| Checked | Name | Title |
|---|---|---|
☐ | SV-216011r603268_rule | The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event. |
☐ | SV-216014r603268_rule | The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria. |
☐ | SV-216015r603268_rule | The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components. |
☐ | SV-216016r603268_rule | The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events. |
☐ | SV-216018r603268_rule | Audit records must include what type of events occurred. |
☐ | SV-216019r603268_rule | Audit records must include when (date and time) the events occurred. |
☐ | SV-216020r603268_rule | Audit records must include where the events occurred. |
☐ | SV-216021r603268_rule | Audit records must include the sources of the events that occurred. |
☐ | SV-216022r603268_rule | Audit records must include the outcome (success or failure) of the events that occurred. |
☐ | SV-216023r603268_rule | The audit system must be configured to audit file deletions. |
☐ | SV-216024r603268_rule | The audit system must be configured to audit account creation. |
☐ | SV-216025r603268_rule | The audit system must be configured to audit account modification. |
☐ | SV-216026r603268_rule | The operating system must automatically audit account disabling actions. |
☐ | SV-216027r603268_rule | The operating system must automatically audit account termination. |
☐ | SV-216028r603268_rule | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. |
☐ | SV-216029r603268_rule | The audit system must be configured to audit all administrative, privileged, and security actions. |
☐ | SV-216030r603268_rule | The audit system must be configured to audit login, logout, and session initiation. |
☐ | SV-216033r603268_rule | The audit system must be configured to audit failed attempts to access files and programs. |
☐ | SV-216034r603268_rule | The operating system must protect against an individual falsely denying having performed a particular action. In order to do so, the system must be configured to send audit records to a remote audit server. |
☐ | SV-216035r603268_rule | The auditing system must not define a different auditing level for specific users. |
☐ | SV-216038r603268_rule | The operating system must alert designated organizational officials in the event of an audit processing failure. |
☐ | SV-216041r603268_rule | The operating system must shut down by default upon audit failure (unless availability is an overriding concern). |
☐ | SV-216042r603268_rule | The operating system must protect audit information from unauthorized access. |
☐ | SV-216045r603268_rule | The System packages must be up to date with the most recent vendor updates and security fixes. |
☐ | SV-216047r603268_rule | The operating system must protect audit tools from unauthorized access. |
☐ | SV-216048r603268_rule | The operating system must protect audit tools from unauthorized modification. |
☐ | SV-216049r603268_rule | The operating system must protect audit tools from unauthorized deletion. |
☐ | SV-216050r603268_rule | System packages must be configured with the vendor-provided files, permissions, and ownerships. |
☐ | SV-216051r603268_rule | The finger daemon package must not be installed. |
☐ | SV-216052r603268_rule | The legacy remote network access utilities daemons must not be installed. |
☐ | SV-216053r603268_rule | The NIS package must not be installed. |
☐ | SV-216054r603268_rule | The pidgin IM client package must not be installed. |
☐ | SV-216055r603268_rule | The FTP daemon must not be installed unless required. |
☐ | SV-216056r603268_rule | The TFTP service daemon must not be installed unless required. |
☐ | SV-216057r603268_rule | The telnet service daemon must not be installed unless required. |
☐ | SV-216058r603268_rule | The UUCP service daemon must not be installed unless required. |
☐ | SV-216059r603268_rule | The rpcbind service must be configured for local only services unless organizationally defined. |
☐ | SV-216060r603268_rule | The VNC server package must not be installed unless required. |
☐ | SV-216062r603268_rule | The operating system must be configured to provide essential capabilities. |
☐ | SV-216064r603268_rule | All run control scripts must have mode 0755 or less permissive. |
☐ | SV-216065r603268_rule | All run control scripts must have no extended ACLs. |
☐ | SV-216066r603268_rule | Run control scripts executable search paths must contain only authorized paths. |
☐ | SV-216067r603268_rule | Run control scripts library search paths must contain only authorized paths. |
☐ | SV-216068r603268_rule | Run control scripts lists of preloaded libraries must contain only authorized paths. |
☐ | SV-216069r603268_rule | Run control scripts must not execute world writable programs or scripts. |
☐ | SV-216070r603268_rule | All system start-up files must be owned by root. |
☐ | SV-216071r603268_rule | All system start-up files must be group-owned by root, sys, or bin. |
☐ | SV-216072r603268_rule | System start-up files must only execute programs owned by a privileged UID or an application. |
☐ | SV-216073r603268_rule | Any X Windows host must write .Xauthority files. |
☐ | SV-216074r603268_rule | All .Xauthority files must have mode 0600 or less permissive. |
☐ | SV-216075r603268_rule | The .Xauthority files must not have extended ACLs. |
☐ | SV-216076r603268_rule | X displays must not be exported to the world. |
☐ | SV-216077r603870_rule | .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server. |
