Major Hayden bfcf6c7423 Initial import of openstack-ansible-security role

This role contains around 150 controls from the 270+ controls that exist
in the RHEL 6 STIG. New controls are still being added.

Implements: blueprint security-hardening

Change-Id: I0578f86bf42d55242bc72b97b40a5935a3cb18d6

2015-10-07 07:27:39 -05:00

61 KiB

Raw Blame History

Home Security hardening for openstack-ansible

Category 1 (Low) configurations

V-38649: The system default umask for the csh shell must be 077.

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Details: V-38649 in STIG Viewer.

Developer Notes

V-38648: The qpidd service must not be running.

The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.

Details: V-38648 in STIG Viewer.

Developer Notes

V-38642: The system default umask for daemons must be 027 or 022.

The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Details: V-38642 in STIG Viewer.

Developer Notes

V-38641: The atd service must be disabled.

The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.

Details: V-38641 in STIG Viewer.

Developer Notes

V-38640: The Automatic Bug Reporting Tool (abrtd) service must not be running.

Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.

Details: V-38640 in STIG Viewer.

Developer Notes

V-38647: The system default umask in /etc/profile must be 077.

Details: V-38647 in STIG Viewer.

Developer Notes

V-38646: The oddjobd service must not be running.

The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.

Details: V-38646 in STIG Viewer.

Developer Notes

V-38645: The system default umask in /etc/login.defs must be 077.

Details: V-38645 in STIG Viewer.

Developer Notes

V-38644: The ntpdate service must not be running.

The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.

Details: V-38644 in STIG Viewer.

Developer Notes

V-51369: The system must use a Linux Security Module configured to limit the privileges of system services.

Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Details: V-51369 in STIG Viewer.

Developer Notes

V-38452: The system package management tool must verify permissions on all files and directories associated with packages.

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Details: V-38452 in STIG Viewer.

Developer Notes

V-38453: The system package management tool must verify group-ownership on all files and directories associated with packages.

Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Details: V-38453 in STIG Viewer.

Developer Notes

V-38608: The SSH daemon must set a timeout interval on idle sessions.

Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.

Details: V-38608 in STIG Viewer.

Developer Notes

V-38447: The system package management tool must verify contents of all files associated with packages.

The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Details: V-38447 in STIG Viewer.

Developer Notes

V-38659: The operating system must employ cryptographic mechanisms to protect information in storage.

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Details: V-38659 in STIG Viewer.

Developer Notes

V-38650: The rdisc service must not be running.

General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Details: V-38650 in STIG Viewer.

Developer Notes

V-38651: The system default umask for the bash shell must be 077.

Details: V-38651 in STIG Viewer.

Developer Notes

V-38656: The system must use SMB client signing for connecting to samba servers using smbclient.

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Details: V-38656 in STIG Viewer.

Developer Notes

V-38657: The system must use SMB client signing for connecting to samba servers using mount.cifs.

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Details: V-38657 in STIG Viewer.

Developer Notes

V-38437: Automated file system mounting tools must not be enabled unless needed.

All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.

Details: V-38437 in STIG Viewer.

Developer Notes

V-51379: All device files must be monitored by the system Linux Security Module.

If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file.

Details: V-51379 in STIG Viewer.

Developer Notes

V-38527: The audit system must be configured to audit all attempts to alter system time through clock_settime.

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Details: V-38527 in STIG Viewer.

Developer Notes

V-38525: The audit system must be configured to audit all attempts to alter system time through stime.

Details: V-38525 in STIG Viewer.

Developer Notes

V-38522: The audit system must be configured to audit all attempts to alter system time through settimeofday.

Details: V-38522 in STIG Viewer.

Developer Notes

V-38487: The system package management tool must cryptographically verify the authenticity of all software packages during installation.

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Details: V-38487 in STIG Viewer.

Developer Notes

V-38480: Users must be warned 7 days in advance of password expiration.

Setting the password warning age enables users to make the change at a practical time.

Details: V-38480 in STIG Viewer.

Developer Notes

V-38528: The system must log Martian packets.

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Details: V-38528 in STIG Viewer.

Developer Notes

V-38661: The operating system must protect the confidentiality and integrity of data at rest.

Details: V-38661 in STIG Viewer.

Developer Notes

V-38662: The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.

