diff --git a/.gitignore b/.gitignore
index 2dbb4d0f..64b8b4a9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,6 @@ releasenotes/build
# Vagrant testing artifacts
.vagrant
+
+# Automatically generated documentation
+doc/source/auto_*
diff --git a/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml b/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml
new file mode 100644
index 00000000..e1ef90a5
--- /dev/null
+++ b/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml
@@ -0,0 +1,3168 @@
+acceptedRed Hat Enterprise Linux 6 Security Technical Implementation GuideThe Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 12 Benchmark Date: 22 Jul 20161I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000526Automated file system mounting tools must not be enabled unless needed.<VulnDiscussion>All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter.
+
+The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366If the "autofs" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels:
+
+# chkconfig --level 0123456 autofs off
+
+Stop the service if it is already running:
+
+# service autofs stopTo verify the "autofs" service is disabled, run the following command:
+
+chkconfig --list autofs
+
+If properly configured, the output should be the following:
+
+autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Verify the "autofs" service is not running:
+
+# service autofs status
+
+If the autofs service is enabled or running, this is a finding.SRG-OS-000062<GroupDescription></GroupDescription>RHEL-06-000525Auditing must be enabled at boot by setting a kernel parameter.<VulnDiscussion>Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000169To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf", in the manner below:
+
+kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
+
+UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument. Inspect the kernel boot arguments (which follow the word "kernel") in "/boot/grub/grub.conf". If they include "audit=1", then auditing is enabled at boot time.
+
+If auditing is not enabled at boot time, this is a finding.SRG-OS-000001<GroupDescription></GroupDescription>RHEL-06-000524The system must provide automated support for account management functions.<VulnDiscussion>A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000015Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system.
+
+If there is not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000036The /etc/gshadow file must be owned by root.<VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the owner of "/etc/gshadow", run the command:
+
+# chown root /etc/gshadowTo check the ownership of "/etc/gshadow", run the command:
+
+$ ls -l /etc/gshadow
+
+If properly configured, the output should indicate the following owner: "root"
+If it does not, this is a finding.SRG-OS-000231<GroupDescription></GroupDescription>RHEL-06-000523The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.<VulnDiscussion>In "ip6tables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000066To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables":
+
+:INPUT DROP [0:0]
+
+Restart the IPv6 firewall:
+
+# service ip6tables restartIf IPv6 is disabled, this is not applicable.
+
+Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP:
+
+# grep ":INPUT" /etc/sysconfig/ip6tables
+
+If the default policy for the INPUT chain is not set to DROP, this is a finding. SRG-OS-000057<GroupDescription></GroupDescription>RHEL-06-000522Audit log files must be group-owned by root.<VulnDiscussion>If non-privileged users can write to audit logs, audit trails can be modified or destroyed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000162Change the group owner of the audit log files with the following command:
+
+# chgrp root [audit_file]Run the following command to check the group owner of the system audit logs:
+
+grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %G:%n
+
+Audit logs must be group-owned by root.
+If they are not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000521The mail system must forward all mail for root to one or more system administrators.<VulnDiscussion>A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Set up an alias for root that forwards to a monitored email address:
+
+# echo "root: <system.administrator>@mail.mil" >> /etc/aliases
+# newaliasesFind the list of alias maps used by the Postfix mail server:
+
+# postconf alias_maps
+
+Query the Postfix alias maps for an alias for "root":
+
+# postmap -q root <alias_map>
+
+If there are no aliases configured for root that forward to a monitored email address, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000519The system package management tool must verify contents of all files associated with packages.<VulnDiscussion>The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
+
+# rpm -Va | grep '^..5'
+
+A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories.
+
+rpm -Uvh [affected_package]
+
+OR
+
+yum reinstall [affected_package]The following command will list which files on the system have file hashes different from what is expected by the RPM database.
+
+# rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'
+
+
+If there is output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000037The /etc/gshadow file must be group-owned by root.<VulnDiscussion>The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the group owner of "/etc/gshadow", run the command:
+
+# chgrp root /etc/gshadowTo check the group ownership of "/etc/gshadow", run the command:
+
+$ ls -l /etc/gshadow
+
+If properly configured, the output should indicate the following group-owner. "root"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000038The /etc/gshadow file must have mode 0000.<VulnDiscussion>The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the permissions of "/etc/gshadow", run the command:
+
+# chmod 0000 /etc/gshadowTo check the permissions of "/etc/gshadow", run the command:
+
+$ ls -l /etc/gshadow
+
+If properly configured, the output should indicate the following permissions: "----------"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000039The /etc/passwd file must be owned by root.<VulnDiscussion>The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the owner of "/etc/passwd", run the command:
+
+# chown root /etc/passwdTo check the ownership of "/etc/passwd", run the command:
+
+$ ls -l /etc/passwd
+
+If properly configured, the output should indicate the following owner: "root"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000040The /etc/passwd file must be group-owned by root.<VulnDiscussion>The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the group owner of "/etc/passwd", run the command:
+
+# chgrp root /etc/passwdTo check the group ownership of "/etc/passwd", run the command:
+
+$ ls -l /etc/passwd
+
+If properly configured, the output should indicate the following group-owner. "root"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000518The system package management tool must verify permissions on all files and directories associated with packages.<VulnDiscussion>Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database:
+
+# rpm --setperms [package]The following command will list which files and directories on the system have permissions different from what is expected by the RPM database:
+
+# rpm -Va | grep '^.M'
+
+If there is any output, for each file or directory found, find the associated RPM package and compare the RPM-expected permissions with the actual permissions on the file or directory:
+
+# rpm -qf [file or directory name]
+# rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" [package] | grep [filename]
+# ls -dlL [filename]
+
+If the existing permissions are more permissive than those expected by RPM, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000517The system package management tool must verify group-ownership on all files and directories associated with packages.<VulnDiscussion>Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database:
+
+# rpm -qf [file or directory name]
+# rpm --setugids [package]The following command will list which files on the system have group-ownership different from what is expected by the RPM database:
+
+# rpm -Va | grep '^......G'
+
+
+If there is output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000516The system package management tool must verify ownership on all files and directories associated with packages.<VulnDiscussion>Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database:
+
+# rpm -qf [file or directory name]
+# rpm --setugids [package]The following command will list which files on the system have ownership different from what is expected by the RPM database:
+
+# rpm -Va | grep '^.....U'
+
+
+If there is output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000001The system must use a separate file system for /tmp.<VulnDiscussion>The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.Run the following command to determine if "/tmp" is on its own partition or logical volume:
+
+$ mount | grep "on /tmp "
+
+If "/tmp" has its own partition or volume group, a line will be returned.
+If no line is returned, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000002The system must use a separate file system for /var.<VulnDiscussion>Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.Run the following command to determine if "/var" is on its own partition or logical volume:
+
+$ mount | grep "on /var "
+
+If "/var" has its own partition or volume group, a line will be returned.
+If no line is returned, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000041The /etc/passwd file must have mode 0644 or less permissive.<VulnDiscussion>If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the permissions of "/etc/passwd", run the command:
+
+# chmod 0644 /etc/passwdTo check the permissions of "/etc/passwd", run the command:
+
+$ ls -l /etc/passwd
+
+If properly configured, the output should indicate the following permissions: "-rw-r--r--"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000042The /etc/group file must be owned by root.<VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the owner of "/etc/group", run the command:
+
+# chown root /etc/groupTo check the ownership of "/etc/group", run the command:
+
+$ ls -l /etc/group
+
+If properly configured, the output should indicate the following owner: "root"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000043The /etc/group file must be group-owned by root.<VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the group owner of "/etc/group", run the command:
+
+# chgrp root /etc/groupTo check the group ownership of "/etc/group", run the command:
+
+$ ls -l /etc/group
+
+If properly configured, the output should indicate the following group-owner. "root"
+If it does not, this is a finding.SRG-OS-000104<GroupDescription></GroupDescription>RHEL-06-000515The NFS server must not have the all_squash option enabled.<VulnDiscussion>The "all_squash" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000764Remove any instances of the "all_squash" option from the file "/etc/exports". Restart the NFS daemon for the changes to take effect.
+
+# service nfs restartIf the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable.
+
+The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding.
+
+To verify the "all_squash" option has been disabled, run the following command:
+
+# grep all_squash /etc/exports
+
+
+If there is output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000044The /etc/group file must have mode 0644 or less permissive.<VulnDiscussion>The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the permissions of "/etc/group", run the command:
+
+# chmod 644 /etc/groupTo check the permissions of "/etc/group", run the command:
+
+$ ls -l /etc/group
+
+If properly configured, the output should indicate the following permissions: "-rw-r--r--"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000003The system must use a separate file system for /var/log.<VulnDiscussion>Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.Run the following command to determine if "/var/log" is on its own partition or logical volume:
+
+$ mount | grep "on /var/log "
+
+If "/var/log" has its own partition or volume group, a line will be returned.
+If no line is returned, this is a finding.SRG-OS-000047<GroupDescription></GroupDescription>RHEL-06-000511The audit system must take appropriate action when there are disk errors on the audit storage volume.<VulnDiscussion>Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000140Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:
+
+disk_error_action = [ACTION]
+
+Possible values for [ACTION] are described in the "auditd.conf" man page. These include:
+
+"ignore"
+"syslog"
+"exec"
+"suspend"
+"single"
+"halt"
+
+
+Set this to "syslog", "exec", "single", or "halt".Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur:
+
+# grep disk_error_action /etc/audit/auditd.conf
+disk_error_action = [ACTION]
+
+
+If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.SRG-OS-000259<GroupDescription></GroupDescription>RHEL-06-000045Library files must have mode 0755 or less permissive.<VulnDiscussion>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001499System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
+
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
+
+# chmod go-w [FILE]System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
+
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+
+Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries:
+
+$ find -L [DIR] -perm /022 -type f
+
+
+If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding.SRG-OS-000259<GroupDescription></GroupDescription>RHEL-06-000046Library files must be owned by a system account.<VulnDiscussion>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001499System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
+
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+/usr/local/lib
+/usr/local/lib64
+
+If any file in these directories is found to be owned by a user other than “root” and does not match what is expected by the RPM, correct its ownership by running one of the following commands:
+
+
+# rpm --setugids [PACKAGE_NAME]
+
+Or
+
+# chown root [FILE]System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
+
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+/usr/local/lib
+/usr/local/lib64
+
+Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command:
+
+for i in /lib /lib64 /usr/lib /usr/lib64
+do
+ for j in `find -L $i \! -user root`
+ do
+ rpm -V -f $j | grep '^.....U'
+ done
+done
+
+
+If the command returns any results, this is a finding.SRG-OS-000044<GroupDescription></GroupDescription>RHEL-06-000004The system must use a separate file system for the system audit data path.<VulnDiscussion>Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000137Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.Run the following command to determine if "/var/log/audit" is on its own partition or logical volume:
+
+$ mount | grep "on /var/log/audit "
+
+If "/var/log/audit" has its own partition or volume group, a line will be returned.
+If no line is returned, this is a finding.SRG-OS-000047<GroupDescription></GroupDescription>RHEL-06-000510The audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000140The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:
+
+disk_full_action = [ACTION]
+
+Possible values for [ACTION] are described in the "auditd.conf" man page. These include:
+
+"ignore"
+"syslog"
+"exec"
+"suspend"
+"single"
+"halt"
+
+
+Set this to "syslog", "exec", "single", or "halt".Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full:
+
+# grep disk_full_action /etc/audit/auditd.conf
+disk_full_action = [ACTION]
+
+
+If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.SRG-OS-000259<GroupDescription></GroupDescription>RHEL-06-000047All system command files must have mode 755 or less permissive.<VulnDiscussion>System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001499System executables are stored in the following directories by default:
+
+/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin
+
+If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
+
+# chmod go-w [FILE]System executables are stored in the following directories by default:
+
+/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin
+
+All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables:
+
+$ find -L [DIR] -perm /022 -type f
+
+If any system executables are found to be group-writable or world-writable, this is a finding.SRG-OS-000045<GroupDescription></GroupDescription>RHEL-06-000005The audit system must alert designated staff members when the audit storage volume approaches capacity.<VulnDiscussion>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000138The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:
+
+space_left_action = [ACTION]
+
+Possible values for [ACTION] are described in the "auditd.conf" man page. These include:
+
+"ignore"
+"syslog"
+"email"
+"exec"
+"suspend"
+"single"
+"halt"
+
+
+Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner.
+
+RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:
+
+# grep space_left_action /etc/audit/auditd.conf
+space_left_action = email
+
+
+If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The "syslog" option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.SRG-OS-000043<GroupDescription></GroupDescription>RHEL-06-000509The system must forward audit records to the syslog service.<VulnDiscussion>The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000136Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process.
+
+# service auditd restartVerify the audispd plugin is active:
+
+# grep active /etc/audisp/plugins.d/syslog.conf
+
+If the "active" setting is missing or set to "no", this is a finding.SRG-OS-000259<GroupDescription></GroupDescription>RHEL-06-000048All system command files must be owned by root.<VulnDiscussion>System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001499System executables are stored in the following directories by default:
+
+/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin
+
+If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command:
+
+# chown root [FILE]System executables are stored in the following directories by default:
+
+/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin
+
+All files in these directories should not be group-writable or world-writable. To find system executables that are not owned by "root", run the following command for each directory [DIR] which contains system executables:
+
+$ find -L [DIR] \! -user root
+
+
+If any system executables are found to not be owned by root, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000007The system must use a separate file system for user home directories.<VulnDiscussion>Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.Run the following command to determine if "/home" is on its own partition or logical volume:
+
+$ mount | grep "on /home "
+
+If "/home" has its own partition or volume group, a line will be returned.
+If no line is returned, this is a finding.SRG-OS-000030<GroupDescription></GroupDescription>RHEL-06-000508The system must allow locking of graphical desktop sessions.<VulnDiscussion>The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000058Run the following command to set the Gnome desktop keybinding for locking the screen:
+
+# gconftool-2
+--direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type string \
+--set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"
+
+Another keyboard sequence may be substituted for "<Control><Alt>l", which is the default for the Gnome desktop.If the GConf2 package is not installed, this is not applicable.
+
+Verify the keybindings for the Gnome screensaver:
+
+# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver
+
+If no output is visible, this is a finding.SRG-OS-000078<GroupDescription></GroupDescription>RHEL-06-000050The system must require passwords to contain a minimum of 15 characters.<VulnDiscussion>Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
+
+While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000205To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following lines:
+
+PASS_MIN_LEN 15
+
+The DoD requirement is "15". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.To check the minimum password length, run the command:
+
+$ grep PASS_MIN_LEN /etc/login.defs
+
+The DoD requirement is "15".
+If it is not set to the required value, this is a finding.SRG-OS-000090<GroupDescription></GroupDescription>RHEL-06-000008Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.<VulnDiscussion>The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000352To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run:
+
+# rhn_register
+
+If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring:
+
+# rpm --import /media/cdrom/RPM-GPG-KEYTo ensure that the GPG keys are installed, run:
+
+$ rpm -q gpg-pubkey
+
+The command should return the strings below:
+
+gpg-pubkey-fd431d51-4ae0493b
+gpg-pubkey-2fa658e0-45700c69
+
+If the Red Hat GPG Keys are not installed, this is a finding.SRG-OS-000075<GroupDescription></GroupDescription>RHEL-06-000051Users must not be able to change passwords more than once every 24 hours.<VulnDiscussion>Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000198To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
+
+PASS_MIN_DAYS [DAYS]
+
+A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.To check the minimum password age, run the command:
+
+$ grep PASS_MIN_DAYS /etc/login.defs
+
+The DoD requirement is 1.
+If it is not set to the required value, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000009The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.<VulnDiscussion>Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the "rhnsd" daemon can remain on.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The "rhnsd" service can be disabled with the following commands:
+
+# chkconfig rhnsd off
+# service rhnsd stopIf the system uses RHN or an RHN Satellite, this is not applicable.
+
+To check that the "rhnsd" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "rhnsd" --list
+
+Output should indicate the "rhnsd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "rhnsd" --list
+"rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "rhnsd" is disabled through current runtime configuration:
+
+# service rhnsd status
+
+If the service is disabled the command will return the following output:
+
+rhnsd is stopped
+
+
+If the service is running, this is a finding.SRG-OS-000076<GroupDescription></GroupDescription>RHEL-06-000053User passwords must be changed at least every 60 days.<VulnDiscussion>Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000199To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
+
+PASS_MAX_DAYS [DAYS]
+
+The DoD requirement is 60.To check the maximum password age, run the command:
+
+$ grep PASS_MAX_DAYS /etc/login.defs
+
+The DoD requirement is 60.
+If it is not set to the required value, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000054Users must be warned 7 days in advance of password expiration.<VulnDiscussion>Setting the password warning age enables users to make the change at a practical time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
+
+PASS_WARN_AGE [DAYS]
+
+The DoD requirement is 7.To check the password warning age, run the command:
+
+$ grep PASS_WARN_AGE /etc/login.defs
+
+The DoD requirement is 7.
+If it is not set to the required value, this is a finding.SRG-OS-000191<GroupDescription></GroupDescription>RHEL-06-000011System security patches and updates must be installed and up-to-date.<VulnDiscussion>Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001233If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
+
+# yum update
+
+If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using "rpm".If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available:
+
+# yum check-update
+
+If the system is not configured to update from one of these sources, run the following command to list when each package was last updated:
+
+$ rpm -qa -last
+
+Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates.
+If updates are not installed, this is a finding.SRG-OS-000071<GroupDescription></GroupDescription>RHEL-06-000056The system must require passwords to contain at least one numeric character.<VulnDiscussion>Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000194The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.To check how many digits are required in a password, run the following command:
+
+$ grep pam_cracklib /etc/pam.d/system-auth
+
+The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1".
+If dcredit is not found or not set to the required value, this is a finding.SRG-OS-000103<GroupDescription></GroupDescription>RHEL-06-000013The system package management tool must cryptographically verify the authenticity of system software packages during installation.<VulnDiscussion>Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000663The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section:
+
+gpgcheck=1To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section:
+
+gpgcheck=1
+
+A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled.
+If GPG checking is not enabled, this is a finding.
+
+If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.SRG-OS-000025<GroupDescription></GroupDescription>RHEL-06-000507The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.<VulnDiscussion>Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
+
+At ssh login, a user must be presented with the last successful login date and time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000052Update the "PrintLastLog" keyword to "yes" in /etc/ssh/sshd_config:
+
+PrintLastLog yes
+
+While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last logon date and time, it is preferred to have the value explicitly documented.Verify the value associated with the "PrintLastLog" keyword in /etc/ssh/sshd_config:
+
+# grep -i "^PrintLastLog" /etc/ssh/sshd_config
+
+If the "PrintLastLog" keyword is not present, this is not a finding. If the value is not set to "yes", this is a finding.SRG-OS-000100<GroupDescription></GroupDescription>RHEL-06-000505The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000537Procedures to back up OS data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.
+
+Implement a process whereby OS data is backed up from the system in accordance with local policies.Ask an administrator if a process exists to back up OS data from the system, including configuration data.
+
+If such a process does not exist, this is a finding.SRG-OS-000103<GroupDescription></GroupDescription>RHEL-06-000015The system package management tool must cryptographically verify the authenticity of all software packages during installation.<VulnDiscussion>Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000663To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form:
+
+gpgcheck=0To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections:
+
+gpgcheck=0
+
+A value of "0" indicates that "gpgcheck" has been disabled for that repo.
+If GPG checking is disabled, this is a finding.
+
+If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.SRG-OS-000099<GroupDescription></GroupDescription>RHEL-06-000504The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000535Procedures to back up user data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.
+
+Implement a process whereby user data is backed up from the system in accordance with local policies.Ask an administrator if a process exists to back up user data from the system.
+
+If such a process does not exist, this is a finding.SRG-OS-000232<GroupDescription></GroupDescription>RHEL-06-000016A file integrity tool must be installed.<VulnDiscussion>The AIDE package must be installed if it is to be available for integrity checking.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001069Install the AIDE package with the command:
+
+# yum install aideIf another file integrity tool is installed, this is not a finding.
+
+Run the following command to determine if the "aide" package is installed:
+
+# rpm -q aide
+
+
+If the package is not installed, this is a finding.SRG-OS-000273<GroupDescription></GroupDescription>RHEL-06-000503The operating system must enforce requirements for the connection of mobile devices to operating systems.<VulnDiscussion>USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000086To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
+
+install usb-storage /bin/true
+
+This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
+
+If no line is returned, this is a finding.SRG-OS-000248<GroupDescription></GroupDescription>RHEL-06-000019There must be no .rhosts or hosts.equiv files on the system.<VulnDiscussion>Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001436The files "/etc/hosts.equiv" and "~/.rhosts" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location.
+
+# rm /etc/hosts.equiv
+
+
+
+$ rm ~/.rhostsThe existence of the file "/etc/hosts.equiv" or a file named ".rhosts" inside a user home directory indicates the presence of an Rsh trust relationship.
+If these files exist, this is a finding.SRG-OS-000109<GroupDescription></GroupDescription>RHEL-06-000027The system must prevent the root account from logging in from virtual consoles.<VulnDiscussion>Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000770To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty":
+
+vc/1
+vc/2
+vc/3
+vc/4
+
+Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.To check for virtual console entries which permit root login, run the following command:
+
+# grep '^vc/[0-9]' /etc/securetty
+
+If any output is returned, then root logins over virtual console devices is permitted.
+If root login over virtual console devices is permitted, this is a finding.SRG-OS-000059<GroupDescription></GroupDescription>RHEL-06-000385Audit log directories must have mode 0755 or less permissive.<VulnDiscussion>If users can delete audit logs, audit trails can be modified or destroyed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000164Change the mode of the audit log directories with the following command:
+
+# chmod go-w [audit_directory]Run the following command to check the mode of the system audit directories:
+
+grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n
+
+Audit directories must be mode 0755 or less permissive.
+If any are more permissive, this is a finding.SRG-OS-000109<GroupDescription></GroupDescription>RHEL-06-000028The system must prevent the root account from logging in from serial consoles.<VulnDiscussion>Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000770To restrict root logins on serial ports, ensure lines of this form do not appear in "/etc/securetty":
+
+ttyS0
+ttyS1
+
+Note: Serial port entries are not limited to those listed above. Any lines starting with "ttyS" followed by numerals should be removedTo check for serial port entries which permit root login, run the following command:
+
+# grep '^ttyS[0-9]' /etc/securetty
+
+If any output is returned, then root login over serial ports is permitted.
+If root login over serial ports is permitted, this is a finding.SRG-OS-000057<GroupDescription></GroupDescription>RHEL-06-000384Audit log files must be owned by root.<VulnDiscussion>If non-privileged users can write to audit logs, audit trails can be modified or destroyed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000162Change the owner of the audit log files with the following command:
+
+# chown root [audit_file]Run the following command to check the owner of the system audit logs:
+
+grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %U:%n
+
+Audit logs must be owned by root.
+If they are not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000029Default operating system accounts, other than root, must be locked.<VulnDiscussion>Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts.
+
+Disable logon access to these accounts with the command:
+
+# passwd -l [SYSACCT]To obtain a listing of all users and the contents of their shadow password field, run the command:
+
+$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow
+
+Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root.
+
+If any default operating system account (other than root) has a valid password hash, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000030The system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" to prevent logons with empty passwords.To verify that null passwords cannot be used, run the following command:
+
+# grep nullok /etc/pam.d/system-auth
+
+If this produces any output, it may be possible to log into accounts with empty passwords.
+If NULL passwords can be used, this is a finding.SRG-OS-000058<GroupDescription></GroupDescription>RHEL-06-000383Audit log files must have mode 0640 or less permissive.<VulnDiscussion>If users can write to audit logs, audit trails can be modified or destroyed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000163Change the mode of the audit log files with the following command:
+
+# chmod 0640 [audit_file]Run the following command to check the mode of the system audit logs:
+
+grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n
+
+Audit logs must be mode 0640 or less permissive.
+If any are more permissive, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000031The /etc/passwd file must not contain password hashes.<VulnDiscussion>The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366If any password hashes are stored in "/etc/passwd" (in the second field, instead of an "x"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.To check that no password hashes are stored in "/etc/passwd", run the following command:
+
+# awk -F: '($2 != "x") {print}' /etc/passwd
+
+If it produces any output, then a password hash is stored in "/etc/passwd".
+If any stored hashes are found in /etc/passwd, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000032The root account must be the only account having a UID of 0.<VulnDiscussion>An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.To list all password file entries for accounts with UID 0, run the following command:
+
+# awk -F: '($3 == 0) {print}' /etc/passwd
+
+This should print only one line, for the user root.
+If any account other than root has a UID of 0, this is a finding.SRG-OS-000249<GroupDescription></GroupDescription>RHEL-06-000357The system must disable accounts after excessive login failures within a 15-minute interval.<VulnDiscussion>Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001452Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:
+
+Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:
+
+auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
+
+Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:
+
+auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
+
+Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:
+
+account required pam_faillock.so
+
+Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.To ensure the failed password attempt policy is configured correctly, run the following command:
+
+$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
+
+For each file, the output should show "fail_interval=<interval-in-seconds>" where "interval-in-seconds" is 900 (15 minutes) or greater. If the "fail_interval" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000033The /etc/shadow file must be owned by root.<VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the owner of "/etc/shadow", run the command:
+
+# chown root /etc/shadowTo check the ownership of "/etc/shadow", run the command:
+
+$ ls -l /etc/shadow
+
+If properly configured, the output should indicate the following owner: "root"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000034The /etc/shadow file must be group-owned by root.<VulnDiscussion>The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the group owner of "/etc/shadow", run the command:
+
+# chgrp root /etc/shadowTo check the group ownership of "/etc/shadow", run the command:
+
+$ ls -l /etc/shadow
+
+If properly configured, the output should indicate the following group-owner. "root"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000035The /etc/shadow file must have mode 0000.<VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To properly set the permissions of "/etc/shadow", run the command:
+
+# chmod 0000 /etc/shadowTo check the permissions of "/etc/shadow", run the command:
+
+$ ls -l /etc/shadow
+
+If properly configured, the output should indicate the following permissions: "----------"
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000082IP forwarding for IPv4 must not be enabled, unless the system is a router.<VulnDiscussion>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.ip_forward=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.ip_forward = 0The status of the "net.ipv4.ip_forward" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.ip_forward
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.ip_forward /etc/sysctl.conf
+
+The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding. SRG-OS-000146<GroupDescription></GroupDescription>RHEL-06-000117The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.<VulnDiscussion>The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001100The "iptables" service can be enabled with the following commands:
+
+# chkconfig iptables on
+# service iptables startIf the system is a cross-domain system, this is not applicable.
+
+Run the following command to determine the current status of the "iptables" service:
+
+# service iptables status
+
+If the service is not running, it should return the following:
+
+iptables: Firewall is not running.
+
+
+If the service is not running, this is a finding.SRG-OS-000231<GroupDescription></GroupDescription>RHEL-06-000120The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.<VulnDiscussion>In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000066To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables":
+
+:INPUT DROP [0:0]Inspect the file "/etc/sysconfig/iptables" to determine the default policy for the INPUT chain. It should be set to DROP.
+
+# grep ":INPUT" /etc/sysconfig/iptables
+
+If the default policy for the INPUT chain is not set to DROP, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000124The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.<VulnDiscussion>Disabling DCCP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
+
+install dccp /bin/trueIf the system is configured to prevent the loading of the "dccp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d
+
+If no line is returned, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000125The Stream Control Transmission Protocol (SCTP) must be disabled unless required.<VulnDiscussion>Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
+
+install sctp /bin/trueIf the system is configured to prevent the loading of the "sctp" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
+
+If no line is returned, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000126The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.<VulnDiscussion>Disabling RDS protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
+
+install rds /bin/trueIf the system is configured to prevent the loading of the "rds" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r rds /etc/modprobe.conf /etc/modprobe.d
+
+If no line is returned, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000127The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.<VulnDiscussion>Disabling TIPC protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
+
+install tipc /bin/trueIf the system is configured to prevent the loading of the "tipc" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
+
+If no line is returned, this is a finding.SRG-OS-000206<GroupDescription></GroupDescription>RHEL-06-000133All rsyslog-generated log files must be owned by root.<VulnDiscussion>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001314The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's owner:
+
+$ ls -l [LOGFILE]
+
+If the owner is not "root", run the following command to correct this:
+
+# chown root [LOGFILE]The owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the owner of a given log file, run the following command:
+
+$ ls -l [LOGFILE]
+
+Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.
+
+If the owner is not root, this is a finding. SRG-OS-000206<GroupDescription></GroupDescription>RHEL-06-000134All rsyslog-generated log files must be group-owned by root.<VulnDiscussion>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001314The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's group owner:
+
+$ ls -l [LOGFILE]
+
+If the owner is not "root", run the following command to correct this:
+
+# chgrp root [LOGFILE]The group-owner of all log files written by "rsyslog" should be root. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". To see the group-owner of a given log file, run the following command:
+
+$ ls -l [LOGFILE]
+
+Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.
+
+If the group-owner is not root, this is a finding.SRG-OS-000215<GroupDescription></GroupDescription>RHEL-06-000136The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.<VulnDiscussion>A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001348To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
+To use UDP for log message delivery:
+
+*.* @[loghost.example.com]
+
+
+To use TCP for log message delivery:
+
+*.* @@[loghost.example.com]
+
+
+To use RELP for log message delivery:
+
+*.* :omrelp:[loghost.example.com]To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present:
+
+*.* @[loghost.example.com]
+
+If using TCP, a line similar to the following should be present:
+
+*.* @@[loghost.example.com]
+
+If using RELP, a line similar to the following should be present:
+
+*.* :omrelp:[loghost.example.com]
+
+
+If none of these are present, this is a finding.SRG-OS-000043<GroupDescription></GroupDescription>RHEL-06-000137The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.<VulnDiscussion>A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000169To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
+To use UDP for log message delivery:
+
+*.* @[loghost.example.com]
+
+
+To use TCP for log message delivery:
+
+*.* @@[loghost.example.com]
+
+
+To use RELP for log message delivery:
+
+*.* :omrelp:[loghost.example.com]To ensure logs are sent to a remote host, examine the file "/etc/rsyslog.conf". If using UDP, a line similar to the following should be present:
+
+*.* @[loghost.example.com]
+
+If using TCP, a line similar to the following should be present:
+
+*.* @@[loghost.example.com]
+
+If using RELP, a line similar to the following should be present:
+
+*.* :omrelp:[loghost.example.com]
+
+
+If none of these are present, this is a finding.SRG-OS-000062<GroupDescription></GroupDescription>RHEL-06-000167The audit system must be configured to audit all attempts to alter system time through settimeofday.<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000169On a 32-bit system, add the following to "/etc/audit/audit.rules":
+
+# audit_time_rules
+-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
+
+On a 64-bit system, add the following to "/etc/audit/audit.rules":
+
+# audit_time_rules
+-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
+
+The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
+
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rulesTo determine if the system is configured to audit calls to the "settimeofday" system call, run the following command:
+
+$ sudo grep -w "settimeofday" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+If the system is not configured to audit time changes, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000083The system must not accept IPv4 source-routed packets on any interface.<VulnDiscussion>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.all.accept_source_route=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.all.accept_source_route = 0The status of the "net.ipv4.conf.all.accept_source_route" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.all.accept_source_route
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000084The system must not accept ICMPv4 redirect packets on any interface.<VulnDiscussion>Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.all.accept_redirects=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.all.accept_redirects = 0The status of the "net.ipv4.conf.all.accept_redirects" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.all.accept_redirects
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000062<GroupDescription></GroupDescription>RHEL-06-000169The audit system must be configured to audit all attempts to alter system time through stime.<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000169On a 32-bit system, add the following to "/etc/audit/audit.rules":
+
+# audit_time_rules
+-a always,exit -F arch=b32 -S stime -k audit_time_rules
+
+On a 64-bit system, the "-S stime" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
+
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rulesIf the system is 64-bit only, this is not applicable.