☐ | SV-216078r603268_rule | The .Xauthority utility must only permit access to authorized hosts. |
☐ | SV-216079r603268_rule | X Window System connections that are not required must be disabled. |
☐ | SV-216080r603268_rule | The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode. |
☐ | SV-216081r603268_rule | Generic Security Services (GSS) must be disabled. |
☐ | SV-216082r603268_rule | Systems services that are not required must be disabled. |
☐ | SV-216083r603268_rule | TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services. |
☐ | SV-216086r646931_rule | User passwords must be changed at least every 60 days. |
☐ | SV-216087r603268_rule | The operating system must automatically terminate temporary accounts within 72 hours. |
☐ | SV-216088r603876_rule | The operating system must enforce minimum password lifetime restrictions. |
☐ | SV-216089r603268_rule | User passwords must be at least 15 characters in length. |
☐ | SV-216090r603268_rule | Users must not reuse the last 5 passwords. |
☐ | SV-216091r603268_rule | The system must require at least eight characters be changed between the old and new passwords during a password change. |
☐ | SV-216092r603268_rule | The system must require passwords to contain at least one uppercase alphabetic character. |
☐ | SV-216093r603268_rule | The operating system must enforce password complexity requiring that at least one lowercase character is used. |
☐ | SV-216094r603268_rule | The system must require passwords to contain at least one numeric character. |
☐ | SV-216095r603268_rule | The system must require passwords to contain at least one special character. |
☐ | SV-216096r603268_rule | The system must require passwords to contain no more than three consecutive repeating characters. |
☐ | SV-216097r603268_rule | The system must not have accounts configured with blank or null passwords. |
☐ | SV-216098r603268_rule | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. |
☐ | SV-216099r603268_rule | The system must disable accounts after three consecutive unsuccessful login attempts. |
☐ | SV-216100r603268_rule | The delay between login prompts following a failed login attempt must be at least 4 seconds. |
☐ | SV-216101r603268_rule | The system must require users to re-authenticate to unlock a graphical desktop environment. |
☐ | SV-216102r603268_rule | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity. |
☐ | SV-216103r603268_rule | The system must prevent the use of dictionary words for passwords. |
☐ | SV-216105r603268_rule | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. |
☐ | SV-216106r603268_rule | The default umask for system and users must be 077. |
☐ | SV-216107r603268_rule | The default umask for FTP users must be 077. |
☐ | SV-216108r603268_rule | The value mesg n must be configured as the default setting for all users. |
☐ | SV-216109r603268_rule | User accounts must be locked after 35 days of inactivity. |
☐ | SV-216112r603268_rule | Login services for serial ports must be disabled. |
☐ | SV-216113r603268_rule | The nobody access for RPC encryption key storage service must be disabled. |
☐ | SV-216114r603268_rule | X11 forwarding for SSH must be disabled. |
☐ | SV-216115r603268_rule | Consecutive login attempts for SSH must be limited to 3. |
☐ | SV-216116r603268_rule | The rhost-based authentication for SSH must be disabled. |
☐ | SV-216117r603268_rule | Direct root account login must not be permitted for SSH access. |
☐ | SV-216118r603268_rule | Login must not be permitted with empty/null passwords for SSH. |
☐ | SV-216119r603268_rule | The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity. |
☐ | SV-216120r603268_rule | Host-based authentication for login-based services must be disabled. |
☐ | SV-216121r603268_rule | The use of FTP must be restricted. |
☐ | SV-216122r603268_rule | The system must not allow autologin capabilities from the GNOME desktop. |
☐ | SV-216123r603268_rule | Unauthorized use of the at or cron capabilities must not be permitted. |
☐ | SV-216124r603268_rule | Logins to the root account must be restricted to the system console only. |
☐ | SV-216125r603268_rule | The operating system, upon successful logon, must display to the user the date and time of the last logon (access). |
☐ | SV-216126r603268_rule | The operating system must provide the capability for users to directly initiate session lock mechanisms. |
☐ | SV-216127r603268_rule | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. |
☐ | SV-216128r603268_rule | The operating system must not allow logins for users with blank passwords. |
☐ | SV-216129r603268_rule | The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks. |
☐ | SV-216130r603268_rule | The operating system must limit the number of concurrent sessions for each account to an organization-defined number of sessions. |
☐ | SV-216131r603268_rule | The system must disable directed broadcast packet forwarding. |
☐ | SV-216132r603268_rule | The system must not respond to ICMP timestamp requests. |
☐ | SV-216133r603268_rule | The system must not respond to ICMP broadcast timestamp requests. |
☐ | SV-216134r603268_rule | The system must not respond to ICMP broadcast netmask requests. |
☐ | SV-216135r603268_rule | The system must not respond to broadcast ICMP echo requests. |
☐ | SV-216136r603268_rule | The system must not respond to multicast echo requests. |
☐ | SV-216137r603268_rule | The system must ignore ICMP redirect messages. |
☐ | SV-216138r603268_rule | The system must set strict multihoming. |
