D Security Technical Implementation Guides Compliance Standards
- About Security Technical Implementation Guides
  A Security Technical Implementation Guide (STIG) is a methodology followed by the U.S. Department of Defense (DOD).
- Enabling and Disabling STIG Rules on Oracle Key Vault
  You can enable STIG rules on Oracle Key Vault by enabling Strict mode.
- Current Implementation of STIG Rules on Oracle Key Vault
  You should be aware of the vulnerability categories that STIG recommendations address.
- Current Implementation of Database STIG Rules
  The current implementation of the database STIG rules encompasses a wide range of rules.
- Current Implementation of Operating System STIG Rules
  The current implementation of the operating system STIG rules encompasses a wide range of rules.
D.1 About Security Technical Implementation Guides
A Security Technical Implementation Guide (STIG) is a methodology followed by the U.S. Department of Defense (DOD).
STIGs are designed to reduce the attack surface of computer systems and networks, thereby ensuring a lockdown of highly confidential information stored within the DOD network. STIGs provide secure configuration standards for the DOD's Information Assurance (IA) and IA-enabled devices and systems. STIGs are created by the Defense Information Systems Agency (DISA).
For over a decade, Oracle has worked closely with the DOD to develop, publish, and maintain a growing list of STIGs for a variety of core Oracle products and technologies including:
- Oracle Database
- Oracle Solaris
- Oracle Linux
- Oracle WebLogic
When STIGs are updated, Oracle analyzes the latest recommendations in order to identify new ways to improve the security of its products by:
- Implementing new and innovative security capabilities that are then added to future STIG updates
- Delivering functionality to automate the assessment and implementation of STIG recommendations
- Improving “out of the box” security configuration settings based upon STIG recommendations
D.2 Enabling and Disabling STIG Rules on Oracle Key Vault
You can enable STIG rules on Oracle Key Vault by enabling Strict mode.
- Enabling STIG Rules on Oracle Key Vault
  You enable STIG rules (strict mode) from the command line.
- Disabling STIG Rules on Oracle Key Vault
  You disable STIG rules (strict mode) from the command line.
D.2.1 Enabling STIG Rules on Oracle Key Vault
You enable STIG rules (strict mode) from the command line.
D.2.2 Disabling STIG Rules on Oracle Key Vault
You disable STIG rules (strict mode) from the command line.
D.3 Current Implementation of STIG Rules on Oracle Key Vault
You should be aware of the vulnerability categories that STIG recommendations address.
Oracle has developed a security-hardened configuration of Oracle Key Vault that supports U.S. Department of Defense Security Technical Implementation Guide (STIG) recommendations.
Table D-1 lists the three vulnerability categories that STIG recommendations address.
Table D-1 Vulnerability Categories
Category | Description |
---|---|
CAT I | Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity. |
CAT II | Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity. |
CAT III | Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity. |
D.4 Current Implementation of Database STIG Rules
The current implementation of the database STIG rules encompasses a wide range of rules.
Table D-2 shows the current implementation of Database STIG rules on Oracle Key Vault.
Table D-2 Current Implementation of Database STIG Rules
STIG ID | Title | Severity | Addressed by Script | Addressed by Documentation | Action required | Implemented | Notes |
---|---|---|---|---|---|---|---|
DG0004-ORACLE11 | DBMS application object owner accounts | CAT II | No | No | None | No | Application object owner accounts |
DG0008-ORACLE11 | DBMS application object ownership | No | No | Yes | No | No | The object owner accounts in the Oracle Key Vault server are as follows: |
DG0014-ORACLE11 | DBMS demonstration and sample databases | CAT II | No | No | None | No | All default demonstration and sample database objects have been removed. |
DG0071-ORACLE11 | DBMS password change variance | CAT II | No | No | No | No | Currently not supported |
DG0073-ORACLE11 | DBMS failed login account lock | CAT II | Yes | No | No | No | For profiles |
DG0075-ORACLE11 | DBMS links to external databases | CAT II | No | Yes | No | No | No |
DG0077-ORACLE11 | Production data protection on a shared system | CAT II | No | No | None | No | No |
DG0116-ORACLE11 | DBMS privileged role assignments | CAT II | Yes | Yes | No | No | No |
DG0117-ORACLE11 | DBMS administrative privilege assignment | CAT II | No | No | No | No | Currently not supported |
DG0121-ORACLE11 | DBMS application user privilege assignment | CAT II | No | No | No | No | Currently not supported |
DG0123-ORACLE11 | DBMS Administrative data access | CAT II | No | No | No | No | Currently not supported |
DG0125-ORACLE11 | DBMS account password expiration | CAT II | Yes | No | No | No | For profiles |
DG0126-ORACLE11 | DBMS account password reuse | CAT II | No | No | None | No | No |
DG0128-ORACLE11 | DBMS default passwords | CAT I | Yes | No | No | No | Account CTXSYS is assigned a random password in the script. |
DG0133-ORACLE11 | DBMS Account lock time | CAT II | Yes | No | No | No | No |
DG0141-ORACLE11 | DBMS access control bypass | CAT II | Yes | No | No | No | Users can use a script to audit the following events: |
DG0142-ORACLE11 | DBMS Privileged action audit | CAT II | No | No | None | No | No |
DG0192-ORACLE11 | DBMS fully-qualified name for remote access | CAT II | Yes | No | No | No | Currently not supported |
DO0231-ORACLE11 | Oracle application object owner tablespaces | CAT II | No | No | No | No | Currently not supported |
DO0250-ORACLE11 | Oracle database link usage | CAT II | No | Yes | No | No | No |
DO0270-ORACLE11 | Oracle redo log file availability | CAT II | No | No | No | No | Currently not supported |
DO0350-ORACLE11 | Oracle system privilege assignment | CAT II | No | No | No | No | Currently not supported |
DO3475-ORACLE11 | Oracle | CAT II | No | No | No | No | Currently not supported |
DO3536-ORACLE11 | Oracle | CAT II | Yes | No | No | No | No |
DO3540-ORACLE11 | Oracle | CAT II | No | No | None | No | Parameter |
DO3609-ORACLE11 | System privileges granted WITH ADMIN OPTION | CAT II | No | No | No | No | Currently not supported |
DO3610-ORACLE11 | Oracle minimum object auditing | CAT II | No | No | No | No | Currently not supported |
DO3689-ORACLE11 | Oracle object permission assignment to PUBLIC | CAT II | No | No | No | No | Currently not supported |
DO3696-ORACLE11 | Oracle RESOURCE_LIMIT parameter | CAT II | No | No | No | No | Currently not supported |
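Several of the database rows above (DG0073, DG0125, DG0133, DG0126, DG0071) are enforced, where they are enforced at all, through Oracle password profiles. The following is an added example, not Oracle Key Vault's own hardening script, showing how an auditor can evaluate the `PASSWORD` resource limits reported by `DBA_PROFILES` against those rows. The mapping from each limit to a STIG row is this example's own choice, the sample rows are constructed, and the check deliberately flags only `UNLIMITED`, unresolvable, or `NULL` limits rather than inventing numeric thresholds the page does not state. It also resolves `DEFAULT` values through the `DEFAULT` profile, which is where a review that only looks at a named profile usually goes wrong.

```python
"""Flag Oracle password-profile limits relevant to the database STIG rows.

Added example (not Oracle Key Vault code). It evaluates rows shaped like the
output of
    SELECT profile, resource_name, limit FROM dba_profiles
    WHERE resource_type = 'PASSWORD';
A profile whose limit is DEFAULT inherits the value from the DEFAULT profile,
so the check resolves that inheritance before deciding.
"""
from collections import defaultdict

# Resource limit -> the STIG row it relates to (mapping chosen for this example).
CHECKED_LIMITS = {
    "FAILED_LOGIN_ATTEMPTS": "DG0073 failed login account lock",
    "PASSWORD_LIFE_TIME": "DG0125 account password expiration",
    "PASSWORD_LOCK_TIME": "DG0133 account lock time",
    "PASSWORD_REUSE_MAX": "DG0126 account password reuse",
    "PASSWORD_VERIFY_FUNCTION": "DG0071 password change variance",
}


def resolve_limits(rows):
    """Return {profile: {resource: effective_limit}} with DEFAULT resolved."""
    limits = defaultdict(dict)
    for profile, resource, limit in rows:
        limits[profile.upper()][resource.upper()] = str(limit).upper()
    base = limits.get("DEFAULT", {})
    resolved = {}
    for profile, res in limits.items():
        resolved[profile] = {}
        for resource, limit in res.items():
            if limit == "DEFAULT":
                # Inherit from the DEFAULT profile; if that cannot be resolved
                # from the rows we were given, say so instead of guessing.
                limit = base.get(resource, "UNKNOWN") if profile != "DEFAULT" else "UNKNOWN"
            resolved[profile][resource] = limit
    return resolved


def audit_profiles(rows):
    """Return findings as (profile, resource, effective_limit, stig_row) tuples.

    A limit is a finding when it is UNLIMITED, cannot be resolved, or (for the
    verify function) is NULL, i.e. no password complexity check is installed.
    """
    findings = []
    for profile, res in sorted(resolve_limits(rows).items()):
        for resource, stig_row in CHECKED_LIMITS.items():
            limit = res.get(resource, "UNKNOWN")
            bad = limit in ("UNLIMITED", "UNKNOWN") or (
                resource == "PASSWORD_VERIFY_FUNCTION" and limit == "NULL"
            )
            if bad:
                findings.append((profile, resource, limit, stig_row))
    return findings


# Constructed sample rows (not taken from a real system).
SAMPLE_ROWS = [
    ("DEFAULT", "FAILED_LOGIN_ATTEMPTS", "10"),
    ("DEFAULT", "PASSWORD_LIFE_TIME", "180"),
    ("DEFAULT", "PASSWORD_LOCK_TIME", "1"),
    ("DEFAULT", "PASSWORD_REUSE_MAX", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_VERIFY_FUNCTION", "NULL"),
    ("APP_PROFILE", "FAILED_LOGIN_ATTEMPTS", "DEFAULT"),
    ("APP_PROFILE", "PASSWORD_LIFE_TIME", "UNLIMITED"),
    ("APP_PROFILE", "PASSWORD_LOCK_TIME", "DEFAULT"),
    ("APP_PROFILE", "PASSWORD_REUSE_MAX", "5"),
    ("APP_PROFILE", "PASSWORD_VERIFY_FUNCTION", "ORA12C_VERIFY_FUNCTION"),
]

if __name__ == "__main__":
    for profile, resource, limit, stig_row in audit_profiles(SAMPLE_ROWS):
        print(f"{profile:12} {resource:25} {limit:10} {stig_row}")
```

With the constructed rows, `APP_PROFILE` passes the failed-login and lock-time checks because its `DEFAULT` values resolve to 10 and 1, but is flagged for an unlimited password lifetime, and the `DEFAULT` profile itself is flagged for unlimited password reuse and a missing verify function. Feed the function the real query output and treat any `UNKNOWN` as a data-collection gap rather than a pass.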
D.5 Current Implementation of Operating System STIG Rules
The current implementation of the operating system STIG rules encompasses a wide range of rules.
Table D-3 shows the current implementation of Operating System STIG Rules on Oracle Key Vault.
Table D-3 Current Implementation of Operating System STIG Rules
STIG ID | Title | Severity | Key Vault Server - Default | Key Vault Server - STIG |
---|---|---|---|---|
SV-50237r1_rule | Automated file system mounting tools must not be enabled unless needed. | CAT III | No action required | Addressed by script |
SV-50238r2_rule | Auditing must be enabled at boot by setting a kernel parameter. | CAT III | No action required | Addressed by script |
SV-50243r1_rule | The | CAT II | No action required | Addressed by script |
SV-50248r1_rule | The | CAT II | No action required | Addressed by script |
SV-50249r1_rule | The | CAT II | No action required | Addressed by script |
SV-50250r1_rule | The | CAT II | No action required | Addressed by script |
SV-50251r1_rule | The | CAT II | No action required | Addressed by script |
SV-50255r1_rule | The system must use a separate file system for | CAT III | No action required | Addressed by script |
SV-50256r1_rule | The system must use a separate file system for | CAT III | Addressed by script | Implemented differently |
SV-50257r1_rule | The | CAT II | No action required | Addressed by script |
SV-50258r1_rule | The | CAT II | No action required | Addressed by script |
SV-50259r1_rule | The | CAT II | No action required | Addressed by script |
SV-50261r1_rule | The | CAT II | No action required | Addressed by script |
SV-50263r1_rule | The system must use a separate file system for | CAT III | No action required | Addressed by script |
SV-50266r1_rule | Library files must be owned by | CAT II | No action required | Addressed by script |
SV-50267r1_rule | The system must use a separate file system for the system audit data path. | CAT III | Addressed by script | Not implemented |
SV-50269r2_rule | All system command files must have mode 0755 or less permissive. | CAT II | No action required | Addressed by script |
SV-50270r2_rule | The audit system must alert designated staff members when the audit storage volume approaches capacity. | CAT II | Addressed by script | Not implemented |
SV-50272r1_rule | All system command files must be owned by root. | CAT II | No action required | Addressed by script |
SV-50273r1_rule | The system must use a separate file system for user home directories. | CAT III | No action required | Addressed by script |
SV-50275r1_rule | The system must require passwords to contain a minimum of 14 characters. | CAT II | Addressed by script | Addressed by script |
SV-50277r1_rule | Users must not be able to change passwords more than once every 24 hours. | CAT II | No action required | Addressed by script |
SV-50278r2_rule | The Red Hat Network Service ( | CAT III | No action required | Addressed by script |
SV-50279r1_rule | User passwords must be changed at least every 60 days. | CAT II | Addressed by script | Addressed by script |
SV-50280r1_rule | Users must be warned 7 days in advance of password expiration. | CAT III | No action required | Addressed by script |
SV-50282r1_rule | The system must require passwords to contain at least one numeric character. | CAT III | No action required | Addressed by script |
SV-50283r1_rule | The system package management tool must cryptographically verify the authenticity of system software packages during installation. | CAT II | No action required | Addressed by script |
SV-50288r1_rule | The system package management tool must cryptographically verify the authenticity of all software packages during installation. | CAT III | No action required | Addressed by script |
SV-50290r1_rule | A file integrity tool must be installed. | CAT II | No action required | Addressed by script |
SV-50291r2_rule | The operating system must enforce requirements for the connection of mobile devices to operating systems. | CAT II | No action required | Addressed by script |
SV-50292r1_rule | There must be no . | CAT I | No action required | Addressed by script |
SV-50293r1_rule | The system must prevent the root account from logging in from virtual consoles. | CAT II | No action required | Addressed by script |
SV-50295r1_rule | The system must prevent the root account from logging in from serial consoles. | CAT III | No action required | Addressed by script |
SV-50296r1_rule | Audit log files must be owned by | CAT II | No action required | Addressed by script |
SV-50298r2_rule | The system must not have accounts configured with blank or null passwords. | CAT I | No action required | Addressed by script |
SV-50299r1_rule | Audit log files must have mode 0640 or less permissive. | CAT II | No action required | Addressed by script |
SV-50300r1_rule | The | CAT II | No action required | Addressed by script |
SV-50301r2_rule | The root account must be the only account having a UID of 0. | CAT II | No action required | Addressed by script |
SV-50302r3_rule | The system must disable accounts after excessive login failures within a 15-minute interval. | CAT II | No action required | Addressed by script |
SV-50303r1_rule | The | CAT II | No action required | Addressed by script |
SV-50304r1_rule | The | CAT II | No action required | Addressed by script |
SV-50305r1_rule | The | CAT II | No action required | Addressed by script |
SV-50312r1_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router. | CAT II | No action required | Addressed by script |
SV-50313r2_rule | The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. | CAT II | No action required | Addressed by script |
SV-50314r1_rule | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. | CAT II | No action required | Addressed by script |
SV-50315r2_rule | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. | CAT II | No action required | Addressed by script |
SV-50316r2_rule | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. | CAT II | No action required | Addressed by script |
SV-50317r2_rule | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. | CAT III | No action required | Addressed by script |
SV-50318r2_rule | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. | CAT II | No action required | Addressed by script |
SV-50319r2_rule | All rsyslog-generated log files must be owned by root. | CAT II | No action required | Addressed by script |
SV-50321r1_rule | The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. | CAT II | Addressed by script | Not implemented |
SV-50322r1_rule | The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components. | CAT II | Addressed by script | Not implemented |
SV-50323r2_rule | The audit system must be configured to audit all attempts to alter system time through | CAT III | No action required | Addressed by script |
SV-50324r2_rule | The system must not accept IPv4 source-routed packets on any interface. | CAT II | No action required | Addressed by script |
SV-50325r1_rule | The system must not accept ICMPv4 redirect packets on any interface. | CAT II | No action required | Addressed by script |
SV-50326r3_rule | The audit system must be configured to audit all attempts to alter system time through | CAT III | No action required | Addressed by script |
SV-50327r1_rule | The system must not accept ICMPv4 secure redirect packets on any interface. | CAT II | No action required | Addressed by script |
SV-50328r2_rule | The audit system must be configured to audit all attempts to alter system time through | CAT III | No action required | Addressed by script |
SV-50329r1_rule | The system must log Martian packets. | CAT III | Addressed by script | Not implemented |
SV-50330r1_rule | The system must not accept IPv4 source-routed packets by default. | CAT II | No action required | Addressed by script |
SV-50331r1_rule | The audit system must be configured to audit all attempts to alter system time through | CAT III | No action required | Addressed by script |
SV-50332r1_rule | The operating system must automatically audit account creation. | CAT III | No action required | Addressed by script |
SV-50333r1_rule | The system must not accept ICMPv4 secure redirect packets by default. | CAT II | No action required | Addressed by script |
SV-50334r2_rule | The system must ignore ICMPv4 redirect messages by default. | CAT III | No action required | Addressed by script |
SV-50335r1_rule | The operating system must automatically audit account modification. | CAT III | No action required | Addressed by script |
SV-50336r2_rule | The system must not respond to ICMPv4 sent to a broadcast address. | CAT III | No action required | Addressed by script |
SV-50337r1_rule | The operating system must automatically audit account disabling actions. | CAT III | No action required | Addressed by script |
SV-50338r2_rule | The system must ignore ICMPv4 bogus error responses. | CAT III | No action required | Addressed by script |
SV-50339r1_rule | The operating system must automatically audit account termination. | CAT III | No action required | Addressed by script |
SV-50340r1_rule | The system must be configured to use TCP | CAT II | No action required | Addressed by script |
SV-50342r1_rule | The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration ( | CAT III | No action required | Addressed by script |
SV-50343r1_rule | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. | CAT II | No action required | Addressed by script |
SV-50344r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50345r1_rule | The system must use a reverse-path filter for IPv4 network traffic when possible by default. | CAT II | No action required | Addressed by script |
SV-50346r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50347r2_rule | The IPv6 protocol handler must not be bound to the network stack unless needed. | CAT II | No action required | Addressed by script |
SV-50348r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50349r2_rule | The system must ignore ICMPv6 redirects by default. | CAT II | No action required | Addressed by script |
SV-50351r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50353r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50355r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50356r2_rule | The system must employ a local IPv4 firewall. | CAT II | No action required | Addressed by script |
SV-50357r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50358r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50359r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50360r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50362r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50364r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50366r2_rule | The audit system must be configured to audit all discretionary access control permission modifications using | CAT III | No action required | Addressed by script |
SV-50369r2_rule | The audit system must be configured to audit successful file system mounts. | CAT III | No action required | Addressed by script |
SV-50370r1_rule | The system must require passwords to contain at least one uppercase alphabetic character. | CAT III | No action required | Addressed by script |
SV-50371r1_rule | The system must require passwords to contain at least one special character. | CAT III | No action required | Addressed by script |
SV-50372r1_rule | The system must require passwords to contain at least one lowercase alphabetic character. | CAT III | No action required | Addressed by script |
SV-50373r1_rule | The system must require at least four characters be changed between the old and new passwords during a password change. | CAT III | No action required | Addressed by script |
SV-50374r3_rule | The system must disable accounts after three consecutive unsuccessful logon attempts. | CAT II | No action required | Addressed by script |
SV-50375r1_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). | CAT II | No action required | Addressed by script |
SV-50376r4_rule | The audit system must be configured to audit user deletions of files and programs. | CAT III | No action required | Addressed by script |
SV-50377r1_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes ( | CAT II | No action required | Addressed by script |
SV-50378r1_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes ( | CAT II | No action required | Addressed by script |
SV-50379r1_rule | The audit system must be configured to audit changes to the | CAT III | No action required | Addressed by script |
SV-50380r1_rule | The system boot loader configuration file(s) must be owned by | CAT II | No action required | Addressed by script |
SV-50381r1_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | CAT II | No action required | Addressed by script |
SV-50382r1_rule | The system boot loader configuration file(s) must be group-owned by root. | CAT II | No action required | Addressed by script |
SV-50383r2_rule | The | CAT II | No action required | Addressed by script |
SV-50384r2_rule | The system boot loader configuration file(s) must have mode 0600 or less permissive. | CAT II | No action required | Addressed by script |
SV-50385r1_rule | The | CAT III | No action required | Addressed by script |
SV-50386r1_rule | The system boot loader must require authentication. | CAT II | Addressed by script | Not implemented |
SV-50387r1_rule | The system must require authentication upon booting into single-user and maintenance modes. | CAT II | Addressed by script | Not implemented |
SV-50388r1_rule | The | CAT I | No action required | Addressed by script |
SV-50389r1_rule | The system must not permit interactive boot. | CAT II | No action required | Addressed by script |
SV-50390r2_rule | The | CAT I | No action required | Addressed by script |
SV-50391r1_rule | The system must allow locking of the console screen in text mode. | CAT III | Addressed by script | Not implemented |
SV-50392r1_rule | The | CAT I | No action required | Addressed by script |
SV-50393r3_rule | The system must require administrator action to unlock an account locked by excessive failed login attempts. | CAT II | Addressed by script | Addressed by script |
SV-50395r2_rule | The | CAT I | No action required | Addressed by script |
SV-50399r2_rule | The | CAT I | No action required | Addressed by script |
SV-50401r1_rule | The system must not send ICMPv4 redirects by default. | CAT II | No action required | Addressed by script |
SV-50402r1_rule | The system must not send ICMPv4 redirects from any interface. | CAT II | No action required | Addressed by script |
SV-50403r2_rule | The | CAT I | No action required | Addressed by script |
SV-50404r1_rule | The | CAT II | No action required | Addressed by script |
SV-50405r2_rule | The | CAT II | No action required | Addressed by script |
SV-50406r2_rule | The | CAT II | No action required | Addressed by script |
SV-50407r1_rule | The | CAT II | No action required | Addressed by script |
SV-50408r1_rule | The SSH daemon must be configured to use only the SSHv2 protocol. | CAT I | No action required | Addressed by script |
SV-50409r1_rule | The SSH daemon must set a timeout interval on idle sessions. | CAT III | No action required | Addressed by script |
SV-50411r1_rule | The SSH daemon must set a timeout count on idle sessions. | CAT III | No action required | Addressed by script |
SV-50412r1_rule | The SSH daemon must ignore | CAT II | No action required | Addressed by script |
SV-50413r1_rule | The SSH daemon must not allow host-based authentication. | CAT II | No action required | Addressed by script |
SV-50414r1_rule | The system must not permit root logins using remote access programs such as SSH. | CAT II | No action required | Addressed by script |
SV-50415r1_rule | The SSH daemon must not allow authentication using an empty password. | CAT I | No action required | Addressed by script |
SV-50416r1_rule | The SSH daemon must be configured with the Department of Defense (DoD) login banner. | CAT II | Addressed by script | Not implemented |
SV-50417r1_rule | The SSH daemon must not permit user environment settings. | CAT III | No action required | Addressed by script |
SV-50419r2_rule | The | CAT III | No action required | Addressed by script |
SV-50421r1_rule | The system clock must be synchronized continuously, or at least daily. | CAT II | Addressed by script | Addressed by documentation |
SV-50422r1_rule | The system clock must be synchronized to an authoritative DoD time source. | CAT II | No action required | Addressed by script |
SV-50423r2_rule | Mail relaying must be restricted. | CAT II | Addressed by script | Not applicable |
SV-50428r1_rule | The | CAT III | No action required | Addressed by script |
SV-50430r3_rule | The graphical desktop environment must set the idle timeout to no more than 15 minutes. | CAT II | No action required | Addressed by script |
SV-50431r3_rule | The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment. | CAT II | No action required | Addressed by script |
SV-50434r1_rule | The system must set a maximum audit log file size. | CAT II | No action required | Addressed by script |
SV-50435r1_rule | The system must rotate audit log files that reach the maximum file size. | CAT II | No action required | Addressed by script |
SV-50436r2_rule | The audit system must be configured to audit all attempts to alter system time through | CAT III | No action required | Addressed by script |
SV-50437r1_rule | The system must retain enough rotated audit logs to cover the required log retention period. | CAT II | No action required | Addressed by script |
SV-50439r3_rule | The graphical desktop environment must have automatic lock enabled. | CAT II | No action required | Addressed by script |
SV-50440r3_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock. | CAT III | No action required | Addressed by script |
SV-50441r2_rule | The Automatic Bug Reporting Tool ( | CAT III | No action required | Addressed by script |
SV-50442r2_rule | The | CAT III | No action required | Addressed by script |
SV-50443r1_rule | The system default | CAT III | No action required | Addressed by script |
SV-50445r2_rule | The | CAT III | No action required | Addressed by script |
SV-50446r1_rule | The system default | CAT III | No action required | Addressed by script |
SV-50447r2_rule | The | CAT III | No action required | Addressed by script |
SV-50448r1_rule | The system default | CAT III | Addressed by script | Not implemented |
SV-50449r2_rule | The | CAT III | No action required | Addressed by script |
SV-50450r1_rule | The system default | CAT III | Addressed by script | Not implemented |
SV-50451r2_rule | The | CAT III | No action required | Addressed by script |
SV-50452r1_rule | The system default | CAT III | Addressed by script | Not implemented |
SV-50457r1_rule | The system must use SMB client signing for connecting to samba servers using | CAT III | Addressed by script | Not implemented |
SV-50470r1_rule | The postfix service must be enabled for mail delivery. | CAT III | Addressed by script | Not implemented |
SV-50472r1_rule | The | CAT II | No action required | Addressed by script |
SV-50473r2_rule | The | CAT III | No action required | Addressed by script |
SV-50475r1_rule | X Windows must not be enabled unless required. | CAT II | No action required | Addressed by script |
SV-50476r2_rule | Process core dumps must be disabled unless needed. | CAT III | Addressed by script | Not implemented |
SV-50477r1_rule | The | CAT III | No action required | Addressed by script |
SV-50480r2_rule | The DHCP client must be disabled if not needed. | CAT II | Addressed by script | Not implemented |
SV-50481r1_rule | The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | CAT II | No action required | Addressed by script |
SV-50485r2_rule | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. | CAT III | Addressed by script | Not implemented |
SV-50488r2_rule | The system must provide VPN connectivity for communications over untrusted networks. | CAT III | Addressed by script | Not implemented |
SV-50489r2_rule | A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | CAT II | No action required | Addressed by script |
SV-50492r2_rule | The Bluetooth service must be disabled. | CAT II | No action required | Addressed by script |
SV-50493r1_rule | Accounts must be locked upon 35 days of inactivity. | CAT III | Addressed by script | Not implemented |
SV-50495r1_rule | The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity. | CAT III | Addressed by script | Not implemented |
SV-50498r2_rule | The sticky bit must be set on all public directories. | CAT III | Addressed by script | No action required |
SV-50500r2_rule | All public directories must be owned by a system account. | CAT III | No action required | Addressed by script |
SV-50502r1_rule | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. | CAT I | No action required | Addressed by script |
SV-65547r1_rule | The system must use a Linux Security Module at boot time. | CAT II | No action required | Addressed by script |
SV-65573r1_rule | The system must use a Linux Security Module configured to enforce limits on system services. | CAT II | Addressed by script | Not implemented |
SV-65579r1_rule | The system must use a Linux Security Module configured to limit the privileges of system services. | CAT III | No action required | Addressed by script |
SV-66089r1_rule | The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. | CAT II | No action required | Addressed by script |
SV-68627r1_rule | The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. | CAT II | Addressed by script | Not implemented |
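Many of the operating system rows above are kernel network settings and SSH daemon options whose compliance can be verified from a configuration snapshot without touching the host's state. The following is an added example, not the Oracle Key Vault hardening script, showing how a defender can check `sysctl -a` output and an `sshd_config` file against the rows for IP forwarding, source routing, ICMP redirects, reverse-path filtering, Martian logging and the SSH rules (SV-50312 through SV-50349, SV-50401, SV-50402, SV-50408 through SV-50417). The expected sysctl values follow directly from the rule titles; the bounds used for `ClientAliveInterval` and `ClientAliveCountMax` are this example's assumptions, and both input snapshots are constructed. The sshd parser honours the daemon's first-occurrence-wins semantics, which is the detail a naive grep gets wrong.

```python
"""Check a Linux host snapshot against several of the OS STIG rows above.

Added example (not the Oracle Key Vault hardening script). It reads two text
inputs, the output of `sysctl -a` and the contents of sshd_config, and returns
which checks fail. Expected values follow the rule titles in the table; the
numeric sshd idle-session bounds are this example's assumptions.
"""
import re

# sysctl key -> (expected value, STIG rule the key relates to)
SYSCTL_EXPECTED = {
    "net.ipv4.ip_forward": ("0", "SV-50312r1_rule"),
    "net.ipv4.conf.all.accept_source_route": ("0", "SV-50324r2_rule"),
    "net.ipv4.conf.default.accept_source_route": ("0", "SV-50330r1_rule"),
    "net.ipv4.conf.all.accept_redirects": ("0", "SV-50325r1_rule"),
    "net.ipv4.conf.default.accept_redirects": ("0", "SV-50334r2_rule"),
    "net.ipv4.conf.all.secure_redirects": ("0", "SV-50327r1_rule"),
    "net.ipv4.conf.default.secure_redirects": ("0", "SV-50333r1_rule"),
    "net.ipv4.conf.all.send_redirects": ("0", "SV-50402r1_rule"),
    "net.ipv4.conf.default.send_redirects": ("0", "SV-50401r1_rule"),
    "net.ipv4.conf.all.rp_filter": ("1", "SV-50343r1_rule"),
    "net.ipv4.conf.default.rp_filter": ("1", "SV-50345r1_rule"),
    "net.ipv4.conf.all.log_martians": ("1", "SV-50329r1_rule"),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("1", "SV-50336r2_rule"),
    "net.ipv4.icmp_ignore_bogus_error_responses": ("1", "SV-50338r2_rule"),
    "net.ipv6.conf.default.accept_redirects": ("0", "SV-50349r2_rule"),
}

# sshd_config keyword (lower-cased) -> (predicate on the value, STIG rule)
SSHD_EXPECTED = {
    "protocol": (lambda v: v == "2", "SV-50408r1_rule"),
    # Assumed bounds: an idle interval must be set and be at most 15 minutes.
    "clientaliveinterval": (lambda v: v.isdigit() and 0 < int(v) <= 900, "SV-50409r1_rule"),
    # Assumed value: no keep-alive retries before the idle session is dropped.
    "clientalivecountmax": (lambda v: v == "0", "SV-50411r1_rule"),
    "hostbasedauthentication": (lambda v: v == "no", "SV-50413r1_rule"),
    "permitrootlogin": (lambda v: v == "no", "SV-50414r1_rule"),
    "permitemptypasswords": (lambda v: v == "no", "SV-50415r1_rule"),
    "permituserenvironment": (lambda v: v == "no", "SV-50417r1_rule"),
}


def parse_sysctl(text):
    """Parse `key = value` lines from sysctl -a output into a dict."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\-/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def parse_sshd_config(text):
    """Return effective sshd keywords (lower-cased).

    sshd applies the first occurrence of a keyword and ignores later
    duplicates, so setdefault() keeps the first value seen. Match blocks are
    not modelled; global settings only.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def check_host(sysctl_text, sshd_text):
    """Return a sorted list of (rule, setting, observed) for failing checks.

    A setting that is absent from the snapshot is reported as '<unset>' and
    counts as a failure, so a missing line is never mistaken for compliance.
    """
    failures = []
    sysctl = parse_sysctl(sysctl_text)
    for key, (expected, rule) in SYSCTL_EXPECTED.items():
        observed = sysctl.get(key, "<unset>")
        if observed != expected:
            failures.append((rule, key, observed))
    sshd = parse_sshd_config(sshd_text)
    for key, (ok, rule) in SSHD_EXPECTED.items():
        observed = sshd.get(key, "<unset>")
        if observed == "<unset>" or not ok(observed):
            failures.append((rule, key, observed))
    return sorted(failures)


# Constructed snapshots (not captured from a real Key Vault server).
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv6.conf.default.accept_redirects = 0
"""

SAMPLE_SSHD = """\
# constructed sshd_config excerpt
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
HostbasedAuthentication no
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
"""

if __name__ == "__main__":
    for rule, setting, observed in check_host(SAMPLE_SYSCTL, SAMPLE_SSHD):
        print(f"FAIL {rule}: {setting} = {observed}")
```

On the constructed input the checker reports two failures: Martian logging is off (which matches the "Not implemented" entry for SV-50329r1_rule in the table), and `PermitRootLogin` is effectively `yes` because the first occurrence wins even though a later line says `no`. Note that OpenSSH releases from 7.4 onward have removed the `Protocol` keyword, so on such hosts that single check should be dropped rather than read as a finding.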