+
+To determine if the system is configured to audit calls to the "stime" system call, run the following command:
+
+$ sudo grep -w "stime" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+If the system is not configured to audit time changes, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000086The system must not accept ICMPv4 secure redirect packets on any interface.<VulnDiscussion>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.all.secure_redirects=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.all.secure_redirects = 0The status of the "net.ipv4.conf.all.secure_redirects" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.all.secure_redirects
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding.SRG-OS-000062<GroupDescription></GroupDescription>RHEL-06-000171The audit system must be configured to audit all attempts to alter system time through clock_settime.<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000169On a 32-bit system, add the following to "/etc/audit/audit.rules":
+
+# audit_time_rules
+-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
+
+On a 64-bit system, add the following to "/etc/audit/audit.rules":
+
+# audit_time_rules
+-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
+
+The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
+
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rulesTo determine if the system is configured to audit calls to the "clock_settime" system call, run the following command:
+
+$ sudo grep -w "clock_settime" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+If the system is not configured to audit time changes, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000088The system must log Martian packets.<VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.all.log_martians=1
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.all.log_martians = 1The status of the "net.ipv4.conf.all.log_martians" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.all.log_martians
+
+The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000089The system must not accept IPv4 source-routed packets by default.<VulnDiscussion>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.default.accept_source_route=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.default.accept_source_route = 0The status of the "net.ipv4.conf.default.accept_source_route" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.default.accept_source_route
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000062<GroupDescription></GroupDescription>RHEL-06-000173The audit system must be configured to audit all attempts to alter system time through /etc/localtime.<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000169Add the following to "/etc/audit/audit.rules":
+
+-w /etc/localtime -p wa -k audit_time_rules
+
+The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:
+
+$ sudo grep -w "/etc/localtime" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+If the system is not configured to audit time changes, this is a finding.SRG-OS-000004<GroupDescription></GroupDescription>RHEL-06-000174The operating system must automatically audit account creation.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000018Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
+
+# audit_account_changes
+-w /etc/group -p wa -k audit_account_changes
+-w /etc/passwd -p wa -k audit_account_changes
+-w /etc/gshadow -p wa -k audit_account_changes
+-w /etc/shadow -p wa -k audit_account_changes
+-w /etc/security/opasswd -p wa -k audit_account_changesTo determine if the system is configured to audit account changes, run the following command:
+
+$ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules
+
+If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).
+
+If the system is not configured to audit account changes, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000090The system must not accept ICMPv4 secure redirect packets by default.<VulnDiscussion>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.default.secure_redirects=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.default.secure_redirects = 0The status of the "net.ipv4.conf.default.secure_redirects" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.default.secure_redirects
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000091The system must ignore ICMPv4 redirect messages by default.<VulnDiscussion>This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.default.accept_redirects=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.default.accept_redirects = 0The status of the "net.ipv4.conf.default.accept_redirects" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.default.accept_redirects
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000239<GroupDescription></GroupDescription>RHEL-06-000175The operating system must automatically audit account modification.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001403Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
+
+# audit_account_changes
+-w /etc/group -p wa -k audit_account_changes
+-w /etc/passwd -p wa -k audit_account_changes
+-w /etc/gshadow -p wa -k audit_account_changes
+-w /etc/shadow -p wa -k audit_account_changes
+-w /etc/security/opasswd -p wa -k audit_account_changesTo determine if the system is configured to audit account changes, run the following command:
+
+$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules
+
+If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).
+
+If the system is not configured to audit account changes, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000092The system must not respond to ICMPv4 sent to a broadcast address.<VulnDiscussion>Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.icmp_echo_ignore_broadcasts = 1The status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
+
+The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000240<GroupDescription></GroupDescription>RHEL-06-000176The operating system must automatically audit account disabling actions.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001404Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
+
+# audit_account_changes
+-w /etc/group -p wa -k audit_account_changes
+-w /etc/passwd -p wa -k audit_account_changes
+-w /etc/gshadow -p wa -k audit_account_changes
+-w /etc/shadow -p wa -k audit_account_changes
+-w /etc/security/opasswd -p wa -k audit_account_changesTo determine if the system is configured to audit account changes, run the following command:
+
+$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules
+
+If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).
+
+If the system is not configured to audit account changes, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000093The system must ignore ICMPv4 bogus error responses.<VulnDiscussion>Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.icmp_ignore_bogus_error_responses = 1The status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.icmp_ignore_bogus_error_responses
+
+The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000241<GroupDescription></GroupDescription>RHEL-06-000177The operating system must automatically audit account termination.<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001405Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
+
+# audit_account_changes
+-w /etc/group -p wa -k audit_account_changes
+-w /etc/passwd -p wa -k audit_account_changes
+-w /etc/gshadow -p wa -k audit_account_changes
+-w /etc/shadow -p wa -k audit_account_changes
+-w /etc/security/opasswd -p wa -k audit_account_changesTo determine if the system is configured to audit account changes, run the following command:
+
+$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules
+
+If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).
+
+If the system is not configured to audit account changes, this is a finding.SRG-OS-000142<GroupDescription></GroupDescription>RHEL-06-000095The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.<VulnDiscussion>A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001095To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.tcp_syncookies=1
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.tcp_syncookies = 1The status of the "net.ipv4.tcp_syncookies" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.tcp_syncookies
+
+The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.tcp_syncookies /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000182The audit system must be configured to audit modifications to the systems network configuration.<VulnDiscussion>The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:
+
+# audit_network_modifications
+-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
+-w /etc/issue -p wa -k audit_network_modifications
+-w /etc/issue.net -p wa -k audit_network_modifications
+-w /etc/hosts -p wa -k audit_network_modifications
+-w /etc/sysconfig/network -p wa -k audit_network_modificationsIf you are running x86_64 architecture, determine the values for sethostname:
+$ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname
+
+If the values returned are not identical verify that the system is configured to monitor network configuration changes for the i386 and x86_64 architectures:
+
+$ sudo egrep -w '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' /etc/audit/audit.rules
+
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
+-w /etc/issue -p wa -k audit_network_modifications
+-w /etc/issue.net -p wa -k audit_network_modifications
+-w /etc/hosts -p wa -k audit_network_modifications
+-w /etc/sysconfig/network -p wa -k audit_network_modifications
+
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
+-w /etc/issue -p wa -k audit_network_modifications
+-w /etc/issue.net -p wa -k audit_network_modifications
+-w /etc/hosts -p wa -k audit_network_modifications
+-w /etc/sysconfig/network -p wa -k audit_network_modifications
+
+If the system is configured to watch for network configuration changes, a line should be returned for each file specified for both (and "-p wa" should be indicated for each).
+
+If the system is not configured to audit changes of the network configuration, this is a finding.
+SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000183The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).<VulnDiscussion>The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Add the following to "/etc/audit/audit.rules":
+
+-w /etc/selinux/ -p wa -k MAC-policyTo determine if the system is configured to audit changes to its SELinux configuration files, run the following command:
+
+$ sudo grep -w "/etc/selinux" /etc/audit/audit.rules
+
+If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including "-p wa" indicating permissions that are watched).
+
+If the system is not configured to audit attempts to change the MAC policy, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000096The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.all.rp_filter=1
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.all.rp_filter = 1The status of the "net.ipv4.conf.all.rp_filter" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.all.rp_filter
+
+The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000184The audit system must be configured to audit all discretionary access control permission modifications using chmod.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "chmod" system call, run the following command:
+
+$ sudo grep -w "chmod" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If the system is not configured to audit permission changes, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000097The system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.default.rp_filter=1
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.default.rp_filter = 1The status of the "net.ipv4.conf.default.rp_filter" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.default.rp_filter
+
+The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000185The audit system must be configured to audit all discretionary access control permission modifications using chown.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "chown" system call, run the following command:
+
+$ sudo grep -w "chown" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000098The IPv6 protocol handler must not be bound to the network stack unless needed.<VulnDiscussion>Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To prevent the IPv6 kernel module ("ipv6") from binding to the IPv6 networking stack, add the following line to "/etc/modprobe.d/disabled.conf" (or another file in "/etc/modprobe.d"):
+
+options ipv6 disable=1
+
+This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.
+
+Or add the following line to "/etc/sysctl.conf" to unhook the module:
+
+net.ipv6.conf.all.disable_ipv6 = 1
+If the system uses IPv6, this is not applicable.
+
+If the system is configured to disable the "ipv6" kernel module, it will contain a line of the form:
+
+options ipv6 disable=1
+
+Such lines may be inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d
+
+If the IPv6 kernel module is not disabled, look to see if it is unhooked by inspecting the "sysctl.conf" file for the following output:
+
+$ grep -r ipv6 /etc/sysctl.conf
+net.ipv6.conf.all.disable_ipv6 = 1
+
+If the IPv6 kernel module is not disabled or unhooked, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000186The audit system must be configured to audit all discretionary access control permission modifications using fchmod.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "fchmod" system call, run the following command:
+
+$ sudo grep -w "fchmod" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000099The system must ignore ICMPv6 redirects by default.<VulnDiscussion>An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command:
+
+# sysctl -w net.ipv6.conf.default.accept_redirects=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv6.conf.default.accept_redirects = 0If IPv6 is disabled, this is not applicable.
+
+The status of the "net.ipv6.conf.default.accept_redirects" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv6.conf.default.accept_redirects
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000152<GroupDescription></GroupDescription>RHEL-06-000103The system must employ a local IPv6 firewall.<VulnDiscussion>The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001118The "ip6tables" service can be enabled with the following commands:
+
+# chkconfig ip6tables on
+# service ip6tables startIf the system is a cross-domain system, this is not applicable.
+
+If IPv6 is disabled, this is not applicable.
+
+Run the following command to determine the current status of the "ip6tables" service:
+
+# service ip6tables status
+
+If the service is not running, it should return the following:
+
+ip6tables: Firewall is not running.
+
+
+If the service is not running, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000187The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "fchmodat" system call, run the following command:
+
+$ sudo grep -w "fchmodat" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000145<GroupDescription></GroupDescription>RHEL-06-000106The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.<VulnDiscussion>The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001098The "ip6tables" service can be enabled with the following commands:
+
+# chkconfig ip6tables on
+# service ip6tables startIf the system is a cross-domain system, this is not applicable.
+
+If IPV6 is disabled, this is not applicable.
+
+Run the following command to determine the current status of the "ip6tables" service:
+
+# service ip6tables status
+
+If the service is not running, it should return the following:
+
+ip6tables: Firewall is not running.
+
+
+If the service is not running, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000188The audit system must be configured to audit all discretionary access control permission modifications using fchown.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "fchown" system call, run the following command:
+
+$ sudo grep -w "fchown" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000146<GroupDescription></GroupDescription>RHEL-06-000107The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.<VulnDiscussion>The "ip6tables" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001100The "ip6tables" service can be enabled with the following commands:
+
+# chkconfig ip6tables on
+# service ip6tables startIf the system is a cross-domain system, this is not applicable.
+
+If IPv6 is disabled, this is not applicable.
+
+Run the following command to determine the current status of the "ip6tables" service:
+
+# service ip6tables status
+
+If the service is not running, it should return the following:
+
+ip6tables: Firewall is not running.
+
+
+If the service is not running, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000189The audit system must be configured to audit all discretionary access control permission modifications using fchownat.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "fchownat" system call, run the following command:
+
+$ sudo grep -w "fchownat" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000152<GroupDescription></GroupDescription>RHEL-06-000113The system must employ a local IPv4 firewall.<VulnDiscussion>The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001118The "iptables" service can be enabled with the following commands:
+
+# chkconfig iptables on
+# service iptables startIf the system is a cross-domain system, this is not applicable.
+
+Run the following command to determine the current status of the "iptables" service:
+
+# service iptables status
+
+If the service is not running, it should return the following:
+
+iptables: Firewall is not running.
+
+
+If the service is not running, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000190The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command:
+
+$ sudo grep -w "fremovexattr" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000191The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command:
+
+$ sudo grep -w "fsetxattr" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000192The audit system must be configured to audit all discretionary access control permission modifications using lchown.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "lchown" system call, run the following command:
+
+$ sudo grep -w "lchown" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000193The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command:
+
+$ sudo grep -w "lremovexattr" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000145<GroupDescription></GroupDescription>RHEL-06-000116The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.<VulnDiscussion>The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001098The "iptables" service can be enabled with the following commands:
+
+# chkconfig iptables on
+# service iptables startIf the system is a cross-domain system, this is not applicable.
+
+Run the following command to determine the current status of the "iptables" service:
+
+# service iptables status
+
+If the service is not running, it should return the following:
+
+iptables: Firewall is not running.
+
+
+If the service is not running, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000194The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command:
+
+$ sudo grep -w "lsetxattr" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000195The audit system must be configured to audit all discretionary access control permission modifications using removexattr.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "removexattr" system call, run the following command:
+
+$ sudo grep -w "removexattr" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000196The audit system must be configured to audit all discretionary access control permission modifications using setxattr.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
+
+If the system is 64-bit, then also add the following:
+
+-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
+-k perm_mod
+-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_modTo determine if the system is configured to audit calls to the "setxattr" system call, run the following command:
+
+$ sudo grep -w "setxattr" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000197The audit system must be configured to audit failed attempts to access files and programs.<VulnDiscussion>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:
+
+-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
+-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
+-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
+-S ftruncate -F exit=-EACCES -F auid=0 -k access
+-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
+-S ftruncate -F exit=-EPERM -F auid=0 -k accessTo verify that the audit system collects unauthorized file accesses, run the following commands:
+
+# grep EACCES /etc/audit/audit.rules
+
+
+
+# grep EPERM /etc/audit/audit.rules
+
+
+If either command lacks output, this is a finding.SRG-OS-000020<GroupDescription></GroupDescription>RHEL-06-000198The audit system must be configured to audit all use of setuid and setgid programs.<VulnDiscussion>Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000040At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]:
+
+$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null
+
+Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list:
+
+-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privilegedTo verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs:
+
+$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null
+
+Run the following command to verify entries in the audit rules for all programs found with the previous command:
+
+$ sudo grep path /etc/audit/audit.rules
+
+It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding. SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000199The audit system must be configured to audit successful file system mounts.<VulnDiscussion>The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:
+
+-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
+-a always,exit -F arch=ARCH -S mount -F auid=0 -k exportTo verify that auditing is configured for all media exportation events, run the following command:
+
+$ sudo grep -w "mount" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return several lines.
+
+If no line is returned, this is a finding. SRG-OS-000069<GroupDescription></GroupDescription>RHEL-06-000057The system must require passwords to contain at least one uppercase alphabetic character.<VulnDiscussion>Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000192The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.To check how many uppercase characters are required in a password, run the following command:
+
+$ grep pam_cracklib /etc/pam.d/system-auth
+
+The "ucredit" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as "ucredit=-1".
+If ucredit is not found or not set to the required value, this is a finding.SRG-OS-000266<GroupDescription></GroupDescription>RHEL-06-000058The system must require passwords to contain at least one special character.<VulnDiscussion>Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001619The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.To check how many special characters are required in a password, run the following command:
+
+$ grep pam_cracklib /etc/pam.d/system-auth
+
+The "ocredit" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as "ocredit=-1".
+If ocredit is not found or not set to the required value, this is a finding.SRG-OS-000070<GroupDescription></GroupDescription>RHEL-06-000059The system must require passwords to contain at least one lower-case alphabetic character.<VulnDiscussion>Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000193The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. Add "lcredit=-1" after pam_cracklib.so to require use of a lower-case character in passwords.To check how many lower-case characters are required in a password, run the following command:
+
+$ grep pam_cracklib /etc/pam.d/system-auth
+
+The "lcredit" parameter (as a negative number) will indicate how many lower-case characters are required. The DoD requires at least one lower-case character in a password. This would appear as "lcredit=-1".
+
+If lcredit is not found or not set to the required value, this is a finding.
+SRG-OS-000072<GroupDescription></GroupDescription>RHEL-06-000060The system must require at least eight characters be changed between the old and new passwords during a password change.<VulnDiscussion>Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000195The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Add "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 8.To check how many characters must differ during a password change, run the following command:
+
+$ grep pam_cracklib /etc/pam.d/system-auth
+
+The "difok" parameter will indicate how many characters must differ. The DoD requires eight characters differ during a password change. This would appear as "difok=8".
+
+If difok is not found or not set to the required value, this is a finding.SRG-OS-000021<GroupDescription></GroupDescription>RHEL-06-000061The system must disable accounts after three consecutive unsuccessful logon attempts.<VulnDiscussion>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000044To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:
+
+Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:
+
+auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
+
+Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:
+
+auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
+
+Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:
+
+account required pam_faillock.so
+
+Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.To ensure the failed password attempt policy is configured correctly, run the following command:
+
+# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
+
+The output should show "deny=3" for both files.
+If that is not the case, this is a finding.SRG-OS-000120<GroupDescription></GroupDescription>RHEL-06-000062The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).<VulnDiscussion>Using a stronger hashing algorithm makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000803In "/etc/pam.d/system-auth" and "/etc/pam.d/system-auth-ac", among potentially other files, the "password" section of the files control which PAM modules execute during a password change. Set the "pam_unix.so" module in the "password" section to include the argument "sha512", as shown below:
+
+password sufficient pam_unix.so sha512 [other arguments...]
+
+This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
+
+Note that any updates made to "/etc/pam.d/system-auth" will be overwritten by the "authconfig" program. The "authconfig" program should not be used.Inspect the "password" section of "/etc/pam.d/system-auth", "/etc/pam.d/system-auth-ac", and other files in "/etc/pam.d" and ensure that the "pam_unix.so" module includes the argument "sha512".
+
+$ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512
+
+If it does not, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000200The audit system must be configured to audit user deletions of files and programs.<VulnDiscussion>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:
+
+-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
+
+To determine if the system is configured to audit calls to the "rmdir" system call, run the following command:
+
+$ sudo grep -w "rmdir" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "unlink" system call, run the following command:
+
+$ sudo grep -w "unlink" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command:
+
+$ sudo grep -w "unlinkat" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "rename" system call, run the following command:
+
+$ sudo grep -w "rename" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the "renameat" system call, run the following command:
+
+$ sudo grep -w "renameat" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+If no line is returned, this is a finding. SRG-OS-000120<GroupDescription></GroupDescription>RHEL-06-000063The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).<VulnDiscussion>Using a stronger hashing algorithm makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000803In "/etc/login.defs", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
+
+ENCRYPT_METHOD SHA512Inspect "/etc/login.defs" and ensure the following line appears:
+
+ENCRYPT_METHOD SHA512
+
+
+If it does not, this is a finding.SRG-OS-000120<GroupDescription></GroupDescription>RHEL-06-000064The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).<VulnDiscussion>Using a stronger hashing algorithm makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000803In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing:
+
+crypt_style = sha512Inspect "/etc/libuser.conf" and ensure the following line appears in the "[default]" section:
+
+crypt_style = sha512
+
+
+If it does not, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000201The audit system must be configured to audit changes to the /etc/sudoers file.<VulnDiscussion>The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules":
+
+-w /etc/sudoers -p wa -k actionsTo verify that auditing is configured for system administrator actions, run the following command:
+
+$ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules
+
+If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched).
+
+If there is no output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000065The system boot loader configuration file(s) must be owned by root.<VulnDiscussion>Only root should be able to modify important boot parameters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The file "/boot/grub/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/boot/grub/grub.conf", run the command:
+
+# chown root /boot/grub/grub.confTo check the ownership of "/boot/grub/grub.conf", run the command:
+
+$ ls -lL /boot/grub/grub.conf
+
+If properly configured, the output should indicate that the owner is "root".
+If it does not, this is a finding.SRG-OS-000064<GroupDescription></GroupDescription>RHEL-06-000202The audit system must be configured to audit the loading and unloading of dynamic kernel modules.<VulnDiscussion>The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000172Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modulesTo determine if the system is configured to audit execution of module management programs, run the following commands:
+
+$ sudo egrep -e "(-w |-F path=)/sbin/insmod" /etc/audit/audit.rules
+$ sudo egrep -e "(-w |-F path=)/sbin/rmmod" /etc/audit/audit.rules
+$ sudo egrep -e "(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+To determine if the system is configured to audit calls to the "init_module" system call, run the following command:
+
+$ sudo grep -w "init_module" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+To determine if the system is configured to audit calls to the "delete_module" system call, run the following command:
+
+$ sudo grep -w "delete_module" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+If no line is returned for any of these commands, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000066The system boot loader configuration file(s) must be group-owned by root.<VulnDiscussion>The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The file "/boot/grub/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/boot/grub/grub.conf", run the command:
+
+# chgrp root /boot/grub/grub.confTo check the group ownership of "/boot/grub/grub.conf", run the command:
+
+$ ls -lL /boot/grub/grub.conf
+
+If properly configured, the output should indicate the group-owner is "root".
+If it does not, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000203The xinetd service must be disabled if no network services utilizing it are enabled.<VulnDiscussion>The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "xinetd" service can be disabled with the following commands:
+
+# chkconfig xinetd off
+# service xinetd stopIf network services are using the xinetd service, this is not applicable.
+
+To check that the "xinetd" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "xinetd" --list
+
+Output should indicate the "xinetd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "xinetd" --list
+"xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "xinetd" is disabled through current runtime configuration:
+
+# service xinetd status
+
+If the service is disabled the command will return the following output:
+
+xinetd is stopped
+
+
+If the service is running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000067The system boot loader configuration file(s) must have mode 0600 or less permissive.<VulnDiscussion>Proper permissions ensure that only the root user can modify important boot parameters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366File permissions for "/boot/grub/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command:
+
+# chmod 600 /boot/grub/grub.conf
+
+Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.To check the permissions of "/boot/grub/grub.conf", run the command:
+
+$ sudo ls -lL /boot/grub/grub.conf
+
+If properly configured, the output should indicate the following permissions: "-rw-------"
+If it does not, this is a finding. SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000204The xinetd service must be uninstalled if no network services utilizing it are enabled.<VulnDiscussion>Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "xinetd" package can be uninstalled with the following command:
+
+# yum erase xinetdIf network services are using the xinetd service, this is not applicable.
+
+Run the following command to determine if the "xinetd" package is installed:
+
+# rpm -q xinetd
+
+
+If the package is installed, this is a finding.SRG-OS-000080<GroupDescription></GroupDescription>RHEL-06-000068The system boot loader must require authentication.<VulnDiscussion>Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000213The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:
+
+# grub-crypt --sha-512
+
+When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]):
+
+password --encrypted [password-hash]To verify the boot loader password has been set and encrypted, run the following command:
+
+# grep password /boot/grub/grub.conf
+
+The output should show the following:
+
+password --encrypted $6$[rest-of-the-password-hash]
+
+If it does not, this is a finding.SRG-OS-000080<GroupDescription></GroupDescription>RHEL-06-000069The system must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000213Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.
+
+To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init":
+
+SINGLE=/sbin/suloginTo check if authentication is required for single-user mode, run the following command:
+
+$ grep SINGLE /etc/sysconfig/init
+
+The output should be the following:
+
+SINGLE=/sbin/sulogin
+
+
+If the output is different, this is a finding.SRG-OS-000095<GroupDescription></GroupDescription>RHEL-06-000206The telnet-server package must not be installed.<VulnDiscussion>Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.
+
+Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000381The "telnet-server" package can be uninstalled with the following command:
+
+# yum erase telnet-serverRun the following command to determine if the "telnet-server" package is installed:
+
+# rpm -q telnet-server
+
+
+If the package is installed, this is a finding.SRG-OS-000080<GroupDescription></GroupDescription>RHEL-06-000070The system must not permit interactive boot.<VulnDiscussion>Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000213To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line:
+
+PROMPT=no
+
+The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.To check whether interactive boot is disabled, run the following command:
+
+$ grep PROMPT /etc/sysconfig/init
+
+If interactive boot is disabled, the output will show:
+
+PROMPT=no
+
+
+If it does not, this is a finding.SRG-OS-000129<GroupDescription></GroupDescription>RHEL-06-000211The telnet daemon must not be running.<VulnDiscussion>The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
+
+Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000888The "telnet" service can be disabled with the following command:
+
+# chkconfig telnet offTo check that the "telnet" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "telnet" --list
+
+Output should indicate the "telnet" service has either not been installed, or has been disabled, as shown in the example below:
+
+# chkconfig "telnet" --list
+telnet off
+OR
+error reading information on service telnet: No such file or directory
+
+
+If the service is running, this is a finding.SRG-OS-000030<GroupDescription></GroupDescription>RHEL-06-000071The system must allow locking of the console screen in text mode.<VulnDiscussion>Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000058To enable console screen locking when in text mode, install the "screen" package:
+
+# yum install screen
+
+Instruct users to begin new terminal sessions with the following command:
+
+$ screen
+
+The console can now be locked with the following key combination:
+
+ctrl+a xRun the following command to determine if the "screen" package is installed:
+
+# rpm -q screen
+
+
+If the package is not installed, this is a finding.SRG-OS-000095<GroupDescription></GroupDescription>RHEL-06-000213The rsh-server package must not be installed.<VulnDiscussion>The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000381The "rsh-server" package can be uninstalled with the following command:
+
+# yum erase rsh-serverRun the following command to determine if the "rsh-server" package is installed:
+
+# rpm -q rsh-server
+
+
+If the package is installed, this is a finding.SRG-OS-000022<GroupDescription></GroupDescription>RHEL-06-000356The system must require administrator action to unlock an account locked by excessive failed login attempts.<VulnDiscussion>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000047To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", modify the content of both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" as follows:
+
+Add the following line immediately before the "pam_unix.so" statement in the "AUTH" section:
+
+auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
+
+Add the following line immediately after the "pam_unix.so" statement in the "AUTH" section:
+
+auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
+
+Add the following line immediately before the "pam_unix.so" statement in the "ACCOUNT" section:
+
+account required pam_faillock.so
+
+Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.To ensure the failed password attempt policy is configured correctly, run the following command:
+
+# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
+
+The output should show "unlock_time=<some-large-number>"; the largest acceptable value is 604800 seconds (one week).
+If that is not the case, this is a finding.SRG-OS-000228<GroupDescription></GroupDescription>RHEL-06-000073The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.<VulnDiscussion>An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388To configure the system login banner:
+
+Edit "/etc/issue". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+OR:
+
+"I've read & consent to terms in IS user agreem't."To check if the system login banner is compliant, run the following command:
+
+$ cat /etc/issue
+
+
+If it does not display the required banner, this is a finding.SRG-OS-000033<GroupDescription></GroupDescription>RHEL-06-000214The rshd service must not be running.<VulnDiscussion>The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000068The "rsh" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rsh" service can be disabled with the following command:
+
+# chkconfig rsh offTo check that the "rsh" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "rsh" --list
+
+Output should indicate the "rsh" service has either not been installed, or has been disabled, as shown in the example below:
+
+# chkconfig "rsh" --list
+rsh off
+OR
+error reading information on service rsh: No such file or directory
+
+
+If the service is running, this is a finding.SRG-OS-000105<GroupDescription></GroupDescription>RHEL-06-000349The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.<VulnDiscussion>Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000765To enable smart card authentication, consult the documentation at:
+
+https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html
+
+For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
+
+https://access.redhat.com/solutions/82273Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication:
+
+Standalone systems
+Application accounts
+Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
+Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
+Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
+
+
+
+If non-exempt accounts are not using CAC authentication, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000078The system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "kernel.randomize_va_space" kernel parameter, run the following command:
+
+# sysctl -w kernel.randomize_va_space=2
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+kernel.randomize_va_space = 2The status of the "kernel.randomize_va_space" kernel parameter can be queried by running the following commands:
+
+$ sysctl kernel.randomize_va_space
+$ grep kernel.randomize_va_space /etc/sysctl.conf
+
+The output of the command should indicate a value of at least "1" (preferably "2"). If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+If the correct value is not returned, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000079The system must limit the ability of processes to have simultaneous write and execute access to memory.<VulnDiscussion>ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "kernel.exec-shield" kernel parameter, run the following command:
+
+# sysctl -w kernel.exec-shield=1
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+kernel.exec-shield = 1The status of the "kernel.exec-shield" kernel parameter can be queried by running the following command:
+
+$ sysctl kernel.exec-shield
+$ grep kernel.exec-shield /etc/sysctl.conf
+
+The output of the command should indicate a value of "1". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+If the correct value is not returned, this is a finding.SRG-OS-000033<GroupDescription></GroupDescription>RHEL-06-000216The rexecd service must not be running.<VulnDiscussion>The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000068The "rexec" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rexec" service can be disabled with the following command:
+
+# chkconfig rexec offTo check that the "rexec" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "rexec" --list
+
+Output should indicate the "rexec" service has either not been installed, or has been disabled, as shown in the example below:
+
+# chkconfig "rexec" --list
+rexec off
+OR
+error reading information on service rexec: No such file or directory
+
+
+If the service is running, this is a finding.SRG-OS-000023<GroupDescription></GroupDescription>RHEL-06-000348The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.<VulnDiscussion>This setting will cause the system greeting banner to be used for FTP connections as well.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000048Edit the vsftpd configuration file, which resides at "/etc/vsftpd/vsftpd.conf" by default. Add or correct the following configuration options.
+
+banner_file=/etc/issue
+
+Restart the vsftpd daemon.
+
+# service vsftpd restartTo verify this configuration, run the following command:
+
+grep "banner_file" /etc/vsftpd/vsftpd.conf
+
+The output should show the value of "banner_file" is set to "/etc/issue", an example of which is shown below.
+
+# grep "banner_file" /etc/vsftpd/vsftpd.conf
+banner_file=/etc/issue
+
+
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000080The system must not send ICMPv4 redirects by default.<VulnDiscussion>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.default.send_redirects=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.default.send_redirects = 0The status of the "net.ipv4.conf.default.send_redirects" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.default.send_redirects
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000081The system must not send ICMPv4 redirects from any interface.<VulnDiscussion>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command:
+
+# sysctl -w net.ipv4.conf.all.send_redirects=0
+
+If this is not the system's default value, add the following line to "/etc/sysctl.conf":
+
+net.ipv4.conf.all.send_redirects = 0The status of the "net.ipv4.conf.all.send_redirects" kernel parameter can be queried by running the following command:
+
+$ sysctl net.ipv4.conf.all.send_redirects
+
+The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".
+
+$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf
+
+If the correct value is not returned, this is a finding. SRG-OS-000248<GroupDescription></GroupDescription>RHEL-06-000218The rlogind service must not be running.<VulnDiscussion>The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001436The "rlogin" service, which is available with the "rsh-server" package and runs as a service through xinetd, should be disabled. The "rlogin" service can be disabled with the following command:
+
+# chkconfig rlogin off
+To check that the "rlogin" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "rlogin" --list
+
+Output should indicate the "rlogin" service has either not been installed, or has been disabled, as shown in the example below:
+
+# chkconfig "rlogin" --list
+rlogin off
+OR
+error reading information on service rlogin: No such file or directory
+
+
+If the service is running, this is a finding.SRG-OS-000095<GroupDescription></GroupDescription>RHEL-06-000220The ypserv package must not be installed.<VulnDiscussion>Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000381The "ypserv" package can be uninstalled with the following command:
+
+# yum erase ypservRun the following command to determine if the "ypserv" package is installed:
+
+# rpm -q ypserv
+
+
+If the package is installed, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000221The ypbind service must not be running.<VulnDiscussion>Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "ypbind" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The "ypbind" service can be disabled with the following commands:
+
+# chkconfig ypbind off
+# service ypbind stopTo check that the "ypbind" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "ypbind" --list
+
+Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "ypbind" --list
+"ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "ypbind" is disabled through current runtime configuration:
+
+# service ypbind status
+
+If the service is disabled the command will return the following output:
+
+ypbind is stopped
+
+
+If the service is running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000224The cron service must be running.<VulnDiscussion>Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:
+
+# chkconfig crond on
+# service crond startRun the following command to determine the current status of the "crond" service:
+
+# service crond status
+
+If the service is enabled, it should return the following:
+
+crond is running...
+
+
+If the service is not running, this is a finding.SRG-OS-000095<GroupDescription></GroupDescription>RHEL-06-000222The tftp-server package must not be installed unless required.<VulnDiscussion>Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000381The "tftp-server" package can be removed with the following command:
+
+# yum erase tftp-serverRun the following command to determine if the "tftp-server" package is installed:
+
+# rpm -q tftp-server
+
+
+If the package is installed, this is a finding.SRG-OS-000112<GroupDescription></GroupDescription>RHEL-06-000227The SSH daemon must be configured to use only the SSHv2 protocol.<VulnDiscussion>SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000774Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears:
+
+Protocol 2To check which SSH protocol version is allowed, run the following command:
+
+# grep Protocol /etc/ssh/sshd_config
+
+If configured properly, output should be
+
+Protocol 2
+
+
+If it is not, this is a finding.SRG-OS-000163<GroupDescription></GroupDescription>RHEL-06-000230The SSH daemon must set a timeout interval on idle sessions.<VulnDiscussion>Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001133SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
+
+To set an idle timeout interval, edit the following line in "/etc/ssh/sshd_config" as follows:
+
+ClientAliveInterval [interval]
+
+The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900.
+
+If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.Run the following command to see what the timeout interval is:
+
+# grep ClientAliveInterval /etc/ssh/sshd_config
+
+If properly configured, the output should be:
+
+ClientAliveInterval 900
+
+
+If it is not, this is a finding.SRG-OS-000248<GroupDescription></GroupDescription>RHEL-06-000223The TFTP service must not be running.<VulnDiscussion>Disabling the "tftp" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001436The "tftp" service should be disabled. The "tftp" service can be disabled with the following command:
+
+# chkconfig tftp offTo check that the "tftp" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "tftp" --list
+
+Output should indicate the "tftp" service has either not been installed, or has been disabled, as shown in the example below:
+
+# chkconfig "tftp" --list
+tftp off
+OR
+error reading information on service tftp: No such file or directory
+
+
+If the service is running, this is a finding.SRG-OS-000126<GroupDescription></GroupDescription>RHEL-06-000231The SSH daemon must set a timeout count on idle sessions.<VulnDiscussion>This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000879To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows:
+
+ClientAliveCountMax 0To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command:
+
+# grep ClientAliveCountMax /etc/ssh/sshd_config
+
+If properly configured, output should be:
+
+ClientAliveCountMax 0
+
+
+If it is not, this is a finding.SRG-OS-000106<GroupDescription></GroupDescription>RHEL-06-000234The SSH daemon must ignore .rhosts files.<VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000766SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files.