☐ | SV-216139r603268_rule | The system must disable ICMP redirect messages. |
☐ | SV-216140r603268_rule | The system must disable TCP reverse IP source routing. |
☐ | SV-216141r603268_rule | The system must set maximum number of half-open TCP connections to 4096. |
☐ | SV-216142r603268_rule | The system must set maximum number of incoming connections to 1024. |
☐ | SV-216143r603268_rule | The system must disable network routing unless required. |
☐ | SV-216144r603268_rule | The system must implement TCP Wrappers. |
☐ | SV-216150r646934_rule | The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception). |
☐ | SV-216157r603268_rule | The system must prevent local applications from generating source-routed packets. |
☐ | SV-216158r603268_rule | The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons. |
☐ | SV-216159r603268_rule | The operating system must display the DoD approved system use notification message or banner for SSH connections. |
☐ | SV-216160r603268_rule | The GNOME service must display the DoD approved system use notification message or banner before granting access to the system. |
☐ | SV-216161r603268_rule | The FTP service must display the DoD approved system use notification message or banner before granting access to the system. |
☐ | SV-216162r603268_rule | The operating system must terminate all sessions and network connections when non-local maintenance is completed. |
☐ | SV-216163r603268_rule | The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses. |
☐ | SV-216164r603268_rule | Wireless network adapters must be disabled. |
☐ | SV-216165r603268_rule | The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication. |
☐ | SV-216173r603879_rule | The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
☐ | SV-216174r603268_rule | The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media. |
☐ | SV-216176r603268_rule | The operating system must protect the confidentiality and integrity of information at rest. |
☐ | SV-216178r603268_rule | The operating system must use cryptographic mechanisms to protect the integrity of audit information. |
☐ | SV-216180r603268_rule | The sticky bit must be set on all world writable directories. |
☐ | SV-216181r603268_rule | Permissions on user home directories must be 750 or less permissive. |
☐ | SV-216182r603268_rule | Permissions on user . (hidden) files must be 750 or less permissive. |
☐ | SV-216183r603268_rule | Permissions on user .netrc files must be 750 or less permissive. |
☐ | SV-216184r603268_rule | There must be no user .rhosts files. |
☐ | SV-216185r603268_rule | Groups assigned to users must exist in the /etc/group file. |
☐ | SV-216186r603268_rule | Users must have a valid home directory assignment. |
☐ | SV-216187r603268_rule | All user accounts must be configured to use a home directory that exists. |
☐ | SV-216188r603268_rule | All home directories must be owned by the respective user assigned to it in /etc/passwd. |
☐ | SV-216189r603268_rule | Duplicate User IDs (UIDs) must not exist for users within the organization. |
☐ | SV-216190r603268_rule | Duplicate UIDs must not exist for multiple non-organizational users. |
☐ | SV-216191r603268_rule | Duplicate Group IDs (GIDs) must not exist for multiple groups. |
☐ | SV-216192r603268_rule | Reserved UIDs 0-99 must only be used by system accounts. |
☐ | SV-216193r603268_rule | Duplicate user names must not exist. |
☐ | SV-216194r603881_rule | Duplicate group names must not exist. |
☐ | SV-216195r603268_rule | User .netrc files must not exist. |
☐ | SV-216196r603268_rule | The system must not allow users to configure .forward files. |
☐ | SV-216197r603268_rule | World-writable files must not exist. |
☐ | SV-216198r603268_rule | All valid SUID/SGID files must be documented. |
☐ | SV-216199r603268_rule | The operating system must have no unowned files. |
☐ | SV-216200r603268_rule | The operating system must have no files with extended attributes. |
☐ | SV-216201r603268_rule | The root account must be the only account with GID of 0. |
☐ | SV-216202r603268_rule | The operating system must reveal error messages only to authorized personnel. |
☐ | SV-216204r603268_rule | The operator must document all file system objects that have non-standard access control list settings. |
☐ | SV-216205r603268_rule | The operating system must be a supported release. |
☐ | SV-216206r603268_rule | The system must implement non-executable program stacks. |
☐ | SV-216207r603268_rule | Address Space Layout Randomization (ASLR) must be enabled. |
☐ | SV-216208r603268_rule | Process core dumps must be disabled unless needed. |
☐ | SV-216209r603268_rule | The system must be configured to store any process core dumps in a specific, centralized directory. |
☐ | SV-216210r603268_rule | The centralized process core dump data directory must be owned by root. |
☐ | SV-216211r603268_rule | The centralized process core dump data directory must be group-owned by root, bin, or sys. |
☐ | SV-216212r603268_rule | The centralized process core dump data directory must have mode 0700 or less permissive. |
☐ | SV-216213r603268_rule | Kernel core dumps must be disabled unless needed. |
☐ | SV-216214r603268_rule | The kernel core dump data directory must be owned by root. |
☐ | SV-216215r603268_rule | The kernel core dump data directory must be group-owned by root. |
☐ | SV-216216r603268_rule | The kernel core dump data directory must have mode 0700 or less permissive. |