Details: V-38662 in STIG Viewer.

Developer Notes

V-38669: The postfix service must be enabled for mail delivery.

Local mail delivery is essential to some system maintenance and notification tasks.

Details: V-38669 in STIG Viewer.

Developer Notes

V-38467: The system must use a separate file system for the system audit data path.

Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Details: V-38467 in STIG Viewer.

Developer Notes

V-38463: The system must use a separate file system for /var/log.

Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".

Details: V-38463 in STIG Viewer.

Developer Notes

V-38460: The NFS server must not have the all_squash option enabled.

The "all_squash" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.

Details: V-38460 in STIG Viewer.

Developer Notes

V-38702: The FTP daemon must be configured for logging or verbose mode.

To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.

Details: V-38702 in STIG Viewer.

Developer Notes

V-38552: The audit system must be configured to audit all discretionary access control permission modifications using fchown.

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Details: V-38552 in STIG Viewer.

Developer Notes

V-38550: The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.

Details: V-38550 in STIG Viewer.

Developer Notes

V-38557: The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.

Details: V-38557 in STIG Viewer.

Developer Notes

V-38556: The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.

Details: V-38556 in STIG Viewer.

Developer Notes

V-38554: The audit system must be configured to audit all discretionary access control permission modifications using fchownat.

Details: V-38554 in STIG Viewer.

Developer Notes

V-38559: The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.

Details: V-38559 in STIG Viewer.

Developer Notes

V-38558: The audit system must be configured to audit all discretionary access control permission modifications using lchown.

Details: V-38558 in STIG Viewer.

Developer Notes

V-38494: The system must prevent the root account from logging in from serial consoles.

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Details: V-38494 in STIG Viewer.

Developer Notes

V-38672: The netconsole service must be disabled unless required.

The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.

Details: V-38672 in STIG Viewer.

Developer Notes

V-38676: The xorg-x11-server-common (X Windows) package must not be installed, unless required.

Unnecessary packages should not be installed to decrease the attack surface of the system.

Details: V-38676 in STIG Viewer.

Developer Notes

V-38675: Process core dumps must be disabled unless needed.

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Details: V-38675 in STIG Viewer.

Developer Notes

V-38474: The system must allow locking of graphical desktop sessions.

The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.

Details: V-38474 in STIG Viewer.

Developer Notes

V-38471: The system must forward audit records to the syslog service.

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.

Details: V-38471 in STIG Viewer.

Developer Notes

V-38473: The system must use a separate file system for user home directories.

Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Details: V-38473 in STIG Viewer.

Developer Notes

V-38536: The operating system must automatically audit account disabling actions.

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Details: V-38536 in STIG Viewer.

Developer Notes

V-38478: The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.

Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the "rhnsd" daemon can remain on.

Details: V-38478 in STIG Viewer.

Developer Notes

V-38540: The audit system must be configured to audit modifications to the systems network configuration.

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Details: V-38540 in STIG Viewer.

Developer Notes

V-38541: The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Details: V-38541 in STIG Viewer.

Developer Notes

V-38543: The audit system must be configured to audit all discretionary access control permission modifications using chmod.

Details: V-38543 in STIG Viewer.

Developer Notes

V-38547: The audit system must be configured to audit all discretionary access control permission modifications using fchmod.

Details: V-38547 in STIG Viewer.

Developer Notes

V-38482: The system must require passwords to contain at least one numeric character.

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Details: V-38482 in STIG Viewer.

Developer Notes

V-38454: The system package management tool must verify ownership on all files and directories associated with packages.

Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Details: V-38454 in STIG Viewer.

Developer Notes

V-38687: The system must provide VPN connectivity for communications over untrusted networks.

Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

Details: V-38687 in STIG Viewer.

Developer Notes

V-38685: Temporary accounts must be provisioned with an expiration date.

When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.

Details: V-38685 in STIG Viewer.

Developer Notes

V-38684: The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Details: V-38684 in STIG Viewer.

Developer Notes

V-38683: All accounts on the system must have unique user or account names

Unique usernames allow for accountability on the system.

Details: V-38683 in STIG Viewer.

Developer Notes

V-38681: All GIDs referenced in /etc/passwd must be defined in /etc/group

Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.

Details: V-38681 in STIG Viewer.