+
+To ensure this behavior is disabled, add or correct the following line in "/etc/ssh/sshd_config":
+
+IgnoreRhosts yesTo determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command:
+
+# grep -i IgnoreRhosts /etc/ssh/sshd_config
+
+If no line, a commented line, or a line indicating the value "yes" is returned, then the required value is set.
+If the required value is not set, this is a finding.SRG-OS-000106<GroupDescription></GroupDescription>RHEL-06-000236The SSH daemon must not allow host-based authentication.<VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000766SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
+
+To disable host-based authentication, add or correct the following line in "/etc/ssh/sshd_config":
+
+HostbasedAuthentication noTo determine how the SSH daemon's "HostbasedAuthentication" option is set, run the following command:
+
+# grep -i HostbasedAuthentication /etc/ssh/sshd_config
+
+If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set.
+If the required value is not set, this is a finding.SRG-OS-000109<GroupDescription></GroupDescription>RHEL-06-000237The system must not permit root logins using remote access programs such as ssh.<VulnDiscussion>Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000770The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in "/etc/ssh/sshd_config":
+
+PermitRootLogin noTo determine how the SSH daemon's "PermitRootLogin" option is set, run the following command:
+
+# grep -i PermitRootLogin /etc/ssh/sshd_config
+
+If a line indicating "no" is returned, then the required value is set.
+If the required value is not set, this is a finding.SRG-OS-000106<GroupDescription></GroupDescription>RHEL-06-000239The SSH daemon must not allow authentication using an empty password.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000766To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
+
+PermitEmptyPasswords no
+
+Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:
+
+# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
+
+If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set.
+If the required value is not set, this is a finding.SRG-OS-000023<GroupDescription></GroupDescription>RHEL-06-000240The SSH daemon must be configured with the Department of Defense (DoD) login banner.<VulnDiscussion>The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000048To enable the warning banner and ensure it is consistent across the system, add or correct the following line in "/etc/ssh/sshd_config":
+
+Banner /etc/issue
+
+Another section contains information on how to create an appropriate system-wide warning banner.To determine how the SSH daemon's "Banner" option is set, run the following command:
+
+# grep -i Banner /etc/ssh/sshd_config
+
+If a line indicating /etc/issue is returned, then the required value is set.
+If the required value is not set, this is a finding.SRG-OS-000242<GroupDescription></GroupDescription>RHEL-06-000241The SSH daemon must not permit user environment settings.<VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001414To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config":
+
+PermitUserEnvironment noTo ensure users are not able to present environment daemons, run the following command:
+
+# grep PermitUserEnvironment /etc/ssh/sshd_config
+
+If properly configured, output should be:
+
+PermitUserEnvironment no
+
+
+If it is not, this is a finding.SRG-OS-000169<GroupDescription></GroupDescription>RHEL-06-000243The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.<VulnDiscussion>Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001144Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers:
+
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+
+The man page "sshd_config(5)" contains a list of supported ciphers.Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:
+
+# grep Ciphers /etc/ssh/sshd_config
+
+The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers.
+If that is not the case, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000246The avahi service must be disabled.<VulnDiscussion>Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The "avahi-daemon" service can be disabled with the following commands:
+
+# chkconfig avahi-daemon off
+# service avahi-daemon stopTo check that the "avahi-daemon" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "avahi-daemon" --list
+
+Output should indicate the "avahi-daemon" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "avahi-daemon" --list
+"avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "avahi-daemon" is disabled through current runtime configuration:
+
+# service avahi-daemon status
+
+If the service is disabled the command will return the following output:
+
+avahi-daemon is stopped
+
+
+If the service is running, this is a finding.SRG-OS-000073<GroupDescription></GroupDescription>RHEL-06-000347There must be no .netrc files on the system.<VulnDiscussion>Unencrypted passwords for remote FTP servers may be stored in ".netrc" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000196The ".netrc" files contain logon information used to auto-logon into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any ".netrc" files should be removed.To check the system for the existence of any ".netrc" files, run the following command:
+
+$ sudo find /root /home -xdev -name .netrc
+
+If any .netrc files exist, this is a finding.SRG-OS-000056<GroupDescription></GroupDescription>RHEL-06-000247The system clock must be synchronized continuously, or at least daily.<VulnDiscussion>Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000160The "ntpd" service can be enabled with the following command:
+
+# chkconfig ntpd on
+# service ntpd startRun the following command to determine the current status of the "ntpd" service:
+
+# service ntpd status
+
+If the service is enabled, it should return the following:
+
+ntpd is running...
+
+
+If the service is not running, this is a finding.SRG-OS-000056<GroupDescription></GroupDescription>RHEL-06-000248The system clock must be synchronized to an authoritative DoD time source.<VulnDiscussion>Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000160To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver.
+
+server [ntpserver]
+
+This instructs the NTP software to contact that remote server to obtain time data.A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file.
+
+/etc/ntp.conf
+
+In the file, there should be a section similar to the following:
+
+# --- OUR TIMESERVERS -----
+server [ntpserver]
+
+
+If this is not the case, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000249Mail relaying must be restricted.<VulnDiscussion>This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears:
+
+inet_interfaces = localhostIf the system is an authorized mail relay host, this is not applicable.
+
+Run the following command to ensure postfix accepts mail messages from only the local system:
+
+$ grep inet_interfaces /etc/postfix/main.cf
+
+If properly configured, the output should show only "localhost".
+If it does not, this is a finding.SRG-OS-000206<GroupDescription></GroupDescription>RHEL-06-000135All rsyslog-generated log files must have mode 0600 or less permissive.<VulnDiscussion>Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001314The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions:
+
+$ ls -l [LOGFILE]
+
+If the permissions are not 600 or more restrictive, run the following command to correct this:
+
+# chmod 0600 [LOGFILE]The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in "/etc/rsyslog.conf" and typically all appear in "/var/log". For each log file [LOGFILE] referenced in "/etc/rsyslog.conf", run the following command to inspect the file's permissions:
+
+$ ls -l [LOGFILE]
+
+The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.
+
+If the permissions are not correct, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000138System logs must be rotated daily.<VulnDiscussion>Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The "logrotate" service should be installed or reinstalled if it is not installed and operating properly, by running the following command:
+
+# yum reinstall logrotateRun the following commands to determine the current status of the "logrotate" service:
+
+# grep logrotate /var/log/cron*
+
+If the logrotate service is not run on a daily basis by cron, this is a finding.SRG-OS-000250<GroupDescription></GroupDescription>RHEL-06-000252If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.<VulnDiscussion>The LDAP server will use unencrypted connections by default. If the LDAP daemon is not configured to use” ldaps:///”, all communications between the client and the server will not be encrypted. The LDAP server should be configured to use “ldaps:///” over the default “ldap:///”.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>If the LDAP server is using ldap:///, run the following command:
+
+# openssl s_client -connect [HOST]:389 -tls-1_1
+
+If the client successfully connects to the LDAP sever using TLSv1.1, this finding can be downgraded to a CAT III.</SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001453Configure the LDAP server to enforce TLS use.If the system does not use LDAP for authentication or account information, this is not applicable.
+
+To ensure LDAP is configured to use TLS for all transactions, run the following command:
+
+# ps –ef | grep “slapd”
+
+If the LDAP daemon is not using “ldaps:///”, this is a finding.
+
+If the LDAP daemon is using “ldap:///”, this is a finding.
+
+Verify that the LDAP client cannot connect using an unencrypted method.
+# openssl s_client –connect [HOST]:389
+
+If the following line is not returned, this is a finding:
+Socket: Connection refused.
+
+Note: The default port for unencrypted LDAP connections is 389.SRG-OS-000113<GroupDescription></GroupDescription>RHEL-06-000253The LDAP client must use a TLS connection using trust certificates signed by the site CA.<VulnDiscussion>The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000776Ensure a copy of the site's CA certificate has been placed in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file "/etc/pam_ldap.conf", and add or correct either of the following lines:
+
+tls_cacertdir /etc/pki/tls/CA
+
+or
+
+tls_cacertfile /etc/pki/tls/CA/cacert.pem
+
+Then review the LDAP server and ensure TLS has been configured.If the system does not use LDAP for authentication or account information, this is not applicable.
+
+To ensure TLS is configured with trust certificates, run the following command:
+
+# grep cert /etc/pam_ldap.conf
+
+
+If there is no output, or the lines are commented out, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000256The openldap-servers package must not be installed unless required.<VulnDiscussion>Unnecessary packages should not be installed to decrease the attack surface of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The "openldap-servers" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package.
+
+# yum erase openldap-servers
+
+The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.To verify the "openldap-servers" package is not installed, run the following command:
+
+$ rpm -q openldap-servers
+
+The output should show the following.
+
+package openldap-servers is not installed
+
+
+If it does not, this is a finding.SRG-OS-000255<GroupDescription></GroupDescription>RHEL-06-000145The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.<VulnDiscussion>Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001487The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:
+
+# chkconfig auditd on
+# service auditd startRun the following command to determine the current status of the "auditd" service:
+
+# service auditd status
+
+If the service is enabled, it should return the following:
+
+auditd is running...
+
+
+If the service is not running, this is a finding.SRG-OS-000029<GroupDescription></GroupDescription>RHEL-06-000257The graphical desktop environment must set the idle timeout to no more than 15 minutes.<VulnDiscussion>Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000057Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:
+
+# gconftool-2 \
+--direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type int \
+--set /apps/gnome-screensaver/idle_delay 15If the GConf2 package is not installed, this is not applicable.
+
+To check the current idle time-out value, run the following command:
+
+$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay
+
+If properly configured, the output should be "15".
+
+If it is not, this is a finding.SRG-OS-000029<GroupDescription></GroupDescription>RHEL-06-000258The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.<VulnDiscussion>Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000057Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:
+
+# gconftool-2 --direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type bool \
+--set /apps/gnome-screensaver/idle_activation_enabled trueIf the GConf2 package is not installed, this is not applicable.
+
+To check the screensaver mandatory use status, run the following command:
+
+$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled
+
+If properly configured, the output should be "true".
+
+If it is not, this is a finding.SRG-OS-000032<GroupDescription></GroupDescription>RHEL-06-000148The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.<VulnDiscussion>Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000067The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:
+
+# chkconfig auditd on
+# service auditd startRun the following command to determine the current status of the "auditd" service:
+
+# service auditd status
+
+If the service is enabled, it should return the following:
+
+auditd is running...
+
+
+If the service is not running, this is a finding.SRG-OS-000037<GroupDescription></GroupDescription>RHEL-06-000154The operating system must produce audit records containing sufficient information to establish what type of events occurred.<VulnDiscussion>Ensuring the "auditd" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000130The "auditd" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The "auditd" service can be enabled with the following commands:
+
+# chkconfig auditd on
+# service auditd startRun the following command to determine the current status of the "auditd" service:
+
+# service auditd status
+
+If the service is enabled, it should return the following:
+
+auditd is running...
+
+
+If the service is not running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000160The system must set a maximum audit log file size.<VulnDiscussion>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]:
+
+max_log_file = [STOREMB]
+
+Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf"
+
+max_log_file = 6
+
+
+If the system audit data threshold hasn't been properly set up, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000161The system must rotate audit log files that reach the maximum file size.<VulnDiscussion>Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf":
+
+max_log_file_action = [ACTION]
+
+Possible values for [ACTION] are described in the "auditd.conf" man page. These include:
+
+"ignore"
+"syslog"
+"suspend"
+"rotate"
+"keep_logs"
+
+
+Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size:
+
+# grep max_log_file_action /etc/audit/auditd.conf
+max_log_file_action = rotate
+
+If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding.
+
+If the system has not been properly set up to rotate audit logs, this is a finding.SRG-OS-000062<GroupDescription></GroupDescription>RHEL-06-000165The audit system must be configured to audit all attempts to alter system time through adjtimex.<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000169On a 32-bit system, add the following to "/etc/audit/audit.rules":
+
+# audit_time_rules
+-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
+
+On a 64-bit system, add the following to "/etc/audit/audit.rules":
+
+# audit_time_rules
+-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
+
+The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
+
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rulesTo determine if the system is configured to audit calls to the "adjtimex" system call, run the following command:
+
+$ sudo grep -w "adjtimex" /etc/audit/audit.rules
+
+If the system is configured to audit this activity, it will return a line.
+
+If the system is not configured to audit time changes, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000159The system must retain enough rotated audit logs to cover the required log retention period.<VulnDiscussion>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:
+
+num_logs = [NUMLOGS]
+
+Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf"
+
+num_logs = 5
+
+
+If the overall system log file(s) retention hasn't been properly set up, this is a finding.SRG-OS-000278<GroupDescription></GroupDescription>RHEL-06-000281The system package management tool must verify contents of all files associated with the audit package.<VulnDiscussion>The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001496The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database:
+
+# rpm -V audit | grep '^..5'
+
+A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories.
+
+rpm -Uvh [affected_package]
+
+OR
+
+yum reinstall [affected_package]The following command will list which audit files on the system have file hashes different from what is expected by the RPM database.
+
+# rpm -V audit | awk '$1 ~ /..5/ && $2 != "c"'
+
+
+If there is output, this is a finding.SRG-OS-000029<GroupDescription></GroupDescription>RHEL-06-000259The graphical desktop environment must have automatic lock enabled.<VulnDiscussion>Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000057Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:
+
+# gconftool-2 --direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type bool \
+--set /apps/gnome-screensaver/lock_enabled trueIf the GConf2 package is not installed, this is not applicable.
+
+To check the status of the idle screen lock activation, run the following command:
+
+$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled
+
+If properly configured, the output should be "true".
+If it is not, this is a finding.SRG-OS-000031<GroupDescription></GroupDescription>RHEL-06-000260The system must display a publicly-viewable pattern during a graphical desktop environment session lock.<VulnDiscussion>Setting the screensaver mode to blank-only conceals the contents of the display from passersby.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000060Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:
+
+# gconftool-2 \
+--direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type string \
+--set /apps/gnome-screensaver/mode blank-onlyIf the GConf2 package is not installed, this is not applicable.
+
+To ensure the screensaver is configured to be blank, run the following command:
+
+$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode
+
+If properly configured, the output should be "blank-only".
+If it is not, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000261The Automatic Bug Reporting Tool (abrtd) service must not be running.<VulnDiscussion>Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The Automatic Bug Reporting Tool ("abrtd") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The "abrtd" service can be disabled with the following commands:
+
+# chkconfig abrtd off
+# service abrtd stopTo check that the "abrtd" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "abrtd" --list
+
+Output should indicate the "abrtd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "abrtd" --list
+"abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "abrtd" is disabled through current runtime configuration:
+
+# service abrtd status
+
+If the service is disabled the command will return the following output:
+
+abrtd is stopped
+
+
+If the service is running, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000262The atd service must be disabled.<VulnDiscussion>The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "at" and "batch" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon "atd" keeps track of tasks scheduled via "at" and "batch", and executes them at the specified time. The "atd" service can be disabled with the following commands:
+
+# chkconfig atd off
+# service atd stopIf the system uses the "atd" service, this is not applicable.
+
+To check that the "atd" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "atd" --list
+
+Output should indicate the "atd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "atd" --list
+"atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "atd" is disabled through current runtime configuration:
+
+# service atd status
+
+If the service is disabled the command will return the following output:
+
+atd is stopped
+
+
+If the service is running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000346The system default umask for daemons must be 027 or 022.<VulnDiscussion>The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The file "/etc/init.d/functions" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately:
+
+umask [UMASK]
+
+Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.To check the value of the "umask", run the following command:
+
+$ grep umask /etc/init.d/functions
+
+The output should show either "022" or "027".
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000282There must be no world-writable files on the system.<VulnDiscussion>Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys:
+
+# find [PART] -xdev -type f -perm -002
+
+If there is output, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000265The ntpdate service must not be running.<VulnDiscussion>The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in "/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets the local hardware clock to the newly synchronized system time. The "ntpdate" service can be disabled with the following commands:
+
+# chkconfig ntpdate off
+# service ntpdate stopTo check that the "ntpdate" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "ntpdate" --list
+
+Output should indicate the "ntpdate" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "ntpdate" --list
+"ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "ntpdate" is disabled through current runtime configuration:
+
+# service ntpdate status
+
+If the service is disabled the command will return the following output:
+
+ntpdate is stopped
+
+
+If the service is running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000345The system default umask in /etc/login.defs must be 077.<VulnDiscussion>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To ensure the default umask controlled by "/etc/login.defs" is set properly, add or correct the "umask" setting in "/etc/login.defs" to read as follows:
+
+UMASK 077Verify the "umask" setting is configured correctly in the "/etc/login.defs" file by running the following command:
+
+# grep -i "umask" /etc/login.defs
+
+All output must show the value of "umask" set to 077, as shown in the below:
+
+# grep -i "umask" /etc/login.defs
+UMASK 077
+
+
+If the above command returns no output, or if the umask is configured incorrectly, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000266The oddjobd service must not be running.<VulnDiscussion>The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "oddjobd" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with "oddjobd" is through the system message bus. The "oddjobd" service can be disabled with the following commands:
+
+# chkconfig oddjobd off
+# service oddjobd stopTo check that the "oddjobd" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "oddjobd" --list
+
+Output should indicate the "oddjobd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "oddjobd" --list
+"oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "oddjobd" is disabled through current runtime configuration:
+
+# service oddjobd status
+
+If the service is disabled the command will return the following output:
+
+oddjobd is stopped
+
+
+If the service is running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000344The system default umask in /etc/profile must be 077.<VulnDiscussion>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows:
+
+umask 077Verify the "umask" setting is configured correctly in the "/etc/profile" file by running the following command:
+
+# grep "umask" /etc/profile
+
+All output must show the value of "umask" set to 077, as shown in the below:
+
+# grep "umask" /etc/profile
+umask 077
+
+
+If the above command returns no output, or if the umask is configured incorrectly, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000267The qpidd service must not be running.<VulnDiscussion>The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "qpidd" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The "qpidd" service can be disabled with the following commands:
+
+# chkconfig qpidd off
+# service qpidd stopTo check that the "qpidd" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "qpidd" --list
+
+Output should indicate the "qpidd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "qpidd" --list
+"qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "qpidd" is disabled through current runtime configuration:
+
+# service qpidd status
+
+If the service is disabled the command will return the following output:
+
+qpidd is stopped
+
+
+If the service is running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000343The system default umask for the csh shell must be 077.<VulnDiscussion>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows:
+
+umask 077Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file by running the following command:
+
+# grep "umask" /etc/csh.cshrc
+
+All output must show the value of "umask" set to 077, as shown in the below:
+
+# grep "umask" /etc/csh.cshrc
+umask 077
+
+
+If the above command returns no output, or if the umask is configured incorrectly, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000268The rdisc service must not be running.<VulnDiscussion>General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "rdisc" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The "rdisc" service can be disabled with the following commands:
+
+# chkconfig rdisc off
+# service rdisc stopTo check that the "rdisc" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "rdisc" --list
+
+Output should indicate the "rdisc" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "rdisc" --list
+"rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "rdisc" is disabled through current runtime configuration:
+
+# service rdisc status
+
+If the service is disabled the command will return the following output:
+
+rdisc is stopped
+
+
+If the service is running, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000342The system default umask for the bash shell must be 077.<VulnDiscussion>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows:
+
+umask 077Verify the "umask" setting is configured correctly in the "/etc/bashrc" file by running the following command:
+
+# grep "umask" /etc/bashrc
+
+All output must show the value of "umask" set to 077, as shown below:
+
+# grep "umask" /etc/bashrc
+umask 077
+umask 077
+
+
+If the above command returns no output, or if the umask is configured incorrectly, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000269Remote file systems must be mounted with the nodev option.<VulnDiscussion>Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Add the "nodev" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.To verify the "nodev" option is configured for all NFS mounts, run the following command:
+
+$ mount | grep "nfs "
+
+All NFS mounts should show the "nodev" setting in parentheses, along with other mount options.
+If the setting does not show, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000341The snmpd service must not use a default password.<VulnDiscussion>Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Edit "/etc/snmp/snmpd.conf", remove default community string "public". Upon doing that, restart the SNMP service:
+
+# service snmpd restartTo ensure the default password is not set, run the following command:
+
+# grep -v "^#" /etc/snmp/snmpd.conf| grep public
+
+There should be no output.
+If there is output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000270Remote file systems must be mounted with the nosuid option.<VulnDiscussion>NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Add the "nosuid" option to the fourth column of "/etc/fstab" for the line which controls mounting of any NFS mounts.To verify the "nosuid" option is configured for all NFS mounts, run the following command:
+
+$ mount | grep nfs
+
+All NFS mounts should show the "nosuid" setting in parentheses, along with other mount options.
+If the setting does not show, this is a finding.SRG-OS-000035<GroupDescription></GroupDescription>RHEL-06-000271The noexec option must be added to removable media partitions.<VulnDiscussion>Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000087The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.To verify that binaries cannot be directly executed from removable media, run the following command:
+
+# grep noexec /etc/fstab
+
+The output should show "noexec" in use.
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000272The system must use SMB client signing for connecting to samba servers using smbclient.<VulnDiscussion>Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To require samba clients running "smbclient" to use packet signing, add the following to the "[global]" section of the Samba configuration file in "/etc/samba/smb.conf":
+
+client signing = mandatory
+
+Requiring samba clients such as "smbclient" to use packet signing ensures they can only communicate with servers that support packet signing.To verify that Samba clients running smbclient must use packet signing, run the following command:
+
+# grep signing /etc/samba/smb.conf
+
+The output should show:
+
+client signing = mandatory
+
+
+If it is not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000273The system must use SMB client signing for connecting to samba servers using mount.cifs.<VulnDiscussion>Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used.
+
+See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.If Samba is not in use, this is not applicable.
+
+To verify that Samba clients using mount.cifs must use packet signing, run the following command:
+
+# grep sec /etc/fstab /etc/mtab
+
+The output should show either "krb5i" or "ntlmv2i" in use.
+If it does not, this is a finding.SRG-OS-000077<GroupDescription></GroupDescription>RHEL-06-000274The system must prohibit the reuse of passwords within five iterations.<VulnDiscussion>Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000200Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth", append "remember=5" to the line which refers to the "pam_pwhistory.so" module, as shown:
+
+password sufficient pam_pwhistory.so [existing_options] remember=5
+
+The DoD requirement is five passwords. To verify the password reuse setting is compliant, run the following command:
+
+# grep remember /etc/pam.d/system-auth
+
+The output must be a line beginning with "password sufficient pam_pwhistory.so" and ending with "remember=5".
+
+If the line is commented out, the line does not contain the specified elements, or the value for "remember" is less than 5, this is a finding.SRG-OS-000131<GroupDescription></GroupDescription>RHEL-06-000275The operating system must employ cryptographic mechanisms to protect information in storage.<VulnDiscussion>The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001019Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
+
+For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.
+
+For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
+
+part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]
+
+Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
+
+Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
+
+https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.htmlDetermine if encryption must be used to protect data on the system.
+If encryption must be used and is not employed, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000340The snmpd service must use only SNMP protocol version 3 or newer.<VulnDiscussion>Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.
+</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Edit "/etc/snmp/snmpd.conf", removing any references to "v1", "v2c", or "com2sec". Upon doing that, restart the SNMP service:
+
+# service snmpd restartTo ensure only SNMPv3 or newer is used, run the following command:
+
+# grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'
+
+There should be no output.
+If there is output, this is a finding.SRG-OS-000185<GroupDescription></GroupDescription>RHEL-06-000276The operating system must protect the confidentiality and integrity of data at rest. <VulnDiscussion>The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001199Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
+
+For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.
+
+For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
+
+part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]
+
+Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
+
+Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
+
+https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.htmlDetermine if encryption must be used to protect data on the system.
+If encryption must be used and is not employed, this is a finding.SRG-OS-000230<GroupDescription></GroupDescription>RHEL-06-000277The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.<VulnDiscussion>The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001200Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
+
+For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.
+
+For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
+
+part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]
+
+Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
+
+Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
+
+https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.htmlDetermine if encryption must be used to protect data on the system.
+If encryption must be used and is not employed, this is a finding.SRG-OS-000256<GroupDescription></GroupDescription>RHEL-06-000278The system package management tool must verify permissions on all files and directories associated with the audit package.<VulnDiscussion>Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001493The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database:
+
+# rpm --setperms auditThe following command will list which audit files on the system have permissions different from what is expected by the RPM database:
+
+# rpm -V audit | grep '^.M'
+
+If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory:
+
+# rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename]
+# ls -lL [filename]
+
+If the existing permissions are more permissive than those expected by RPM, this is a finding.SRG-OS-000257<GroupDescription></GroupDescription>RHEL-06-000279The system package management tool must verify ownership on all files and directories associated with the audit package.<VulnDiscussion>Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001494The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database:
+
+# rpm --setugids auditThe following command will list which audit files on the system have ownership different from what is expected by the RPM database:
+
+# rpm -V audit | grep '^.....U'
+
+
+If there is output, this is a finding.SRG-OS-000258<GroupDescription></GroupDescription>RHEL-06-000280The system package management tool must verify group-ownership on all files and directories associated with the audit package.<VulnDiscussion>Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001495The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database:
+
+# rpm --setugids auditThe following command will list which audit files on the system have group-ownership different from what is expected by the RPM database:
+
+# rpm -V audit | grep '^......G'
+
+
+If there is output, this is a finding.SRG-OS-000270<GroupDescription></GroupDescription>RHEL-06-000284The system must use and update a DoD-approved virus scan program.<VulnDiscussion>Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001668Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem.
+
+The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release.
+
+Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail. Inspect the system for a cron job or system service which executes a virus scanning tool regularly.
+To verify the McAfee VSEL system service is operational, run the following command:
+
+# /etc/init.d/nails status
+
+To check on the age of uvscan virus definition files, run the following command:
+
+# cd /opt/NAI/LinuxShield/engine/dat
+# ls -la avvscan.dat avvnames.dat avvclean.dat
+
+If virus scanning software does not run continuously, or at least daily, or has signatures that are out of date, this is a finding. SRG-OS-000196<GroupDescription></GroupDescription>RHEL-06-000285The system must have a host-based intrusion detection tool installed.<VulnDiscussion>Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001263The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.
+
+In DoD environments, supplemental intrusion detection tools, such as, the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with the proper functioning of SELinux, SELinux takes precedence. Inspect the system to determine if intrusion detection software has been installed. Verify the intrusion detection software is active.
+If no host-based intrusion detection tools are installed, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000286The x86 Ctrl-Alt-Delete key sequence must be disabled.<VulnDiscussion>A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366By default, the system includes the following line in "/etc/init/control-alt-delete.conf" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed:
+
+exec /sbin/shutdown -r now "Ctrl-Alt-Delete pressed"
+
+
+To configure the system to log a message instead of rebooting the system, add the following line to "/etc/init/control-alt-delete.override" to read as follows:
+
+exec /usr/bin/logger -p security.info "Ctrl-Alt-Delete pressed"To ensure the system is configured to log a message instead of rebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line is in "/etc/init/control-alt-delete.override":
+
+exec /usr/bin/logger -p security.info "Ctrl-Alt-Delete pressed"
+
+If the system is not configured to block the shutdown command when Ctrl-Alt-Delete is pressed, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000287The postfix service must be enabled for mail delivery.<VulnDiscussion>Local mail delivery is essential to some system maintenance and notification tasks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following command:
+
+# chkconfig postfix on
+# service postfix startRun the following command to determine the current status of the "postfix" service:
+
+# service postfix status
+
+If the service is enabled, it should return the following:
+
+postfix is running...
+
+If the service is not enabled, this is a finding.SRG-OS-000202<GroupDescription></GroupDescription>RHEL-06-000306The operating system must detect unauthorized changes to software and information. <VulnDiscussion>By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001297AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
+
+05 4 * * * root /usr/sbin/aide --check
+
+AIDE can be executed periodically through other means; this is merely one example.To determine that periodic AIDE execution has been scheduled, run the following command:
+
+# grep aide /etc/crontab /etc/cron.*/*
+
+If there is no output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000288The sendmail package must be removed.<VulnDiscussion>The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Sendmail is not the default mail transfer agent and is not installed by default. The "sendmail" package can be removed with the following command:
+
+# yum erase sendmailRun the following command to determine if the "sendmail" package is installed:
+
+# rpm -q sendmail
+
+
+If the package is installed, this is a finding.SRG-OS-000096<GroupDescription></GroupDescription>RHEL-06-000289The netconsole service must be disabled unless required.<VulnDiscussion>The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000382The "netconsole" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The "netconsole" service can be disabled with the following commands:
+
+# chkconfig netconsole off
+# service netconsole stopTo check that the "netconsole" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "netconsole" --list
+
+Output should indicate the "netconsole" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "netconsole" --list
+"netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+Run the following command to verify "netconsole" is disabled through current runtime configuration:
+
+# service netconsole status
+
+If the service is disabled the command will return the following output:
+
+netconsole is stopped
+
+
+If the service is running, this is a finding.SRG-OS-000265<GroupDescription></GroupDescription>RHEL-06-000307The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.<VulnDiscussion>By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001589AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
+
+05 4 * * * root /usr/sbin/aide --check
+
+AIDE can be executed periodically through other means; this is merely one example.To determine that periodic AIDE execution has been scheduled, run the following command:
+
+# grep aide /etc/crontab /etc/cron.*/*
+
+If there is no output, this is a finding.SRG-OS-000248<GroupDescription></GroupDescription>RHEL-06-000290X Windows must not be enabled unless required.<VulnDiscussion>Unnecessary services should be disabled to decrease the attack surface of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001436Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in "/etc/inittab" features a "3" as shown:
+
+id:3:initdefault:To verify the default runlevel is 3, run the following command:
+
+# grep initdefault /etc/inittab
+
+The output should show the following:
+
+id:3:initdefault:
+
+
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000308Process core dumps must be disabled unless needed.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To disable core dumps for all users, add the following line to "/etc/security/limits.conf":
+
+* hard core 0To verify that core dumps are disabled for all users, run the following command:
+
+$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf
+
+The output should be:
+
+* hard core 0
+
+If it is not, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000291The xorg-x11-server-common (X Windows) package must not be installed, unless required.<VulnDiscussion>Unnecessary packages should not be installed to decrease the attack surface of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command:
+
+# yum groupremove "X Window System"To ensure the X Windows package group is removed, run the following command:
+
+$ rpm -qi xorg-x11-server-common
+
+The output should be:
+
+package xorg-x11-server-common is not installed
+
+
+If it is not, this is a finding.SRG-OS-000104<GroupDescription></GroupDescription>RHEL-06-000309The NFS server must not have the insecure file locking option enabled.<VulnDiscussion>Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000764By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".To verify insecure file locking has been disabled, run the following command:
+
+# grep insecure_locks /etc/exports
+
+
+If there is output, this is a finding.SRG-OS-000048<GroupDescription></GroupDescription>RHEL-06-000311The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.<VulnDiscussion>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000143The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately:
+
+space_left = [num_megabytes]
+
+The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low:
+
+# grep space_left /etc/audit/auditd.conf
+
+space_left = [num_megabytes]
+
+
+If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000292The DHCP client must be disabled if not needed.<VulnDiscussion>DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes.
+
+Correct the BOOTPROTO line to read:
+
+BOOTPROTO=none
+
+
+Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:
+
+NETMASK=[local LAN netmask]
+IPADDR=[assigned IP address]
+GATEWAY=[local LAN default gateway]To verify that DHCP is not being used, examine the following file for each interface.
+
+# /etc/sysconfig/network-scripts/ifcfg-[IFACE]
+
+If there is any network interface without a associated "ifcfg" file, this is a finding.
+
+Look for the following:
+
+BOOTPROTO=none
+
+Also verify the following, substituting the appropriate values based on your site's addressing scheme:
+
+NETMASK=[local LAN netmask]
+IPADDR=[assigned IP address]
+GATEWAY=[local LAN default gateway]
+
+
+If it does not, this is a finding.SRG-OS-000046<GroupDescription></GroupDescription>RHEL-06-000313The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.<VulnDiscussion>Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000139The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:
+
+action_mail_acct = rootInspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:
+
+action_mail_acct = root
+
+
+If auditd is not configured to send emails per identified actions, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000294All GIDs referenced in /etc/passwd must be defined in /etc/group<VulnDiscussion>Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Add a group to the system for each GID referenced without a corresponding group.To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command:
+
+# pwck -r | grep 'no group'
+
+There should be no output.