☐ | SV-216217r603268_rule | System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. (Intel) |
☐ | SV-216218r603268_rule | The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel). |
☐ | SV-216219r603268_rule | The operating system must implement transaction recovery for transaction-based systems. |
☐ | SV-216220r603268_rule | SNMP communities, users, and passphrases must be changed from the default. |
☐ | SV-216221r603268_rule | A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system. |
☐ | SV-216223r603268_rule | Direct logins must not be permitted to shared, default, application, or utility accounts. |
☐ | SV-216224r603268_rule | The system must not have any unnecessary accounts. |
☐ | SV-216225r603268_rule | The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives. |
☐ | SV-216226r603268_rule | The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. |
☐ | SV-216227r603268_rule | The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. |
☐ | SV-216228r603268_rule | The operating system must prevent the execution of prohibited mobile code. |
☐ | SV-216229r603268_rule | The operating system must employ PKI solutions at workstations, servers, or mobile computing devices on the network to create, manage, distribute, use, store, and revoke digital certificates. |
☐ | SV-216231r603268_rule | The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. |
☐ | SV-216232r603268_rule | The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. |
☐ | SV-216233r603268_rule | The operating system must back up audit records at least every seven days onto a different system or system component than the system or component being audited. |
☐ | SV-216234r603268_rule | All manual editing of system-relevant files shall be done using the pfedit command, which logs changes made to the files. |
☐ | SV-216237r603268_rule | The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. |
☐ | SV-216238r603268_rule | The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions. |
☐ | SV-216239r603268_rule | The limitpriv zone option must be set to the vendor default or less permissive. |
☐ | SV-216240r603268_rule | The system's physical devices must not be assigned to non-global zones. |
☐ | SV-216241r603268_rule | The audit system must identify in which zone an event occurred. |
☐ | SV-216242r603268_rule | The audit system must maintain a central audit trail for all zones. |
☐ | SV-216243r603268_rule | The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. |
☐ | SV-219988r603268_rule | The audit system must support an audit reduction capability. |
☐ | SV-219989r603268_rule | The audit system records must be able to be used by a report generation capability. |
☐ | SV-219990r603268_rule | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. |
☐ | SV-219991r603268_rule | The audit system must be configured to audit all discretionary access control permission modifications. |
☐ | SV-219992r603268_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. |
☐ | SV-219993r603268_rule | The audit system must alert the SA when the audit storage volume approaches its capacity. |
☐ | SV-219994r603268_rule | The audit system must alert the System Administrator (SA) if there is any type of audit failure. |
☐ | SV-219995r603268_rule | The operating system must allocate audit record storage capacity. |
☐ | SV-219996r603268_rule | The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded. |
☐ | SV-219997r603268_rule | The system must verify that package updates are digitally signed. |
☐ | SV-219998r603268_rule | The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system. |
☐ | SV-219999r603268_rule | The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications. |
☐ | SV-220000r603268_rule | The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. |
☐ | SV-220001r603268_rule | The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools. |
☐ | SV-220003r603268_rule | The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures. |
☐ | SV-220004r603268_rule | The operating system must protect the integrity of transmitted information. |
☐ | SV-220005r603268_rule | The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. |
☐ | SV-220006r603268_rule | The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission. |
☐ | SV-220007r603268_rule | The operating system must protect the confidentiality of transmitted information. |
☐ | SV-220008r603268_rule | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. |
☐ | SV-220009r603268_rule | The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. |
☐ | SV-220010r603268_rule | The operating system must employ cryptographic mechanisms to protect information in storage. |
☐ | SV-220011r603268_rule | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. |
☐ | SV-220012r603268_rule | The operating system must protect the integrity of transmitted information. |
☐ | SV-220013r603268_rule | The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions. |
☐ | SV-220014r603268_rule | The operating system must synchronize internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). |
☐ | SV-220015r603268_rule | The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification). |
☐ | SV-224672r603268_rule | The operating system must prevent non-privileged users from circumventing malicious code protection capabilities. |
☐ | SV-224673r603268_rule | The operating system must identify potentially security-relevant error conditions. |
☐ | SV-233301r603283_rule | The sshd server must bind the X11 forwarding server to the loopback address. |