HKU Server Compliance Baseline Policies for Unix/Linux Platforms

Supported Unix/Linux Platforms include: RHEL/CentOS 7-8, AIX 7, Solaris 10-11 and HP-UX 11.31

Identification and Authorization

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 1 | The root account MUST be the only account having UID 0 – if more than one account has UID 0, potential intruders have a greater chance of guessing the password of a privileged account. | V-38500 |
| 2 | The system MUST not have unnecessary accounts – accounts serving no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system; they should be removed or locked. | V-38496, V-4269 |
| 3 | Shadow passwords or an equivalent MUST be turned on – if /etc/passwd (usually world-readable) contains password hashes, the passwords are open to attack through lookup tables or cryptographic weaknesses in the hashes. | V-38499 |
| 4 | The root user must not own the logon session for an application requiring a continuous display – this poses a security risk, as unauthorized users could interrupt the process and gain root access to the system. If an application requires a continuous display, make sure an unprivileged user session is used instead. | V-769 |
| 5 | The X server on a Linux system enables the GUI (Graphical User Interface), so that users can interact with the system without using cryptic commands. Improper configuration of the X server may expose the system to security risk. On systems with the X server enabled, ensure proper options are in place. If possible, avoid using an X server on a server system. | V-1021 |
| 6 | To safeguard against brute-force login attempts, automatic account lockout has to be in effect to lock out an account after consecutive failed logon attempts (recommended value of 8 or less). | V-38501 |

Password Control and Policy

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 7 | User passwords must be changed at least every 180 days. | V-38477/V-11976 |
| 8 | Users must be warned 7 days in advance of password expiration. | V-38480 |
| 9 | The system must require passwords to contain a minimum of 10 characters. | V-38475/V-11947 |
| 10 | The system must require passwords to contain at least one numeric character. | V-38482 |
| 11 | The system must not have accounts configured with blank or null passwords. | V-770/V-38497 |
| 12 | The system must prohibit the reuse of passwords within three iterations. | V-38658/V-4084 |

Auditing and Logging

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 13 | Successful and unsuccessful logins and logouts must be logged. | V-38628/V-765 |
| 14 | Auditing must be enabled at boot by setting a kernel parameter. | V-38438 |
| 15 | The audit system must be configured to audit user deletions of files and programs. | V-38575 |

Access Control

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 16a | Remote root access using password authentication MUST be disabled to ensure the accountability and audit logging of root access. | V-1047 |
| 16b | Enable SELinux in enforcing mode. | V-51363 |

Services and Applications

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 17 | No P2P software application – the system must NOT have peer-to-peer file sharing application software installed. | V-12025 |
| 18 | Legacy broadcast-based protocols such as IPX and NetBEUI MUST be disabled. | V-22520 |
| 19 | The system MUST have an approved anti-virus software application installed, with an up-to-date virus engine and signatures, if the server is acting in a file server role. Regular virus system scanning, or real-time scanning if supported, must be enabled on a file server. | V-38666 |
| 20 | Security-related patches MUST be applied to the system in a timely manner. | V-38481 |
| 21 | Disable unused services – system applications that are NOT required on the system should be disabled or removed. In general, the following software packages MUST not be running unless they are required by business need: | See below (21a–21h) |
| 21a | Legacy inetd-based services including chargen, echo, discard, daytime and time | V-29514 |
| 21b | telnet-server | V-38589 |
| 21c | rshd service | V-38594 |
| 21d | rexecd service | V-38598 |
| 21e | rlogind service | V-38602 |
| 21f | ypbind service | V-38604 |
| 21g | Unencrypted FTP must not be used on the system. | V-12010 |
| 21h | The TFTP service must not be running. | V-38609 |
| 22 | Enable the system firewall (iptables for IPv4 and ip6tables for IPv6) – the firewall MUST be turned on and configured according to the needs of the system, as a first line of defence. | V-38555, V-38549 |
| 23 | The firewall MUST implement a default DENY ALL rule, with allow-by-exception rules enabled on a need basis. | V-38444, V-38686 |
| 24 | The SSH daemon must be configured to use only the SSHv2 protocol. | V-38607 |
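To make part of the baseline checkable rather than only readable, the script below is an added example (not part of the HKU policy or any HKU tooling) that spot-checks rules 1, 3, 11, 16a and 24 against /etc/passwd, /etc/shadow and sshd_config on a RHEL-style host. The sample files built for its `--demo` mode are constructed, and the file paths and password-field lock markers are assumed to differ on Solaris, AIX and HP-UX.

```shell
#!/bin/sh
# Added example, not from the HKU page: spot-checks for baseline rules 1, 3,
# 11, 16a and 24 on a RHEL-style host. Each check prints the offending account
# or directive so a FAIL line explains itself; adjust patterns/paths for AIX etc.
extra_uid0_accounts() {  # rule 1: any UID-0 account besides root ($1 = passwd file)
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}
hashes_in_passwd() {     # rule 3: field 2 must be a placeholder (x, !, !!, *), never a hash
    awk -F: '$2 != "" && $2 !~ /^(x|!|!!|\*)$/ { print $1 }' "$1"
}
blank_passwords() {      # rule 11: empty field 2 in shadow = login with no password
    awk -F: '$2 == "" { print $1 }' "$1"
}
sshd_effective() {       # $1 = sshd_config, $2 = directive name
    # sshd honours the FIRST uncommented occurrence before any Match block, so a
    # later "PermitRootLogin no" does not override an earlier "yes".
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}
report() {               # $1 = rule, $2 = finding text (empty means PASS)
    if [ -n "$2" ]; then echo "rule $1: FAIL ($2)"; fails=$((fails + 1))
    else echo "rule $1: PASS"; fi
}
run_baseline() {         # $1 passwd, $2 shadow, $3 sshd_config; exit code = number of FAILs
    fails=0
    report 1  "$(extra_uid0_accounts "$1" | tr '\n' ' ' | sed 's/ $//')"
    report 3  "$(hashes_in_passwd "$1" | tr '\n' ' ' | sed 's/ $//')"
    report 11 "$(blank_passwords "$2" | tr '\n' ' ' | sed 's/ $//')"
    prl=$(sshd_effective "$3" PermitRootLogin)
    case "$prl" in  # key-only root login satisfies 16a; unset relies on a version-dependent default
        no|prohibit-password|without-password) report 16a "" ;;
        *) report 16a "PermitRootLogin=${prl:-unset}" ;;
    esac
    proto=$(sshd_effective "$3" Protocol)
    # OpenSSH 7.4+ dropped SSHv1 and this keyword; older builds default to 2,1, so only an explicit 2 passes.
    case "$proto" in 2) report 24 "" ;; *) report 24 "Protocol=${proto:-unset}" ;; esac
    return "$fails"
}
make_sample() {          # constructed stand-ins for the three files; every rule above fails on them
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/sh\n' > "$d/passwd"
    printf 'svc:$6$salt$hash:1001:1001::/srv:/sbin/nologin\n' >> "$d/passwd"
    printf 'root:$6$salt$hash:19000:0:99999:7:::\nguest::19000:0:99999:7:::\n' > "$d/shadow"
    printf '# PermitRootLogin no\nPermitRootLogin yes\nProtocol 2,1\nPermitRootLogin no\n' > "$d/sshd_config"
    echo "$d"
}
case "${1:-}" in
    --demo) d=$(make_sample); run_baseline "$d/passwd" "$d/shadow" "$d/sshd_config"; rm -rf "$d" ;;
    --live) run_baseline /etc/passwd /etc/shadow /etc/ssh/sshd_config ;;
esac
```

Run with `--demo` to see all five findings on the constructed files, or as root with `--live` to audit the host; a non-zero exit status is the number of failed rules.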