+If there is output, this is a finding.SRG-OS-000034<GroupDescription></GroupDescription>RHEL-06-000315The Bluetooth kernel module must be disabled.<VulnDiscussion>If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000085The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module:
+
+install net-pf-31 /bin/true
+install bluetooth /bin/trueIf the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
+
+If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
+
+$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d
+
+If no line is returned, this is a finding.SRG-OS-000121<GroupDescription></GroupDescription>RHEL-06-000296All accounts on the system must have unique user or account names<VulnDiscussion>Unique usernames allow for accountability on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000804Change usernames, or delete accounts, so each has a unique name.Run the following command to check for duplicate account names:
+
+# pwck -rq
+
+If there are no duplicate names, no line will be returned.
+If a line is returned, this is a finding.SRG-OS-000027<GroupDescription></GroupDescription>RHEL-06-000319The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.<VulnDiscussion>Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000054Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in "/etc/security/limits.conf":
+
+* hard maxlogins 10
+
+A documented site-defined number may be substituted for 10 in the above.Run the following command to ensure the "maxlogins" value is configured for all users on the system:
+
+$ grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf
+
+You should receive output similar to the following:
+
+* hard maxlogins 10
+
+If it is not similar, this is a finding. SRG-OS-000002<GroupDescription></GroupDescription>RHEL-06-000297Temporary accounts must be provisioned with an expiration date.<VulnDiscussion>When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000016In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately:
+
+# chage -E [YYYY-MM-DD] [USER]
+
+"[YYYY-MM-DD]" indicates the documented expiration date for the account.For every temporary account, run the following command to obtain its account aging and expiration information:
+
+# chage -l [USER]
+
+Verify each of these accounts has an expiration date set as documented.
+If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding.SRG-OS-000147<GroupDescription></GroupDescription>RHEL-06-000320The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.<VulnDiscussion>In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001109To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables":
+
+:FORWARD DROP [0:0]Run the following command to ensure the default "FORWARD" policy is "DROP":
+
+grep ":FORWARD" /etc/sysconfig/iptables
+
+The output must be the following:
+
+# grep ":FORWARD" /etc/sysconfig/iptables
+:FORWARD DROP [0:0]
+
+If it is not, this is a finding.SRG-OS-000160<GroupDescription></GroupDescription>RHEL-06-000321The system must provide VPN connectivity for communications over untrusted networks.<VulnDiscussion>Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001130The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "openswan" package can be installed with the following command:
+
+# yum install openswanIf the system does not communicate over untrusted networks, this is not applicable.
+
+Run the following command to determine if the "openswan" package is installed:
+
+# rpm -q openswan
+
+
+If the package is not installed, this is a finding.SRG-OS-000024<GroupDescription></GroupDescription>RHEL-06-000324A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.<VulnDiscussion>An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000050To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:
+
+# gconftool-2 --direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type bool \
+--set /apps/gdm/simple-greeter/banner_message_enable true
+
+To display a banner, this setting must be enabled and then banner text must also be set.If the GConf2 package is not installed, this is not applicable.
+
+To ensure a login warning banner is enabled, run the following:
+
+$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable
+
+Search for the "banner_message_enable" schema. If properly configured, the "default" value should be "true".
+If it is not, this is a finding.SRG-OS-000228<GroupDescription></GroupDescription>RHEL-06-000326The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.<VulnDiscussion>An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388To set the text shown by the GNOME Display Manager in the login screen, run the following command:
+
+# gconftool-2
+--direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type string \
+--set /apps/gdm/simple-greeter/banner_message_text \
+"[DoD required text]"
+
+Where the DoD required text is either:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+OR:
+
+"I've read & consent to terms in IS user agreem't."
+
+When entering a warning banner that spans several lines, remember to begin and end the string with """. This command writes directly to the file "/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml", and this file can later be edited directly if necessary.If the GConf2 package is not installed, this is not applicable.
+
+To ensure login warning banner text is properly set, run the following:
+
+$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text
+
+If properly configured, the proper banner text will appear within this schema.
+
+The DoD required text is either:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+OR:
+
+"I've read & consent to terms in IS user agreem't."
+
+If the DoD required banner text does not appear in the schema, this is a finding.SRG-OS-000123<GroupDescription></GroupDescription>RHEL-06-000298Emergency accounts must be provisioned with an expiration date.
+<VulnDiscussion>When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001682In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting "[USER]" and "[YYYY-MM-DD]" appropriately:
+
+# chage -E [YYYY-MM-DD] [USER]
+
+"[YYYY-MM-DD]" indicates the documented expiration date for the account.For every emergency account, run the following command to obtain its account aging and expiration information:
+
+# chage -l [USER]
+
+Verify each of these accounts has an expiration date set as documented.
+If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding.SRG-OS-000034<GroupDescription></GroupDescription>RHEL-06-000331The Bluetooth service must be disabled.<VulnDiscussion>Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000085The "bluetooth" service can be disabled with the following command:
+
+# chkconfig bluetooth off
+
+
+
+# service bluetooth stopTo check that the "bluetooth" service is disabled in system boot configuration, run the following command:
+
+# chkconfig "bluetooth" --list
+
+Output should indicate the "bluetooth" service has either not been installed or has been disabled at all runlevels, as shown in the example below:
+
+# chkconfig "bluetooth" --list
+"bluetooth" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
+
+
+If the service is configured to run, this is a finding.GEN006660<GroupDescription></GroupDescription>RHEL-06-000334Accounts must be locked upon 35 days of inactivity.<VulnDiscussion>Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000017To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:
+
+INACTIVE=[NUM_DAYS]
+
+A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.To verify the "INACTIVE" setting, run the following command:
+
+grep "INACTIVE" /etc/default/useradd
+
+The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below:
+
+# grep "INACTIVE" /etc/default/useradd
+INACTIVE=35
+
+If it does not, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000299The system must require passwords to contain no more than three consecutive repeating characters.<VulnDiscussion>Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The pam_cracklib module's "maxrepeat" parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters.
+
+password required pam_cracklib.so maxrepeat=3 To check the maximum value for consecutive repeating characters, run the following command:
+
+$ grep pam_cracklib /etc/pam.d/system-auth
+
+Look for the value of the "maxrepeat" parameter. The DoD requirement is 3.
+If maxrepeat is not found or not set to the required value, this is a finding.SRG-OS-000118<GroupDescription></GroupDescription>RHEL-06-000335The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.<VulnDiscussion>Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000795To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:
+
+INACTIVE=[NUM_DAYS]
+
+A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.To verify the "INACTIVE" setting, run the following command:
+
+grep "INACTIVE" /etc/default/useradd
+
+The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below:
+
+# grep "INACTIVE" /etc/default/useradd
+INACTIVE=35
+
+If it does not, this is a finding.SRG-OS-000094<GroupDescription></GroupDescription>RHEL-06-000302A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.<VulnDiscussion>By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000374AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
+
+05 4 * * * root /usr/sbin/aide --check
+
+AIDE can be executed periodically through other means; this is merely one example.To determine that periodic AIDE execution has been scheduled, run the following command:
+
+# grep aide /etc/crontab /etc/cron.*/*
+
+If there is no output or if aide is not run at least weekly, this is a finding.SRG-OS-000098<GroupDescription></GroupDescription>RHEL-06-000303The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.<VulnDiscussion>By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000416AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
+
+05 4 * * * root /usr/sbin/aide --check
+
+AIDE can be executed periodically through other means; this is merely one example.To determine that periodic AIDE execution has been scheduled, run the following command:
+
+# grep aide /etc/crontab /etc/cron.*/*
+
+If there is no output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000336The sticky bit must be set on all public directories.<VulnDiscussion>Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
+
+The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
+To set the sticky bit on a world-writable directory [DIR], run the following command:
+
+# chmod +t [DIR]To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]:
+
+# find [PART] -xdev -type d -perm -002 \! -perm -1000
+
+
+If any world-writable directories are missing the sticky bit, this is a finding.SRG-OS-000232<GroupDescription></GroupDescription>RHEL-06-000304The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.<VulnDiscussion>By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001069AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
+
+05 4 * * * root /usr/sbin/aide --check
+
+AIDE can be executed periodically through other means; this is merely one example.To determine that periodic AIDE execution has been scheduled, run the following command:
+
+# grep aide /etc/crontab /etc/cron.*/*
+
+If there is no output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000337All public directories must be owned by a system account.<VulnDiscussion>Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]:
+
+# find [PART] -xdev -type d -perm -0002 -uid +499 -print
+
+
+If there is output, this is a finding.SRG-OS-000196<GroupDescription></GroupDescription>RHEL-06-000305The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. <VulnDiscussion>By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-001263AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
+
+05 4 * * * root /usr/sbin/aide --check
+
+AIDE can be executed periodically through other means; this is merely one example.To determine that periodic AIDE execution has been scheduled, run the following command:
+
+# grep aide /etc/crontab /etc/cron.*/*
+
+If there is no output, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000338The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.<VulnDiscussion>Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default):
+
+server_args = -s /var/lib/tftpbootVerify "tftp" is configured by with the "-s" option by running the following command:
+
+grep "server_args" /etc/xinetd.d/tftp
+
+The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below:
+
+# grep "server_args" /etc/xinetd.d/tftp
+server_args = -s /var/lib/tftpboot
+
+If it does not, this is a finding.SRG-OS-000037<GroupDescription></GroupDescription>RHEL-06-000339The FTP daemon must be configured for logging or verbose mode.<VulnDiscussion>To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000130Add or correct the following configuration options within the "vsftpd" configuration file, located at "/etc/vsftpd/vsftpd.conf".
+
+xferlog_enable=YES
+xferlog_std_format=NO
+log_ftp_protocol=YESFind if logging is applied to the ftp daemon.
+
+Procedures:
+
+If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file.
+
+# grep vsftpd /etc/xinetd.d/*
+
+
+
+# grep server_args [vsftpd xinetd.d startup file]
+
+This will indicate the vsftpd config file used when starting through xinetd. If the [server_args]line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
+
+# grep xferlog_enable [vsftpd config file]
+
+
+If xferlog_enable is missing, or is not set to yes, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000527The login user list must be disabled.<VulnDiscussion>Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled.
+
+Run the following command to disable the user list:
+
+$ sudo gconftool-2 --direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--type bool --set /apps/gdm/simple-greeter/disable_user_list trueIf the GConf2 package is not installed, this is not applicable.
+
+To ensure the user list is disabled, run the following command:
+
+$ gconftool-2 --direct \
+--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+--get /apps/gdm/simple-greeter/disable_user_list
+
+The output should be "true". If it is not, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000017The system must use a Linux Security Module at boot time.<VulnDiscussion>Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366SELinux can be disabled at boot time by an argument in "/boot/grub/grub.conf". Remove any instances of "selinux=0" from the kernel arguments in that file to prevent SELinux from being disabled at boot. Inspect "/boot/grub/grub.conf" for any instances of "selinux=0" in the kernel boot arguments. Presence of "selinux=0" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000020The system must use a Linux Security Module configured to enforce limits on system services.<VulnDiscussion>Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode:
+
+SELINUX=enforcingCheck the file "/etc/selinux/config" and ensure the following line appears:
+
+SELINUX=enforcing
+
+If SELINUX is not set to enforcing, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000023The system must use a Linux Security Module configured to limit the privileges of system services.<VulnDiscussion>Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config":
+
+SELINUXTYPE=targeted
+
+Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. Check the file "/etc/selinux/config" and ensure the following line appears:
+
+SELINUXTYPE=targeted
+
+If it does not, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000025All device files must be monitored by the system Linux Security Module.<VulnDiscussion>If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context. To check for unlabeled device files, run the following command:
+
+# ls -RZ /dev | grep unlabeled_t
+
+It should produce no output in a well-configured system.
+
+If there is output, this is a finding. SRG-OS-000232<GroupDescription></GroupDescription>RHEL-06-000018A file integrity baseline must be created.<VulnDiscussion>For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366Run the following command to generate a new database:
+
+# /usr/sbin/aide --init
+
+By default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
+
+# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+To initiate a manual check, run the following command:
+
+# /usr/sbin/aide --check
+
+If this check produces any unexpected output, investigate. To find the location of the AIDE database file, run the following command:
+
+# grep DBDIR /etc/aide.conf
+
+Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file:
+
+# ls -l [DBDIR]/[database_file_name]
+
+If there is no database file, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000372The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.<VulnDiscussion>Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so":
+
+session required pam_lastlog.so showfailedTo ensure that last logon/access notification is configured correctly, run the following command:
+
+# grep pam_lastlog.so /etc/pam.d/system-auth
+
+The output should show output "showfailed". If that is not the case, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000163The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.<VulnDiscussion>Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000366The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:
+
+admin_space_left_action = [ACTION]
+
+Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page. Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low:
+
+admin_space_left_action = single
+
+If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding. SRG-OS-999999<GroupDescription></GroupDescription>RHEL-06-000528The noexec option must be added to the /tmp partition.<VulnDiscussion>Allowing users to execute binaries from world-writable directories such as "/tmp" should never be necessary in normal operation and can expose the system to potential compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-000381The "noexec" mount option can be used to prevent binaries from being executed out of "/tmp". Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of "/tmp".To verify that binaries cannot be directly executed from the /tmp directory, run the following command:
+
+$ grep '\s/tmp' /etc/fstab
+
+The resulting output will show whether the /tmp partition has the "noexec" flag set. If the /tmp partition does not have the noexec flag set, this is a finding.SRG-OS-000373<GroupDescription></GroupDescription>RHEL-06-000529The sudo command must require authentication.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 6DISADPMS TargetRed Hat 62367CCI-002038Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options.
+
+# visudo
+# visudo -f [other sudo configuration file]Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here.
+
+# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*
+# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*
+
+If the "NOPASSWD" or "!authenticate" options are configured for use in "/etc/sudoers" or associated files, this is a finding.
\ No newline at end of file
diff --git a/doc/metadata/import-existing-notes.py b/doc/metadata/import-existing-notes.py
new file mode 100644
index 00000000..51b36276
--- /dev/null
+++ b/doc/metadata/import-existing-notes.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Import existing developer notes into base YAML format."""
+import os
+
+
+import jinja2
+
+
+SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
+METADATA_DIR = "{0}/rhel6".format(SCRIPT_DIR)
+NOTES_DIR = "{0}/../source/stig-notes".format(SCRIPT_DIR)
+
+yaml_tmp = """---
+id: {{ note_data['id'] }}
+status: {{ note_data['status'] }}
+tag: {{ note_data['tag'] }}
+---
+
+{{ note_data['deployer_notes'] }}
+"""
+
+
+note_files = [x for x in os.listdir(NOTES_DIR) if 'developer' in x]
+for note_file in note_files:
+ stig_id = note_file[0:7]
+
+ with open("{0}/{1}".format(NOTES_DIR, note_file), 'r') as f:
+ content = f.read()
+
+ first_line = content.splitlines()[0]
+ print(first_line)
+ if 'exception' in first_line.lower():
+ status = 'exception'
+ elif 'opt-in' in first_line.lower():
+ status = 'opt-in'
+ else:
+ status = 'implemented'
+
+ note_data = {
+ 'id': stig_id,
+ 'status': status,
+ 'tag': 'misc',
+ 'deployer_notes': content
+ }
+
+ with open("{0}/{1}.rst".format(METADATA_DIR, stig_id), 'w') as f:
+ template = jinja2.Template(yaml_tmp)
+ f.write(template.render(note_data=note_data))
diff --git a/doc/source/stig-notes/V-38437_developer.rst b/doc/metadata/rhel6/V-38437.rst
similarity index 77%
rename from doc/source/stig-notes/V-38437_developer.rst
rename to doc/metadata/rhel6/V-38437.rst
index b98be695..35fc9733 100644
--- a/doc/source/stig-notes/V-38437_developer.rst
+++ b/doc/metadata/rhel6/V-38437.rst
@@ -1,3 +1,9 @@
+---
+id: V-38437
+status: implemented
+tag: misc
+---
+
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
of this change, adjust the following variable:
diff --git a/doc/source/stig-notes/V-38438_developer.rst b/doc/metadata/rhel6/V-38438.rst
similarity index 60%
rename from doc/source/stig-notes/V-38438_developer.rst
rename to doc/metadata/rhel6/V-38438.rst
index 3adf0927..ac6846a1 100644
--- a/doc/source/stig-notes/V-38438_developer.rst
+++ b/doc/metadata/rhel6/V-38438.rst
@@ -1,7 +1,10 @@
-The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
-in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
-update the active ``grub.cfg`` so that the change takes effect on the next
-boot.
+---
+id: V-38438
+status: exception
+tag: misc
+---
+
+**Exception**
To opt-out of the change, set the following variable:
diff --git a/doc/source/stig-notes/V-38439_developer.rst b/doc/metadata/rhel6/V-38439.rst
similarity index 81%
rename from doc/source/stig-notes/V-38439_developer.rst
rename to doc/metadata/rhel6/V-38439.rst
index d06d35fe..632a4a0d 100644
--- a/doc/source/stig-notes/V-38439_developer.rst
+++ b/doc/metadata/rhel6/V-38439.rst
@@ -1,3 +1,9 @@
+---
+id: V-38439
+status: exception
+tag: misc
+---
+
**Exception**
Although adding centralized authentication and carefully managing user
diff --git a/doc/source/stig-notes/V-38443_developer.rst b/doc/metadata/rhel6/V-38443.rst
similarity index 75%
rename from doc/source/stig-notes/V-38443_developer.rst
rename to doc/metadata/rhel6/V-38443.rst
index a41c8833..3062e6dd 100644
--- a/doc/source/stig-notes/V-38443_developer.rst
+++ b/doc/metadata/rhel6/V-38443.rst
@@ -1,2 +1,8 @@
+---
+id: V-38443
+status: implemented
+tag: misc
+---
+
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
16.04 and CentOS 7. The security role ensures that the file is owned by root.
diff --git a/doc/source/stig-notes/V-38444_developer.rst b/doc/metadata/rhel6/V-38444.rst
similarity index 69%
rename from doc/source/stig-notes/V-38444_developer.rst
rename to doc/metadata/rhel6/V-38444.rst
index eaea8db5..ba17b514 100644
--- a/doc/source/stig-notes/V-38444_developer.rst
+++ b/doc/metadata/rhel6/V-38444.rst
@@ -1,3 +1,9 @@
+---
+id: V-38444
+status: exception
+tag: misc
+---
+
**Exception**
See V-38551 for additional details. IPv6 configuration and filtering is left
diff --git a/doc/source/stig-notes/V-38445_developer.rst b/doc/metadata/rhel6/V-38445.rst
similarity index 78%
rename from doc/source/stig-notes/V-38445_developer.rst
rename to doc/metadata/rhel6/V-38445.rst
index 0b3e7a37..255e015e 100644
--- a/doc/source/stig-notes/V-38445_developer.rst
+++ b/doc/metadata/rhel6/V-38445.rst
@@ -1,3 +1,9 @@
+---
+id: V-38445
+status: implemented
+tag: misc
+---
+
The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files
are owned by the root user.
diff --git a/doc/source/stig-notes/V-38446_developer.rst b/doc/metadata/rhel6/V-38446.rst
similarity index 84%
rename from doc/source/stig-notes/V-38446_developer.rst
rename to doc/metadata/rhel6/V-38446.rst
index ef72f854..5f13c273 100644
--- a/doc/source/stig-notes/V-38446_developer.rst
+++ b/doc/metadata/rhel6/V-38446.rst
@@ -1,3 +1,9 @@
+---
+id: V-38446
+status: implemented
+tag: misc
+---
+
Forwarding root's email to another user is highly recommended, but the Ansible
tasks won't configure an email address to receive root's email unless that
email address is configured. Set ``security_root_forward_email`` to an email
diff --git a/doc/source/stig-notes/V-38454_developer.rst b/doc/metadata/rhel6/V-38447.rst
similarity index 95%
rename from doc/source/stig-notes/V-38454_developer.rst
rename to doc/metadata/rhel6/V-38447.rst
index de10ab7d..c7c84bdf 100644
--- a/doc/source/stig-notes/V-38454_developer.rst
+++ b/doc/metadata/rhel6/V-38447.rst
@@ -1,3 +1,9 @@
+---
+id: V-38447
+status: exception
+tag: misc
+---
+
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of
diff --git a/doc/source/stig-notes/V-38448_developer.rst b/doc/metadata/rhel6/V-38448.rst
similarity index 72%
rename from doc/source/stig-notes/V-38448_developer.rst
rename to doc/metadata/rhel6/V-38448.rst
index ef9023ab..aa220470 100644
--- a/doc/source/stig-notes/V-38448_developer.rst
+++ b/doc/metadata/rhel6/V-38448.rst
@@ -1,2 +1,8 @@
+---
+id: V-38448
+status: implemented
+tag: misc
+---
+
Although the ``/etc/gshadow`` file is group-owned by root by default, the
Ansible tasks will ensure that it is configured that way.
diff --git a/doc/source/stig-notes/V-38449_developer.rst b/doc/metadata/rhel6/V-38449.rst
similarity index 67%
rename from doc/source/stig-notes/V-38449_developer.rst
rename to doc/metadata/rhel6/V-38449.rst
index c4746e25..3411c84a 100644
--- a/doc/source/stig-notes/V-38449_developer.rst
+++ b/doc/metadata/rhel6/V-38449.rst
@@ -1,2 +1,8 @@
+---
+id: V-38449
+status: implemented
+tag: misc
+---
+
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
the requirements of the STIG.
diff --git a/doc/source/stig-notes/V-38450_developer.rst b/doc/metadata/rhel6/V-38450.rst
similarity index 53%
rename from doc/source/stig-notes/V-38450_developer.rst
rename to doc/metadata/rhel6/V-38450.rst
index e697cf70..0c1da8f2 100644
--- a/doc/source/stig-notes/V-38450_developer.rst
+++ b/doc/metadata/rhel6/V-38450.rst
@@ -1 +1,7 @@
+---
+id: V-38450
+status: implemented
+tag: misc
+---
+
The ownership of ``/etc/passwd`` will be changed to root.
diff --git a/doc/source/stig-notes/V-38451_developer.rst b/doc/metadata/rhel6/V-38451.rst
similarity index 54%
rename from doc/source/stig-notes/V-38451_developer.rst
rename to doc/metadata/rhel6/V-38451.rst
index 6bc4e6e8..618cec4d 100644
--- a/doc/source/stig-notes/V-38451_developer.rst
+++ b/doc/metadata/rhel6/V-38451.rst
@@ -1 +1,7 @@
+---
+id: V-38451
+status: implemented
+tag: misc
+---
+
The group ownership for ``/etc/passwd`` will be set to root.
diff --git a/doc/source/stig-notes/V-38447_developer.rst b/doc/metadata/rhel6/V-38452.rst
similarity index 95%
rename from doc/source/stig-notes/V-38447_developer.rst
rename to doc/metadata/rhel6/V-38452.rst
index de10ab7d..d32dd45a 100644
--- a/doc/source/stig-notes/V-38447_developer.rst
+++ b/doc/metadata/rhel6/V-38452.rst
@@ -1,3 +1,9 @@
+---
+id: V-38452
+status: exception
+tag: misc
+---
+
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of
diff --git a/doc/source/stig-notes/V-38665_developer.rst b/doc/metadata/rhel6/V-38453.rst
similarity index 84%
rename from doc/source/stig-notes/V-38665_developer.rst
rename to doc/metadata/rhel6/V-38453.rst
index 94b7b403..12396a40 100644
--- a/doc/source/stig-notes/V-38665_developer.rst
+++ b/doc/metadata/rhel6/V-38453.rst
@@ -1,3 +1,9 @@
+---
+id: V-38453
+status: exception
+tag: misc
+---
+
**Exception for Ubuntu**
Verifying ownership and permissions of installed packages isn't possible in the
diff --git a/doc/source/stig-notes/V-38452_developer.rst b/doc/metadata/rhel6/V-38454.rst
similarity index 95%
rename from doc/source/stig-notes/V-38452_developer.rst
rename to doc/metadata/rhel6/V-38454.rst
index de10ab7d..5c6fb091 100644
--- a/doc/source/stig-notes/V-38452_developer.rst
+++ b/doc/metadata/rhel6/V-38454.rst
@@ -1,3 +1,9 @@
+---
+id: V-38454
+status: exception
+tag: misc
+---
+
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of
diff --git a/doc/source/stig-notes/V-38455_developer.rst b/doc/metadata/rhel6/V-38455.rst
similarity index 85%
rename from doc/source/stig-notes/V-38455_developer.rst
rename to doc/metadata/rhel6/V-38455.rst
index 6e7733fd..dd5d336d 100644
--- a/doc/source/stig-notes/V-38455_developer.rst
+++ b/doc/metadata/rhel6/V-38455.rst
@@ -1,3 +1,9 @@
+---
+id: V-38455
+status: exception
+tag: misc
+---
+
**Exception**
Configuring another mount for ``/tmp`` can disrupt a running system and this
diff --git a/doc/source/stig-notes/V-38456_developer.rst b/doc/metadata/rhel6/V-38456.rst
similarity index 85%
rename from doc/source/stig-notes/V-38456_developer.rst
rename to doc/metadata/rhel6/V-38456.rst
index 9f10cedf..ff11426f 100644
--- a/doc/source/stig-notes/V-38456_developer.rst
+++ b/doc/metadata/rhel6/V-38456.rst
@@ -1,3 +1,9 @@
+---
+id: V-38456
+status: exception
+tag: misc
+---
+
**Exception**
Configuring another mount for ``/var`` can disrupt a running system and this
diff --git a/doc/source/stig-notes/V-38457_developer.rst b/doc/metadata/rhel6/V-38457.rst
similarity index 54%
rename from doc/source/stig-notes/V-38457_developer.rst
rename to doc/metadata/rhel6/V-38457.rst
index 76d83a9e..4a4ca46f 100644
--- a/doc/source/stig-notes/V-38457_developer.rst
+++ b/doc/metadata/rhel6/V-38457.rst
@@ -1 +1,7 @@
+---
+id: V-38457
+status: implemented
+tag: misc
+---
+
The permissions for ``/etc/passwd`` will be set to ``0644``.
diff --git a/doc/source/stig-notes/V-38458_developer.rst b/doc/metadata/rhel6/V-38458.rst
similarity index 62%
rename from doc/source/stig-notes/V-38458_developer.rst
rename to doc/metadata/rhel6/V-38458.rst
index 8711a5d5..cd140460 100644
--- a/doc/source/stig-notes/V-38458_developer.rst
+++ b/doc/metadata/rhel6/V-38458.rst
@@ -1,2 +1,8 @@
+---
+id: V-38458
+status: implemented
+tag: misc
+---
+
The Ansible task will ensure that the ``/etc/group`` file is owned by the root
user.
diff --git a/doc/source/stig-notes/V-38459_developer.rst b/doc/metadata/rhel6/V-38459.rst
similarity index 63%
rename from doc/source/stig-notes/V-38459_developer.rst
rename to doc/metadata/rhel6/V-38459.rst
index da7989da..db089eff 100644
--- a/doc/source/stig-notes/V-38459_developer.rst
+++ b/doc/metadata/rhel6/V-38459.rst
@@ -1,2 +1,8 @@
+---
+id: V-38459
+status: implemented
+tag: misc
+---
+
The tasks in file_perms.yml will ensure that "/etc/group" is owned by
the root account.
diff --git a/doc/source/stig-notes/V-38460_developer.rst b/doc/metadata/rhel6/V-38460.rst
similarity index 83%
rename from doc/source/stig-notes/V-38460_developer.rst
rename to doc/metadata/rhel6/V-38460.rst
index 3333843d..57182280 100644
--- a/doc/source/stig-notes/V-38460_developer.rst
+++ b/doc/metadata/rhel6/V-38460.rst
@@ -1,3 +1,9 @@
+---
+id: V-38460
+status: implemented
+tag: misc
+---
+
The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is
present). If found, a warning message will be printed. No configuration
changes will be made since neither Ubuntu or openstack-ansible configures
diff --git a/doc/source/stig-notes/V-38461_developer.rst b/doc/metadata/rhel6/V-38461.rst
similarity index 73%
rename from doc/source/stig-notes/V-38461_developer.rst
rename to doc/metadata/rhel6/V-38461.rst
index b10c0988..bf6f6e24 100644
--- a/doc/source/stig-notes/V-38461_developer.rst
+++ b/doc/metadata/rhel6/V-38461.rst
@@ -1,2 +1,8 @@
+---
+id: V-38461
+status: implemented
+tag: misc
+---
+
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
task will ensure that it is current set to those permissions.
diff --git a/doc/source/stig-notes/V-38462_developer.rst b/doc/metadata/rhel6/V-38462.rst
similarity index 94%
rename from doc/source/stig-notes/V-38462_developer.rst
rename to doc/metadata/rhel6/V-38462.rst
index 464a3ed1..402c5c1c 100644
--- a/doc/source/stig-notes/V-38462_developer.rst
+++ b/doc/metadata/rhel6/V-38462.rst
@@ -1,3 +1,9 @@
+---
+id: V-38462
+status: implemented
+tag: misc
+---
+
All versions of Ubuntu and CentOS supported by the role verify packages against
GPG signatures by default.
diff --git a/doc/source/stig-notes/V-38463_developer.rst b/doc/metadata/rhel6/V-38463.rst
similarity index 87%
rename from doc/source/stig-notes/V-38463_developer.rst
rename to doc/metadata/rhel6/V-38463.rst
index 91a1a032..77be6cc7 100644
--- a/doc/source/stig-notes/V-38463_developer.rst
+++ b/doc/metadata/rhel6/V-38463.rst
@@ -1,3 +1,9 @@
+---
+id: V-38463
+status: exception
+tag: misc
+---
+
**Exception**
Configuring a separate partition for ``/var/log`` is currently left up to the
diff --git a/doc/source/stig-notes/V-38464_developer.rst b/doc/metadata/rhel6/V-38464.rst
similarity index 94%
rename from doc/source/stig-notes/V-38464_developer.rst
rename to doc/metadata/rhel6/V-38464.rst
index 1fe85e6d..b299a65c 100644
--- a/doc/source/stig-notes/V-38464_developer.rst
+++ b/doc/metadata/rhel6/V-38464.rst
@@ -1,3 +1,9 @@
+---
+id: V-38464
+status: implemented
+tag: misc
+---
+
The default configuration for ``disk_error_action`` is ``SUSPEND``, which
only suspends audit logging when there is a disk error on the system.
