HKU Server Compliance Baseline Policies for Unix/Linux Platforms

Supported Unix/Linux Platforms include: RHEL/CentOS 7-8, AIX 7, Solaris 10-11 and HP-UX 11.31

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| | Identification and Authorization | |
| 1 | The root account MUST be the only account with UID 0. If more than one account has UID 0, a potential intruder has a greater chance of guessing the password of a privileged account. | V-38500 |
| 2 | The system MUST not have unnecessary accounts. Accounts serving no operational purpose provide additional opportunities for system compromise. Unnecessary accounts, including user accounts for individuals who do not require access to the system and application accounts for applications not installed on the system, should be removed or locked. | V-38496/V-4269 |
| 3 | Shadow passwords, or an equivalent mechanism, MUST be turned on. If /etc/passwd (usually world-readable) contains password hashes, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes. | V-38499 |
| 4 | The root user must not own the logon session for an application requiring a continuous display. This poses a security risk, as unauthorized users could interrupt the process and gain root access to the system. If an application requires a continuous display, make sure an unprivileged user session is used instead. | V-769 |
| 5 | The X server on a Linux system enables the GUI (Graphical User Interface) so that users can interact with the system without using cryptic commands. Improper configuration of the X server may expose the system to security risk. For systems with the X server enabled, ensure proper options are in place. If possible, the use of an X server on a server system should be avoided. | V-1021 |
| 6 | To safeguard against brute-force login attempts, automatic account lockout must be in effect, locking out an account after consecutive failed logon attempts (recommended value of 8 or less). | V-38501 |
| | Password Control and Policy | |
| 7 | User passwords must be changed at least every 180 days. | V-38477/V-11976 |
| 8 | Users must be warned 7 days in advance of password expiration. | V-38480 |
| 9 | The system must require passwords to contain a minimum of 10 characters. | V-38475/V-11947 |
| 10 | The system must require passwords to contain at least one numeric character. | V-38482 |
| 11 | The system must not have accounts configured with blank or null passwords. | V-770/V-38497 |
| 12 | The system must prohibit the reuse of passwords within three iterations. | V-38658/V-4084 |
| | Auditing and Logging | |
| 13 | Successful and unsuccessful logins and logouts must be logged. | V-38628/V-765 |
| 14 | Auditing must be enabled at boot by setting a kernel parameter. | V-38438 |
| 15 | The audit system must be configured to audit user deletions of files and programs. | V-38575 |
| | Access Control | |
| 16a | Remote root access using password authentication MUST be disabled, to ensure the accountability and audit logging of root access. | V-1047 |
| 16b | Enable SELinux in enforcing mode. | V-51363 |
| | Services and Applications | |
| 17 | No P2P software: the system must NOT have peer-to-peer file sharing application software installed. | V-12025 |
| 18 | Legacy broadcast-based protocols such as IPX and NETBEUI MUST be disabled. | V-22520 |
| 19 | If the server is acting in a file server role, the system MUST have an approved anti-virus software application installed with an up-to-date virus engine and signatures. Regular virus system scanning, or real-time scanning if supported, must be enabled on a file server. | V-38666 |
| 20 | Security-related patches MUST be applied to the system in a timely manner. | V-38481 |
| 21 | Disable unused services: system applications that are NOT required on the system should be disabled or removed. In general, the following software packages MUST not be running unless they are required by a business need: | See below |
| 21a | Legacy inetd-based services, including chargen, echo, discard, daytime and time. | V-29514 |
| 21b | telnet-server | V-38589 |
| 21c | rshd service | V-38594 |
| 21d | rexecd service | V-38598 |
| 21e | rlogind service | V-38602 |
| 21f | ypbind service | V-38604 |
| 21g | Unencrypted FTP must not be used on the system. | V-12010 |
| 21h | The TFTP service must not be running. | V-38609 |
| 22 | Enable the system firewall (iptables for IPv4 and ip6tables for IPv6). The firewall MUST be turned on and configured according to the needs of the system, as a first line of defence. | V-38555/V-38549 |
| 23 | The firewall MUST implement a default DENY ALL rule, with allow-by-exception rules enabled on a need basis. | V-38444/V-38686 |
| 24 | The SSH daemon must be configured to use only the SSHv2 protocol. | V-38607 |
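As an added example (not part of the HKU baseline or of any STIG checker), the following Python audits a subset of the rules above against constructed sample files: rule 1 (extra UID 0 accounts), rule 3 (hashes left in /etc/passwd), rules 7, 8 and 9 (the 180-day, 7-day and 10-character thresholds in /etc/login.defs), and rules 16a and 24 (sshd_config). The `SAMPLES` data is made up, and mapping rule 16a to `PermitRootLogin yes` (with an absent directive counted as `yes`, the pre-OpenSSH 7.0 default) is an assumption of this example.

```python
# Constructed checker for baseline rules 1, 3, 7, 8, 9, 16a and 24; not HKU's or STIG's
# own tooling. File contents are passed in as strings (SAMPLES below are made up); on a
# host read /etc/passwd, /etc/login.defs and /etc/ssh/sshd_config and feed them in.
def check_passwd(passwd):
    """Rule 1: only root has UID 0. Rule 3: no password hash may sit in /etc/passwd."""
    findings = []
    for f in (l.split(":") for l in passwd.splitlines() if l.count(":") == 6):
        if f[2] == "0" and f[0] != "root":
            findings.append(f"rule 1: non-root account {f[0]} has UID 0")
        if f[1] not in ("", "x") and f[1][0] not in "*!":  # x, *, ! are shadow/lock markers
            findings.append(f"rule 3: password hash stored in passwd for {f[0]}")
    return findings

LOGIN_DEFS = {  # directive: (rule, passes?, requirement from the baseline)
    "PASS_MAX_DAYS": ("rule 7", lambda v: v <= 180, "<= 180"),
    "PASS_WARN_AGE": ("rule 8", lambda v: v >= 7, ">= 7"),
    "PASS_MIN_LEN": ("rule 9", lambda v: v >= 10, ">= 10"),  # pam_pwquality minlen may override
}

def check_login_defs(text):
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in LOGIN_DEFS and parts[1].isdigit():
            seen[parts[0]] = int(parts[1])
    return [f"{rule}: {key}={seen.get(key, 'unset')} (want {want})"
            for key, (rule, ok, want) in LOGIN_DEFS.items()
            if key not in seen or not ok(seen[key])]

def check_sshd_config(text):
    """Rule 24: SSHv1 off. Rule 16a: 'PermitRootLogin yes' fails (assumption); absent = yes."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())  # first value wins, as in sshd
    findings = []
    if "1" in opts.get("protocol", "2").split(","):
        findings.append(f"rule 24: SSHv1 enabled (Protocol {opts['protocol']})")
    if opts.get("permitrootlogin", "yes").lower() == "yes":  # OpenSSH < 7.0 defaulted to yes
        findings.append("rule 16a: PermitRootLogin yes permits root password login")
    return findings

SAMPLES = {check_passwd: "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/root:/bin/bash\n",
           check_login_defs: "PASS_MAX_DAYS 99999\nPASS_WARN_AGE 7\n# PASS_MIN_LEN 5\n",
           check_sshd_config: "Protocol 2,1\nPermitRootLogin yes\n"}  # deliberately non-compliant

if __name__ == "__main__":  # prints the findings for the constructed samples
    print(*(line for check, content in SAMPLES.items() for line in check(content)), sep="\n")
```

Each checker returns a list of findings, so an empty list means the file passes the rules it covers; PASS_MIN_LEN is only meaningful where pam_pwquality does not set its own minlen.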