressed by script | Not implemented
SV-50457r1_rule | The system must use SMB client signing for connecting to samba servers using smbclient. | CAT III | Addressed by script | Not implemented
SV-50470r1_rule | The postfix service must be enabled for mail delivery. | CAT III | Addressed by script | Not implemented
SV-50472r1_rule | The sendmail package must be removed. | CAT II | No action required | Addressed by script
SV-50473r2_rule | The netconsole service must be disabled unless required. | CAT III | No action required | Addressed by script
SV-50475r1_rule | X Windows must not be enabled unless required. | CAT II | No action required | Addressed by script
SV-50476r2_rule | Process core dumps must be disabled unless needed. | CAT III | Addressed by script | Not implemented
SV-50477r1_rule | The xorg-x11-server-common (X Windows) package must not be installed, unless required. | CAT III | No action required | Addressed by script
SV-50480r2_rule | The DHCP client must be disabled if not needed. | CAT II | Addressed by script | Not implemented
SV-50481r1_rule | The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | CAT II | No action required | Addressed by script
SV-50485r2_rule | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. | CAT III | Addressed by script | Not implemented
SV-50488r2_rule | The system must provide VPN connectivity for communications over untrusted networks. | CAT III | Addressed by script | Not implemented
SV-50489r2_rule | A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | CAT II | No action required | Addressed by script
SV-50492r2_rule | The Bluetooth service must be disabled. | CAT II | No action required | Addressed by script
SV-50493r1_rule | Accounts must be locked upon 35 days of inactivity. | CAT III | Addressed by script | Not implemented
SV-50495r1_rule | The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity. | CAT III | Addressed by script | Not implemented
SV-50498r2_rule | The sticky bit must be set on all public directories. | CAT III | Addressed by script | No action required
SV-50500r2_rule | All public directories must be owned by a system account. | CAT III | No action required | Addressed by script
SV-50502r1_rule | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. | CAT I | No action required | Addressed by script
SV-65547r1_rule | The system must use a Linux Security Module at boot time. | CAT II | No action required | Addressed by script
SV-65573r1_rule | The system must use a Linux Security Module configured to enforce limits on system services. | CAT II | Addressed by script | Not implemented
SV-65579r1_rule | The system must use a Linux Security Module configured to limit the privileges of system services. | CAT III | No action required | Addressed by script
SV-66089r1_rule | The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. | CAT II | No action required | Addressed by script
SV-68627r1_rule | The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. | CAT II | Addressed by script | Not implemented
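Several of the Table D-3 rules are plain file ownership, permission and account checks that an administrator can verify independently of the stig script. The following script is an added example, not Oracle's /usr/local/dbfw/bin/stig script or part of this guide; it spot-checks a handful of those rules against either the live host ("/") or a staged directory tree, and assumes GNU coreutils (stat -c), awk and find.

```shell
#!/bin/sh
# Added example, not Oracle's /usr/local/dbfw/bin/stig script: spot-checks a
# few of the Table D-3 file ownership, permission and account rules so an
# administrator can confirm what the script is expected to have set. Assumes
# GNU coreutils (stat -c), awk and find. PREFIX is a staged directory tree,
# or "/" for the live host.

# check_mode FILE MAX: succeeds when FILE's mode is MAX or less permissive.
# MAX is an octal string such as 644 or 0 (SV-50249, SV-50257, SV-50261,
# SV-50305, SV-50384).
check_mode() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # Less permissive means no bit is set that MAX does not also set; the
    # setuid/setgid/sticky digit reported by stat counts as an extra bit.
    [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# check_owner FILE USER GROUP: succeeds when FILE is owned by USER and
# group-owned by GROUP (SV-50243, SV-50248, SV-50250, SV-50251, SV-50303).
check_owner() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]
}

# passwd_hash_findings PASSWD: prints accounts whose password field is not
# "x" (the hash belongs in /etc/shadow); succeeds only when there are none
# (SV-50300).
passwd_hash_findings() {
    local bad
    bad=$(awk -F: '$2 != "x" { print $1 }' "$1") || return 1
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# uid_zero_accounts PASSWD: prints every account with UID 0; succeeds only
# when root is the sole entry (SV-50301).
uid_zero_accounts() {
    local accts
    accts=$(awk -F: '$3 == 0 { print $1 }' "$1") || return 1
    printf '%s\n' "$accts"
    [ "$accts" = "root" ]
}

# rhosts_findings DIR: prints any .rhosts or hosts.equiv file under DIR on the
# same file system; succeeds only when none exist (SV-50292).
rhosts_findings() {
    local found
    found=$(find "$1" -xdev \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# run_checks PREFIX: runs the rule table below against PREFIX, prints one
# PASS/FAIL line per rule and returns the number of failing rules.
run_checks() {
    local prefix fails rule fn path a1 a2
    prefix="${1%/}" fails=0
    while IFS='|' read -r rule fn path a1 a2; do
        if "$fn" "$prefix$path" $a1 $a2 >/dev/null; then
            echo "PASS $rule $path"
        else
            echo "FAIL $rule $path"
            fails=$((fails + 1))
        fi
    done <<'EOF'
SV-50243r1_rule|check_owner|/etc/gshadow|root|root
SV-50249r1_rule|check_mode|/etc/gshadow|0
SV-50250r1_rule|check_owner|/etc/passwd|root|root
SV-50257r1_rule|check_mode|/etc/passwd|644
SV-50258r1_rule|check_owner|/etc/group|root|root
SV-50261r1_rule|check_mode|/etc/group|644
SV-50303r1_rule|check_owner|/etc/shadow|root|root
SV-50305r1_rule|check_mode|/etc/shadow|0
SV-50300r1_rule|passwd_hash_findings|/etc/passwd
SV-50301r2_rule|uid_zero_accounts|/etc/passwd
SV-50292r1_rule|rhosts_findings|/
EOF
    return "$fails"
}

# Run against the tree named on the command line, e.g. "./stig_check.sh /".
if [ "$#" -gt 0 ]; then
    run_checks "$1"
fi
```

The exit status of run_checks is the count of failing rules, so it can be wired into a cron job or monitoring check that alerts on any non-zero result.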