Suspending audit logging can lead to security problems because the system is no
diff --git a/doc/source/stig-notes/V-38465_developer.rst b/doc/metadata/rhel6/V-38465.rst
similarity index 83%
rename from doc/source/stig-notes/V-38465_developer.rst
rename to doc/metadata/rhel6/V-38465.rst
index 0b8d5bbc..ecda4f1e 100644
--- a/doc/source/stig-notes/V-38465_developer.rst
+++ b/doc/metadata/rhel6/V-38465.rst
@@ -1,3 +1,9 @@
+---
+id: V-38465
+status: exception
+tag: misc
+---
+
**Exception**
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
diff --git a/doc/source/stig-notes/V-38466_developer.rst b/doc/metadata/rhel6/V-38466.rst
similarity index 80%
rename from doc/source/stig-notes/V-38466_developer.rst
rename to doc/metadata/rhel6/V-38466.rst
index 3675eda1..40912e91 100644
--- a/doc/source/stig-notes/V-38466_developer.rst
+++ b/doc/metadata/rhel6/V-38466.rst
@@ -1,3 +1,9 @@
+---
+id: V-38466
+status: exception
+tag: misc
+---
+
**Exception**
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of
diff --git a/doc/source/stig-notes/V-38467_developer.rst b/doc/metadata/rhel6/V-38467.rst
similarity index 76%
rename from doc/source/stig-notes/V-38467_developer.rst
rename to doc/metadata/rhel6/V-38467.rst
index 88931522..afb1f739 100644
--- a/doc/source/stig-notes/V-38467_developer.rst
+++ b/doc/metadata/rhel6/V-38467.rst
@@ -1,3 +1,9 @@
+---
+id: V-38467
+status: exception
+tag: misc
+---
+
**Exception**
Storing audit logs on a separate partition is recommended, but this change
diff --git a/doc/source/stig-notes/V-38468_developer.rst b/doc/metadata/rhel6/V-38468.rst
similarity index 95%
rename from doc/source/stig-notes/V-38468_developer.rst
rename to doc/metadata/rhel6/V-38468.rst
index 5782c35f..289b4e14 100644
--- a/doc/source/stig-notes/V-38468_developer.rst
+++ b/doc/metadata/rhel6/V-38468.rst
@@ -1,3 +1,9 @@
+---
+id: V-38468
+status: implemented
+tag: misc
+---
+
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
suspends audit logging. Suspending audit logging can lead to security problems
because the system is no longer keeping track of which syscalls were made.
diff --git a/doc/source/stig-notes/V-38469_developer.rst b/doc/metadata/rhel6/V-38469.rst
similarity index 82%
rename from doc/source/stig-notes/V-38469_developer.rst
rename to doc/metadata/rhel6/V-38469.rst
index 2548bd03..7f314e10 100644
--- a/doc/source/stig-notes/V-38469_developer.rst
+++ b/doc/metadata/rhel6/V-38469.rst
@@ -1,3 +1,9 @@
+---
+id: V-38469
+status: exception
+tag: misc
+---
+
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system
diff --git a/doc/source/stig-notes/V-38470_developer.rst b/doc/metadata/rhel6/V-38470.rst
similarity index 95%
rename from doc/source/stig-notes/V-38470_developer.rst
rename to doc/metadata/rhel6/V-38470.rst
index aa61babd..c3cceec5 100644
--- a/doc/source/stig-notes/V-38470_developer.rst
+++ b/doc/metadata/rhel6/V-38470.rst
@@ -1,3 +1,9 @@
+---
+id: V-38470
+status: implemented
+tag: misc
+---
+
The default configuration for ``security_space_left_action`` is ``SUSPEND``,
which actually only suspends audit logging. Suspending audit logging can lead
to security problems because the system is no longer keeping track of which
diff --git a/doc/source/stig-notes/V-38471_developer.rst b/doc/metadata/rhel6/V-38471.rst
similarity index 82%
rename from doc/source/stig-notes/V-38471_developer.rst
rename to doc/metadata/rhel6/V-38471.rst
index 64c61b21..80de8a2f 100644
--- a/doc/source/stig-notes/V-38471_developer.rst
+++ b/doc/metadata/rhel6/V-38471.rst
@@ -1,3 +1,9 @@
+---
+id: V-38471
+status: implemented
+tag: misc
+---
+
An Ansible task will adjust ``active`` from `no` to `yes` in
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
syslog automatically. The auditd daemon will be restarted if the configuration
diff --git a/doc/source/stig-notes/V-38472_developer.rst b/doc/metadata/rhel6/V-38472.rst
similarity index 82%
rename from doc/source/stig-notes/V-38472_developer.rst
rename to doc/metadata/rhel6/V-38472.rst
index b97e47e2..138501a6 100644
--- a/doc/source/stig-notes/V-38472_developer.rst
+++ b/doc/metadata/rhel6/V-38472.rst
@@ -1,3 +1,9 @@
+---
+id: V-38472
+status: exception
+tag: misc
+---
+
**Exception**
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by
diff --git a/doc/source/stig-notes/V-38473_developer.rst b/doc/metadata/rhel6/V-38473.rst
similarity index 76%
rename from doc/source/stig-notes/V-38473_developer.rst
rename to doc/metadata/rhel6/V-38473.rst
index 10f99698..9728abea 100644
--- a/doc/source/stig-notes/V-38473_developer.rst
+++ b/doc/metadata/rhel6/V-38473.rst
@@ -1,3 +1,9 @@
+---
+id: V-38473
+status: exception
+tag: misc
+---
+
**Exception**
Creating ``/home`` on a different partition is highly recommended but it is
diff --git a/doc/source/stig-notes/V-38474_developer.rst b/doc/metadata/rhel6/V-38474.rst
similarity index 70%
rename from doc/source/stig-notes/V-38474_developer.rst
rename to doc/metadata/rhel6/V-38474.rst
index e6e70aff..8879af0c 100644
--- a/doc/source/stig-notes/V-38474_developer.rst
+++ b/doc/metadata/rhel6/V-38474.rst
@@ -1,3 +1,9 @@
+---
+id: V-38474
+status: exception
+tag: misc
+---
+
**Exception**
The openstack-ansible roles don't install X by default, so there is no
diff --git a/doc/source/stig-notes/V-38475_developer.rst b/doc/metadata/rhel6/V-38475.rst
similarity index 85%
rename from doc/source/stig-notes/V-38475_developer.rst
rename to doc/metadata/rhel6/V-38475.rst
index f3051e18..f2dbaf6e 100644
--- a/doc/source/stig-notes/V-38475_developer.rst
+++ b/doc/metadata/rhel6/V-38475.rst
@@ -1,3 +1,9 @@
+---
+id: V-38475
+status: implemented
+tag: misc
+---
+
**Configuration required**
The STIG recommends passwords to be a minimum of 14 characters in length. To
diff --git a/doc/source/stig-notes/V-38476_developer.rst b/doc/metadata/rhel6/V-38476.rst
similarity index 88%
rename from doc/source/stig-notes/V-38476_developer.rst
rename to doc/metadata/rhel6/V-38476.rst
index ed8c0724..58485283 100644
--- a/doc/source/stig-notes/V-38476_developer.rst
+++ b/doc/metadata/rhel6/V-38476.rst
@@ -1,3 +1,9 @@
+---
+id: V-38476
+status: implemented
+tag: misc
+---
+
The security role verifies that the GPG keys that correspond to each supported
Linux distribution are installed on each host. If the GPG keys are not found,
or if they differ from the list of trusted GPG keys, the playbook execution
diff --git a/doc/source/stig-notes/V-38477_developer.rst b/doc/metadata/rhel6/V-38477.rst
similarity index 80%
rename from doc/source/stig-notes/V-38477_developer.rst
rename to doc/metadata/rhel6/V-38477.rst
index 98fec31c..37dd10ab 100644
--- a/doc/source/stig-notes/V-38477_developer.rst
+++ b/doc/metadata/rhel6/V-38477.rst
@@ -1,3 +1,9 @@
+---
+id: V-38477
+status: implemented
+tag: misc
+---
+
**Configuration required**
The STIG recommends setting a limit of one password change per day. To enable
diff --git a/doc/source/stig-notes/V-38478_developer.rst b/doc/metadata/rhel6/V-38478.rst
similarity index 83%
rename from doc/source/stig-notes/V-38478_developer.rst
rename to doc/metadata/rhel6/V-38478.rst
index 9234f912..fa4e67ee 100644
--- a/doc/source/stig-notes/V-38478_developer.rst
+++ b/doc/metadata/rhel6/V-38478.rst
@@ -1,3 +1,9 @@
+---
+id: V-38478
+status: exception
+tag: misc
+---
+
**Exception**
Ubuntu and CentOS do not use the Red Hat Network Service. However, there are
diff --git a/doc/source/stig-notes/V-38479_developer.rst b/doc/metadata/rhel6/V-38479.rst
similarity index 81%
rename from doc/source/stig-notes/V-38479_developer.rst
rename to doc/metadata/rhel6/V-38479.rst
index 380a480e..3dfd9c77 100644
--- a/doc/source/stig-notes/V-38479_developer.rst
+++ b/doc/metadata/rhel6/V-38479.rst
@@ -1,3 +1,9 @@
+---
+id: V-38479
+status: implemented
+tag: misc
+---
+
**Configuration required**
The STIG recommends setting a limit of 60 days before a password must
diff --git a/doc/source/stig-notes/V-38480_developer.rst b/doc/metadata/rhel6/V-38480.rst
similarity index 87%
rename from doc/source/stig-notes/V-38480_developer.rst
rename to doc/metadata/rhel6/V-38480.rst
index 8ef8b4ca..fa6f08fd 100644
--- a/doc/source/stig-notes/V-38480_developer.rst
+++ b/doc/metadata/rhel6/V-38480.rst
@@ -1,3 +1,9 @@
+---
+id: V-38480
+status: implemented
+tag: misc
+---
+
**Configuration required**
After enabling password age limits in V-38479, be sure to configure
diff --git a/doc/source/stig-notes/V-38481_developer.rst b/doc/metadata/rhel6/V-38481.rst
similarity index 95%
rename from doc/source/stig-notes/V-38481_developer.rst
rename to doc/metadata/rhel6/V-38481.rst
index 9d4a54bd..639b157c 100644
--- a/doc/source/stig-notes/V-38481_developer.rst
+++ b/doc/metadata/rhel6/V-38481.rst
@@ -1,3 +1,9 @@
+---
+id: V-38481
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
Operating system patching policies vary from organization to organization and
diff --git a/doc/source/stig-notes/V-38569_developer.rst b/doc/metadata/rhel6/V-38482.rst
similarity index 89%
rename from doc/source/stig-notes/V-38569_developer.rst
rename to doc/metadata/rhel6/V-38482.rst
index 344697e5..efec833d 100644
--- a/doc/source/stig-notes/V-38569_developer.rst
+++ b/doc/metadata/rhel6/V-38482.rst
@@ -1,3 +1,9 @@
+---
+id: V-38482
+status: exception
+tag: misc
+---
+
**Exception**
Password complexity requirements are left up to the deployer. Deployers are
diff --git a/doc/source/stig-notes/V-38483_developer.rst b/doc/metadata/rhel6/V-38483.rst
similarity index 81%
rename from doc/source/stig-notes/V-38483_developer.rst
rename to doc/metadata/rhel6/V-38483.rst
index 6d52ce1a..364dac22 100644
--- a/doc/source/stig-notes/V-38483_developer.rst
+++ b/doc/metadata/rhel6/V-38483.rst
@@ -1,3 +1,9 @@
+---
+id: V-38483
+status: implemented
+tag: misc
+---
+
The Ansible task for V-38462 already checks for configurations that would
disable any GPG checks when installing packages. However, it is possible for
the root user to override these configurations via command line parameters.
diff --git a/doc/source/stig-notes/V-38484_developer.rst b/doc/metadata/rhel6/V-38484.rst
similarity index 81%
rename from doc/source/stig-notes/V-38484_developer.rst
rename to doc/metadata/rhel6/V-38484.rst
index 750685d5..9b261b03 100644
--- a/doc/source/stig-notes/V-38484_developer.rst
+++ b/doc/metadata/rhel6/V-38484.rst
@@ -1,3 +1,9 @@
+---
+id: V-38484
+status: implemented
+tag: misc
+---
+
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
successful login for a user immediately after login. An Ansible task ensures
this setting is applied and restarts the ssh daemon if necessary.
diff --git a/doc/source/stig-notes/V-38486_developer.rst b/doc/metadata/rhel6/V-38486.rst
similarity index 79%
rename from doc/source/stig-notes/V-38486_developer.rst
rename to doc/metadata/rhel6/V-38486.rst
index df0448e0..6ab69cec 100644
--- a/doc/source/stig-notes/V-38486_developer.rst
+++ b/doc/metadata/rhel6/V-38486.rst
@@ -1,3 +1,9 @@
+---
+id: V-38486
+status: exception
+tag: misc
+---
+
**Exception**
System backups are left to the deployer to configure. Deployers are stringly
diff --git a/doc/source/stig-notes/V-38487_developer.rst b/doc/metadata/rhel6/V-38487.rst
similarity index 81%
rename from doc/source/stig-notes/V-38487_developer.rst
rename to doc/metadata/rhel6/V-38487.rst
index 071c1b7e..fba16e46 100644
--- a/doc/source/stig-notes/V-38487_developer.rst
+++ b/doc/metadata/rhel6/V-38487.rst
@@ -1,3 +1,9 @@
+---
+id: V-38487
+status: implemented
+tag: misc
+---
+
The Ansible task for V-38462 already checks for apt configurations that would
disable any GPG checks when installing packages. However, it's possible for
the root user to override these configurations via command line parameters.
diff --git a/doc/source/stig-notes/V-38488_developer.rst b/doc/metadata/rhel6/V-38488.rst
similarity index 79%
rename from doc/source/stig-notes/V-38488_developer.rst
rename to doc/metadata/rhel6/V-38488.rst
index df0448e0..37b5168c 100644
--- a/doc/source/stig-notes/V-38488_developer.rst
+++ b/doc/metadata/rhel6/V-38488.rst
@@ -1,3 +1,9 @@
+---
+id: V-38488
+status: exception
+tag: misc
+---
+
**Exception**
System backups are left to the deployer to configure. Deployers are stringly
diff --git a/doc/source/stig-notes/V-38489_developer.rst b/doc/metadata/rhel6/V-38489.rst
similarity index 68%
rename from doc/source/stig-notes/V-38489_developer.rst
rename to doc/metadata/rhel6/V-38489.rst
index 11839511..788d0849 100644
--- a/doc/source/stig-notes/V-38489_developer.rst
+++ b/doc/metadata/rhel6/V-38489.rst
@@ -1,2 +1,8 @@
+---
+id: V-38489
+status: implemented
+tag: misc
+---
+
The security role installs and configures the ``aide`` package to provide file
integrity monitoring on the host.
diff --git a/doc/source/stig-notes/V-38490_developer.rst b/doc/metadata/rhel6/V-38490.rst
similarity index 87%
rename from doc/source/stig-notes/V-38490_developer.rst
rename to doc/metadata/rhel6/V-38490.rst
index db1bb537..206127a1 100644
--- a/doc/source/stig-notes/V-38490_developer.rst
+++ b/doc/metadata/rhel6/V-38490.rst
@@ -1,3 +1,9 @@
+---
+id: V-38490
+status: exception
+tag: misc
+---
+
**Exception**
Disabling the ``usb-storage`` module can add extra security, but it's not
diff --git a/doc/source/stig-notes/V-38491_developer.rst b/doc/metadata/rhel6/V-38491.rst
similarity index 84%
rename from doc/source/stig-notes/V-38491_developer.rst
rename to doc/metadata/rhel6/V-38491.rst
index c8e0a1e4..1c0feb11 100644
--- a/doc/source/stig-notes/V-38491_developer.rst
+++ b/doc/metadata/rhel6/V-38491.rst
@@ -1,3 +1,9 @@
+---
+id: V-38491
+status: implemented
+tag: misc
+---
+
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
for host access.
diff --git a/doc/source/stig-notes/V-38492_developer.rst b/doc/metadata/rhel6/V-38492.rst
similarity index 90%
rename from doc/source/stig-notes/V-38492_developer.rst
rename to doc/metadata/rhel6/V-38492.rst
index 32b98f7e..ee1e0b7a 100644
--- a/doc/source/stig-notes/V-38492_developer.rst
+++ b/doc/metadata/rhel6/V-38492.rst
@@ -1,3 +1,9 @@
+---
+id: V-38492
+status: exception
+tag: misc
+---
+
**Exception**
Virtual consoles are helpful during an emergency and they can only be reached
diff --git a/doc/source/stig-notes/V-38493_developer.rst b/doc/metadata/rhel6/V-38493.rst
similarity index 81%
rename from doc/source/stig-notes/V-38493_developer.rst
rename to doc/metadata/rhel6/V-38493.rst
index ba05ae92..9b1addf5 100644
--- a/doc/source/stig-notes/V-38493_developer.rst
+++ b/doc/metadata/rhel6/V-38493.rst
@@ -1,3 +1,9 @@
+---
+id: V-38493
+status: implemented
+tag: misc
+---
+
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
``0750`` by default. The Ansible task for this requirement ensures that the
mode is ``0750`` (which is more strict than the STIG requirement).
diff --git a/doc/source/stig-notes/V-38494_developer.rst b/doc/metadata/rhel6/V-38494.rst
similarity index 88%
rename from doc/source/stig-notes/V-38494_developer.rst
rename to doc/metadata/rhel6/V-38494.rst
index 092a8113..d40af463 100644
--- a/doc/source/stig-notes/V-38494_developer.rst
+++ b/doc/metadata/rhel6/V-38494.rst
@@ -1,3 +1,9 @@
+---
+id: V-38494
+status: exception
+tag: misc
+---
+
**Exception**
Removing serial consoles from ``/etc/securetty`` can make troubleshooting
diff --git a/doc/source/stig-notes/V-38495_developer.rst b/doc/metadata/rhel6/V-38495.rst
similarity index 64%
rename from doc/source/stig-notes/V-38495_developer.rst
rename to doc/metadata/rhel6/V-38495.rst
index f6c42e3a..7ca44ae0 100644
--- a/doc/source/stig-notes/V-38495_developer.rst
+++ b/doc/metadata/rhel6/V-38495.rst
@@ -1,2 +1,8 @@
+---
+id: V-38495
+status: implemented
+tag: misc
+---
+
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
by the root user.
diff --git a/doc/source/stig-notes/V-38496_developer.rst b/doc/metadata/rhel6/V-38496.rst
similarity index 92%
rename from doc/source/stig-notes/V-38496_developer.rst
rename to doc/metadata/rhel6/V-38496.rst
index 27275b4d..9f42f9b8 100644
--- a/doc/source/stig-notes/V-38496_developer.rst
+++ b/doc/metadata/rhel6/V-38496.rst
@@ -1,3 +1,9 @@
+---
+id: V-38496
+status: exception
+tag: misc
+---
+
**Exception**
The Ansible tasks will check for default system accounts (other than root)
diff --git a/doc/source/stig-notes/V-38497_developer.rst b/doc/metadata/rhel6/V-38497.rst
similarity index 93%
rename from doc/source/stig-notes/V-38497_developer.rst
rename to doc/metadata/rhel6/V-38497.rst
index c6f1abef..be43a526 100644
--- a/doc/source/stig-notes/V-38497_developer.rst
+++ b/doc/metadata/rhel6/V-38497.rst
@@ -1,3 +1,9 @@
+---
+id: V-38497
+status: implemented
+tag: misc
+---
+
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
authenticate via PAM by default. This STIG requires that those login attempts
are blocked.
diff --git a/doc/source/stig-notes/V-38498_developer.rst b/doc/metadata/rhel6/V-38498.rst
similarity index 89%
rename from doc/source/stig-notes/V-38498_developer.rst
rename to doc/metadata/rhel6/V-38498.rst
index 50961e5c..7f5791db 100644
--- a/doc/source/stig-notes/V-38498_developer.rst
+++ b/doc/metadata/rhel6/V-38498.rst
@@ -1,3 +1,9 @@
+---
+id: V-38498
+status: implemented
+tag: misc
+---
+
Ubuntu and CentOS set the current audit log (the one that is actively being
written to) to ``0600`` so that only the root user can read and write to it.
The older, rotated logs are set to ``0400`` since they should not receive
diff --git a/doc/source/stig-notes/V-38499_developer.rst b/doc/metadata/rhel6/V-38499.rst
similarity index 69%
rename from doc/source/stig-notes/V-38499_developer.rst
rename to doc/metadata/rhel6/V-38499.rst
index 00a1219d..f444132a 100644
--- a/doc/source/stig-notes/V-38499_developer.rst
+++ b/doc/metadata/rhel6/V-38499.rst
@@ -1,2 +1,8 @@
+---
+id: V-38499
+status: implemented
+tag: misc
+---
+
The Ansible task will search for password hashes in ``/etc/passwd`` using
awk and report a failure if any are found.
diff --git a/doc/source/stig-notes/V-38500_developer.rst b/doc/metadata/rhel6/V-38500.rst
similarity index 88%
rename from doc/source/stig-notes/V-38500_developer.rst
rename to doc/metadata/rhel6/V-38500.rst
index 3e39edc5..801e6ead 100644
--- a/doc/source/stig-notes/V-38500_developer.rst
+++ b/doc/metadata/rhel6/V-38500.rst
@@ -1,3 +1,9 @@
+---
+id: V-38500
+status: implemented
+tag: misc
+---
+
The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
that aren't the normal root account. If any matching accounts are found, a
warning is printed to stdout and the Ansible play will fail.
diff --git a/doc/source/stig-notes/V-38573_developer.rst b/doc/metadata/rhel6/V-38501.rst
similarity index 97%
rename from doc/source/stig-notes/V-38573_developer.rst
rename to doc/metadata/rhel6/V-38501.rst
index 51220cf4..72612a19 100644
--- a/doc/source/stig-notes/V-38573_developer.rst
+++ b/doc/metadata/rhel6/V-38501.rst
@@ -1,3 +1,9 @@
+---
+id: V-38501
+status: exception
+tag: misc
+---
+
**Exception and opt-in alternative**
Adjusting PAM configurations is very risky since it affects how all users
diff --git a/doc/source/stig-notes/V-38502_developer.rst b/doc/metadata/rhel6/V-38502.rst
similarity index 71%
rename from doc/source/stig-notes/V-38502_developer.rst
rename to doc/metadata/rhel6/V-38502.rst
index c5070d2d..4eeaf8c1 100644
--- a/doc/source/stig-notes/V-38502_developer.rst
+++ b/doc/metadata/rhel6/V-38502.rst
@@ -1,2 +1,8 @@
+---
+id: V-38502
+status: implemented
+tag: misc
+---
+
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
task will ensure that the default is maintained.
diff --git a/doc/source/stig-notes/V-38503_developer.rst b/doc/metadata/rhel6/V-38503.rst
similarity index 71%
rename from doc/source/stig-notes/V-38503_developer.rst
rename to doc/metadata/rhel6/V-38503.rst
index c5070d2d..18971266 100644
--- a/doc/source/stig-notes/V-38503_developer.rst
+++ b/doc/metadata/rhel6/V-38503.rst
@@ -1,2 +1,8 @@
+---
+id: V-38503
+status: implemented
+tag: misc
+---
+
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
task will ensure that the default is maintained.
diff --git a/doc/source/stig-notes/V-38504_developer.rst b/doc/metadata/rhel6/V-38504.rst
similarity index 91%
rename from doc/source/stig-notes/V-38504_developer.rst
rename to doc/metadata/rhel6/V-38504.rst
index 24bf6207..36b962da 100644
--- a/doc/source/stig-notes/V-38504_developer.rst
+++ b/doc/metadata/rhel6/V-38504.rst
@@ -1,3 +1,9 @@
+---
+id: V-38504
+status: implemented
+tag: misc
+---
+
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
Ansible tasks in the security role ensure that the mode meets the requirement.
diff --git a/doc/source/stig-notes/V-38511_developer.rst b/doc/metadata/rhel6/V-38511.rst
similarity index 81%
rename from doc/source/stig-notes/V-38511_developer.rst
rename to doc/metadata/rhel6/V-38511.rst
index 7e872ff9..c8539d60 100644
--- a/doc/source/stig-notes/V-38511_developer.rst
+++ b/doc/metadata/rhel6/V-38511.rst
@@ -1,3 +1,9 @@
+---
+id: V-38511
+status: implemented
+tag: misc
+---
+
**Special Case**
Running virtual infrastructure requires IP forwarding to be enabled on various
diff --git a/doc/source/stig-notes/V-38686_developer.rst b/doc/metadata/rhel6/V-38512.rst
similarity index 89%
rename from doc/source/stig-notes/V-38686_developer.rst
rename to doc/metadata/rhel6/V-38512.rst
index 63471791..f2116873 100644
--- a/doc/source/stig-notes/V-38686_developer.rst
+++ b/doc/metadata/rhel6/V-38512.rst
@@ -1,3 +1,9 @@
+---
+id: V-38512
+status: exception
+tag: misc
+---
+
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible
diff --git a/doc/source/stig-notes/V-38512_developer.rst b/doc/metadata/rhel6/V-38513.rst
similarity index 89%
rename from doc/source/stig-notes/V-38512_developer.rst
rename to doc/metadata/rhel6/V-38513.rst
index 63471791..0b2a0c6b 100644
--- a/doc/source/stig-notes/V-38512_developer.rst
+++ b/doc/metadata/rhel6/V-38513.rst
@@ -1,3 +1,9 @@
+---
+id: V-38513
+status: exception
+tag: misc
+---
+
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible
diff --git a/doc/source/stig-notes/V-38514_developer.rst b/doc/metadata/rhel6/V-38514.rst
similarity index 89%
rename from doc/source/stig-notes/V-38514_developer.rst
rename to doc/metadata/rhel6/V-38514.rst
index 18dbd3ca..74132e98 100644
--- a/doc/source/stig-notes/V-38514_developer.rst
+++ b/doc/metadata/rhel6/V-38514.rst
@@ -1,3 +1,9 @@
+---
+id: V-38514
+status: implemented
+tag: misc
+---
+
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
needed. Although this protocol is occasionally used in some OpenStack
environments for quality of service functions, it is not in the default
diff --git a/doc/source/stig-notes/V-38515_developer.rst b/doc/metadata/rhel6/V-38515.rst
similarity index 83%
rename from doc/source/stig-notes/V-38515_developer.rst
rename to doc/metadata/rhel6/V-38515.rst
index a1d548fd..67d833e2 100644
--- a/doc/source/stig-notes/V-38515_developer.rst
+++ b/doc/metadata/rhel6/V-38515.rst
@@ -1,3 +1,9 @@
+---
+id: V-38515
+status: implemented
+tag: misc
+---
+
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
this change, set the following variable to ``no``:
diff --git a/doc/source/stig-notes/V-38516_developer.rst b/doc/metadata/rhel6/V-38516.rst
similarity index 88%
rename from doc/source/stig-notes/V-38516_developer.rst
rename to doc/metadata/rhel6/V-38516.rst
index de5131fa..11ba5c57 100644
--- a/doc/source/stig-notes/V-38516_developer.rst
+++ b/doc/metadata/rhel6/V-38516.rst
@@ -1,3 +1,9 @@
+---
+id: V-38516
+status: implemented
+tag: misc
+---
+
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible
tasks in this role will disable the module.
diff --git a/doc/source/stig-notes/V-38517_developer.rst b/doc/metadata/rhel6/V-38517.rst
similarity index 87%
rename from doc/source/stig-notes/V-38517_developer.rst
rename to doc/metadata/rhel6/V-38517.rst
index 6b63c125..7f0130e9 100644
--- a/doc/source/stig-notes/V-38517_developer.rst
+++ b/doc/metadata/rhel6/V-38517.rst
@@ -1,3 +1,9 @@
+---
+id: V-38517
+status: implemented
+tag: misc
+---
+
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
disabled. To opt-out of this change, set the following variable to ``no``:
diff --git a/doc/source/stig-notes/V-38518_developer.rst b/doc/metadata/rhel6/V-38518.rst
similarity index 87%
rename from doc/source/stig-notes/V-38518_developer.rst
rename to doc/metadata/rhel6/V-38518.rst
index 4cd1dd97..7628d22d 100644
--- a/doc/source/stig-notes/V-38518_developer.rst
+++ b/doc/metadata/rhel6/V-38518.rst
@@ -1,3 +1,9 @@
+---
+id: V-38518
+status: exception
+tag: misc
+---
+
**Exception**
Different systems may have different log files populated depending on the type
diff --git a/doc/source/stig-notes/V-38519_developer.rst b/doc/metadata/rhel6/V-38519.rst
similarity index 87%
rename from doc/source/stig-notes/V-38519_developer.rst
rename to doc/metadata/rhel6/V-38519.rst
index 4cd1dd97..e4599e70 100644
--- a/doc/source/stig-notes/V-38519_developer.rst
+++ b/doc/metadata/rhel6/V-38519.rst
@@ -1,3 +1,9 @@
+---
+id: V-38519
+status: exception
+tag: misc
+---
+
**Exception**
Different systems may have different log files populated depending on the type
diff --git a/doc/source/stig-notes/V-38520_developer.rst b/doc/metadata/rhel6/V-38520.rst
similarity index 87%
rename from doc/source/stig-notes/V-38520_developer.rst
rename to doc/metadata/rhel6/V-38520.rst
index 013b4a7e..bc9c2491 100644
--- a/doc/source/stig-notes/V-38520_developer.rst
+++ b/doc/metadata/rhel6/V-38520.rst
@@ -1,3 +1,9 @@
+---
+id: V-38520
+status: exception
+tag: misc
+---
+
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container
diff --git a/doc/source/stig-notes/V-38521_developer.rst b/doc/metadata/rhel6/V-38521.rst
similarity index 87%
rename from doc/source/stig-notes/V-38521_developer.rst
rename to doc/metadata/rhel6/V-38521.rst
index 013b4a7e..cadb48cc 100644
--- a/doc/source/stig-notes/V-38521_developer.rst
+++ b/doc/metadata/rhel6/V-38521.rst
@@ -1,3 +1,9 @@
+---
+id: V-38521
+status: exception
+tag: misc
+---
+
**Exception**
At the moment, openstack-ansible already sends logs to the rsyslog container
diff --git a/doc/source/stig-notes/V-38522_developer.rst b/doc/metadata/rhel6/V-38522.rst
similarity index 60%
rename from doc/source/stig-notes/V-38522_developer.rst
rename to doc/metadata/rhel6/V-38522.rst
index 1fb1e67a..c785ed94 100644
--- a/doc/source/stig-notes/V-38522_developer.rst
+++ b/doc/metadata/rhel6/V-38522.rst
@@ -1 +1,7 @@
+---
+id: V-38522
+status: implemented
+tag: misc
+---
+
Rules are added for auditing changes to system time made via ``settimeofday``.
diff --git a/doc/source/stig-notes/V-38523_developer.rst b/doc/metadata/rhel6/V-38523.rst
similarity index 93%
rename from doc/source/stig-notes/V-38523_developer.rst
rename to doc/metadata/rhel6/V-38523.rst
index 3c57bba8..e8c20ab0 100644
--- a/doc/source/stig-notes/V-38523_developer.rst
+++ b/doc/metadata/rhel6/V-38523.rst
@@ -1,3 +1,9 @@
+---
+id: V-38523
+status: exception
+tag: misc
+---
+
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
diff --git a/doc/source/stig-notes/V-38524_developer.rst b/doc/metadata/rhel6/V-38524.rst
similarity index 89%
rename from doc/source/stig-notes/V-38524_developer.rst
rename to doc/metadata/rhel6/V-38524.rst
index 9b35cacc..defc0ac2 100644
--- a/doc/source/stig-notes/V-38524_developer.rst
+++ b/doc/metadata/rhel6/V-38524.rst
@@ -1,3 +1,9 @@
+---
+id: V-38524
+status: implemented
+tag: misc
+---
+
This patch disables ICMPv4 redirects feature on the host.
Accepting ICMP redirects has few legitimate uses.
