Supported Unix/Linux Platforms include: RHEL/CentOS 7-8, AIX 7, Solaris 10-11 and HP-UX 11.31
Rule No. | Description | STIG Group ID (Vulid) |
---|---|---|
Identification and Authorization | ||
1 | Root account MUST be the only account having UID 0 – if there is more than one account with UID 0, potential intruders may increase the chance of guessing the password of privileged accounts. | V-38500 |
2 | The system MUST not have unnecessary accounts – accounts serving no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals who do not require access to the system and application accounts for applications not installed on the system; such accounts should be removed or locked. | V-38496 V-4269 |
3 | Shadow password or equivalent MUST be turned on – if the /etc/passwd (usually world-readable) contains password hashes, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes. | V-38499 |
4 | The root user must not own the logon session for an application requiring a continuous display – this poses a security risk, since unauthorized users could interrupt the process and gain root access to the system. If an application requires a continuous display, an unprivileged user session must be used instead. | V-769 |
5 | The X server on a Linux system provides the GUI (Graphical User Interface), so that users can interact with the system without typing commands. An improperly configured X server may expose the system to security risk. On systems with an X server enabled, ensure the proper options are in place. Where possible, avoid running an X server on server systems. | V-1021 |
6 | To safeguard against brute-force login attempts, automatic account lockout MUST be in effect so that an account is locked out after a number of consecutive failed logon attempts (recommended value of 8 or fewer). | V-38501 |
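Rules 1, 2, 3 and 6 can be checked from the account files directly. The script below is an added example, not part of the checklist; it builds constructed sample copies of the passwd, shadow and PAM files so it runs offline, and on a real host the same functions take /etc/passwd, /etc/shadow and the PAM file carrying pam_faillock (RHEL 7/8) or pam_tally2 (older releases). The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the checklist: audit account files against
# rules 1, 2, 3 and 6. The passwd, shadow and PAM files below are constructed
# samples; on a live host pass /etc/passwd, /etc/shadow and the PAM file that
# configures pam_faillock or pam_tally2 instead.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/passwd: "toor" is a second UID 0 account (rule 1 finding).
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
oracle:x:1001:1001:Oracle:/home/oracle:/bin/bash
EOF

# Constructed /etc/shadow: oracle is locked (leading "!"), the rest are active.
cat > "$WORK/shadow" <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
toor:$6$placeholder$hash:19000:0:99999:7:::
alice:$6$placeholder$hash:19000:0:99999:7:::
oracle:!$6$placeholder$hash:19000:0:99999:7:::
EOF

# Constructed PAM line in pam_faillock syntax; deny=10 exceeds the recommended 8.
cat > "$WORK/system-auth" <<'EOF'
auth required pam_faillock.so preauth silent deny=10 unlock_time=900
EOF

# Rule 1: every account whose UID is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Rule 3: succeeds when no passwd entry carries a hash, i.e. the password
# field is only the placeholder "x" or "*" (hashes live in the shadow file).
passwd_uses_shadow() {
    [ -z "$(awk -F: 'length($2) > 1' "$1")" ]
}

# Rule 2: accounts with a login shell and an unlocked shadow entry, i.e. the
# list an administrator reviews for users and applications no longer needed.
active_interactive_accounts() {
    awk -F: 'NR == FNR { if ($2 !~ /^[!*]/) active[$1] = 1; next }
             ($1 in active) && $7 !~ /nologin|false/ { print $1 }' "$2" "$1"
}

# Rule 6: the deny= value on the first pam_faillock/pam_tally2 line.
lockout_threshold() {
    awk '/pam_(faillock|tally2)\.so/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i; exit }
         }' "$1"
}

# One PASS/FAIL/REVIEW line per rule for the given passwd, shadow and PAM files.
audit_accounts() {
    extra=$(uid0_accounts "$1" | grep -v '^root$' || true)
    if [ -z "$extra" ]; then echo "PASS rule 1: root is the only UID 0 account"
    else echo "FAIL rule 1: additional UID 0 accounts: $(echo "$extra" | tr '\n' ' ')"; fi
    echo "REVIEW rule 2: active interactive accounts: $(active_interactive_accounts "$1" "$2" | tr '\n' ' ')"
    if passwd_uses_shadow "$1"; then echo "PASS rule 3: no hashes in passwd"
    else echo "FAIL rule 3: password hashes present in passwd"; fi
    deny=$(lockout_threshold "$3")
    if [ -n "$deny" ] && [ "$deny" -le 8 ]; then echo "PASS rule 6: lockout after $deny failures"
    else echo "FAIL rule 6: lockout threshold is ${deny:-unset}, expected 8 or fewer"; fi
}

audit_accounts "$WORK/passwd" "$WORK/shadow" "$WORK/system-auth"
```

Rule 2 is reported as REVIEW rather than PASS/FAIL because only someone who knows the system's purpose can say which of the active interactive accounts are unnecessary; the script narrows the list to accounts that could actually log in.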
Password Control and Policy | ||
7 | User passwords must be changed at least every 180 days. | V-38477/V-11976 |
8 | Users must be warned 7 days in advance of password expiration. | V-38480 |
9 | The system must require that passwords contain a minimum of 10 characters. | V-38475/V-11947 |
10 | The system must require passwords to contain at least one numeric character. | V-38482 |
11 | The system must not have accounts configured with blank or null passwords. | V-770/V-38497 |
12 | The system must prohibit the reuse of passwords within three iterations. | V-38658/V-4084 |
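Rules 7 to 10 and 12 map onto a handful of settings in login.defs and the PAM password stack. The script below is an added example, not part of the checklist: it evaluates constructed sample copies of those files, and on RHEL 7/8 the real inputs are /etc/login.defs and /etc/pam.d/system-auth. It assumes the module names pam_pwquality (complexity) and pam_pwhistory (reuse); on hosts where the digit requirement lives in /etc/security/pwquality.conf or reuse is set through pam_unix's remember= option, extend the pam_option lookup accordingly.

```shell
#!/bin/sh
# Added example, not part of the checklist: check rules 7, 8, 9, 10 and 12
# against a login.defs file and a PAM password stack. Both files are
# constructed samples; assumed module names are pam_pwquality and pam_pwhistory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed login.defs: PASS_MAX_DAYS and PASS_MIN_LEN violate the checklist.
cat > "$WORK/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   7
EOF

# Constructed PAM password stack: one digit required (dcredit=-1) and the
# last five passwords remembered.
cat > "$WORK/system-auth" <<'EOF'
password requisite  pam_pwquality.so try_first_pass retry=3 dcredit=-1
password required   pam_pwhistory.so remember=5 use_authtok
password sufficient pam_unix.so sha512 shadow use_authtok
EOF

# Value of one login.defs key (first uncommented occurrence), empty if unset.
login_def() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Value of "opt=" on the first line naming the given PAM module, empty if absent.
pam_option() {
    awk -v mod="$2" -v opt="$3" 'index($0, mod) {
             for (i = 1; i <= NF; i++)
                 if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
         }' "$1"
}

# One PASS/FAIL line per rule for a login.defs path and a PAM file path.
check_password_policy() {
    max=$(login_def "$1" PASS_MAX_DAYS)
    warn=$(login_def "$1" PASS_WARN_AGE)
    minlen=$(login_def "$1" PASS_MIN_LEN)
    dcredit=$(pam_option "$2" pam_pwquality dcredit)
    remember=$(pam_option "$2" pam_pwhistory remember)

    if [ -n "$max" ] && [ "$max" -le 180 ]; then echo "PASS rule 7: PASS_MAX_DAYS=$max"
    else echo "FAIL rule 7: PASS_MAX_DAYS=${max:-unset}, expected 180 or less"; fi
    if [ -n "$warn" ] && [ "$warn" -ge 7 ]; then echo "PASS rule 8: PASS_WARN_AGE=$warn"
    else echo "FAIL rule 8: PASS_WARN_AGE=${warn:-unset}, expected 7 or more"; fi
    if [ -n "$minlen" ] && [ "$minlen" -ge 10 ]; then echo "PASS rule 9: PASS_MIN_LEN=$minlen"
    else echo "FAIL rule 9: PASS_MIN_LEN=${minlen:-unset}, expected 10 or more"; fi
    # In pam_pwquality a negative dcredit is the minimum number of digits required.
    if [ -n "$dcredit" ] && [ "$dcredit" -lt 0 ]; then echo "PASS rule 10: dcredit=$dcredit"
    else echo "FAIL rule 10: dcredit=${dcredit:-unset}, expected -1 or lower"; fi
    if [ -n "$remember" ] && [ "$remember" -ge 3 ]; then echo "PASS rule 12: remember=$remember"
    else echo "FAIL rule 12: remember=${remember:-unset}, expected 3 or more"; fi
}

check_password_policy "$WORK/login.defs" "$WORK/system-auth"
```

Note that login.defs only governs accounts created after it is set; existing accounts keep the ageing values stored in their shadow entries, so a complete check of rules 7 and 8 also reads `chage -l` (or the shadow fields) for each active account.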
Auditing and Logging | ||
13 | Successful and unsuccessful logins and logouts must be logged. | V-38628/V-765 |
14 | Auditing must be enabled at boot by setting a kernel parameter. | V-38438 |
15 | The audit system must be configured to audit user deletions of files and programs. | V-38575 |
Access Control | ||
16a | Remote root access using password authentication MUST be disabled to ensure the accountability and audit logging of root access. | V-1047 |
16b | SELinux MUST be enabled in enforcing mode. | V-51363 |
Services and Applications | ||
17 | No P2P software application – the system must NOT have peer-to-peer file sharing application software installed. | V-12025 |
18 | Legacy broadcast-based protocols such as IPX and NetBEUI MUST be disabled. | V-22520 |
19 | If the server is acting in a file server role, the system MUST have an approved anti-virus software application installed with an up-to-date virus engine and signatures. Regular virus scanning of the system, or real-time scanning if supported, must be enabled on a file server. | V-38666 |
20 | Security-related patches MUST be applied to the system in a timely manner. | V-38481 |
21 | Disable unused services – system applications that are NOT required on the system should be disabled or removed. In general, the following software packages MUST NOT be running unless required by business need: | See Below |
21a | Legacy inetd-based services including chargen, echo, discard, daytime and time | V-29514 |
21b | telnet-server | V-38589 |
21c | rshd service | V-38594 |
21d | rexecd service | V-38598 |
21e | rlogind service | V-38602 |
21f | ypbind service | V-38604 |
21g | Unencrypted FTP must not be used on the system. | V-12010 |
21h | The TFTP service must not be running. | V-38609 |
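The services in 21a to 21h can be screened from a unit-file listing and an inetd.conf. The script below is an added example, not part of the checklist: it works on constructed listings, and on a live host the inputs are the output of `systemctl list-unit-files --no-legend` (RHEL 7/8) and /etc/inetd.conf (AIX, Solaris 10, HP-UX; Solaris 11 uses SMF, so `svcs` output would be needed instead). The unit and service names in the two prohibited lists are assumptions based on common distribution packaging, not names taken from the checklist.

```shell
#!/bin/sh
# Added example, not part of the checklist: flag the services of rules 21a-21h
# in a systemd unit-file listing and an inetd.conf. Both listings are
# constructed; the prohibited unit/service names are assumed from common
# distribution packaging.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "systemctl list-unit-files --no-legend" output: telnet, tftp and
# ypbind are enabled.
cat > "$WORK/units.txt" <<'EOF'
sshd.service                   enabled
telnet.socket                  enabled
rsh.socket                     disabled
tftp.socket                    enabled
ypbind.service                 enabled
vsftpd.service                 disabled
EOF

# Constructed inetd.conf: echo is commented out, daytime and ftp are live.
cat > "$WORK/inetd.conf" <<'EOF'
#echo    stream tcp nowait root internal
daytime  stream tcp nowait root internal
ftp      stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
EOF

# Rules 21b-21h as systemd units (assumed names).
PROHIBITED_UNITS="telnet.socket rsh.socket rexec.socket rlogin.socket ypbind.service tftp.socket vsftpd.service"
# Rules 21a-21e, 21g, 21h as classic inetd service names (assumed names).
PROHIBITED_INETD="chargen echo discard daytime time telnet shell exec login ftp tftp"

# Units from the prohibited list whose state column is "enabled".
enabled_prohibited_units() {
    awk -v list="$PROHIBITED_UNITS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        ($1 in bad) && $2 == "enabled" { print $1 }' "$1"
}

# Uncommented inetd.conf entries for prohibited services.
active_prohibited_inetd() {
    awk -v list="$PROHIBITED_INETD" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        $1 !~ /^#/ && ($1 in bad) { print $1 }' "$1"
}

# One FAIL line per finding across both listings.
report_services() {
    for u in $(enabled_prohibited_units "$1"); do
        echo "FAIL rule 21: $u is enabled"
    done
    for s in $(active_prohibited_inetd "$2"); do
        echo "FAIL rule 21: inetd service $s is active"
    done
}

report_services "$WORK/units.txt" "$WORK/inetd.conf"
```

"enabled" only says a unit starts at boot; a unit started by hand shows as "disabled" yet may still be running, so on a live host pair this with `systemctl is-active` for each prohibited unit. Listing vsftpd treats it as plain FTP (rule 21g); a server configured for FTPS only would need a manual review rather than an automatic FAIL.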
22 | Enable the system firewall (iptables for IPv4 and ip6tables for IPv6) – the firewall MUST be turned on and configured according to the needs of the system as a first line of defence. | V-38555 V-38549 |
23 | The firewall MUST implement a default DENY ALL rule, with allow-by-exception rules enabled on a need basis. | V-38444 V-38686 |
24 | The SSH daemon must be configured to use only the SSHv2 protocol. | V-38607 |
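Rules 16a and 24 are both sshd_config settings, rule 16b is one line in the SELinux config, and rule 23 is the chain policy in `iptables -S` output, so they can be checked together. The script below is an added example, not part of the checklist: it reads constructed copies of those three inputs, and on a RHEL host the real ones are /etc/ssh/sshd_config, /etc/selinux/config and the output of `iptables -S` (and `ip6tables -S` for IPv6) saved to a file. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the checklist: evaluate rules 16a, 16b, 23 and 24
# from an sshd_config file, a SELinux config file and saved "iptables -S"
# output. All three inputs are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config: root may log in with a password (rule 16a finding).
cat > "$WORK/sshd_config" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed /etc/selinux/config: permissive instead of enforcing.
cat > "$WORK/selinux.conf" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# Constructed "iptables -S" output: INPUT and FORWARD policies are ACCEPT.
cat > "$WORK/iptables.txt" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF

# sshd keywords are case-insensitive and the first occurrence wins.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# SELINUX= setting from the SELinux config file.
selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1" | head -n 1
}

# Default policy of one chain from "iptables -S" output.
chain_policy() {
    awk -v chain="$2" '$1 == "-P" && $2 == chain { print $3; exit }' "$1"
}

# One PASS/FAIL/REVIEW line per rule for sshd_config, selinux config, iptables dump.
check_access_control() {
    root=$(sshd_option "$1" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password) echo "PASS rule 16a: PermitRootLogin $root" ;;
        "") echo "REVIEW rule 16a: PermitRootLogin unset; the default depends on the OpenSSH version" ;;
        *) echo "FAIL rule 16a: PermitRootLogin $root, expected no or prohibit-password" ;;
    esac
    mode=$(selinux_mode "$2")
    if [ "$mode" = "enforcing" ]; then echo "PASS rule 16b: SELINUX=enforcing"
    else echo "FAIL rule 16b: SELINUX=${mode:-unset}, expected enforcing"; fi
    for chain in INPUT FORWARD; do
        pol=$(chain_policy "$3" "$chain")
        if [ "$pol" = "DROP" ]; then echo "PASS rule 23: $chain policy DROP"
        else echo "FAIL rule 23: $chain policy ${pol:-unset}, expected DROP"; fi
    done
    proto=$(sshd_option "$1" Protocol)
    case "$proto" in
        2) echo "PASS rule 24: Protocol 2" ;;
        "") echo "REVIEW rule 24: Protocol unset; SSHv1 is off only if the OpenSSH build has no SSHv1 support" ;;
        *) echo "FAIL rule 24: Protocol $proto, expected 2" ;;
    esac
}

check_access_control "$WORK/sshd_config" "$WORK/selinux.conf" "$WORK/iptables.txt"
```

The config-file check for rule 16b covers the boot-time setting; the running mode comes from `getenforce`, and both must say enforcing. For rule 23 a DROP policy on INPUT and FORWARD is what makes the allow rules below it exceptions rather than redundant; OUTPUT is left to the system's needs as rule 22 states.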