Developer Notes

V-38530: The audit system must be configured to audit all attempts to alter system time through /etc/localtime.

Details: V-38530 in STIG Viewer.

Developer Notes

V-38578: The audit system must be configured to audit changes to the /etc/sudoers file.

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Details: V-38578 in STIG Viewer.

Developer Notes

V-38575: The audit system must be configured to audit user deletions of files and programs.

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Details: V-38575 in STIG Viewer.

Developer Notes

V-38571: The system must require passwords to contain at least one lowercase alphabetic character.

Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Details: V-38571 in STIG Viewer.

Developer Notes

V-38572: The system must require at least four characters be changed between the old and new passwords during a password change.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Details: V-38572 in STIG Viewer.

Developer Notes

V-38699: All public directories must be owned by a system account.

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Details: V-38699 in STIG Viewer.

Developer Notes

V-38516: The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Details: V-38516 in STIG Viewer.

Developer Notes

V-38690: Emergency accounts must be provisioned with an expiration date.

When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.

Details: V-38690 in STIG Viewer.

Developer Notes

V-38693: The system must require passwords to contain no more than three consecutive repeating characters.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Details: V-38693 in STIG Viewer.

Developer Notes

V-38590: The system must allow locking of the console screen in text mode.

Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.

Details: V-38590 in STIG Viewer.

Developer Notes

V-38456: The system must use a separate file system for /var.

Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.

Details: V-38456 in STIG Viewer.

Developer Notes

V-38455: The system must use a separate file system for /tmp.

The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Details: V-38455 in STIG Viewer.

Developer Notes

V-38618: The avahi service must be disabled.

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

Details: V-38618 in STIG Viewer.

Developer Notes

V-38570: The system must require passwords to contain at least one special character.

Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Details: V-38570 in STIG Viewer.

Developer Notes

V-38568: The audit system must be configured to audit successful file system mounts.

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Details: V-38568 in STIG Viewer.

Developer Notes

V-38569: The system must require passwords to contain at least one uppercase alphabetic character.

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Details: V-38569 in STIG Viewer.

Developer Notes

V-38561: The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.

Details: V-38561 in STIG Viewer.

Developer Notes

V-38566: The audit system must be configured to audit failed attempts to access files and programs.

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Details: V-38566 in STIG Viewer.

Developer Notes

V-38567: The audit system must be configured to audit all use of setuid and setgid programs.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Details: V-38567 in STIG Viewer.

Developer Notes

V-38565: The audit system must be configured to audit all discretionary access control permission modifications using setxattr.

Details: V-38565 in STIG Viewer.

Developer Notes

V-38537: The system must ignore ICMPv4 bogus error responses.

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Details: V-38537 in STIG Viewer.

Developer Notes

V-38624: System logs must be rotated daily.

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Details: V-38624 in STIG Viewer.

Developer Notes

V-38627: The openldap-servers package must not be installed unless required.

Unnecessary packages should not be installed to decrease the attack surface of the system.

Details: V-38627 in STIG Viewer.

Developer Notes

V-38584: The xinetd service must be uninstalled if no network services utilizing it are enabled.

Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.

Details: V-38584 in STIG Viewer.

Developer Notes

V-38694: The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Details: V-38694 in STIG Viewer.

Developer Notes

V-38545: The audit system must be configured to audit all discretionary access control permission modifications using chown.

Details: V-38545 in STIG Viewer.

Developer Notes

V-38538: The operating system must automatically audit account termination.

Details: V-38538 in STIG Viewer.

Developer Notes

V-38697: The sticky bit must be set on all public directories.

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage -such as /tmp - and for directories requiring global read/write access.

Details: V-38697 in STIG Viewer.

Developer Notes

V-38531: The operating system must automatically audit account creation.

Details: V-38531 in STIG Viewer.

Developer Notes

V-38533: The system must ignore ICMPv4 redirect messages by default.

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Details: V-38533 in STIG Viewer.

Developer Notes

V-38535: The system must not respond to ICMPv4 sent to a broadcast address.

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Details: V-38535 in STIG Viewer.

Developer Notes

V-38534: The operating system must automatically audit account modification.

Details: V-38534 in STIG Viewer.

Developer Notes

V-38655: The noexec option must be added to removable media partitions.

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Details: V-38655 in STIG Viewer.