It should be disabled unless it is absolutely required.
diff --git a/doc/source/stig-notes/V-38525_developer.rst b/doc/metadata/rhel6/V-38525.rst
similarity index 58%
rename from doc/source/stig-notes/V-38525_developer.rst
rename to doc/metadata/rhel6/V-38525.rst
index eb832856..3a28fa31 100644
--- a/doc/source/stig-notes/V-38525_developer.rst
+++ b/doc/metadata/rhel6/V-38525.rst
@@ -1 +1,7 @@
+---
+id: V-38525
+status: implemented
+tag: misc
+---
+
Rules are added for auditing changes to system time done via ``stime``.
diff --git a/doc/source/stig-notes/V-38526_developer.rst b/doc/metadata/rhel6/V-38526.rst
similarity index 90%
rename from doc/source/stig-notes/V-38526_developer.rst
rename to doc/metadata/rhel6/V-38526.rst
index 4e62ad76..2a448505 100644
--- a/doc/source/stig-notes/V-38526_developer.rst
+++ b/doc/metadata/rhel6/V-38526.rst
@@ -1,3 +1,9 @@
+---
+id: V-38526
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
The STIG requires that secure ICMP redirects are disabled, but this can cause
diff --git a/doc/source/stig-notes/V-38527_developer.rst b/doc/metadata/rhel6/V-38527.rst
similarity index 61%
rename from doc/source/stig-notes/V-38527_developer.rst
rename to doc/metadata/rhel6/V-38527.rst
index 26fb737f..7f451cfb 100644
--- a/doc/source/stig-notes/V-38527_developer.rst
+++ b/doc/metadata/rhel6/V-38527.rst
@@ -1,2 +1,8 @@
+---
+id: V-38527
+status: implemented
+tag: misc
+---
+
Rules are added for auditing changes to system time done via
``clock_settime``.
diff --git a/doc/source/stig-notes/V-38528_developer.rst b/doc/metadata/rhel6/V-38528.rst
similarity index 94%
rename from doc/source/stig-notes/V-38528_developer.rst
rename to doc/metadata/rhel6/V-38528.rst
index 9ac26ca2..241f1fc3 100644
--- a/doc/source/stig-notes/V-38528_developer.rst
+++ b/doc/metadata/rhel6/V-38528.rst
@@ -1,3 +1,9 @@
+---
+id: V-38528
+status: exception
+tag: misc
+---
+
**Exception**
The STIG requires that all martian packets are logged by setting the sysctl
diff --git a/doc/source/stig-notes/V-38532_developer.rst b/doc/metadata/rhel6/V-38529.rst
similarity index 93%
rename from doc/source/stig-notes/V-38532_developer.rst
rename to doc/metadata/rhel6/V-38529.rst
index 3c57bba8..7861b0a9 100644
--- a/doc/source/stig-notes/V-38532_developer.rst
+++ b/doc/metadata/rhel6/V-38529.rst
@@ -1,3 +1,9 @@
+---
+id: V-38529
+status: exception
+tag: misc
+---
+
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
diff --git a/doc/source/stig-notes/V-38530_developer.rst b/doc/metadata/rhel6/V-38530.rst
similarity index 65%
rename from doc/source/stig-notes/V-38530_developer.rst
rename to doc/metadata/rhel6/V-38530.rst
index 3c3b37c9..53f3cc34 100644
--- a/doc/source/stig-notes/V-38530_developer.rst
+++ b/doc/metadata/rhel6/V-38530.rst
@@ -1,2 +1,8 @@
+---
+id: V-38530
+status: implemented
+tag: misc
+---
+
Rules are added to auditd to log all attempts to change the system time using
``/etc/localtime``.
diff --git a/doc/source/stig-notes/V-38538_developer.rst b/doc/metadata/rhel6/V-38531.rst
similarity index 63%
rename from doc/source/stig-notes/V-38538_developer.rst
rename to doc/metadata/rhel6/V-38531.rst
index c3ef2294..b47dc9e1 100644
--- a/doc/source/stig-notes/V-38538_developer.rst
+++ b/doc/metadata/rhel6/V-38531.rst
@@ -1,3 +1,9 @@
+---
+id: V-38531
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/stig-notes/V-38529_developer.rst b/doc/metadata/rhel6/V-38532.rst
similarity index 93%
rename from doc/source/stig-notes/V-38529_developer.rst
rename to doc/metadata/rhel6/V-38532.rst
index 3c57bba8..8c488ba1 100644
--- a/doc/source/stig-notes/V-38529_developer.rst
+++ b/doc/metadata/rhel6/V-38532.rst
@@ -1,3 +1,9 @@
+---
+id: V-38532
+status: exception
+tag: misc
+---
+
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
diff --git a/doc/source/stig-notes/V-38533_developer.rst b/doc/metadata/rhel6/V-38533.rst
similarity index 93%
rename from doc/source/stig-notes/V-38533_developer.rst
rename to doc/metadata/rhel6/V-38533.rst
index 3c57bba8..63365865 100644
--- a/doc/source/stig-notes/V-38533_developer.rst
+++ b/doc/metadata/rhel6/V-38533.rst
@@ -1,3 +1,9 @@
+---
+id: V-38533
+status: exception
+tag: misc
+---
+
**Exception**
The STIG makes several requirements for IPv4 network restrictions, but these
diff --git a/doc/source/stig-notes/V-38534_developer.rst b/doc/metadata/rhel6/V-38534.rst
similarity index 77%
rename from doc/source/stig-notes/V-38534_developer.rst
rename to doc/metadata/rhel6/V-38534.rst
index 7a16b83c..64feb972 100644
--- a/doc/source/stig-notes/V-38534_developer.rst
+++ b/doc/metadata/rhel6/V-38534.rst
@@ -1,3 +1,9 @@
+---
+id: V-38534
+status: implemented
+tag: misc
+---
+
Audit rules are added in a task so that any events associated with
account modifications are logged. The new audit rule will be loaded immediately
with ``augenrules --load``.
diff --git a/doc/source/stig-notes/V-38535_developer.rst b/doc/metadata/rhel6/V-38535.rst
similarity index 77%
rename from doc/source/stig-notes/V-38535_developer.rst
rename to doc/metadata/rhel6/V-38535.rst
index fd9273bf..7d3bfa46 100644
--- a/doc/source/stig-notes/V-38535_developer.rst
+++ b/doc/metadata/rhel6/V-38535.rst
@@ -1,3 +1,9 @@
+---
+id: V-38535
+status: implemented
+tag: misc
+---
+
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
The Ansible tasks for this STIG configuration ensures that the secure default
setting is maintained.
diff --git a/doc/source/stig-notes/V-38536_developer.rst b/doc/metadata/rhel6/V-38536.rst
similarity index 63%
rename from doc/source/stig-notes/V-38536_developer.rst
rename to doc/metadata/rhel6/V-38536.rst
index c3ef2294..564d115e 100644
--- a/doc/source/stig-notes/V-38536_developer.rst
+++ b/doc/metadata/rhel6/V-38536.rst
@@ -1,3 +1,9 @@
+---
+id: V-38536
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/stig-notes/V-38537_developer.rst b/doc/metadata/rhel6/V-38537.rst
similarity index 71%
rename from doc/source/stig-notes/V-38537_developer.rst
rename to doc/metadata/rhel6/V-38537.rst
index beea151d..45f5b5b3 100644
--- a/doc/source/stig-notes/V-38537_developer.rst
+++ b/doc/metadata/rhel6/V-38537.rst
@@ -1,2 +1,8 @@
+---
+id: V-38537
+status: implemented
+tag: misc
+---
+
Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
ensure that this default setting is maintained.
diff --git a/doc/source/stig-notes/V-38531_developer.rst b/doc/metadata/rhel6/V-38538.rst
similarity index 63%
rename from doc/source/stig-notes/V-38531_developer.rst
rename to doc/metadata/rhel6/V-38538.rst
index c3ef2294..3d0d6b58 100644
--- a/doc/source/stig-notes/V-38531_developer.rst
+++ b/doc/metadata/rhel6/V-38538.rst
@@ -1,3 +1,9 @@
+---
+id: V-38538
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/stig-notes/V-38539_developer.rst b/doc/metadata/rhel6/V-38539.rst
similarity index 95%
rename from doc/source/stig-notes/V-38539_developer.rst
rename to doc/metadata/rhel6/V-38539.rst
index 9098a259..dbecc3dd 100644
--- a/doc/source/stig-notes/V-38539_developer.rst
+++ b/doc/metadata/rhel6/V-38539.rst
@@ -1,3 +1,9 @@
+---
+id: V-38539
+status: implemented
+tag: misc
+---
+
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
Note that high-traffic environments may require TCP SYN cookies to be disabled.
diff --git a/doc/source/stig-notes/V-38540_developer.rst b/doc/metadata/rhel6/V-38540.rst
similarity index 79%
rename from doc/source/stig-notes/V-38540_developer.rst
rename to doc/metadata/rhel6/V-38540.rst
index 6a356ed1..4ae33ec2 100644
--- a/doc/source/stig-notes/V-38540_developer.rst
+++ b/doc/metadata/rhel6/V-38540.rst
@@ -1,3 +1,9 @@
+---
+id: V-38540
+status: implemented
+tag: misc
+---
+
Rules are added for auditing network configuration changes. The path to
Ubuntu's standard network configuration location has replaced the path
to Red Hat's default network configuration location.
diff --git a/doc/source/stig-notes/V-38541_developer.rst b/doc/metadata/rhel6/V-38541.rst
similarity index 86%
rename from doc/source/stig-notes/V-38541_developer.rst
rename to doc/metadata/rhel6/V-38541.rst
index f764ee67..e654273b 100644
--- a/doc/source/stig-notes/V-38541_developer.rst
+++ b/doc/metadata/rhel6/V-38541.rst
@@ -1,3 +1,9 @@
+---
+id: V-38541
+status: implemented
+tag: misc
+---
+
For Ubuntu, rules are added to auditd that will log any changes made in the
``/etc/apparmor`` directory.
diff --git a/doc/metadata/rhel6/V-38542.rst b/doc/metadata/rhel6/V-38542.rst
new file mode 100644
index 00000000..323e8bec
--- /dev/null
+++ b/doc/metadata/rhel6/V-38542.rst
@@ -0,0 +1,19 @@
+---
+id: V-38542
+status: exception
+tag: misc
+---
+
+**Exception**
+
+The STIG makes several requirements for IPv4 network restrictions, but these
+restrictions can impact certain network interfaces and cause service
+disruptions. Some security configurations make sense for certain types of
+network interfaces, like bridges, but other restrictions cause the network
+interface to stop passing valid traffic between hosts, containers, or virtual
+machines.
+
+The default network scripts and LXC userspace tools already configure various
+network devices to their most secure setting. Since some hosts will act as
+routers, enabling security configurations that restrict network traffic can
+cause service disruptions for OpenStack environments.
diff --git a/doc/source/stig-notes/V-38550_developer.rst b/doc/metadata/rhel6/V-38543.rst
similarity index 90%
rename from doc/source/stig-notes/V-38550_developer.rst
rename to doc/metadata/rhel6/V-38543.rst
index 17fe6b19..496c5353 100644
--- a/doc/source/stig-notes/V-38550_developer.rst
+++ b/doc/metadata/rhel6/V-38543.rst
@@ -1,3 +1,9 @@
+---
+id: V-38543
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
diff --git a/doc/metadata/rhel6/V-38544.rst b/doc/metadata/rhel6/V-38544.rst
new file mode 100644
index 00000000..abb1de7e
--- /dev/null
+++ b/doc/metadata/rhel6/V-38544.rst
@@ -0,0 +1,19 @@
+---
+id: V-38544
+status: exception
+tag: misc
+---
+
+**Exception**
+
+The STIG makes several requirements for IPv4 network restrictions, but these
+restrictions can impact certain network interfaces and cause service
+disruptions. Some security configurations make sense for certain types of
+network interfaces, like bridges, but other restrictions cause the network
+interface to stop passing valid traffic between hosts, containers, or virtual
+machines.
+
+The default network scripts and LXC userspace tools already configure various
+network devices to their most secure setting. Since some hosts will act as
+routers, enabling security configurations that restrict network traffic can
+cause service disruptions for OpenStack environments.
diff --git a/doc/source/stig-notes/V-38545_developer.rst b/doc/metadata/rhel6/V-38545.rst
similarity index 87%
rename from doc/source/stig-notes/V-38545_developer.rst
rename to doc/metadata/rhel6/V-38545.rst
index e5ae1a96..5802c980 100644
--- a/doc/source/stig-notes/V-38545_developer.rst
+++ b/doc/metadata/rhel6/V-38545.rst
@@ -1,3 +1,9 @@
+---
+id: V-38545
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``chown`` are disabled by
diff --git a/doc/source/stig-notes/V-38546_developer.rst b/doc/metadata/rhel6/V-38546.rst
similarity index 90%
rename from doc/source/stig-notes/V-38546_developer.rst
rename to doc/metadata/rhel6/V-38546.rst
index 99eb7110..ca38da02 100644
--- a/doc/source/stig-notes/V-38546_developer.rst
+++ b/doc/metadata/rhel6/V-38546.rst
@@ -1,3 +1,9 @@
+---
+id: V-38546
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
The STIG requires IPv6 to be disabled system-wide unless it is needed for the
diff --git a/doc/source/stig-notes/V-38547_developer.rst b/doc/metadata/rhel6/V-38547.rst
similarity index 90%
rename from doc/source/stig-notes/V-38547_developer.rst
rename to doc/metadata/rhel6/V-38547.rst
index 17fe6b19..51e96b94 100644
--- a/doc/source/stig-notes/V-38547_developer.rst
+++ b/doc/metadata/rhel6/V-38547.rst
@@ -1,3 +1,9 @@
+---
+id: V-38547
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
diff --git a/doc/source/stig-notes/V-38548_developer.rst b/doc/metadata/rhel6/V-38548.rst
similarity index 92%
rename from doc/source/stig-notes/V-38548_developer.rst
rename to doc/metadata/rhel6/V-38548.rst
index 62fd715a..d6e9a110 100644
--- a/doc/source/stig-notes/V-38548_developer.rst
+++ b/doc/metadata/rhel6/V-38548.rst
@@ -1,3 +1,9 @@
+---
+id: V-38548
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
Accepting ICMP redirects has few legitimate uses. It should be disabled unless
diff --git a/doc/source/stig-notes/V-38549_developer.rst b/doc/metadata/rhel6/V-38549.rst
similarity index 84%
rename from doc/source/stig-notes/V-38549_developer.rst
rename to doc/metadata/rhel6/V-38549.rst
index 737ff656..028cd9bd 100644
--- a/doc/source/stig-notes/V-38549_developer.rst
+++ b/doc/metadata/rhel6/V-38549.rst
@@ -1,3 +1,9 @@
+---
+id: V-38549
+status: exception
+tag: misc
+---
+
**Exception**
Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to
diff --git a/doc/source/stig-notes/V-38543_developer.rst b/doc/metadata/rhel6/V-38550.rst
similarity index 90%
rename from doc/source/stig-notes/V-38543_developer.rst
rename to doc/metadata/rhel6/V-38550.rst
index 17fe6b19..169d880a 100644
--- a/doc/source/stig-notes/V-38543_developer.rst
+++ b/doc/metadata/rhel6/V-38550.rst
@@ -1,3 +1,9 @@
+---
+id: V-38550
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
diff --git a/doc/source/stig-notes/V-38551_developer.rst b/doc/metadata/rhel6/V-38551.rst
similarity index 95%
rename from doc/source/stig-notes/V-38551_developer.rst
rename to doc/metadata/rhel6/V-38551.rst
index 031ababd..1a0acfff 100644
--- a/doc/source/stig-notes/V-38551_developer.rst
+++ b/doc/metadata/rhel6/V-38551.rst
@@ -1,3 +1,9 @@
+---
+id: V-38551
+status: exception
+tag: misc
+---
+
**Exception**
Filtering IPv6 traffic is left up to the deployer to implement. The
diff --git a/doc/source/stig-notes/V-38552_developer.rst b/doc/metadata/rhel6/V-38552.rst
similarity index 87%
rename from doc/source/stig-notes/V-38552_developer.rst
rename to doc/metadata/rhel6/V-38552.rst
index 7d722fb6..89baba56 100644
--- a/doc/source/stig-notes/V-38552_developer.rst
+++ b/doc/metadata/rhel6/V-38552.rst
@@ -1,3 +1,9 @@
+---
+id: V-38552
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``fchown`` are disabled by
diff --git a/doc/source/stig-notes/V-38553_developer.rst b/doc/metadata/rhel6/V-38553.rst
similarity index 84%
rename from doc/source/stig-notes/V-38553_developer.rst
rename to doc/metadata/rhel6/V-38553.rst
index 737ff656..d9f6c830 100644
--- a/doc/source/stig-notes/V-38553_developer.rst
+++ b/doc/metadata/rhel6/V-38553.rst
@@ -1,3 +1,9 @@
+---
+id: V-38553
+status: exception
+tag: misc
+---
+
**Exception**
Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to
diff --git a/doc/source/stig-notes/V-38554_developer.rst b/doc/metadata/rhel6/V-38554.rst
similarity index 88%
rename from doc/source/stig-notes/V-38554_developer.rst
rename to doc/metadata/rhel6/V-38554.rst
index e8a4a6ad..5153d2d4 100644
--- a/doc/source/stig-notes/V-38554_developer.rst
+++ b/doc/metadata/rhel6/V-38554.rst
@@ -1,3 +1,9 @@
+---
+id: V-38554
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``fchownat`` are disabled by
diff --git a/doc/source/stig-notes/V-38555_developer.rst b/doc/metadata/rhel6/V-38555.rst
similarity index 84%
rename from doc/source/stig-notes/V-38555_developer.rst
rename to doc/metadata/rhel6/V-38555.rst
index 1ecb440d..b0a67a60 100644
--- a/doc/source/stig-notes/V-38555_developer.rst
+++ b/doc/metadata/rhel6/V-38555.rst
@@ -1,3 +1,9 @@
+---
+id: V-38555
+status: exception
+tag: misc
+---
+
**Exception**
Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to
diff --git a/doc/source/stig-notes/V-38556_developer.rst b/doc/metadata/rhel6/V-38556.rst
similarity index 88%
rename from doc/source/stig-notes/V-38556_developer.rst
rename to doc/metadata/rhel6/V-38556.rst
index deae7093..824060ec 100644
--- a/doc/source/stig-notes/V-38556_developer.rst
+++ b/doc/metadata/rhel6/V-38556.rst
@@ -1,3 +1,9 @@
+---
+id: V-38556
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``fremovexattr`` are disabled
diff --git a/doc/source/stig-notes/V-38557_developer.rst b/doc/metadata/rhel6/V-38557.rst
similarity index 88%
rename from doc/source/stig-notes/V-38557_developer.rst
rename to doc/metadata/rhel6/V-38557.rst
index a264edfa..fac6dada 100644
--- a/doc/source/stig-notes/V-38557_developer.rst
+++ b/doc/metadata/rhel6/V-38557.rst
@@ -1,3 +1,9 @@
+---
+id: V-38557
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``fsetxattr`` are disabled by
diff --git a/doc/source/stig-notes/V-38558_developer.rst b/doc/metadata/rhel6/V-38558.rst
similarity index 87%
rename from doc/source/stig-notes/V-38558_developer.rst
rename to doc/metadata/rhel6/V-38558.rst
index 1143b17b..cc03c7d4 100644
--- a/doc/source/stig-notes/V-38558_developer.rst
+++ b/doc/metadata/rhel6/V-38558.rst
@@ -1,3 +1,9 @@
+---
+id: V-38558
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``lchown`` are disabled by
diff --git a/doc/source/stig-notes/V-38559_developer.rst b/doc/metadata/rhel6/V-38559.rst
similarity index 88%
rename from doc/source/stig-notes/V-38559_developer.rst
rename to doc/metadata/rhel6/V-38559.rst
index 70e98861..39fa3bd5 100644
--- a/doc/source/stig-notes/V-38559_developer.rst
+++ b/doc/metadata/rhel6/V-38559.rst
@@ -1,3 +1,9 @@
+---
+id: V-38559
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``lremovexattr`` are disabled
diff --git a/doc/source/stig-notes/V-38560_developer.rst b/doc/metadata/rhel6/V-38560.rst
similarity index 84%
rename from doc/source/stig-notes/V-38560_developer.rst
rename to doc/metadata/rhel6/V-38560.rst
index 1ecb440d..114424f5 100644
--- a/doc/source/stig-notes/V-38560_developer.rst
+++ b/doc/metadata/rhel6/V-38560.rst
@@ -1,3 +1,9 @@
+---
+id: V-38560
+status: exception
+tag: misc
+---
+
**Exception**
Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to
diff --git a/doc/source/stig-notes/V-38561_developer.rst b/doc/metadata/rhel6/V-38561.rst
similarity index 88%
rename from doc/source/stig-notes/V-38561_developer.rst
rename to doc/metadata/rhel6/V-38561.rst
index 0b995aa6..582c589f 100644
--- a/doc/source/stig-notes/V-38561_developer.rst
+++ b/doc/metadata/rhel6/V-38561.rst
@@ -1,3 +1,9 @@
+---
+id: V-38561
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``lxsetxattr`` are disabled by
diff --git a/doc/source/stig-notes/V-38563_developer.rst b/doc/metadata/rhel6/V-38563.rst
similarity index 81%
rename from doc/source/stig-notes/V-38563_developer.rst
rename to doc/metadata/rhel6/V-38563.rst
index 09642b61..fa8dcc97 100644
--- a/doc/source/stig-notes/V-38563_developer.rst
+++ b/doc/metadata/rhel6/V-38563.rst
@@ -1,3 +1,9 @@
+---
+id: V-38563
+status: implemented
+tag: misc
+---
+
Audit rules are added in a task so that any events associated with the
discretionary access controls (DAC) permission modifications are logged.
The new audit rule will be loaded immediately with ``augenrules --load``.
diff --git a/doc/source/stig-notes/V-38565_developer.rst b/doc/metadata/rhel6/V-38565.rst
similarity index 88%
rename from doc/source/stig-notes/V-38565_developer.rst
rename to doc/metadata/rhel6/V-38565.rst
index f67ccfaf..affe8a3a 100644
--- a/doc/source/stig-notes/V-38565_developer.rst
+++ b/doc/metadata/rhel6/V-38565.rst
@@ -1,3 +1,9 @@
+---
+id: V-38565
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for permission changes made with ``setxattr`` are disabled by
diff --git a/doc/source/stig-notes/V-38566_developer.rst b/doc/metadata/rhel6/V-38566.rst
similarity index 87%
rename from doc/source/stig-notes/V-38566_developer.rst
rename to doc/metadata/rhel6/V-38566.rst
index d5e927d0..4d7f260f 100644
--- a/doc/source/stig-notes/V-38566_developer.rst
+++ b/doc/metadata/rhel6/V-38566.rst
@@ -1,3 +1,9 @@
+---
+id: V-38566
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for logging failed access attempts can generate significant
diff --git a/doc/source/stig-notes/V-38567_developer.rst b/doc/metadata/rhel6/V-38567.rst
similarity index 84%
rename from doc/source/stig-notes/V-38567_developer.rst
rename to doc/metadata/rhel6/V-38567.rst
index 7b598281..8329f94d 100644
--- a/doc/source/stig-notes/V-38567_developer.rst
+++ b/doc/metadata/rhel6/V-38567.rst
@@ -1,3 +1,9 @@
+---
+id: V-38567
+status: exception
+tag: misc
+---
+
**Exception**
Keeping the list of setuid/setgid applications up to date and adding the paths
diff --git a/doc/source/stig-notes/V-38568_developer.rst b/doc/metadata/rhel6/V-38568.rst
similarity index 55%
rename from doc/source/stig-notes/V-38568_developer.rst
rename to doc/metadata/rhel6/V-38568.rst
index 6b50b462..01b5f0cf 100644
--- a/doc/source/stig-notes/V-38568_developer.rst
+++ b/doc/metadata/rhel6/V-38568.rst
@@ -1 +1,7 @@
+---
+id: V-38568
+status: implemented
+tag: misc
+---
+
Rules are added for auditd to log successful filesystem mounts.
diff --git a/doc/source/stig-notes/V-38570_developer.rst b/doc/metadata/rhel6/V-38569.rst
similarity index 89%
rename from doc/source/stig-notes/V-38570_developer.rst
rename to doc/metadata/rhel6/V-38569.rst
index 344697e5..cd165127 100644
--- a/doc/source/stig-notes/V-38570_developer.rst
+++ b/doc/metadata/rhel6/V-38569.rst
@@ -1,3 +1,9 @@
+---
+id: V-38569
+status: exception
+tag: misc
+---
+
**Exception**
Password complexity requirements are left up to the deployer. Deployers are
diff --git a/doc/source/stig-notes/V-38571_developer.rst b/doc/metadata/rhel6/V-38570.rst
similarity index 89%
rename from doc/source/stig-notes/V-38571_developer.rst
rename to doc/metadata/rhel6/V-38570.rst
index 344697e5..3b0d443f 100644
--- a/doc/source/stig-notes/V-38571_developer.rst
+++ b/doc/metadata/rhel6/V-38570.rst
@@ -1,3 +1,9 @@
+---
+id: V-38570
+status: exception
+tag: misc
+---
+
**Exception**
Password complexity requirements are left up to the deployer. Deployers are
diff --git a/doc/source/stig-notes/V-38482_developer.rst b/doc/metadata/rhel6/V-38571.rst
similarity index 89%
rename from doc/source/stig-notes/V-38482_developer.rst
rename to doc/metadata/rhel6/V-38571.rst
index 344697e5..89005ed6 100644
--- a/doc/source/stig-notes/V-38482_developer.rst
+++ b/doc/metadata/rhel6/V-38571.rst
@@ -1,3 +1,9 @@
+---
+id: V-38571
+status: exception
+tag: misc
+---
+
**Exception**
Password complexity requirements are left up to the deployer. Deployers are
diff --git a/doc/metadata/rhel6/V-38572.rst b/doc/metadata/rhel6/V-38572.rst
new file mode 100644
index 00000000..11b2becd
--- /dev/null
+++ b/doc/metadata/rhel6/V-38572.rst
@@ -0,0 +1,16 @@
+---
+id: V-38572
+status: exception
+tag: misc
+---
+
+**Exception**
+
+Password complexity requirements are left up to the deployer. Deployers are
+urged to rely on SSH keys as often as possible to avoid problems with
+passwords.
+
+Review the pam_cracklib documentation by running ``man pam_cracklib`` or
+read the `detailed documentation from Hal Pomeranz`_.
+
+.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
diff --git a/doc/source/stig-notes/V-38501_developer.rst b/doc/metadata/rhel6/V-38573.rst
similarity index 97%
rename from doc/source/stig-notes/V-38501_developer.rst
rename to doc/metadata/rhel6/V-38573.rst
index 51220cf4..ffb2dbb8 100644
--- a/doc/source/stig-notes/V-38501_developer.rst
+++ b/doc/metadata/rhel6/V-38573.rst
@@ -1,3 +1,9 @@
+---
+id: V-38573
+status: exception
+tag: misc
+---
+
**Exception and opt-in alternative**
Adjusting PAM configurations is very risky since it affects how all users
diff --git a/doc/source/stig-notes/V-38574_developer.rst b/doc/metadata/rhel6/V-38574.rst
similarity index 92%
rename from doc/source/stig-notes/V-38574_developer.rst
rename to doc/metadata/rhel6/V-38574.rst
index 6f75a7cf..e348b511 100644
--- a/doc/source/stig-notes/V-38574_developer.rst
+++ b/doc/metadata/rhel6/V-38574.rst
@@ -1,3 +1,9 @@
+---
+id: V-38574
+status: implemented
+tag: misc
+---
+
The STIG requires SHA512 to be used for hashing password since it is
in the list of FIPS 140-2 approved hashing algorithms. This is also the
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
diff --git a/doc/source/stig-notes/V-38575_developer.rst b/doc/metadata/rhel6/V-38575.rst
similarity index 89%
rename from doc/source/stig-notes/V-38575_developer.rst
rename to doc/metadata/rhel6/V-38575.rst
index cdf6866e..92678d78 100644
--- a/doc/source/stig-notes/V-38575_developer.rst
+++ b/doc/metadata/rhel6/V-38575.rst
@@ -1,3 +1,9 @@
+---
+id: V-38575
+status: exception
+tag: misc
+---
+
**Exception**
The audit rules for monitoring deleted files can cause very high system load
diff --git a/doc/source/stig-notes/V-38576_developer.rst b/doc/metadata/rhel6/V-38576.rst
similarity index 91%
rename from doc/source/stig-notes/V-38576_developer.rst
rename to doc/metadata/rhel6/V-38576.rst
index 5221492b..acd24a64 100644
--- a/doc/source/stig-notes/V-38576_developer.rst
+++ b/doc/metadata/rhel6/V-38576.rst
@@ -1,3 +1,9 @@
+---
+id: V-38576
+status: implemented
+tag: misc
+---
+
The STIG requires SHA512 to be used for hashing password since it is
in the list of FIPS 140-2 approved hashing algorithms. This is also the
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
diff --git a/doc/source/stig-notes/V-38577_developer.rst b/doc/metadata/rhel6/V-38577.rst
similarity index 94%
rename from doc/source/stig-notes/V-38577_developer.rst
rename to doc/metadata/rhel6/V-38577.rst
index 15427cd6..b9027082 100644
--- a/doc/source/stig-notes/V-38577_developer.rst
+++ b/doc/metadata/rhel6/V-38577.rst
@@ -1,3 +1,9 @@
+---
+id: V-38577
+status: implemented
+tag: misc
+---
+
The STIG requires SHA512 to be used for hashing password since it is
in the list of FIPS 140-2 approved hashing algorithms. This is also the
default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
diff --git a/doc/source/stig-notes/V-38578_developer.rst b/doc/metadata/rhel6/V-38578.rst
similarity index 51%
rename from doc/source/stig-notes/V-38578_developer.rst
rename to doc/metadata/rhel6/V-38578.rst
index 4e89e176..3a7115c9 100644
--- a/doc/source/stig-notes/V-38578_developer.rst
+++ b/doc/metadata/rhel6/V-38578.rst
@@ -1 +1,7 @@
+---
+id: V-38578
+status: implemented
+tag: misc
+---
+
Rules are added to audit changes to ``/etc/sudoers``.
diff --git a/doc/source/stig-notes/V-38579_developer.rst b/doc/metadata/rhel6/V-38579.rst
similarity index 89%
rename from doc/source/stig-notes/V-38579_developer.rst
rename to doc/metadata/rhel6/V-38579.rst
index cf6fbbb5..89972ecd 100644
--- a/doc/source/stig-notes/V-38579_developer.rst
+++ b/doc/metadata/rhel6/V-38579.rst
@@ -1,3 +1,9 @@
+---
+id: V-38579
+status: implemented
+tag: misc
+---
+
Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default.
The Ansible task will ensure that the secure default is maintained.
diff --git a/doc/source/stig-notes/V-38580_developer.rst b/doc/metadata/rhel6/V-38580.rst
similarity index 66%
rename from doc/source/stig-notes/V-38580_developer.rst
rename to doc/metadata/rhel6/V-38580.rst
index e1f619f4..b6a53b73 100644
--- a/doc/source/stig-notes/V-38580_developer.rst
+++ b/doc/metadata/rhel6/V-38580.rst
@@ -1,2 +1,8 @@
+---
+id: V-38580
+status: implemented
+tag: misc
+---
+
Rules will be added to auditd so that any kernel module loading or unloading
events will be logged.
diff --git a/doc/source/stig-notes/V-38581_developer.rst b/doc/metadata/rhel6/V-38581.rst
similarity index 58%
rename from doc/source/stig-notes/V-38581_developer.rst
rename to doc/metadata/rhel6/V-38581.rst
index f602bf2d..e7a9dc78 100644
--- a/doc/source/stig-notes/V-38581_developer.rst
+++ b/doc/metadata/rhel6/V-38581.rst
@@ -1 +1,7 @@
+---
+id: V-38581
+status: implemented
+tag: misc
+---
+
The group ownership for ``/boot/grub/grub.cfg`` will be set to `root`.
diff --git a/doc/source/stig-notes/V-38582_developer.rst b/doc/metadata/rhel6/V-38582.rst
similarity index 85%
rename from doc/source/stig-notes/V-38582_developer.rst
rename to doc/metadata/rhel6/V-38582.rst
index 6a133b18..30296bc6 100644
--- a/doc/source/stig-notes/V-38582_developer.rst
+++ b/doc/metadata/rhel6/V-38582.rst
@@ -1,3 +1,9 @@
+---
+id: V-38582
+status: implemented
+tag: misc
+---
+
If the ``xinetd`` package is installed, it will be stopped immediately and
will not start on the next boot. No action is taken if xinetd isn't installed.
