Docs overhaul

* Docs are now ordered by STIG ID number to make them easier to browse.
* Deployer notes are better organized.
* Script + CSV added for automated documentation generation.

Implements: blueprint security-hardening

Change-Id: Ib87bec701eddf1601574f4e027f301c775e5e1cd
Major Hayden 2015-10-13 16:23:08 -05:00
parent 241f6cd074
commit a676e37a84
270 changed files with 7734 additions and 3719 deletions



@ -4,264 +4,40 @@
Category 3 (High) configurations
================================
.. contents::
:depth: 2
.. toctree::
:maxdepth: 1
.. include:: stig-notes/V-38462.rst
V-38653: The snmpd service must not use a default password.
-----------------------------------------------------------
.. include:: stig-notes/V-38476.rst
Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
.. include:: stig-notes/V-38491.rst
Details: `V-38653 in STIG Viewer`_.
.. include:: stig-notes/V-38497.rst
.. _V-38653 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38653
.. include:: stig-notes/V-38587.rst
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38653.rst
.. include:: stig-notes/V-38589.rst
V-38666: The system must use and update a DoD-approved virus scan program.
--------------------------------------------------------------------------
.. include:: stig-notes/V-38591.rst
Virus scanning software can be used to detect if a system has been compromised
by computer viruses, as well as to limit their spread to other systems.
.. include:: stig-notes/V-38594.rst
Details: `V-38666 in STIG Viewer`_.
.. include:: stig-notes/V-38598.rst
.. _V-38666 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38666
.. include:: stig-notes/V-38602.rst
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38666.rst
.. include:: stig-notes/V-38607.rst
V-38668: The x86 Ctrl-Alt-Delete key sequence must be disabled.
---------------------------------------------------------------
.. include:: stig-notes/V-38614.rst
A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can
reboot the system. If accidentally pressed, as could happen in the case of
mixed OS environment, this can create the risk of short-term loss of
availability of systems due to unintentional reboot. In the GNOME graphical
environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
reduced because the user will be prompted before any action is taken.
.. include:: stig-notes/V-38653.rst
Details: `V-38668 in STIG Viewer`_.
.. include:: stig-notes/V-38666.rst
.. _V-38668 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38668
.. include:: stig-notes/V-38668.rst
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38668.rst
.. include:: stig-notes/V-38677.rst
V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
-------------------------------------------------------------------------------------------------------------------------------------
.. include:: stig-notes/V-38701.rst
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and protects against
malicious tampering.
Details: `V-38462 in STIG Viewer`_.
.. _V-38462 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38462
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38462.rst
V-38497: The system must not have accounts configured with blank or null passwords.
-----------------------------------------------------------------------------------
If an account has an empty password, anyone could log in and run commands with
the privileges of that account. Accounts with empty passwords should never be
used in operational environments.
Details: `V-38497 in STIG Viewer`_.
.. _V-38497 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38497
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38497.rst
V-38677: The NFS server must not have the insecure file locking option enabled.
-------------------------------------------------------------------------------
Allowing insecure file locking could allow for sensitive data to be viewed or
edited by an unauthorized user.
Details: `V-38677 in STIG Viewer`_.
.. _V-38677 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38677
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38677.rst
V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
-----------------------------------------------------------------------------------------------------------------
The Red Hat GPG keys are necessary to cryptographically verify packages are
from Red Hat.
Details: `V-38476 in STIG Viewer`_.
.. _V-38476 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38476
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38476.rst
V-38491: There must be no .rhosts or hosts.equiv files on the system.
---------------------------------------------------------------------
Trust files are convenient, but when used in conjunction with the R-services,
they can allow unauthenticated access to a system.
Details: `V-38491 in STIG Viewer`_.
.. _V-38491 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38491
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38491.rst
V-38607: The SSH daemon must be configured to use only the SSHv2 protocol.
--------------------------------------------------------------------------
SSH protocol version 1 suffers from design flaws that result in security
vulnerabilities and should not be used.
Details: `V-38607 in STIG Viewer`_.
.. _V-38607 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38607
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38607.rst
V-38602: The rlogind service must not be running.
-------------------------------------------------
The rlogin service uses unencrypted network communications, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
Details: `V-38602 in STIG Viewer`_.
.. _V-38602 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38602
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38602.rst
V-38594: The rshd service must not be running.
----------------------------------------------
The rsh service uses unencrypted network communications, which means that data
from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
Details: `V-38594 in STIG Viewer`_.
.. _V-38594 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38594
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38594.rst
V-38591: The rsh-server package must not be installed.
------------------------------------------------------
The "rsh-server" package provides several obsolete and insecure network
services. Removing it decreases the risk of those services' accidental (or
intentional) activation.
Details: `V-38591 in STIG Viewer`_.
.. _V-38591 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38591
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38591.rst
V-38598: The rexecd service must not be running.
------------------------------------------------
The rexec service uses unencrypted network communications, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
Details: `V-38598 in STIG Viewer`_.
.. _V-38598 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38598
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38598.rst
V-38587: The telnet-server package must not be installed.
---------------------------------------------------------
Removing the "telnet-server" package decreases the risk of the unencrypted
telnet service's accidental (or intentional) activation. Mitigation: If the
telnet-server package is configured to only allow encrypted sessions, such as
with Kerberos or the use of encrypted network tunnels, the risk of exposing
sensitive information is mitigated.
Details: `V-38587 in STIG Viewer`_.
.. _V-38587 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38587
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38587.rst
V-38589: The telnet daemon must not be running.
-----------------------------------------------
The telnet protocol uses unencrypted network communication, which means that
data from the login session, including passwords and all other information
transmitted during the session, can be stolen by eavesdroppers on the network.
The telnet protocol is also subject to man-in-the-middle attacks. Mitigation:
If an enabled telnet daemon is configured to only allow encrypted sessions,
such as with Kerberos or the use of encrypted network tunnels, the risk of
exposing sensitive information is mitigated.
Details: `V-38589 in STIG Viewer`_.
.. _V-38589 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38589
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38589.rst
V-38701: The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
------------------------------------------------------------------------------------------------------------------------------
Using the "-s" option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally specified directory
reduces the risk of sharing files which should remain private.
Details: `V-38701 in STIG Viewer`_.
.. _V-38701 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38701
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38701.rst
V-38614: The SSH daemon must not allow authentication using an empty password.
------------------------------------------------------------------------------
Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
Details: `V-38614 in STIG Viewer`_.
.. _V-38614 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38614
Developer Notes
~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38614.rst
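Review bot: the rewritten category page keeps a `.. toctree::` / `:maxdepth: 1` block with no entries directly above the run of `.. include:: stig-notes/V-xxxxx.rst` lines; `include` directives are not toctree entries, so that toctree renders nothing. Either drop it from this page or list the per-STIG documents under it instead of including them. The rendered view also collapses the +/- markers, so it is not obvious from this hunk whether `.. contents::` / `:depth: 2` survives; with every STIG entry now pulled in by include, a `.. contents::` at the top is what keeps the page browsable by STIG ID, which the commit message gives as the goal, so it is worth confirming it is kept.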


@ -0,0 +1,96 @@
#!/usr/bin/env python
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Generates the documentation scaffolding."""
import csv
from jinja2 import Template
from textwrap import fill
def reindent(string_to_indent, numSpaces):
"""Indent strings with spaces."""
s = string_to_indent.splitlines()
s = [(numSpaces * ' ') + line.lstrip() for line in s]
return '\n'.join(s)
stigviewer_url = ("https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/"
"2015-05-26/finding/{0}")
stig_note_template = """{{ title }}
{{ '-' * title | length }}
{{ desc }}
Details: `{{ id }} in STIG Viewer`_.
.. _{{ id }} in STIG Viewer: {{ stigviewer }}
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/{{ id }}.rst
"""
stigs = []
with open('rhel6stig.csv', 'r') as csvfile:
reader = csv.reader(csvfile)
for row in reader:
metadata = {
'id': row[0],
'title': "{0}: {1}".format(row[0], row[2]),
'desc': fill(row[3], width=78),
'fixtext': row[7],
'checktext': row[9],
'severity': row[1],
'stigviewer': stigviewer_url.format(row[0]),
}
template = Template(stig_note_template)
with open("stig-notes/{0}.rst".format(metadata['id']), 'w') as rstfile:
rstfile.write(template.render(metadata))
stigs.append(metadata)
category_template = """.. include:: <xhtml1-lat1.txt>
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible
Category {{ level }} ({{ name | capitalize }}) configurations
================================
.. toctree::
:maxdepth: 1
"""
categories = {
'low': 1,
'medium': 2,
'high': 3,
}
for category_name, category_level in categories.items():
matching_stigs = [x for x in stigs if x['severity'] == category_name]
cat_file = open("configurations-cat{0}.rst".format(category_level), 'w')
template = Template(category_template)
cat_file.write(template.render(name=category_name,
level=category_level))
include_template = ".. include:: stig-notes/{0}.rst\n\n"
for matching_stig in sorted(matching_stigs, key=lambda k: k['id']):
cat_file.write(include_template.format(matching_stig['id']))
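Review bot: `cat_file` is opened with a bare `open()` in the category loop and never closed; using the `with` idiom the same script already applies to `rstfile` would flush and close each `configurations-catN.rst` deterministically. Two smaller points in the same hunk: the heading underline in `category_template` is a fixed 32 `=` characters, which exactly fits `Category 3 (High) configurations` but is two characters short for `Category 2 (Medium) configurations`, so docutils will flag a short title underline on that page; deriving the underline from the rendered heading length, as `stig_note_template` does with `{{ '-' * title | length }}`, avoids this. Also, `reindent()` is defined but never called, and `csv.reader` consumes every row of rhel6stig.csv, so if the CSV carries a header row the script will emit a bogus `stig-notes/<header>.rst`; skipping the first row or switching to `csv.DictReader` would make the column assumptions (`row[0]`, `row[1]`, `row[2]`, `row[3]`, `row[7]`, `row[9]`) explicit.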

doc/source/rhel6stig.csv (new file, 3378 lines; diff suppressed because it is too large)


@ -0,0 +1,22 @@
V-38437: Automated file system mounting tools must not be enabled unless needed.
--------------------------------------------------------------------------------
All filesystems that are required for the successful operation of the system
should be explicitly listed in "/etc/fstab" by an administrator. New
filesystems should not be arbitrarily introduced via the automounter. The
"autofs" daemon mounts and unmounts filesystems, such as user home directories
shared via NFS, on demand. In addition, autofs can be used to handle removable
media, and the default configuration provides the cdrom device as "/misc/cd".
However, this method of providing access to removable media is not common, so
autofs can almost always be disabled if NFS is not in use. Even if NFS is
required, it is almost always possible to configure filesystem mounts
statically by editing "/etc/fstab" rather than relying on the automounter.
Details: `V-38437 in STIG Viewer`_.
.. _V-38437 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38437
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38437.rst


@ -0,0 +1,16 @@
V-38438: Auditing must be enabled at boot by setting a kernel parameter.
------------------------------------------------------------------------
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although "auditd" takes care of enabling this
for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
Details: `V-38438 in STIG Viewer`_.
.. _V-38438 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38438
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38438.rst


@ -0,0 +1,18 @@
V-38439: The system must provide automated support for account management functions.
------------------------------------------------------------------------------------
A comprehensive account management process that includes automation helps to
ensure the accounts designated as requiring attention are consistently and
promptly addressed. Enterprise environments make user account management
challenging and complex. A user management process requiring administrators to
manually address account management functions adds risk of potential
oversight.
Details: `V-38439 in STIG Viewer`_.
.. _V-38439 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38439
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38439.rst


@ -0,0 +1,14 @@
V-38443: The /etc/gshadow file must be owned by root.
-----------------------------------------------------
The "/etc/gshadow" file contains group password hashes. Protection of this
file is critical for system security.
Details: `V-38443 in STIG Viewer`_.
.. _V-38443 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38443
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38443.rst


@ -0,0 +1,16 @@
V-38444: The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
------------------------------------------------------------------------------------------------------------------
In "ip6tables" the default policy is applied only after all the applicable
rules in the table are examined for a match. Setting the default policy to
"DROP" implements proper design for a firewall, i.e., any packets which are
not explicitly permitted should not be accepted.
Details: `V-38444 in STIG Viewer`_.
.. _V-38444 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38444
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38444.rst


@ -0,0 +1,14 @@
V-38445: Audit log files must be group-owned by root.
-----------------------------------------------------
If non-privileged users can write to audit logs, audit trails can be modified
or destroyed.
Details: `V-38445 in STIG Viewer`_.
.. _V-38445 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38445
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38445.rst


@ -0,0 +1,15 @@
V-38446: The mail system must forward all mail for root to one or more system administrators.
---------------------------------------------------------------------------------------------
A number of system services utilize email messages sent to the root user to
notify system administrators of active or impending issues. These messages
must be forwarded to at least one monitored email address.
Details: `V-38446 in STIG Viewer`_.
.. _V-38446 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38446
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38446.rst


@ -0,0 +1,15 @@
V-38447: The system package management tool must verify contents of all files associated with packages.
-------------------------------------------------------------------------------------------------------
The hash on important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
Details: `V-38447 in STIG Viewer`_.
.. _V-38447 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38447
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38447.rst


@ -0,0 +1,14 @@
V-38448: The /etc/gshadow file must be group-owned by root.
-----------------------------------------------------------
The "/etc/gshadow" file contains group password hashes. Protection of this
file is critical for system security.
Details: `V-38448 in STIG Viewer`_.
.. _V-38448 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38448
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38448.rst


@ -0,0 +1,14 @@
V-38449: The /etc/gshadow file must have mode 0000.
---------------------------------------------------
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security.
Details: `V-38449 in STIG Viewer`_.
.. _V-38449 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38449
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38449.rst


@ -0,0 +1,15 @@
V-38450: The /etc/passwd file must be owned by root.
----------------------------------------------------
The "/etc/passwd" file contains information about the users that are
configured on the system. Protection of this file is critical for system
security.
Details: `V-38450 in STIG Viewer`_.
.. _V-38450 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38450
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38450.rst


@ -0,0 +1,15 @@
V-38451: The /etc/passwd file must be group-owned by root.
----------------------------------------------------------
The "/etc/passwd" file contains information about the users that are
configured on the system. Protection of this file is critical for system
security.
Details: `V-38451 in STIG Viewer`_.
.. _V-38451 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38451
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38451.rst


@ -0,0 +1,16 @@
V-38452: The system package management tool must verify permissions on all files and directories associated with packages.
--------------------------------------------------------------------------------------------------------------------------
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
Details: `V-38452 in STIG Viewer`_.
.. _V-38452 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38452
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38452.rst


@ -0,0 +1,16 @@
V-38453: The system package management tool must verify group-ownership on all files and directories associated with packages.
------------------------------------------------------------------------------------------------------------------------------
Group-ownership of system binaries and configuration files that is incorrect
could allow an unauthorized user to gain privileges that they should not have.
The group-ownership set by the vendor should be maintained. Any deviations
from this baseline should be investigated.
Details: `V-38453 in STIG Viewer`_.
.. _V-38453 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38453
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38453.rst


@ -0,0 +1,16 @@
V-38454: The system package management tool must verify ownership on all files and directories associated with packages.
------------------------------------------------------------------------------------------------------------------------
Ownership of system binaries and configuration files that is incorrect could
allow an unauthorized user to gain privileges that they should not have. The
ownership set by the vendor should be maintained. Any deviations from this
baseline should be investigated.
Details: `V-38454 in STIG Viewer`_.
.. _V-38454 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38454
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38454.rst


@ -0,0 +1,15 @@
V-38455: The system must use a separate file system for /tmp.
-------------------------------------------------------------
The "/tmp" partition is used as temporary storage by many programs. Placing
"/tmp" in its own partition enables the setting of more restrictive mount
options, which can help protect programs which use it.
Details: `V-38455 in STIG Viewer`_.
.. _V-38455 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38455
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38455.rst


@ -0,0 +1,17 @@
V-38456: The system must use a separate file system for /var.
-------------------------------------------------------------
Ensuring that "/var" is mounted on its own partition enables the setting of
more restrictive mount options. This helps protect system services such as
daemons or other programs which use it. It is not uncommon for the "/var"
directory to contain world-writable directories, installed by other software
packages.
Details: `V-38456 in STIG Viewer`_.
.. _V-38456 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38456
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38456.rst


@ -0,0 +1,16 @@
V-38457: The /etc/passwd file must have mode 0644 or less permissive.
---------------------------------------------------------------------
If the "/etc/passwd" file is writable by a group-owner or the world the risk
of its compromise is increased. The file contains the list of accounts on the
system and associated information, and protection of this file is critical for
system security.
Details: `V-38457 in STIG Viewer`_.
.. _V-38457 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38457
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38457.rst


@ -0,0 +1,15 @@
V-38458: The /etc/group file must be owned by root.
---------------------------------------------------
The "/etc/group" file contains information regarding groups that are
configured on the system. Protection of this file is important for system
security.
Details: `V-38458 in STIG Viewer`_.
.. _V-38458 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38458
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38458.rst


@ -0,0 +1,15 @@
V-38459: The /etc/group file must be group-owned by root.
---------------------------------------------------------
The "/etc/group" file contains information regarding groups that are
configured on the system. Protection of this file is important for system
security.
Details: `V-38459 in STIG Viewer`_.
.. _V-38459 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38459
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38459.rst


@ -0,0 +1,14 @@
V-38460: The NFS server must not have the all_squash option enabled.
--------------------------------------------------------------------
The "all_squash" option maps all client requests to a single anonymous uid/gid
on the NFS server, negating the ability to track file access by user ID.
Details: `V-38460 in STIG Viewer`_.
.. _V-38460 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38460
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38460.rst


@ -0,0 +1,15 @@
V-38461: The /etc/group file must have mode 0644 or less permissive.
--------------------------------------------------------------------
The "/etc/group" file contains information regarding groups that are
configured on the system. Protection of this file is important for system
security.
Details: `V-38461 in STIG Viewer`_.
.. _V-38461 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38461
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38461.rst


@ -0,0 +1,15 @@
V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
-------------------------------------------------------------------------------------------------------------------------------------
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and protects against
malicious tampering.
Details: `V-38462 in STIG Viewer`_.
.. _V-38462 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38462
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38462.rst


@ -0,0 +1,14 @@
V-38463: The system must use a separate file system for /var/log.
-----------------------------------------------------------------
Placing "/var/log" in its own partition enables better separation between log
files and other files in "/var/".
Details: `V-38463 in STIG Viewer`_.
.. _V-38463 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38463
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38463.rst


@ -0,0 +1,14 @@
V-38464: The audit system must take appropriate action when there are disk errors on the audit storage volume.
--------------------------------------------------------------------------------------------------------------
Taking appropriate action in case of disk errors will minimize the possibility
of losing audit records.
Details: `V-38464 in STIG Viewer`_.
.. _V-38464 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38464
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38464.rst


@ -0,0 +1,15 @@
V-38465: Library files must have mode 0755 or less permissive.
--------------------------------------------------------------
Files from shared library directories are loaded into the address space of
processes (including privileged ones) or of the kernel itself at runtime.
Restrictive permissions are necessary to protect the integrity of the system.
Details: `V-38465 in STIG Viewer`_.
.. _V-38465 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38465
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38465.rst


@ -0,0 +1,15 @@
V-38466: Library files must be owned by root.
---------------------------------------------
Files from shared library directories are loaded into the address space of
processes (including privileged ones) or of the kernel itself at runtime.
Proper ownership is necessary to protect the integrity of the system.
Details: `V-38466 in STIG Viewer`_.
.. _V-38466 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38466
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38466.rst


@ -0,0 +1,15 @@
V-38467: The system must use a separate file system for the system audit data path.
-----------------------------------------------------------------------------------
Placing "/var/log/audit" in its own partition enables better separation
between audit files and other files, and helps ensure that auditing cannot be
halted due to the partition running out of space.
Details: `V-38467 in STIG Viewer`_.
.. _V-38467 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38467
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38467.rst


@ -0,0 +1,14 @@
V-38468: The audit system must take appropriate action when the audit storage volume is full.
---------------------------------------------------------------------------------------------
Taking appropriate action in case of a filled audit storage volume will
minimize the possibility of losing audit records.
Details: `V-38468 in STIG Viewer`_.
.. _V-38468 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38468
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38468.rst


@ -0,0 +1,15 @@
V-38469: All system command files must have mode 755 or less permissive.
------------------------------------------------------------------------
System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these
programs cannot be co-opted.
Details: `V-38469 in STIG Viewer`_.
.. _V-38469 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38469
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38469.rst


@ -0,0 +1,14 @@
V-38470: The audit system must alert designated staff members when the audit storage volume approaches capacity.
----------------------------------------------------------------------------------------------------------------
Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption.
Details: `V-38470 in STIG Viewer`_.
.. _V-38470 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38470
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38470.rst


@ -0,0 +1,16 @@
V-38471: The system must forward audit records to the syslog service.
---------------------------------------------------------------------
The auditd service does not include the ability to send audit records to a
centralized server for management directly. It does, however, include an
audit event multiplexor plugin (audispd) to pass audit records to the local
syslog server.
Details: `V-38471 in STIG Viewer`_.
.. _V-38471 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38471
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38471.rst


@ -0,0 +1,15 @@
V-38472: All system command files must be owned by root.
--------------------------------------------------------
System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their execution of
these programs cannot be co-opted.
Details: `V-38472 in STIG Viewer`_.
.. _V-38472 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38472
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38472.rst
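Review bot: the rationale in the V-38472 hunk argues for restrictive permissions ("restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted") although the requirement in the heading is root ownership of system command files. V-38466 handles the same situation for library files with "Proper ownership is necessary to protect the integrity of the system."; suggest the same wording here. Independently of that, the stray "their" should go so the sentence reads "to ensure that execution of these programs cannot be co-opted."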


@ -0,0 +1,15 @@
V-38473: The system must use a separate file system for user home directories.
------------------------------------------------------------------------------
Ensuring that "/home" is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that users cannot
trivially fill partitions used for log or audit data storage.
Details: `V-38473 in STIG Viewer`_.
.. _V-38473 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38473
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38473.rst


@ -0,0 +1,15 @@
V-38474: The system must allow locking of graphical desktop sessions.
---------------------------------------------------------------------
The ability to lock graphical desktop sessions manually allows users to easily
secure their accounts should they need to depart from their workstations
temporarily.
Details: `V-38474 in STIG Viewer`_.
.. _V-38474 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38474
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38474.rst


@ -0,0 +1,19 @@
V-38475: The system must require passwords to contain a minimum of 14 characters.
---------------------------------------------------------------------------------
Requiring a minimum password length makes password cracking attacks more
difficult by ensuring a larger search space. However, any security benefit
from an onerous requirement must be carefully weighed against usability
problems, support costs, or counterproductive behavior that may result. While
it does not negate the password length requirement, it is preferable to
migrate from a password-based authentication scheme to a stronger one based on
PKI (public key infrastructure).
Details: `V-38475 in STIG Viewer`_.
.. _V-38475 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38475
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38475.rst


@ -0,0 +1,14 @@
V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
-----------------------------------------------------------------------------------------------------------------
The Red Hat GPG keys are necessary to cryptographically verify packages are
from Red Hat.
Details: `V-38476 in STIG Viewer`_.
.. _V-38476 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38476
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38476.rst
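Review bot: the heading in the V-38476 hunk is vendor-neutral ("Vendor-provided cryptographic certificates") but the rationale justifies the control only for Red Hat hosts ("The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat."). Either generalize the rationale to the distribution's package signing keys, or make sure the included ``developer-notes/V-38476.rst`` states which vendor keys are expected on the target platform and how their presence is checked; as written, a reader on a non-Red Hat system gets no guidance.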


@ -0,0 +1,14 @@
V-38477: Users must not be able to change passwords more than once every 24 hours.
----------------------------------------------------------------------------------
Setting the minimum password age protects against users cycling back to a
favorite password after satisfying the password reuse requirement.
Details: `V-38477 in STIG Viewer`_.
.. _V-38477 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38477
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38477.rst


@ -0,0 +1,16 @@
V-38478: The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
---------------------------------------------------------------------------------------------------------------
Although systems management and patching is extremely important to system
security, management by a system outside the enterprise enclave is not
desirable for some environments. However, if the system is being managed by
RHN or RHN Satellite Server the "rhnsd" daemon can remain on.
Details: `V-38478 in STIG Viewer`_.
.. _V-38478 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38478
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38478.rst
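Review bot: grammar in the V-38478 rationale: "systems management and patching is extremely important" has a compound subject and should read "are extremely important", and the final sentence needs a comma after the conditional clause ("if the system is being managed by RHN or RHN Satellite Server, the "rhnsd" daemon can remain on").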


@ -0,0 +1,17 @@
V-38479: User passwords must be changed at least every 60 days.
---------------------------------------------------------------
Setting the password maximum age ensures users are required to periodically
change their passwords. This could possibly decrease the utility of a stolen
password. Requiring shorter password lifetimes increases the risk of users
writing down the password in a convenient location subject to physical
compromise.
Details: `V-38479 in STIG Viewer`_.
.. _V-38479 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38479
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38479.rst


@ -0,0 +1,14 @@
V-38480: Users must be warned 7 days in advance of password expiration.
-----------------------------------------------------------------------
Setting the password warning age enables users to make the change at a
practical time.
Details: `V-38480 in STIG Viewer`_.
.. _V-38480 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38480
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38480.rst


@ -0,0 +1,14 @@
V-38481: System security patches and updates must be installed and up-to-date.
------------------------------------------------------------------------------
Installing software updates is a fundamental mitigation against the
exploitation of publicly-known vulnerabilities.
Details: `V-38481 in STIG Viewer`_.
.. _V-38481 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38481
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38481.rst


@ -0,0 +1,14 @@
V-38482: The system must require passwords to contain at least one numeric character.
-------------------------------------------------------------------------------------
Requiring digits makes password guessing attacks more difficult by ensuring a
larger search space.
Details: `V-38482 in STIG Viewer`_.
.. _V-38482 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38482
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38482.rst


@ -0,0 +1,15 @@
V-38483: The system package management tool must cryptographically verify the authenticity of system software packages during installation.
-------------------------------------------------------------------------------------------------------------------------------------------
Ensuring the validity of packages' cryptographic signatures prior to
installation ensures the provenance of the software and protects against
malicious tampering.
Details: `V-38483 in STIG Viewer`_.
.. _V-38483 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38483
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38483.rst


@ -0,0 +1,17 @@
V-38484: The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
-------------------------------------------------------------------------------------------------------------------------------------
Users need to be aware of activity that occurs regarding their account.
Providing users with information regarding the date and time of their last
successful login allows the user to determine if any unauthorized activity has
occurred and gives them an opportunity to notify administrators. At ssh
login, a user must be presented with the last successful login date and time.
Details: `V-38484 in STIG Viewer`_.
.. _V-38484 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38484
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38484.rst


@ -0,0 +1,16 @@
V-38486: The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Operating system backup is a critical step in maintaining data assurance and
availability. System-level information includes system-state information,
operating system and application software, and licenses. Backups must be
consistent with organizational recovery time and recovery point objectives.
Details: `V-38486 in STIG Viewer`_.
.. _V-38486 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38486
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38486.rst


@ -0,0 +1,15 @@
V-38487: The system package management tool must cryptographically verify the authenticity of all software packages during installation.
----------------------------------------------------------------------------------------------------------------------------------------
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and protects against
malicious tampering.
Details: `V-38487 in STIG Viewer`_.
.. _V-38487 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38487
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38487.rst


@ -0,0 +1,16 @@
V-38488: The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Operating system backup is a critical step in maintaining data assurance and
availability. User-level information is data generated by information system
and/or application users. Backups shall be consistent with organizational
recovery time and recovery point objectives.
Details: `V-38488 in STIG Viewer`_.
.. _V-38488 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38488
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38488.rst


@ -0,0 +1,14 @@
V-38489: A file integrity tool must be installed.
-------------------------------------------------
The AIDE package must be installed if it is to be available for integrity
checking.
Details: `V-38489 in STIG Viewer`_.
.. _V-38489 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38489
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38489.rst
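Review bot: the V-38489 rationale is circular ("The AIDE package must be installed if it is to be available for integrity checking.") and never says what the control protects. Suggest one sentence on the benefit, for instance that a file integrity tool such as AIDE lets administrators detect unauthorized changes to system binaries and configuration files, which also ties this item to the ownership and permission requirements (V-38469, V-38472) added in the same change.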


@ -0,0 +1,15 @@
V-38490: The operating system must enforce requirements for the connection of mobile devices to operating systems.
------------------------------------------------------------------------------------------------------------------
USB storage devices such as thumb drives can be used to introduce unauthorized
software and other vulnerabilities. Support for these devices should be
disabled and the devices themselves should be tightly controlled.
Details: `V-38490 in STIG Viewer`_.
.. _V-38490 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38490
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38490.rst


@ -0,0 +1,14 @@
V-38491: There must be no .rhosts or hosts.equiv files on the system.
---------------------------------------------------------------------
Trust files are convenient, but when used in conjunction with the R-services,
they can allow unauthenticated access to a system.
Details: `V-38491 in STIG Viewer`_.
.. _V-38491 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38491
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38491.rst


@ -0,0 +1,14 @@
V-38492: The system must prevent the root account from logging in from virtual consoles.
----------------------------------------------------------------------------------------
Preventing direct root login to virtual console devices helps ensure
accountability for actions taken on the system using the root account.
Details: `V-38492 in STIG Viewer`_.
.. _V-38492 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38492
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38492.rst


@ -0,0 +1,13 @@
V-38493: Audit log directories must have mode 0755 or less permissive.
----------------------------------------------------------------------
If users can delete audit logs, audit trails can be modified or destroyed.
Details: `V-38493 in STIG Viewer`_.
.. _V-38493 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38493
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38493.rst


@ -0,0 +1,14 @@
V-38494: The system must prevent the root account from logging in from serial consoles.
---------------------------------------------------------------------------------------
Preventing direct root login to serial port interfaces helps ensure
accountability for actions taken on the systems using the root account.
Details: `V-38494 in STIG Viewer`_.
.. _V-38494 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38494
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38494.rst
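Review bot: typo in the V-38494 rationale: "actions taken on the systems using the root account" should be singular, "on the system", matching the otherwise identical sentence in V-38492.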


@ -0,0 +1,14 @@
V-38495: Audit log files must be owned by root.
-----------------------------------------------
If non-privileged users can write to audit logs, audit trails can be modified
or destroyed.
Details: `V-38495 in STIG Viewer`_.
.. _V-38495 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38495
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38495.rst


@ -0,0 +1,14 @@
V-38496: Default operating system accounts, other than root, must be locked.
----------------------------------------------------------------------------
Disabling authentication for default system accounts makes it more difficult
for attackers to make use of them to compromise a system.
Details: `V-38496 in STIG Viewer`_.
.. _V-38496 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38496.rst


@ -0,0 +1,15 @@
V-38497: The system must not have accounts configured with blank or null passwords.
-----------------------------------------------------------------------------------
If an account has an empty password, anyone could log in and run commands with
the privileges of that account. Accounts with empty passwords should never be
used in operational environments.
Details: `V-38497 in STIG Viewer`_.
.. _V-38497 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38497
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38497.rst


@ -0,0 +1,13 @@
V-38498: Audit log files must have mode 0640 or less permissive.
----------------------------------------------------------------
If users can write to audit logs, audit trails can be modified or destroyed.
Details: `V-38498 in STIG Viewer`_.
.. _V-38498 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38498
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38498.rst


@ -0,0 +1,14 @@
V-38499: The /etc/passwd file must not contain password hashes.
---------------------------------------------------------------
The hashes for all user account passwords should be stored in the file
"/etc/shadow" and never in "/etc/passwd", which is readable by all users.
Details: `V-38499 in STIG Viewer`_.
.. _V-38499 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38499
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38499.rst


@ -0,0 +1,17 @@
V-38500: The root account must be the only account having a UID of 0.
---------------------------------------------------------------------
An account has root authority if it has a UID of 0. Multiple accounts with a
UID of 0 afford more opportunity for potential intruders to guess a password
for a privileged account. Proper configuration of sudo is recommended to
afford multiple system administrators access to root privileges in an
accountable manner.
Details: `V-38500 in STIG Viewer`_.
.. _V-38500 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38500
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38500.rst


@ -0,0 +1,14 @@
V-38501: The system must disable accounts after excessive login failures within a 15-minute interval.
-----------------------------------------------------------------------------------------------------
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
Details: `V-38501 in STIG Viewer`_.
.. _V-38501 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38501
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38501.rst


@ -0,0 +1,17 @@
V-38502: The /etc/shadow file must be owned by root.
----------------------------------------------------
The "/etc/shadow" file contains the list of local system accounts and stores
password hashes. Protection of this file is critical for system security.
Failure to give ownership of this file to root provides the designated owner
with access to sensitive information which could weaken the system security
posture.
Details: `V-38502 in STIG Viewer`_.
.. _V-38502 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38502
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38502.rst


@ -0,0 +1,14 @@
V-38503: The /etc/shadow file must be group-owned by root.
----------------------------------------------------------
The "/etc/shadow" file stores password hashes. Protection of this file is
critical for system security.
Details: `V-38503 in STIG Viewer`_.
.. _V-38503 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38503
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38503.rst


@ -0,0 +1,17 @@
V-38504: The /etc/shadow file must have mode 0000.
--------------------------------------------------
The "/etc/shadow" file contains the list of local system accounts and stores
password hashes. Protection of this file is critical for system security.
Failure to give ownership of this file to root provides the designated owner
with access to sensitive information which could weaken the system security
posture.
Details: `V-38504 in STIG Viewer`_.
.. _V-38504 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38504
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38504.rst
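Review bot: the V-38504 rationale is a verbatim copy of V-38502's and justifies root ownership ("Failure to give ownership of this file to root provides the designated owner with access...") while the heading requires mode 0000. Suggest replacing that last sentence with one about permissions, e.g. "Any mode more permissive than 0000 would let non-root users read the stored password hashes; root is not restricted by the mode bits, so 0000 does not interfere with normal operation."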


@ -0,0 +1,15 @@
V-38511: IP forwarding for IPv4 must not be enabled, unless the system is a router.
-----------------------------------------------------------------------------------
IP forwarding permits the kernel to forward packets from one network interface
to another. The ability to forward packets between two networks is only
appropriate for systems acting as routers.
Details: `V-38511 in STIG Viewer`_.
.. _V-38511 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38511
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38511.rst


@ -0,0 +1,14 @@
V-38512: The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The "iptables" service provides the system's host-based firewalling capability
for IPv4 and ICMP.
Details: `V-38512 in STIG Viewer`_.
.. _V-38512 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38512
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38512.rst


@ -0,0 +1,16 @@
V-38513: The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
------------------------------------------------------------------------------------------------------------------
In "iptables" the default policy is applied only after all the applicable
rules in the table are examined for a match. Setting the default policy to
"DROP" implements proper design for a firewall, i.e., any packets which are
not explicitly permitted should not be accepted.
Details: `V-38513 in STIG Viewer`_.
.. _V-38513 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38513
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38513.rst


@ -0,0 +1,14 @@
V-38514: The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
------------------------------------------------------------------------------------------
Disabling DCCP protects the system against exploitation of any flaws in its
implementation.
Details: `V-38514 in STIG Viewer`_.
.. _V-38514 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38514
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38514.rst


@ -0,0 +1,14 @@
V-38515: The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
------------------------------------------------------------------------------------------
Disabling SCTP protects the system against exploitation of any flaws in its
implementation.
Details: `V-38515 in STIG Viewer`_.
.. _V-38515 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38515
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38515.rst


@ -0,0 +1,14 @@
V-38516: The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
---------------------------------------------------------------------------------------
Disabling RDS protects the system against exploitation of any flaws in its
implementation.
Details: `V-38516 in STIG Viewer`_.
.. _V-38516 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38516
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38516.rst


@ -0,0 +1,14 @@
V-38517: The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
------------------------------------------------------------------------------------------------------
Disabling TIPC protects the system against exploitation of any flaws in its
implementation.
Details: `V-38517 in STIG Viewer`_.
.. _V-38517 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38517
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38517.rst


@ -0,0 +1,15 @@
V-38518: All rsyslog-generated log files must be owned by root.
---------------------------------------------------------------
The log files generated by rsyslog contain valuable information regarding
system configuration, user authentication, and other such information. Log
files should be protected from unauthorized access.
Details: `V-38518 in STIG Viewer`_.
.. _V-38518 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38518
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38518.rst


@ -0,0 +1,15 @@
V-38519: All rsyslog-generated log files must be group-owned by root.
---------------------------------------------------------------------
The log files generated by rsyslog contain valuable information regarding
system configuration, user authentication, and other such information. Log
files should be protected from unauthorized access.
Details: `V-38519 in STIG Viewer`_.
.. _V-38519 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38519
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38519.rst


@ -0,0 +1,17 @@
V-38520: The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
A log server (loghost) receives syslog messages from one or more systems. This
data can be used as an additional log source in the event a system is
compromised and its local logs are suspect. Forwarding log messages to a
remote loghost also provides system administrators with a centralized place to
view the status of multiple hosts within the enterprise.
Details: `V-38520 in STIG Viewer`_.
.. _V-38520 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38520
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38520.rst


@ -0,0 +1,17 @@
V-38521: The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
A log server (loghost) receives syslog messages from one or more systems. This
data can be used as an additional log source in the event a system is
compromised and its local logs are suspect. Forwarding log messages to a
remote loghost also provides system administrators with a centralized place to
view the status of multiple hosts within the enterprise.
Details: `V-38521 in STIG Viewer`_.
.. _V-38521 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38521
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38521.rst
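Review bot: the V-38521 rationale is word-for-word the same loghost paragraph used for V-38520, yet the two headings ask for different things (backing up audit records to another system versus centrally managing the content of audit records). That is acceptable only if the included ``developer-notes/V-38521.rst`` explains what, beyond remote syslog forwarding, satisfies the "centrally manage the content" requirement; otherwise readers will assume the two items are the same control.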


@ -0,0 +1,16 @@
V-38522: The audit system must be configured to audit all attempts to alter system time through settimeofday.
-------------------------------------------------------------------------------------------------------------
Arbitrary changes to the system time can be used to obfuscate nefarious
activities in log files, as well as to confuse network services that are
highly dependent upon an accurate system time (such as sshd). All changes to
the system time should be audited.
Details: `V-38522 in STIG Viewer`_.
.. _V-38522 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38522
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38522.rst


@ -0,0 +1,14 @@
V-38523: The system must not accept IPv4 source-routed packets on any interface.
--------------------------------------------------------------------------------
Accepting source-routed packets in the IPv4 protocol has few legitimate uses.
It should be disabled unless it is absolutely required.
Details: `V-38523 in STIG Viewer`_.
.. _V-38523 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38523
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38523.rst


@ -0,0 +1,14 @@
V-38524: The system must not accept ICMPv4 redirect packets on any interface.
-----------------------------------------------------------------------------
Accepting ICMP redirects has few legitimate uses. It should be disabled unless
it is absolutely required.
Details: `V-38524 in STIG Viewer`_.
.. _V-38524 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38524
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38524.rst


@ -0,0 +1,16 @@
V-38525: The audit system must be configured to audit all attempts to alter system time through stime.
------------------------------------------------------------------------------------------------------
Arbitrary changes to the system time can be used to obfuscate nefarious
activities in log files, as well as to confuse network services that are
highly dependent upon an accurate system time (such as sshd). All changes to
the system time should be audited.
Details: `V-38525 in STIG Viewer`_.
.. _V-38525 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38525
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38525.rst

View File

@ -0,0 +1,15 @@
V-38526: The system must not accept ICMPv4 secure redirect packets on any interface.
------------------------------------------------------------------------------------
Accepting "secure" ICMP redirects (from those gateways listed as default
gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.
Details: `V-38526 in STIG Viewer`_.
.. _V-38526 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38526
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38526.rst

View File

@ -0,0 +1,16 @@
V-38527: The audit system must be configured to audit all attempts to alter system time through clock_settime.
--------------------------------------------------------------------------------------------------------------
Arbitrary changes to the system time can be used to obfuscate nefarious
activities in log files, as well as to confuse network services that are
highly dependent upon an accurate system time (such as sshd). All changes to
the system time should be audited.
Details: `V-38527 in STIG Viewer`_.
.. _V-38527 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38527
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38527.rst

View File

@ -0,0 +1,16 @@
V-38528: The system must log Martian packets.
---------------------------------------------
The presence of "martian" packets (which have impossible addresses) as well as
spoofed packets, source-routed packets, and redirects could be a sign of
nefarious network activity. Logging these packets enables this activity to be
detected.
Details: `V-38528 in STIG Viewer`_.
.. _V-38528 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38528
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38528.rst
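Review bot: the rationale promises that logging martians makes activity detectable, but nothing here says where those messages land. The deployer note should name the key (``net.ipv4.conf.all.log_martians = 1``), say that the entries go to the kernel log (``dmesg``/syslog), and warn that multi-homed or asymmetrically routed hosts will log some legitimate traffic, so the messages must be forwarded to wherever operators actually look for the detection claim to hold.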

View File

@ -0,0 +1,14 @@
V-38529: The system must not accept IPv4 source-routed packets by default.
--------------------------------------------------------------------------
Accepting source-routed packets in the IPv4 protocol has few legitimate uses.
It should be disabled unless it is absolutely required.
Details: `V-38529 in STIG Viewer`_.
.. _V-38529 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38529
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38529.rst
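Review bot: this finding and V-38523 above are the ``default`` and ``all`` variants of the same setting; the deployer note should state that they are separate keys (``net.ipv4.conf.default.accept_source_route`` and ``net.ipv4.conf.all.accept_source_route``) and that both must be set, since ``default`` only seeds interfaces created after the value is written. The same pairing exists for ICMP redirects (V-38524/V-38533) and secure redirects (V-38526/V-38532).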

View File

@ -0,0 +1,16 @@
V-38530: The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
---------------------------------------------------------------------------------------------------------------
Arbitrary changes to the system time can be used to obfuscate nefarious
activities in log files, as well as to confuse network services that are
highly dependent upon an accurate system time (such as sshd). All changes to
the system time should be audited.
Details: `V-38530 in STIG Viewer`_.
.. _V-38530 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38530
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38530.rst

View File

@ -0,0 +1,15 @@
V-38531: The operating system must automatically audit account creation.
------------------------------------------------------------------------
In addition to auditing new user and group accounts, these watches will alert
the system administrator(s) to any modifications. Any unexpected users,
groups, or modifications should be investigated for legitimacy.
Details: `V-38531 in STIG Viewer`_.
.. _V-38531 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38531
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38531.rst
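Review bot: the rationale refers to "these watches" without listing the watched files, and the same paragraph is reused unchanged for V-38534, V-38536 and V-38538 below. Either the deployer notes for the four findings should list the files being watched (``/etc/passwd``, ``/etc/group``, ``/etc/shadow``, ``/etc/gshadow``, ``/etc/security/opasswd``) or a single shared note should be included from all four, so readers do not assume the four titles correspond to four different rule sets.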

View File

@ -0,0 +1,15 @@
V-38532: The system must not accept ICMPv4 secure redirect packets by default.
------------------------------------------------------------------------------
Accepting "secure" ICMP redirects (from those gateways listed as default
gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.
Details: `V-38532 in STIG Viewer`_.
.. _V-38532 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38532
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38532.rst

View File

@ -0,0 +1,14 @@
V-38533: The system must ignore ICMPv4 redirect messages by default.
--------------------------------------------------------------------
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless it is absolutely required.
Details: `V-38533 in STIG Viewer`_.
.. _V-38533 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38533
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38533.rst

View File

@ -0,0 +1,15 @@
V-38534: The operating system must automatically audit account modification.
----------------------------------------------------------------------------
In addition to auditing new user and group accounts, these watches will alert
the system administrator(s) to any modifications. Any unexpected users,
groups, or modifications should be investigated for legitimacy.
Details: `V-38534 in STIG Viewer`_.
.. _V-38534 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38534
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38534.rst

View File

@ -0,0 +1,14 @@
V-38535: The system must not respond to ICMPv4 sent to a broadcast address.
---------------------------------------------------------------------------
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses
makes the system slightly more difficult to enumerate on the network.
Details: `V-38535 in STIG Viewer`_.
.. _V-38535 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38535
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38535.rst

View File

@ -0,0 +1,15 @@
V-38536: The operating system must automatically audit account disabling actions.
---------------------------------------------------------------------------------
In addition to auditing new user and group accounts, these watches will alert
the system administrator(s) to any modifications. Any unexpected users,
groups, or modifications should be investigated for legitimacy.
Details: `V-38536 in STIG Viewer`_.
.. _V-38536 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38536
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38536.rst

View File

@ -0,0 +1,14 @@
V-38537: The system must ignore ICMPv4 bogus error responses.
-------------------------------------------------------------
Ignoring bogus ICMP error responses reduces log size, although some activity
would not be logged.
Details: `V-38537 in STIG Viewer`_.
.. _V-38537 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38537
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38537.rst
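Review bot: the rationale concedes that some activity "would not be logged" once bogus ICMP error responses are ignored; that visibility trade-off should be spelled out in the deployer note (which kernel log messages stop appearing) so operators who rely on those entries are not surprised. The key is ``net.ipv4.icmp_ignore_bogus_error_responses = 1``.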

View File

@ -0,0 +1,15 @@
V-38538: The operating system must automatically audit account termination.
---------------------------------------------------------------------------
In addition to auditing new user and group accounts, these watches will alert
the system administrator(s) to any modifications. Any unexpected users,
groups, or modifications should be investigated for legitimacy.
Details: `V-38538 in STIG Viewer`_.
.. _V-38538 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38538
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38538.rst

View File

@ -0,0 +1,18 @@
V-38539: The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
-----------------------------------------------------------------------------------------------
A TCP SYN flood attack can cause a denial of service by filling a system's TCP
connection table with connections in the SYN_RCVD state. Syncookies can be
used to track a connection when a subsequent ACK is received, verifying the
initiator is attempting a valid connection and is not a flood source. This
feature is activated when a flood condition is detected, and enables the
system to continue servicing valid connection requests.
Details: `V-38539 in STIG Viewer`_.
.. _V-38539 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38539
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38539.rst
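Review bot: "activated when a flood condition is detected" is vague; the deployer note should say that ``net.ipv4.tcp_syncookies = 1`` only engages when the SYN backlog (``net.ipv4.tcp_max_syn_backlog``) is full, so the backlog size decides when the protection kicks in, and that the kernel logs a "possible SYN flooding on port" message at that point, which is the line a detection rule should key on.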

View File

@ -0,0 +1,14 @@
V-38540: The audit system must be configured to audit modifications to the systems network configuration.
---------------------------------------------------------------------------------------------------------
The network environment should not be modified by anything other than
administrator action. Any change to network parameters should be audited.
Details: `V-38540 in STIG Viewer`_.
.. _V-38540 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38540
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38540.rst
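Review bot: "the systems network configuration" should read "the system's network configuration" (the same possessive is missing in the V-38541 title below); if the titles are intentionally reproduced verbatim from the STIG for lookup fidelity, add an rst comment saying so rather than hand-editing them.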

View File

@ -0,0 +1,15 @@
V-38541: The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
------------------------------------------------------------------------------------------------------------------------------------------
The system's mandatory access policy (SELinux) should not be arbitrarily
changed by anything other than administrator action. All changes to MAC policy
should be audited.
Details: `V-38541 in STIG Viewer`_.
.. _V-38541 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38541
Notes for deployers
~~~~~~~~~~~~~~~~~~~
.. include:: developer-notes/V-38541.rst

Some files were not shown because too many files have changed in this diff.