Developer Notes

V-38438: Auditing must be enabled at boot by setting a kernel parameter.

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Details: V-38438 in STIG Viewer.

Developer Notes

V-38692: Accounts must be locked upon 35 days of inactivity.

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Details: V-38692 in STIG Viewer.

Developer Notes

V-38639: The system must display a publicly-viewable pattern during a graphical desktop environment session lock.

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Details: V-38639 in STIG Viewer.

Developer Notes

V-38635: The audit system must be configured to audit all attempts to alter system time through adjtimex.

Details: V-38635 in STIG Viewer.

Developer Notes

V-38616: The SSH daemon must not permit user environment settings.

SSH environment options potentially allow users to bypass access restriction in some configurations.

Details: V-38616 in STIG Viewer.

Developer Notes

V-38563: The audit system must be configured to audit all discretionary access control permission modifications using removexattr.

Details: V-38563 in STIG Viewer.

Developer Notes

V-38610: The SSH daemon must set a timeout count on idle sessions.

This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.

Details: V-38610 in STIG Viewer.

61 KiB Raw Blame History

Category 1 (Low) configurations

V-38649: The system default umask for the csh shell must be 077.

Developer Notes

V-38648: The qpidd service must not be running.

Developer Notes

V-38642: The system default umask for daemons must be 027 or 022.

Developer Notes

V-38641: The atd service must be disabled.

Developer Notes

V-38640: The Automatic Bug Reporting Tool (abrtd) service must not be running.

Developer Notes

V-38647: The system default umask in /etc/profile must be 077.

Developer Notes

V-38646: The oddjobd service must not be running.

Developer Notes

V-38645: The system default umask in /etc/login.defs must be 077.

Developer Notes

V-38644: The ntpdate service must not be running.

Developer Notes

V-51369: The system must use a Linux Security Module configured to limit the privileges of system services.

Developer Notes

V-38452: The system package management tool must verify permissions on all files and directories associated with packages.

Developer Notes

V-38453: The system package management tool must verify group-ownership on all files and directories associated with packages.

Developer Notes

V-38608: The SSH daemon must set a timeout interval on idle sessions.

Developer Notes

V-38447: The system package management tool must verify contents of all files associated with packages.

Developer Notes

V-38659: The operating system must employ cryptographic mechanisms to protect information in storage.

Developer Notes

V-38650: The rdisc service must not be running.

Developer Notes

V-38651: The system default umask for the bash shell must be 077.

Developer Notes

V-38656: The system must use SMB client signing for connecting to samba servers using smbclient.

Developer Notes

V-38657: The system must use SMB client signing for connecting to samba servers using mount.cifs.

Developer Notes

V-38437: Automated file system mounting tools must not be enabled unless needed.

Developer Notes

V-51379: All device files must be monitored by the system Linux Security Module.

Developer Notes

V-38527: The audit system must be configured to audit all attempts to alter system time through clock_settime.

Developer Notes

V-38525: The audit system must be configured to audit all attempts to alter system time through stime.

Developer Notes

V-38522: The audit system must be configured to audit all attempts to alter system time through settimeofday.

Developer Notes

V-38487: The system package management tool must cryptographically verify the authenticity of all software packages during installation.

Developer Notes

V-38480: Users must be warned 7 days in advance of password expiration.

Developer Notes

V-38528: The system must log Martian packets.

Developer Notes

V-38661: The operating system must protect the confidentiality and integrity of data at rest.

Developer Notes

V-38662: The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.

Developer Notes

V-38669: The postfix service must be enabled for mail delivery.

Developer Notes

V-38467: The system must use a separate file system for the system audit data path.

Developer Notes

V-38463: The system must use a separate file system for /var/log.

Developer Notes

V-38460: The NFS server must not have the all_squash option enabled.

Developer Notes

V-38702: The FTP daemon must be configured for logging or verbose mode.

Developer Notes

V-38552: The audit system must be configured to audit all discretionary access control permission modifications using fchown.

Developer Notes

V-38550: The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.

Developer Notes

V-38557: The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.

Developer Notes

V-38556: The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.

Developer Notes

V-38554: The audit system must be configured to audit all discretionary access control permission modifications using fchownat.

Developer Notes

61 KiB

Raw Blame History