diff --git a/doc/source/stig-notes/V-38583_developer.rst b/doc/metadata/rhel6/V-38583.rst
similarity index 88%
rename from doc/source/stig-notes/V-38583_developer.rst
rename to doc/metadata/rhel6/V-38583.rst
index d64107b9..d41b73a9 100644
--- a/doc/source/stig-notes/V-38583_developer.rst
+++ b/doc/metadata/rhel6/V-38583.rst
@@ -1,3 +1,9 @@
+---
+id: V-38583
+status: exception
+tag: misc
+---
+
**Exception for grub2**
For Ubuntu 14.04, the permissions on ``/boot/grub/grub.cfg`` will be set to
diff --git a/doc/source/stig-notes/V-38584_developer.rst b/doc/metadata/rhel6/V-38584.rst
similarity index 80%
rename from doc/source/stig-notes/V-38584_developer.rst
rename to doc/metadata/rhel6/V-38584.rst
index c1fb4d40..cb3e10be 100644
--- a/doc/source/stig-notes/V-38584_developer.rst
+++ b/doc/metadata/rhel6/V-38584.rst
@@ -1,3 +1,9 @@
+---
+id: V-38584
+status: implemented
+tag: misc
+---
+
The ``xinetd`` service will be removed by the Ansible tasks, if it is
installed. To opt-out of this change, adjust the following variable
to ``no``:
diff --git a/doc/source/stig-notes/V-38585_developer.rst b/doc/metadata/rhel6/V-38585.rst
similarity index 86%
rename from doc/source/stig-notes/V-38585_developer.rst
rename to doc/metadata/rhel6/V-38585.rst
index a741c460..cfddc354 100644
--- a/doc/source/stig-notes/V-38585_developer.rst
+++ b/doc/metadata/rhel6/V-38585.rst
@@ -1,3 +1,9 @@
+---
+id: V-38585
+status: exception
+tag: misc
+---
+
**Exception**
Configuring a password for the bootloader is left up to the deployer to
diff --git a/doc/source/stig-notes/V-38586_developer.rst b/doc/metadata/rhel6/V-38586.rst
similarity index 87%
rename from doc/source/stig-notes/V-38586_developer.rst
rename to doc/metadata/rhel6/V-38586.rst
index be76e902..deb465cd 100644
--- a/doc/source/stig-notes/V-38586_developer.rst
+++ b/doc/metadata/rhel6/V-38586.rst
@@ -1,3 +1,9 @@
+---
+id: V-38586
+status: exception
+tag: misc
+---
+
**Exception**
As with V-38585, this is left to the deployer to configure bassed on their
diff --git a/doc/source/stig-notes/V-38587_developer.rst b/doc/metadata/rhel6/V-38587.rst
similarity index 80%
rename from doc/source/stig-notes/V-38587_developer.rst
rename to doc/metadata/rhel6/V-38587.rst
index 1c2b872a..6895c6bf 100644
--- a/doc/source/stig-notes/V-38587_developer.rst
+++ b/doc/metadata/rhel6/V-38587.rst
@@ -1,3 +1,9 @@
+---
+id: V-38587
+status: implemented
+tag: misc
+---
+
The ``telnetd`` service will be removed by the Ansible tasks, if it is
installed. To opt-out of this change, adjust the following variable
to ``no``:
diff --git a/doc/source/stig-notes/V-38588_developer.rst b/doc/metadata/rhel6/V-38588.rst
similarity index 78%
rename from doc/source/stig-notes/V-38588_developer.rst
rename to doc/metadata/rhel6/V-38588.rst
index 029f79e5..3d4012bb 100644
--- a/doc/source/stig-notes/V-38588_developer.rst
+++ b/doc/metadata/rhel6/V-38588.rst
@@ -1,3 +1,9 @@
+---
+id: V-38588
+status: exception
+tag: misc
+---
+
**Exception**
As with V-38585, this configuration is left up to the deployer to determine
diff --git a/doc/source/stig-notes/V-38589_developer.rst b/doc/metadata/rhel6/V-38589.rst
similarity index 83%
rename from doc/source/stig-notes/V-38589_developer.rst
rename to doc/metadata/rhel6/V-38589.rst
index 1d12ee3c..fcfd8e3d 100644
--- a/doc/source/stig-notes/V-38589_developer.rst
+++ b/doc/metadata/rhel6/V-38589.rst
@@ -1,3 +1,9 @@
+---
+id: V-38589
+status: implemented
+tag: misc
+---
+
**Fixed by V-38587**
Running a telnet daemon isn't recommended under most situations, so the telnet
diff --git a/doc/source/stig-notes/V-38590_developer.rst b/doc/metadata/rhel6/V-38590.rst
similarity index 90%
rename from doc/source/stig-notes/V-38590_developer.rst
rename to doc/metadata/rhel6/V-38590.rst
index 4662bf00..f09e374e 100644
--- a/doc/source/stig-notes/V-38590_developer.rst
+++ b/doc/metadata/rhel6/V-38590.rst
@@ -1,3 +1,9 @@
+---
+id: V-38590
+status: exception
+tag: misc
+---
+
**Exception**
While providing text screen locking does add additional security, deployers
diff --git a/doc/source/stig-notes/V-38591_developer.rst b/doc/metadata/rhel6/V-38591.rst
similarity index 80%
rename from doc/source/stig-notes/V-38591_developer.rst
rename to doc/metadata/rhel6/V-38591.rst
index a6762c42..1a1e75db 100644
--- a/doc/source/stig-notes/V-38591_developer.rst
+++ b/doc/metadata/rhel6/V-38591.rst
@@ -1,3 +1,9 @@
+---
+id: V-38591
+status: implemented
+tag: misc
+---
+
The ``rshd`` service will be removed by the Ansible tasks, if it is
installed. To opt-out of this change, adjust the following variable
to ``no``:
diff --git a/doc/source/stig-notes/V-38592_developer.rst b/doc/metadata/rhel6/V-38592.rst
similarity index 88%
rename from doc/source/stig-notes/V-38592_developer.rst
rename to doc/metadata/rhel6/V-38592.rst
index 0ec38280..255960a8 100644
--- a/doc/source/stig-notes/V-38592_developer.rst
+++ b/doc/metadata/rhel6/V-38592.rst
@@ -1,3 +1,9 @@
+---
+id: V-38592
+status: exception
+tag: misc
+---
+
**Exception**
Adjusting PAM configurations on a running system carries a fair amount of risk,
diff --git a/doc/source/stig-notes/V-38593_developer.rst b/doc/metadata/rhel6/V-38593.rst
similarity index 73%
rename from doc/source/stig-notes/V-38593_developer.rst
rename to doc/metadata/rhel6/V-38593.rst
index bd1a290a..9bfdca1d 100644
--- a/doc/source/stig-notes/V-38593_developer.rst
+++ b/doc/metadata/rhel6/V-38593.rst
@@ -1,2 +1,8 @@
+---
+id: V-38593
+status: implemented
+tag: misc
+---
+
A default warning banner will replace the contents of ``/etc/issue.net``. To
configure the banner, simply edit ``files/login_banner.txt``.
diff --git a/doc/source/stig-notes/V-38594_developer.rst b/doc/metadata/rhel6/V-38594.rst
similarity index 83%
rename from doc/source/stig-notes/V-38594_developer.rst
rename to doc/metadata/rhel6/V-38594.rst
index 3720e8f3..c29db4b0 100644
--- a/doc/source/stig-notes/V-38594_developer.rst
+++ b/doc/metadata/rhel6/V-38594.rst
@@ -1,3 +1,9 @@
+---
+id: V-38594
+status: implemented
+tag: misc
+---
+
**Fixed by V-38591**
Running a rsh daemon isn't recommended under most situations, so the rsh server
diff --git a/doc/source/stig-notes/V-38595_developer.rst b/doc/metadata/rhel6/V-38595.rst
similarity index 71%
rename from doc/source/stig-notes/V-38595_developer.rst
rename to doc/metadata/rhel6/V-38595.rst
index bd257e6a..50060386 100644
--- a/doc/source/stig-notes/V-38595_developer.rst
+++ b/doc/metadata/rhel6/V-38595.rst
@@ -1,3 +1,9 @@
+---
+id: V-38595
+status: exception
+tag: misc
+---
+
**Exception**
Use of additional factors for authentication is left up to the deployer, but
diff --git a/doc/source/stig-notes/V-38596_developer.rst b/doc/metadata/rhel6/V-38596.rst
similarity index 81%
rename from doc/source/stig-notes/V-38596_developer.rst
rename to doc/metadata/rhel6/V-38596.rst
index 0af84334..a5f157ae 100644
--- a/doc/source/stig-notes/V-38596_developer.rst
+++ b/doc/metadata/rhel6/V-38596.rst
@@ -1,3 +1,9 @@
+---
+id: V-38596
+status: implemented
+tag: misc
+---
+
The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and
will also ensure that the setting is applied on the next boot. This setting
is currently the default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
diff --git a/doc/source/stig-notes/V-38597_developer.rst b/doc/metadata/rhel6/V-38597.rst
similarity index 85%
rename from doc/source/stig-notes/V-38597_developer.rst
rename to doc/metadata/rhel6/V-38597.rst
index 57098070..96e435c1 100644
--- a/doc/source/stig-notes/V-38597_developer.rst
+++ b/doc/metadata/rhel6/V-38597.rst
@@ -1,3 +1,9 @@
+---
+id: V-38597
+status: implemented
+tag: misc
+---
+
Non-Executable Memory (NX) is the successor to ExecShield, and it is enabled by
default on Ubuntu 14.04, Ubuntu 16.04, and CentOS 7.
diff --git a/doc/source/stig-notes/V-38598_developer.rst b/doc/metadata/rhel6/V-38598.rst
similarity index 88%
rename from doc/source/stig-notes/V-38598_developer.rst
rename to doc/metadata/rhel6/V-38598.rst
index 894df0a1..82cff4c2 100644
--- a/doc/source/stig-notes/V-38598_developer.rst
+++ b/doc/metadata/rhel6/V-38598.rst
@@ -1,3 +1,9 @@
+---
+id: V-38598
+status: implemented
+tag: misc
+---
+
**Fixed by V-38591**
On Ubuntu, the ``rexecd`` daemon is part of the package that contains the
diff --git a/doc/source/stig-notes/V-38599_developer.rst b/doc/metadata/rhel6/V-38599.rst
similarity index 81%
rename from doc/source/stig-notes/V-38599_developer.rst
rename to doc/metadata/rhel6/V-38599.rst
index fdf2b51c..1be08353 100644
--- a/doc/source/stig-notes/V-38599_developer.rst
+++ b/doc/metadata/rhel6/V-38599.rst
@@ -1,3 +1,9 @@
+---
+id: V-38599
+status: implemented
+tag: misc
+---
+
If the ``vsftpd`` package is installed, a login banner will be applied so that
users will see if after logging in. This package isn't installed by default
in Ubuntu 14.04 and it isn't installed by openstack-ansible either.
diff --git a/doc/source/stig-notes/V-38600_developer.rst b/doc/metadata/rhel6/V-38600.rst
similarity index 83%
rename from doc/source/stig-notes/V-38600_developer.rst
rename to doc/metadata/rhel6/V-38600.rst
index 3e5634dc..19957933 100644
--- a/doc/source/stig-notes/V-38600_developer.rst
+++ b/doc/metadata/rhel6/V-38600.rst
@@ -1,3 +1,9 @@
+---
+id: V-38600
+status: implemented
+tag: misc
+---
+
The Ansible tasks will disable the sending of ICMPv4 redirects by setting
the sysctl variable ``net.ipv4.conf.default.send_redirects=0``. However,
bridging still requires redirects to be enabled, so those interfaces won't
diff --git a/doc/source/stig-notes/V-38601_developer.rst b/doc/metadata/rhel6/V-38601.rst
similarity index 50%
rename from doc/source/stig-notes/V-38601_developer.rst
rename to doc/metadata/rhel6/V-38601.rst
index 9bb669db..3cd776d5 100644
--- a/doc/source/stig-notes/V-38601_developer.rst
+++ b/doc/metadata/rhel6/V-38601.rst
@@ -1 +1,7 @@
+---
+id: V-38601
+status: implemented
+tag: misc
+---
+
See the documentation for V-38600 for more details.
diff --git a/doc/source/stig-notes/V-38602_developer.rst b/doc/metadata/rhel6/V-38602.rst
similarity index 88%
rename from doc/source/stig-notes/V-38602_developer.rst
rename to doc/metadata/rhel6/V-38602.rst
index b657301f..2b1317b8 100644
--- a/doc/source/stig-notes/V-38602_developer.rst
+++ b/doc/metadata/rhel6/V-38602.rst
@@ -1,3 +1,9 @@
+---
+id: V-38602
+status: implemented
+tag: misc
+---
+
**Fixed by V-38591**
In Ubuntu, the ``rlogind`` daemon is part of the package that contains the
diff --git a/doc/source/stig-notes/V-38603_developer.rst b/doc/metadata/rhel6/V-38603.rst
similarity index 87%
rename from doc/source/stig-notes/V-38603_developer.rst
rename to doc/metadata/rhel6/V-38603.rst
index a77ce713..01697944 100644
--- a/doc/source/stig-notes/V-38603_developer.rst
+++ b/doc/metadata/rhel6/V-38603.rst
@@ -1,3 +1,9 @@
+---
+id: V-38603
+status: implemented
+tag: misc
+---
+
This packages is named differently depending on the Linux distribution:
* Ubuntu 14.04: ``nis``
diff --git a/doc/source/stig-notes/V-38604_developer.rst b/doc/metadata/rhel6/V-38604.rst
similarity index 55%
rename from doc/source/stig-notes/V-38604_developer.rst
rename to doc/metadata/rhel6/V-38604.rst
index 0cc02333..6c7874d7 100644
--- a/doc/source/stig-notes/V-38604_developer.rst
+++ b/doc/metadata/rhel6/V-38604.rst
@@ -1 +1,7 @@
+---
+id: V-38604
+status: implemented
+tag: misc
+---
+
The ``ypbind`` service is removed entirely as part of V-38603.
diff --git a/doc/source/stig-notes/V-38605_developer.rst b/doc/metadata/rhel6/V-38605.rst
similarity index 83%
rename from doc/source/stig-notes/V-38605_developer.rst
rename to doc/metadata/rhel6/V-38605.rst
index 22cba2b1..13e60799 100644
--- a/doc/source/stig-notes/V-38605_developer.rst
+++ b/doc/metadata/rhel6/V-38605.rst
@@ -1,3 +1,9 @@
+---
+id: V-38605
+status: implemented
+tag: misc
+---
+
The ``cron`` service is running by default in Ubuntu 14.04, Ubuntu 16.04, and
CentOS 7. It is required for various OpenStack services to function properly.
The Ansible tasks in this role will ensure that ``cron`` is running and is
diff --git a/doc/source/stig-notes/V-38606_developer.rst b/doc/metadata/rhel6/V-38606.rst
similarity index 88%
rename from doc/source/stig-notes/V-38606_developer.rst
rename to doc/metadata/rhel6/V-38606.rst
index e299c0ff..32e5e06d 100644
--- a/doc/source/stig-notes/V-38606_developer.rst
+++ b/doc/metadata/rhel6/V-38606.rst
@@ -1,3 +1,9 @@
+---
+id: V-38606
+status: implemented
+tag: misc
+---
+
The package containing the tftp daemon has different names depending on the
Linux distribution:
diff --git a/doc/source/stig-notes/V-38607_developer.rst b/doc/metadata/rhel6/V-38607.rst
similarity index 66%
rename from doc/source/stig-notes/V-38607_developer.rst
rename to doc/metadata/rhel6/V-38607.rst
index 0413ccae..83ffafa4 100644
--- a/doc/source/stig-notes/V-38607_developer.rst
+++ b/doc/metadata/rhel6/V-38607.rst
@@ -1,2 +1,8 @@
+---
+id: V-38607
+status: implemented
+tag: misc
+---
+
The tasks in ``sshd.yml`` will ensure that SSH requires all connections to use
protocol version 2.
diff --git a/doc/source/stig-notes/V-38608_developer.rst b/doc/metadata/rhel6/V-38608.rst
similarity index 87%
rename from doc/source/stig-notes/V-38608_developer.rst
rename to doc/metadata/rhel6/V-38608.rst
index 204794a0..f12c65da 100644
--- a/doc/source/stig-notes/V-38608_developer.rst
+++ b/doc/metadata/rhel6/V-38608.rst
@@ -1,3 +1,9 @@
+---
+id: V-38608
+status: implemented
+tag: misc
+---
+
The ``ClientAliveInterval`` in the ssh configuration will be set to 15 minutes
as recommended by the STIG. However, this time is configurable by setting
``security_ssh_client_alive_interval`` to another value, in seconds.
diff --git a/doc/source/stig-notes/V-38609_developer.rst b/doc/metadata/rhel6/V-38609.rst
similarity index 57%
rename from doc/source/stig-notes/V-38609_developer.rst
rename to doc/metadata/rhel6/V-38609.rst
index 60b49792..cf382b47 100644
--- a/doc/source/stig-notes/V-38609_developer.rst
+++ b/doc/metadata/rhel6/V-38609.rst
@@ -1 +1,7 @@
+---
+id: V-38609
+status: implemented
+tag: misc
+---
+
The package containing the ``tftpd`` service is removed by V-38606.
diff --git a/doc/source/stig-notes/V-38610_developer.rst b/doc/metadata/rhel6/V-38610.rst
similarity index 85%
rename from doc/source/stig-notes/V-38610_developer.rst
rename to doc/metadata/rhel6/V-38610.rst
index 59acaebc..9e837b8f 100644
--- a/doc/source/stig-notes/V-38610_developer.rst
+++ b/doc/metadata/rhel6/V-38610.rst
@@ -1,3 +1,9 @@
+---
+id: V-38610
+status: implemented
+tag: misc
+---
+
The STIG recommends setting ``ClientAliveCountMax`` to ensure that ssh
connections will close after reaching the ``ClientAliveInterval`` one
time. To change this setting, simply change this configuration option
diff --git a/doc/source/stig-notes/V-38611_developer.rst b/doc/metadata/rhel6/V-38611.rst
similarity index 79%
rename from doc/source/stig-notes/V-38611_developer.rst
rename to doc/metadata/rhel6/V-38611.rst
index d340df83..11066b8d 100644
--- a/doc/source/stig-notes/V-38611_developer.rst
+++ b/doc/metadata/rhel6/V-38611.rst
@@ -1,3 +1,9 @@
+---
+id: V-38611
+status: implemented
+tag: misc
+---
+
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 configure the ssh daemon so that rsh's
.rhosts files are ignored by default. The Ansible tasks will ensure that this
setting has not changed from the default.
diff --git a/doc/source/stig-notes/V-38612_developer.rst b/doc/metadata/rhel6/V-38612.rst
similarity index 67%
rename from doc/source/stig-notes/V-38612_developer.rst
rename to doc/metadata/rhel6/V-38612.rst
index af6a2b9d..1fd92eb4 100644
--- a/doc/source/stig-notes/V-38612_developer.rst
+++ b/doc/metadata/rhel6/V-38612.rst
@@ -1,2 +1,8 @@
+---
+id: V-38612
+status: implemented
+tag: misc
+---
+
The Ansible tasks in the security role ensure that the ssh daemon does not
allow host based authentication.
diff --git a/doc/source/stig-notes/V-38613_developer.rst b/doc/metadata/rhel6/V-38613.rst
similarity index 92%
rename from doc/source/stig-notes/V-38613_developer.rst
rename to doc/metadata/rhel6/V-38613.rst
index 28ba14d7..21b5ae2a 100644
--- a/doc/source/stig-notes/V-38613_developer.rst
+++ b/doc/metadata/rhel6/V-38613.rst
@@ -1,3 +1,9 @@
+---
+id: V-38613
+status: implemented
+tag: misc
+---
+
Although the STIG recommends disabling root logins via ssh, the default in
this role is to allow it. The openstack-ansible deployment uses the root
user by default at this time, but that may change later and allow for this
diff --git a/doc/source/stig-notes/V-38614_developer.rst b/doc/metadata/rhel6/V-38614.rst
similarity index 60%
rename from doc/source/stig-notes/V-38614_developer.rst
rename to doc/metadata/rhel6/V-38614.rst
index 100fdd15..dec8b269 100644
--- a/doc/source/stig-notes/V-38614_developer.rst
+++ b/doc/metadata/rhel6/V-38614.rst
@@ -1 +1,7 @@
+---
+id: V-38614
+status: implemented
+tag: misc
+---
+
The tasks in ``sshd.yml`` will ensure that SSH does not allow empty passwords.
diff --git a/doc/source/stig-notes/V-38615_developer.rst b/doc/metadata/rhel6/V-38615.rst
similarity index 75%
rename from doc/source/stig-notes/V-38615_developer.rst
rename to doc/metadata/rhel6/V-38615.rst
index 702271dd..15cce350 100644
--- a/doc/source/stig-notes/V-38615_developer.rst
+++ b/doc/metadata/rhel6/V-38615.rst
@@ -1,3 +1,9 @@
+---
+id: V-38615
+status: implemented
+tag: misc
+---
+
The ssh daemon will be configured so that a warning banner will be displayed
after login. To configure the banner, edit the ``files/login_banner.txt``
file.
diff --git a/doc/source/stig-notes/V-38616_developer.rst b/doc/metadata/rhel6/V-38616.rst
similarity index 73%
rename from doc/source/stig-notes/V-38616_developer.rst
rename to doc/metadata/rhel6/V-38616.rst
index 50c8e6cf..cec16957 100644
--- a/doc/source/stig-notes/V-38616_developer.rst
+++ b/doc/metadata/rhel6/V-38616.rst
@@ -1,2 +1,8 @@
+---
+id: V-38616
+status: implemented
+tag: misc
+---
+
The ssh daemon will be configured to disallow user environment settings that
may allow users to bypass access restrictions in some cases.
diff --git a/doc/source/stig-notes/V-38617_developer.rst b/doc/metadata/rhel6/V-38617.rst
similarity index 65%
rename from doc/source/stig-notes/V-38617_developer.rst
rename to doc/metadata/rhel6/V-38617.rst
index 072acace..b0747522 100644
--- a/doc/source/stig-notes/V-38617_developer.rst
+++ b/doc/metadata/rhel6/V-38617.rst
@@ -1,2 +1,8 @@
+---
+id: V-38617
+status: implemented
+tag: misc
+---
+
The ssh daemon will be configured to use the approved list of ciphers as
recommended by the STIG.
diff --git a/doc/source/stig-notes/V-38618_developer.rst b/doc/metadata/rhel6/V-38618.rst
similarity index 55%
rename from doc/source/stig-notes/V-38618_developer.rst
rename to doc/metadata/rhel6/V-38618.rst
index 14531666..bf48e046 100644
--- a/doc/source/stig-notes/V-38618_developer.rst
+++ b/doc/metadata/rhel6/V-38618.rst
@@ -1 +1,7 @@
+---
+id: V-38618
+status: implemented
+tag: misc
+---
+
The avahi daemon will be disabled if the package is installed.
diff --git a/doc/source/stig-notes/V-38619_developer.rst b/doc/metadata/rhel6/V-38619.rst
similarity index 72%
rename from doc/source/stig-notes/V-38619_developer.rst
rename to doc/metadata/rhel6/V-38619.rst
index d7b6b1f7..4b27f4a9 100644
--- a/doc/source/stig-notes/V-38619_developer.rst
+++ b/doc/metadata/rhel6/V-38619.rst
@@ -1,2 +1,8 @@
+---
+id: V-38619
+status: implemented
+tag: misc
+---
+
The Ansible tasks will check for ``.netrc`` files in ``/root`` and
``/home`` on the system and print a failure warning if any are found.
diff --git a/doc/source/stig-notes/V-38620_developer.rst b/doc/metadata/rhel6/V-38620.rst
similarity index 94%
rename from doc/source/stig-notes/V-38620_developer.rst
rename to doc/metadata/rhel6/V-38620.rst
index 5de1db52..ab716357 100644
--- a/doc/source/stig-notes/V-38620_developer.rst
+++ b/doc/metadata/rhel6/V-38620.rst
@@ -1,3 +1,9 @@
+---
+id: V-38620
+status: implemented
+tag: misc
+---
+
The ``chrony`` service is installed to manage clock synchronization for hosts
and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd
because it's actively maintained and has some enhancements for virtualized
diff --git a/doc/source/stig-notes/V-38621_developer.rst b/doc/metadata/rhel6/V-38621.rst
similarity index 86%
rename from doc/source/stig-notes/V-38621_developer.rst
rename to doc/metadata/rhel6/V-38621.rst
index e1fa428b..0dd69d4e 100644
--- a/doc/source/stig-notes/V-38621_developer.rst
+++ b/doc/metadata/rhel6/V-38621.rst
@@ -1,3 +1,9 @@
+---
+id: V-38621
+status: implemented
+tag: misc
+---
+
**Fixed by another STIG**
The Ansible tasks for V-38620 will configure the ``chrony`` daemon and allow
diff --git a/doc/source/stig-notes/V-38622_developer.rst b/doc/metadata/rhel6/V-38622.rst
similarity index 94%
rename from doc/source/stig-notes/V-38622_developer.rst
rename to doc/metadata/rhel6/V-38622.rst
index 167f95cf..913853f4 100644
--- a/doc/source/stig-notes/V-38622_developer.rst
+++ b/doc/metadata/rhel6/V-38622.rst
@@ -1,3 +1,9 @@
+---
+id: V-38622
+status: implemented
+tag: misc
+---
+
The STIG requires that postfix only listens on the localhost so that it isn't
abused as a mail relay. The Ansible task will adjust the ``inet_interfaces``
line in the Postfix configuration and restart postfix if the line is changed.
diff --git a/doc/source/stig-notes/V-38623_developer.rst b/doc/metadata/rhel6/V-38623.rst
similarity index 89%
rename from doc/source/stig-notes/V-38623_developer.rst
rename to doc/metadata/rhel6/V-38623.rst
index fdd6ac32..20163520 100644
--- a/doc/source/stig-notes/V-38623_developer.rst
+++ b/doc/metadata/rhel6/V-38623.rst
@@ -1,3 +1,9 @@
+---
+id: V-38623
+status: implemented
+tag: misc
+---
+
The mode on rsyslog files is set to ``0640`` by default in Ubuntu 14.04 and
Ubuntu 16.04 by default. CentOS 7 sets the mode to ``0600`` by default. The
Ansible tasks will adjust the rsyslog configuration so that any new log files
diff --git a/doc/source/stig-notes/V-38624_developer.rst b/doc/metadata/rhel6/V-38624.rst
similarity index 86%
rename from doc/source/stig-notes/V-38624_developer.rst
rename to doc/metadata/rhel6/V-38624.rst
index 78090030..52c9a40f 100644
--- a/doc/source/stig-notes/V-38624_developer.rst
+++ b/doc/metadata/rhel6/V-38624.rst
@@ -1,3 +1,9 @@
+---
+id: V-38624
+status: implemented
+tag: misc
+---
+
The STIG requires that system logs are rotate daily, but the check only
involves verifying that logrotate is installed and activated by cron. The
openstack-ansible project already configures weekly log rotation with
diff --git a/doc/source/stig-notes/V-38625_developer.rst b/doc/metadata/rhel6/V-38625.rst
similarity index 89%
rename from doc/source/stig-notes/V-38625_developer.rst
rename to doc/metadata/rhel6/V-38625.rst
index c897b216..99e11a33 100644
--- a/doc/source/stig-notes/V-38625_developer.rst
+++ b/doc/metadata/rhel6/V-38625.rst
@@ -1,3 +1,9 @@
+---
+id: V-38625
+status: exception
+tag: misc
+---
+
**Exception**
Deployers that use LDAP authentication for systems are strongly urged to use
diff --git a/doc/source/stig-notes/V-38626_developer.rst b/doc/metadata/rhel6/V-38626.rst
similarity index 89%
rename from doc/source/stig-notes/V-38626_developer.rst
rename to doc/metadata/rhel6/V-38626.rst
index c897b216..e655ea98 100644
--- a/doc/source/stig-notes/V-38626_developer.rst
+++ b/doc/metadata/rhel6/V-38626.rst
@@ -1,3 +1,9 @@
+---
+id: V-38626
+status: exception
+tag: misc
+---
+
**Exception**
Deployers that use LDAP authentication for systems are strongly urged to use
diff --git a/doc/source/stig-notes/V-38627_developer.rst b/doc/metadata/rhel6/V-38627.rst
similarity index 84%
rename from doc/source/stig-notes/V-38627_developer.rst
rename to doc/metadata/rhel6/V-38627.rst
index b45a6c4b..06e86b4c 100644
--- a/doc/source/stig-notes/V-38627_developer.rst
+++ b/doc/metadata/rhel6/V-38627.rst
@@ -1,3 +1,9 @@
+---
+id: V-38627
+status: implemented
+tag: misc
+---
+
The STIG requires that any LDAP server packages on the system are removed.
The Ansible role will remove ``slapd`` from the server if it is present.
diff --git a/doc/metadata/rhel6/V-38628.rst b/doc/metadata/rhel6/V-38628.rst
new file mode 100644
index 00000000..5a18ebff
--- /dev/null
+++ b/doc/metadata/rhel6/V-38628.rst
@@ -0,0 +1,7 @@
+---
+id: V-38628
+status: implemented
+tag: misc
+---
+
+This STIG requirement overlaps with V-38632.
diff --git a/doc/source/stig-notes/V-38629_developer.rst b/doc/metadata/rhel6/V-38629.rst
similarity index 81%
rename from doc/source/stig-notes/V-38629_developer.rst
rename to doc/metadata/rhel6/V-38629.rst
index 4828fe1e..311495bf 100644
--- a/doc/source/stig-notes/V-38629_developer.rst
+++ b/doc/metadata/rhel6/V-38629.rst
@@ -1,3 +1,9 @@
+---
+id: V-38629
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are urged to use graphical desktops only on client machines that
diff --git a/doc/source/stig-notes/V-38630_developer.rst b/doc/metadata/rhel6/V-38630.rst
similarity index 81%
rename from doc/source/stig-notes/V-38630_developer.rst
rename to doc/metadata/rhel6/V-38630.rst
index 4828fe1e..fe4cca62 100644
--- a/doc/source/stig-notes/V-38630_developer.rst
+++ b/doc/metadata/rhel6/V-38630.rst
@@ -1,3 +1,9 @@
+---
+id: V-38630
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are urged to use graphical desktops only on client machines that
diff --git a/doc/metadata/rhel6/V-38631.rst b/doc/metadata/rhel6/V-38631.rst
new file mode 100644
index 00000000..cfdfef70
--- /dev/null
+++ b/doc/metadata/rhel6/V-38631.rst
@@ -0,0 +1,7 @@
+---
+id: V-38631
+status: implemented
+tag: misc
+---
+
+This STIG requirement overlaps with V-38632.
diff --git a/doc/source/stig-notes/V-38632_developer.rst b/doc/metadata/rhel6/V-38632.rst
similarity index 70%
rename from doc/source/stig-notes/V-38632_developer.rst
rename to doc/metadata/rhel6/V-38632.rst
index 628e3852..d006a3b6 100644
--- a/doc/source/stig-notes/V-38632_developer.rst
+++ b/doc/metadata/rhel6/V-38632.rst
@@ -1,3 +1,9 @@
+---
+id: V-38632
+status: implemented
+tag: misc
+---
+
The tasks in auth.yml will install `auditd`_ and ensure it is running.
.. _auditd: http://people.redhat.com/sgrubb/audit/
diff --git a/doc/source/stig-notes/V-38633_developer.rst b/doc/metadata/rhel6/V-38633.rst
similarity index 89%
rename from doc/source/stig-notes/V-38633_developer.rst
rename to doc/metadata/rhel6/V-38633.rst
index 03553f64..ab01de9e 100644
--- a/doc/source/stig-notes/V-38633_developer.rst
+++ b/doc/metadata/rhel6/V-38633.rst
@@ -1,3 +1,9 @@
+---
+id: V-38633
+status: implemented
+tag: misc
+---
+
The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu
16.04, and CentOS 7 matches the STIG requirement of rotating logs when they
reach 6MB. The Ansible task for this STIG requirement ensures that the secure
diff --git a/doc/source/stig-notes/V-38634_developer.rst b/doc/metadata/rhel6/V-38634.rst
similarity index 90%
rename from doc/source/stig-notes/V-38634_developer.rst
rename to doc/metadata/rhel6/V-38634.rst
index 4d7adaa7..c2d5cc88 100644
--- a/doc/source/stig-notes/V-38634_developer.rst
+++ b/doc/metadata/rhel6/V-38634.rst
@@ -1,3 +1,9 @@
+---
+id: V-38634
+status: implemented
+tag: misc
+---
+
The default action for ``security_max_log_file_action`` on Ubuntu 14.04, Ubuntu
16.04, and CentOS 7 is to rotate the logs. This meets the STIG requirements and
the Ansible task will ensure that the secure default is maintained.
diff --git a/doc/source/stig-notes/V-38635_developer.rst b/doc/metadata/rhel6/V-38635.rst
similarity index 77%
rename from doc/source/stig-notes/V-38635_developer.rst
rename to doc/metadata/rhel6/V-38635.rst
index 0b3241ab..fb5d0d13 100644
--- a/doc/source/stig-notes/V-38635_developer.rst
+++ b/doc/metadata/rhel6/V-38635.rst
@@ -1,3 +1,9 @@
+---
+id: V-38635
+status: implemented
+tag: misc
+---
+
Audit rules are added in a task so that any events associated with altering
system time are logged. The new audit rule will be loaded immediately with
``augenrules --load``.
diff --git a/doc/source/stig-notes/V-38636_developer.rst b/doc/metadata/rhel6/V-38636.rst
similarity index 86%
rename from doc/source/stig-notes/V-38636_developer.rst
rename to doc/metadata/rhel6/V-38636.rst
index 06253ad8..2d73f947 100644
--- a/doc/source/stig-notes/V-38636_developer.rst
+++ b/doc/metadata/rhel6/V-38636.rst
@@ -1,3 +1,9 @@
+---
+id: V-38636
+status: implemented
+tag: misc
+---
+
Ubuntu keeps 5 rotated logs with the ``security_num_logs`` option and this
meets the STIG requirement. The Ansible task will ensure that the secure
default is maintained.
diff --git a/doc/source/stig-notes/V-38637_developer.rst b/doc/metadata/rhel6/V-38637.rst
similarity index 87%
rename from doc/source/stig-notes/V-38637_developer.rst
rename to doc/metadata/rhel6/V-38637.rst
index d11034a9..5d05b56a 100644
--- a/doc/source/stig-notes/V-38637_developer.rst
+++ b/doc/metadata/rhel6/V-38637.rst
@@ -1,3 +1,9 @@
+---
+id: V-38637
+status: implemented
+tag: misc
+---
+
The auditd package is verified with ``debsums`` in Ubuntu and with ``rpm`` in
CentOS. The playbook will fail immediately if any of the files from the auditd
package have been altered. This could be the sign of a system compromise.
diff --git a/doc/source/stig-notes/V-38638_developer.rst b/doc/metadata/rhel6/V-38638.rst
similarity index 81%
rename from doc/source/stig-notes/V-38638_developer.rst
rename to doc/metadata/rhel6/V-38638.rst
index 4828fe1e..da11ae34 100644
--- a/doc/source/stig-notes/V-38638_developer.rst
+++ b/doc/metadata/rhel6/V-38638.rst
@@ -1,3 +1,9 @@
+---
+id: V-38638
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are urged to use graphical desktops only on client machines that
diff --git a/doc/source/stig-notes/V-38639_developer.rst b/doc/metadata/rhel6/V-38639.rst
similarity index 81%
rename from doc/source/stig-notes/V-38639_developer.rst
rename to doc/metadata/rhel6/V-38639.rst
index 4828fe1e..919c4bc3 100644
--- a/doc/source/stig-notes/V-38639_developer.rst
+++ b/doc/metadata/rhel6/V-38639.rst
@@ -1,3 +1,9 @@
+---
+id: V-38639
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are urged to use graphical desktops only on client machines that
diff --git a/doc/source/stig-notes/V-38640_developer.rst b/doc/metadata/rhel6/V-38640.rst
similarity index 81%
rename from doc/source/stig-notes/V-38640_developer.rst
rename to doc/metadata/rhel6/V-38640.rst
index 94fd4e6e..76778afd 100644
--- a/doc/source/stig-notes/V-38640_developer.rst
+++ b/doc/metadata/rhel6/V-38640.rst
@@ -1,3 +1,9 @@
+---
+id: V-38640
+status: implemented
+tag: misc
+---
+
The Ansible tasks in the security role will disable the abrtd service and stop
the service immediately. To opt-out of this change, set the following Ansible
variable:
diff --git a/doc/source/stig-notes/V-38641_developer.rst b/doc/metadata/rhel6/V-38641.rst
similarity index 80%
rename from doc/source/stig-notes/V-38641_developer.rst
rename to doc/metadata/rhel6/V-38641.rst
index 50587459..590736ba 100644
--- a/doc/source/stig-notes/V-38641_developer.rst
+++ b/doc/metadata/rhel6/V-38641.rst
@@ -1,3 +1,9 @@
+---
+id: V-38641
+status: implemented
+tag: misc
+---
+
The Ansible tasks in the security role will disable the atd service and stop
the service immediately. To opt-out of this change, set the following Ansible
variable:
diff --git a/doc/source/stig-notes/V-38642_developer.rst b/doc/metadata/rhel6/V-38642.rst
similarity index 86%
rename from doc/source/stig-notes/V-38642_developer.rst
rename to doc/metadata/rhel6/V-38642.rst
index d9e24fa7..cbb8c98e 100644
--- a/doc/source/stig-notes/V-38642_developer.rst
+++ b/doc/metadata/rhel6/V-38642.rst
@@ -1,3 +1,9 @@
+---
+id: V-38642
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
The STIG requires that daemons have their umask set to ``027`` or ``022``.
diff --git a/doc/source/stig-notes/V-38643_developer.rst b/doc/metadata/rhel6/V-38643.rst
similarity index 94%
rename from doc/source/stig-notes/V-38643_developer.rst
rename to doc/metadata/rhel6/V-38643.rst
index f47d7db3..ab612f82 100644
--- a/doc/source/stig-notes/V-38643_developer.rst
+++ b/doc/metadata/rhel6/V-38643.rst
@@ -1,3 +1,9 @@
+---
+id: V-38643
+status: exception
+tag: misc
+---
+
**Exception**
Searching for world-writable files on a host deployed with openstack-ansible
diff --git a/doc/source/stig-notes/V-38644_developer.rst b/doc/metadata/rhel6/V-38644.rst
similarity index 73%
rename from doc/source/stig-notes/V-38644_developer.rst
rename to doc/metadata/rhel6/V-38644.rst
index 94ea3c0a..d33604d3 100644
--- a/doc/source/stig-notes/V-38644_developer.rst
+++ b/doc/metadata/rhel6/V-38644.rst
@@ -1,2 +1,8 @@
+---
+id: V-38644
+status: implemented
+tag: misc
+---
+
Time synchronization is added within the fixes for V-38620 (where ``chrony`` is
installed and configured). The ``ntpdate`` service is not used.
diff --git a/doc/source/stig-notes/V-38645_developer.rst b/doc/metadata/rhel6/V-38645.rst
similarity index 83%
rename from doc/source/stig-notes/V-38645_developer.rst
rename to doc/metadata/rhel6/V-38645.rst
index 5478d66f..dad263b0 100644
--- a/doc/source/stig-notes/V-38645_developer.rst
+++ b/doc/metadata/rhel6/V-38645.rst
@@ -1,3 +1,9 @@
+---
+id: V-38645
+status: exception
+tag: misc
+---
+
**Exception**
Changing umask settings can disrupt some systems and this change requires a
diff --git a/doc/source/stig-notes/V-38646_developer.rst b/doc/metadata/rhel6/V-38646.rst
similarity index 82%
rename from doc/source/stig-notes/V-38646_developer.rst
rename to doc/metadata/rhel6/V-38646.rst
index b0163c2d..4ebe4436 100644
--- a/doc/source/stig-notes/V-38646_developer.rst
+++ b/doc/metadata/rhel6/V-38646.rst
@@ -1,3 +1,9 @@
+---
+id: V-38646
+status: implemented
+tag: misc
+---
+
**Special case**
Very few environments run the ``oddjobd`` service, and those that do run it are
diff --git a/doc/source/stig-notes/V-38647_developer.rst b/doc/metadata/rhel6/V-38647.rst
similarity index 85%
rename from doc/source/stig-notes/V-38647_developer.rst
rename to doc/metadata/rhel6/V-38647.rst
index bf5b4e9d..ab0355a7 100644
--- a/doc/source/stig-notes/V-38647_developer.rst
+++ b/doc/metadata/rhel6/V-38647.rst
@@ -1,3 +1,9 @@
+---
+id: V-38647
+status: implemented
+tag: misc
+---
+
**Fixed by another STIG**
Ubuntu 14.04 doesn't use umask settings in ``/etc/profile``. Those settings
diff --git a/doc/source/stig-notes/V-38648_developer.rst b/doc/metadata/rhel6/V-38648.rst
similarity index 89%
rename from doc/source/stig-notes/V-38648_developer.rst
rename to doc/metadata/rhel6/V-38648.rst
index 5b7a43ee..257bc671 100644
--- a/doc/source/stig-notes/V-38648_developer.rst
+++ b/doc/metadata/rhel6/V-38648.rst
@@ -1,3 +1,9 @@
+---
+id: V-38648
+status: implemented
+tag: misc
+---
+
Although some OpenStack implementations use ``qpidd`` for their messaging hub,
neither Ubuntu or openstack-ansible configures the service on the hosts by
default. The Ansible task for this STIG will check to see if the init script
diff --git a/doc/source/stig-notes/V-38649_developer.rst b/doc/metadata/rhel6/V-38649.rst
similarity index 90%
rename from doc/source/stig-notes/V-38649_developer.rst
rename to doc/metadata/rhel6/V-38649.rst
index 5fbefb7f..8b3e1103 100644
--- a/doc/source/stig-notes/V-38649_developer.rst
+++ b/doc/metadata/rhel6/V-38649.rst
@@ -1,3 +1,9 @@
+---
+id: V-38649
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
Since umask changes can be disruptive on some systems, the deployer must opt-in
diff --git a/doc/source/stig-notes/V-38650_developer.rst b/doc/metadata/rhel6/V-38650.rst
similarity index 85%
rename from doc/source/stig-notes/V-38650_developer.rst
rename to doc/metadata/rhel6/V-38650.rst
index 36983381..c2992682 100644
--- a/doc/source/stig-notes/V-38650_developer.rst
+++ b/doc/metadata/rhel6/V-38650.rst
@@ -1,3 +1,9 @@
+---
+id: V-38650
+status: implemented
+tag: misc
+---
+
Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
In CentOS, the ``rdisc`` service will be stopped and disabled if it is present
diff --git a/doc/source/stig-notes/V-38651_developer.rst b/doc/metadata/rhel6/V-38651.rst
similarity index 83%
rename from doc/source/stig-notes/V-38651_developer.rst
rename to doc/metadata/rhel6/V-38651.rst
index 6f69e283..f095591c 100644
--- a/doc/source/stig-notes/V-38651_developer.rst
+++ b/doc/metadata/rhel6/V-38651.rst
@@ -1,3 +1,9 @@
+---
+id: V-38651
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
Changing the umask for the bash shell is an opt-in setting. Deployers that
diff --git a/doc/source/stig-notes/V-38652_developer.rst b/doc/metadata/rhel6/V-38652.rst
similarity index 83%
rename from doc/source/stig-notes/V-38652_developer.rst
rename to doc/metadata/rhel6/V-38652.rst
index fc554ff2..36a615bb 100644
--- a/doc/source/stig-notes/V-38652_developer.rst
+++ b/doc/metadata/rhel6/V-38652.rst
@@ -1,3 +1,9 @@
+---
+id: V-38652
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are urged to use the ``nodev`` option on any remotely mounted
diff --git a/doc/source/stig-notes/V-38653_developer.rst b/doc/metadata/rhel6/V-38653.rst
similarity index 80%
rename from doc/source/stig-notes/V-38653_developer.rst
rename to doc/metadata/rhel6/V-38653.rst
index 69b73914..c4fa2332 100644
--- a/doc/source/stig-notes/V-38653_developer.rst
+++ b/doc/metadata/rhel6/V-38653.rst
@@ -1,3 +1,9 @@
+---
+id: V-38653
+status: exception
+tag: misc
+---
+
**Exception**
The OpenStack-Ansible project doesn't install snmpd by default. Deployers are
diff --git a/doc/source/stig-notes/V-38654_developer.rst b/doc/metadata/rhel6/V-38654.rst
similarity index 83%
rename from doc/source/stig-notes/V-38654_developer.rst
rename to doc/metadata/rhel6/V-38654.rst
index be52f203..76555b96 100644
--- a/doc/source/stig-notes/V-38654_developer.rst
+++ b/doc/metadata/rhel6/V-38654.rst
@@ -1,3 +1,9 @@
+---
+id: V-38654
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are urged to use the ``nosuid`` option on any remotely mounted
diff --git a/doc/source/stig-notes/V-38655_developer.rst b/doc/metadata/rhel6/V-38655.rst
similarity index 88%
rename from doc/source/stig-notes/V-38655_developer.rst
rename to doc/metadata/rhel6/V-38655.rst
index a697eb1f..1e5090dd 100644
--- a/doc/source/stig-notes/V-38655_developer.rst
+++ b/doc/metadata/rhel6/V-38655.rst
@@ -1,3 +1,9 @@
+---
+id: V-38655
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are strongly urged to mount any additional disks with the ``noexec``
diff --git a/doc/source/stig-notes/V-38656_developer.rst b/doc/metadata/rhel6/V-38656.rst
similarity index 76%
rename from doc/source/stig-notes/V-38656_developer.rst
rename to doc/metadata/rhel6/V-38656.rst
index e8cf0ede..74675058 100644
--- a/doc/source/stig-notes/V-38656_developer.rst
+++ b/doc/metadata/rhel6/V-38656.rst
@@ -1,3 +1,9 @@
+---
+id: V-38656
+status: implemented
+tag: misc
+---
+
The Ansible tasks will check to see if the package is installed and the
configuration file will be adjusted. If adjustments are made, the service will
be restarted.
diff --git a/doc/source/stig-notes/V-38657_developer.rst b/doc/metadata/rhel6/V-38657.rst
similarity index 72%
rename from doc/source/stig-notes/V-38657_developer.rst
rename to doc/metadata/rhel6/V-38657.rst
index 24b7770e..44d05c22 100644
--- a/doc/source/stig-notes/V-38657_developer.rst
+++ b/doc/metadata/rhel6/V-38657.rst
@@ -1,3 +1,9 @@
+---
+id: V-38657
+status: exception
+tag: misc
+---
+
**Exception**
Deployers are urged to require SMB client signing if they ever mount samba
diff --git a/doc/source/stig-notes/V-38658_developer.rst b/doc/metadata/rhel6/V-38658.rst
similarity index 84%
rename from doc/source/stig-notes/V-38658_developer.rst
rename to doc/metadata/rhel6/V-38658.rst
index 06685c51..4d642b43 100644
--- a/doc/source/stig-notes/V-38658_developer.rst
+++ b/doc/metadata/rhel6/V-38658.rst
@@ -1,3 +1,9 @@
+---
+id: V-38658
+status: exception
+tag: misc
+---
+
**Exception**
Making adjustments to PAM configurations via automated methods is risky since
diff --git a/doc/source/stig-notes/V-38659_developer.rst b/doc/metadata/rhel6/V-38659.rst
similarity index 91%
rename from doc/source/stig-notes/V-38659_developer.rst
rename to doc/metadata/rhel6/V-38659.rst
index a7573757..01d64160 100644
--- a/doc/source/stig-notes/V-38659_developer.rst
+++ b/doc/metadata/rhel6/V-38659.rst
@@ -1,3 +1,9 @@
+---
+id: V-38659
+status: exception
+tag: misc
+---
+
**Exception**
Creating encrypted storage is left up to the deployer to consider and
diff --git a/doc/source/stig-notes/V-38660_developer.rst b/doc/metadata/rhel6/V-38660.rst
similarity index 92%
rename from doc/source/stig-notes/V-38660_developer.rst
rename to doc/metadata/rhel6/V-38660.rst
index aed091a7..46db6ed8 100644
--- a/doc/source/stig-notes/V-38660_developer.rst
+++ b/doc/metadata/rhel6/V-38660.rst
@@ -1,3 +1,9 @@
+---
+id: V-38660
+status: implemented
+tag: misc
+---
+
The Ansible tasks will check to see if the SNMP configuration file is present.
If the file is present, and the file contains configurations for insecure SNMP
protocols, an error will be printed and the playbook will fail.
diff --git a/doc/source/stig-notes/V-38661_developer.rst b/doc/metadata/rhel6/V-38661.rst
similarity index 91%
rename from doc/source/stig-notes/V-38661_developer.rst
rename to doc/metadata/rhel6/V-38661.rst
index a7573757..5c4cf9e4 100644
--- a/doc/source/stig-notes/V-38661_developer.rst
+++ b/doc/metadata/rhel6/V-38661.rst
@@ -1,3 +1,9 @@
+---
+id: V-38661
+status: exception
+tag: misc
+---
+
**Exception**
Creating encrypted storage is left up to the deployer to consider and
diff --git a/doc/source/stig-notes/V-38662_developer.rst b/doc/metadata/rhel6/V-38662.rst
similarity index 91%
rename from doc/source/stig-notes/V-38662_developer.rst
rename to doc/metadata/rhel6/V-38662.rst
index a7573757..02d75db9 100644
--- a/doc/source/stig-notes/V-38662_developer.rst
+++ b/doc/metadata/rhel6/V-38662.rst
@@ -1,3 +1,9 @@
+---
+id: V-38662
+status: exception
+tag: misc
+---
+
**Exception**
Creating encrypted storage is left up to the deployer to consider and
diff --git a/doc/source/stig-notes/V-38663_developer.rst b/doc/metadata/rhel6/V-38663.rst
similarity index 84%
rename from doc/source/stig-notes/V-38663_developer.rst
rename to doc/metadata/rhel6/V-38663.rst
index 94b7b403..ad079751 100644
--- a/doc/source/stig-notes/V-38663_developer.rst
+++ b/doc/metadata/rhel6/V-38663.rst
@@ -1,3 +1,9 @@
+---
+id: V-38663
+status: exception
+tag: misc
+---
+
**Exception for Ubuntu**
Verifying ownership and permissions of installed packages isn't possible in the
diff --git a/doc/source/stig-notes/V-38453_developer.rst b/doc/metadata/rhel6/V-38664.rst
similarity index 84%
rename from doc/source/stig-notes/V-38453_developer.rst
rename to doc/metadata/rhel6/V-38664.rst
index 94b7b403..b8d6e659 100644
--- a/doc/source/stig-notes/V-38453_developer.rst
+++ b/doc/metadata/rhel6/V-38664.rst
@@ -1,3 +1,9 @@
+---
+id: V-38664
+status: exception
+tag: misc
+---
+
**Exception for Ubuntu**
Verifying ownership and permissions of installed packages isn't possible in the
diff --git a/doc/source/stig-notes/V-38664_developer.rst b/doc/metadata/rhel6/V-38665.rst
similarity index 84%
rename from doc/source/stig-notes/V-38664_developer.rst
rename to doc/metadata/rhel6/V-38665.rst
index 94b7b403..50e8c920 100644
--- a/doc/source/stig-notes/V-38664_developer.rst
+++ b/doc/metadata/rhel6/V-38665.rst
@@ -1,3 +1,9 @@
+---
+id: V-38665
+status: exception
+tag: misc
+---
+
**Exception for Ubuntu**
Verifying ownership and permissions of installed packages isn't possible in the
diff --git a/doc/source/stig-notes/V-38666_developer.rst b/doc/metadata/rhel6/V-38666.rst
similarity index 93%
rename from doc/source/stig-notes/V-38666_developer.rst
rename to doc/metadata/rhel6/V-38666.rst
index 8558465f..2993802e 100644
--- a/doc/source/stig-notes/V-38666_developer.rst
+++ b/doc/metadata/rhel6/V-38666.rst
@@ -1,3 +1,9 @@
+---
+id: V-38666
+status: exception
+tag: misc
+---
+
**Exception**
The installation of an antivirus program is left up to the deployer. There are
diff --git a/doc/source/stig-notes/V-38667_developer.rst b/doc/metadata/rhel6/V-38667.rst
similarity index 83%
rename from doc/source/stig-notes/V-38667_developer.rst
rename to doc/metadata/rhel6/V-38667.rst
index 488b3ef7..0f64863a 100644
--- a/doc/source/stig-notes/V-38667_developer.rst
+++ b/doc/metadata/rhel6/V-38667.rst
@@ -1,3 +1,9 @@
+---
+id: V-38667
+status: implemented
+tag: misc
+---
+
**Fixed by another STIG**
The openstack-ansible project already installs and configures AppArmor, which
diff --git a/doc/source/stig-notes/V-38668_developer.rst b/doc/metadata/rhel6/V-38668.rst
similarity index 87%
rename from doc/source/stig-notes/V-38668_developer.rst
rename to doc/metadata/rhel6/V-38668.rst
index fb9071de..08b69731 100644
--- a/doc/source/stig-notes/V-38668_developer.rst
+++ b/doc/metadata/rhel6/V-38668.rst
@@ -1,3 +1,9 @@
+---
+id: V-38668
+status: implemented
+tag: misc
+---
+
In Ubuntu 14.04, the Ansible tasks disable the control-alt-delete keyboard
sequence via a configuration in ``/etc/init/control-alt-delete.conf``. A
reboot is recommended to apply the change.
diff --git a/doc/source/stig-notes/V-38669_developer.rst b/doc/metadata/rhel6/V-38669.rst
similarity index 82%
rename from doc/source/stig-notes/V-38669_developer.rst
rename to doc/metadata/rhel6/V-38669.rst
index c192168c..9d24a71d 100644
--- a/doc/source/stig-notes/V-38669_developer.rst
+++ b/doc/metadata/rhel6/V-38669.rst
@@ -1,3 +1,9 @@
+---
+id: V-38669
+status: implemented
+tag: misc
+---
+
The ``postfix`` package will be installed and configured to run at boot time.
Review the documentation for V-38446 to ensure that root's email is
forwarded to an email account that can monitor for critical alerts and other
diff --git a/doc/source/stig-notes/V-38670_developer.rst b/doc/metadata/rhel6/V-38670.rst
similarity index 85%
rename from doc/source/stig-notes/V-38670_developer.rst
rename to doc/metadata/rhel6/V-38670.rst
index 4a37b92f..fbab0813 100644
--- a/doc/source/stig-notes/V-38670_developer.rst
+++ b/doc/metadata/rhel6/V-38670.rst
@@ -1,3 +1,9 @@
+---
+id: V-38670
+status: implemented
+tag: misc
+---
+
The AIDE package is already installed as part of the Ansible tasks to fix
V-38429, but these Ansible tasks will verify that the cron job file is actually
in place. The cron job is installed as part of the aide package installation.
diff --git a/doc/source/stig-notes/V-38671_developer.rst b/doc/metadata/rhel6/V-38671.rst
similarity index 80%
rename from doc/source/stig-notes/V-38671_developer.rst
rename to doc/metadata/rhel6/V-38671.rst
index f5bbc98e..41e5a106 100644
--- a/doc/source/stig-notes/V-38671_developer.rst
+++ b/doc/metadata/rhel6/V-38671.rst
@@ -1,3 +1,9 @@
+---
+id: V-38671
+status: implemented
+tag: misc
+---
+
The security role will remove the sendmail package if it exists on the system.
To opt-out of this change, adjust the following Ansible variable to ``no``:
diff --git a/doc/source/stig-notes/V-38672_developer.rst b/doc/metadata/rhel6/V-38672.rst
similarity index 87%
rename from doc/source/stig-notes/V-38672_developer.rst
rename to doc/metadata/rhel6/V-38672.rst
index 6a038be5..3a578652 100644
--- a/doc/source/stig-notes/V-38672_developer.rst
+++ b/doc/metadata/rhel6/V-38672.rst
@@ -1,3 +1,9 @@
+---
+id: V-38672
+status: implemented
+tag: misc
+---
+
Ubuntu doesn't provide the netconsole package and the daemon isn't included
in any other Ubuntu packages.
diff --git a/doc/source/stig-notes/V-38673_developer.rst b/doc/metadata/rhel6/V-38673.rst
similarity index 87%
rename from doc/source/stig-notes/V-38673_developer.rst
rename to doc/metadata/rhel6/V-38673.rst
index c6b11189..ee4e47e1 100644
--- a/doc/source/stig-notes/V-38673_developer.rst
+++ b/doc/metadata/rhel6/V-38673.rst
@@ -1,3 +1,9 @@
+---
+id: V-38673
+status: exception
+tag: misc
+---
+
**Exception**
Installing AIDE on Ubuntu isn't an issue, but there's a bug that causes AIDE
diff --git a/doc/source/stig-notes/V-38674_developer.rst b/doc/metadata/rhel6/V-38674.rst
similarity index 95%
rename from doc/source/stig-notes/V-38674_developer.rst
rename to doc/metadata/rhel6/V-38674.rst
index 86cd5031..3f5b4aab 100644
--- a/doc/source/stig-notes/V-38674_developer.rst
+++ b/doc/metadata/rhel6/V-38674.rst
@@ -1,3 +1,9 @@
+---
+id: V-38674
+status: implemented
+tag: misc
+---
+
In Ubuntu 14.04, the upstart init system looks for the default runlevel in the
``/etc/init/rc-sysinit.conf`` file. The tasks in the security role will ensure
that the ``DEFAULT_RUNLEVEL`` environment variable is set to ``2``, which is a
diff --git a/doc/source/stig-notes/V-38675_developer.rst b/doc/metadata/rhel6/V-38675.rst
similarity index 86%
rename from doc/source/stig-notes/V-38675_developer.rst
rename to doc/metadata/rhel6/V-38675.rst
index af81cd39..9be319e1 100644
--- a/doc/source/stig-notes/V-38675_developer.rst
+++ b/doc/metadata/rhel6/V-38675.rst
@@ -1,3 +1,9 @@
+---
+id: V-38675
+status: implemented
+tag: misc
+---
+
The security role will add a file in ``/etc/security/limits.d/`` that disables
core dumps for all users. Although this setting is more secure, it can prevent
users from debugging kernel errors.
diff --git a/doc/source/stig-notes/V-38676_developer.rst b/doc/metadata/rhel6/V-38676.rst
similarity index 79%
rename from doc/source/stig-notes/V-38676_developer.rst
rename to doc/metadata/rhel6/V-38676.rst
index 42a6c74a..06345842 100644
--- a/doc/source/stig-notes/V-38676_developer.rst
+++ b/doc/metadata/rhel6/V-38676.rst
@@ -1,3 +1,9 @@
+---
+id: V-38676
+status: implemented
+tag: misc
+---
+
The Ansible tasks will remove the ``xserver-xorg`` package if it is present.
To opt-out of the change, set the following Ansible variable to ``no``:
diff --git a/doc/source/stig-notes/V-38677_developer.rst b/doc/metadata/rhel6/V-38677.rst
similarity index 72%
rename from doc/source/stig-notes/V-38677_developer.rst
rename to doc/metadata/rhel6/V-38677.rst
index f1c85060..9ab064c6 100644
--- a/doc/source/stig-notes/V-38677_developer.rst
+++ b/doc/metadata/rhel6/V-38677.rst
@@ -1,2 +1,8 @@
+---
+id: V-38677
+status: implemented
+tag: misc
+---
+
The tasks in nfsd.yml first check to see if the system has nfs exports. If
so, it then checks for the presence of 'insecure_locks'.
diff --git a/doc/source/stig-notes/V-38678_developer.rst b/doc/metadata/rhel6/V-38678.rst
similarity index 89%
rename from doc/source/stig-notes/V-38678_developer.rst
rename to doc/metadata/rhel6/V-38678.rst
index cd38775d..7ec968de 100644
--- a/doc/source/stig-notes/V-38678_developer.rst
+++ b/doc/metadata/rhel6/V-38678.rst
@@ -1,3 +1,9 @@
+---
+id: V-38678
+status: implemented
+tag: misc
+---
+
When auditd notices that free disk space on its logging partition is low, it
will trigger the ``security_space_left_action``. The threshold of remaining
disk space is configured by ``security_space_left`` in
diff --git a/doc/source/stig-notes/V-38679_developer.rst b/doc/metadata/rhel6/V-38679.rst
similarity index 81%
rename from doc/source/stig-notes/V-38679_developer.rst
rename to doc/metadata/rhel6/V-38679.rst
index 80ee7ad9..3e0e93c6 100644
--- a/doc/source/stig-notes/V-38679_developer.rst
+++ b/doc/metadata/rhel6/V-38679.rst
@@ -1,3 +1,9 @@
+---
+id: V-38679
+status: exception
+tag: misc
+---
+
**Exception**
The DHCP client is needed for containers to function properly and may be
diff --git a/doc/source/stig-notes/V-38680_developer.rst b/doc/metadata/rhel6/V-38680.rst
similarity index 87%
rename from doc/source/stig-notes/V-38680_developer.rst
rename to doc/metadata/rhel6/V-38680.rst
index 31164aa7..5d5c4dd7 100644
--- a/doc/source/stig-notes/V-38680_developer.rst
+++ b/doc/metadata/rhel6/V-38680.rst
@@ -1,3 +1,9 @@
+---
+id: V-38680
+status: implemented
+tag: misc
+---
+
By default, Ubuntu sets the default recipient for storage capacity issues in
auditd to the root user. The Ansible task ensures that the default remains set.
diff --git a/doc/source/stig-notes/V-38681_developer.rst b/doc/metadata/rhel6/V-38681.rst
similarity index 89%
rename from doc/source/stig-notes/V-38681_developer.rst
rename to doc/metadata/rhel6/V-38681.rst
index dabfed00..16b51d8f 100644
--- a/doc/source/stig-notes/V-38681_developer.rst
+++ b/doc/metadata/rhel6/V-38681.rst
@@ -1,3 +1,9 @@
+---
+id: V-38681
+status: implemented
+tag: misc
+---
+
The Ansible tasks will run ``pwck`` to find any groups that are defined in
``/etc/passwd`` but not in ``/etc/group``. This could be a sign of an
accidental misconfiguration or a more serious security problem. If the command
diff --git a/doc/source/stig-notes/V-38682_developer.rst b/doc/metadata/rhel6/V-38682.rst
similarity index 84%
rename from doc/source/stig-notes/V-38682_developer.rst
rename to doc/metadata/rhel6/V-38682.rst
index 61ef5c05..1becedac 100644
--- a/doc/source/stig-notes/V-38682_developer.rst
+++ b/doc/metadata/rhel6/V-38682.rst
@@ -1,3 +1,9 @@
+---
+id: V-38682
+status: implemented
+tag: misc
+---
+
The Ansible task will disable the bluetooth kernel modules to meet the STIG
requirements. To opt-out of this change, adjust the following Ansible variable
to ``no``:
diff --git a/doc/source/stig-notes/V-38683_developer.rst b/doc/metadata/rhel6/V-38683.rst
similarity index 90%
rename from doc/source/stig-notes/V-38683_developer.rst
rename to doc/metadata/rhel6/V-38683.rst
index 5818a09b..f2f9b8b2 100644
--- a/doc/source/stig-notes/V-38683_developer.rst
+++ b/doc/metadata/rhel6/V-38683.rst
@@ -1,3 +1,9 @@
+---
+id: V-38683
+status: implemented
+tag: misc
+---
+
The Ansible task will use the ``pwck`` command to search for non-unique
usernames on the system. If any matching usernames are found, an error
will be printed and the playbook will fail.
diff --git a/doc/source/stig-notes/V-38684_developer.rst b/doc/metadata/rhel6/V-38684.rst
similarity index 86%
rename from doc/source/stig-notes/V-38684_developer.rst
rename to doc/metadata/rhel6/V-38684.rst
index f6523962..0d9981e9 100644
--- a/doc/source/stig-notes/V-38684_developer.rst
+++ b/doc/metadata/rhel6/V-38684.rst
@@ -1,3 +1,9 @@
+---
+id: V-38684
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
Ubuntu does not set a limit on the maximum number of active sessions that
diff --git a/doc/source/stig-notes/V-38685_developer.rst b/doc/metadata/rhel6/V-38685.rst
similarity index 86%
rename from doc/source/stig-notes/V-38685_developer.rst
rename to doc/metadata/rhel6/V-38685.rst
index e391573e..e1d854f6 100644
--- a/doc/source/stig-notes/V-38685_developer.rst
+++ b/doc/metadata/rhel6/V-38685.rst
@@ -1,3 +1,9 @@
+---
+id: V-38685
+status: exception
+tag: misc
+---
+
**Exception**
It's not possible to determine which accounts may be temporary or permanent
diff --git a/doc/source/stig-notes/V-38513_developer.rst b/doc/metadata/rhel6/V-38686.rst
similarity index 89%
rename from doc/source/stig-notes/V-38513_developer.rst
rename to doc/metadata/rhel6/V-38686.rst
index 63471791..2fe0ed2d 100644
--- a/doc/source/stig-notes/V-38513_developer.rst
+++ b/doc/metadata/rhel6/V-38686.rst
@@ -1,3 +1,9 @@
+---
+id: V-38686
+status: exception
+tag: misc
+---
+
**Exception**
Although a minimal set of iptables rules are configured on openstack-ansible
diff --git a/doc/source/stig-notes/V-38687_developer.rst b/doc/metadata/rhel6/V-38687.rst
similarity index 74%
rename from doc/source/stig-notes/V-38687_developer.rst
rename to doc/metadata/rhel6/V-38687.rst
index 8cd7d43c..c9279e8a 100644
--- a/doc/source/stig-notes/V-38687_developer.rst
+++ b/doc/metadata/rhel6/V-38687.rst
@@ -1,3 +1,9 @@
+---
+id: V-38687
+status: exception
+tag: misc
+---
+
**Exception**
The configuration of encrypted tunnels between deployers and their OpenStack
diff --git a/doc/metadata/rhel6/V-38688.rst b/doc/metadata/rhel6/V-38688.rst
new file mode 100644
index 00000000..095c4c67
--- /dev/null
+++ b/doc/metadata/rhel6/V-38688.rst
@@ -0,0 +1,11 @@
+---
+id: V-38688
+status: exception
+tag: misc
+---
+
+**Exception**
+
+Deployers are urged to use graphical desktops only on client machines that
+connect to the OpenStack environment, rather than configuring graphical
+desktops within the OpenStack infrastructure itself.
diff --git a/doc/metadata/rhel6/V-38689.rst b/doc/metadata/rhel6/V-38689.rst
new file mode 100644
index 00000000..7f80a2bc
--- /dev/null
+++ b/doc/metadata/rhel6/V-38689.rst
@@ -0,0 +1,11 @@
+---
+id: V-38689
+status: exception
+tag: misc
+---
+
+**Exception**
+
+Deployers are urged to use graphical desktops only on client machines that
+connect to the OpenStack environment, rather than configuring graphical
+desktops within the OpenStack infrastructure itself.
diff --git a/doc/source/stig-notes/V-38690_developer.rst b/doc/metadata/rhel6/V-38690.rst
similarity index 86%
rename from doc/source/stig-notes/V-38690_developer.rst
rename to doc/metadata/rhel6/V-38690.rst
index e391573e..4ec56199 100644
--- a/doc/source/stig-notes/V-38690_developer.rst
+++ b/doc/metadata/rhel6/V-38690.rst
@@ -1,3 +1,9 @@
+---
+id: V-38690
+status: exception
+tag: misc
+---
+
**Exception**
It's not possible to determine which accounts may be temporary or permanent
diff --git a/doc/source/stig-notes/V-38691_developer.rst b/doc/metadata/rhel6/V-38691.rst
similarity index 82%
rename from doc/source/stig-notes/V-38691_developer.rst
rename to doc/metadata/rhel6/V-38691.rst
index 3a36fd49..dbe24f4c 100644
--- a/doc/source/stig-notes/V-38691_developer.rst
+++ b/doc/metadata/rhel6/V-38691.rst
@@ -1,3 +1,9 @@
+---
+id: V-38691
+status: implemented
+tag: misc
+---
+
The Ansible tasks will disable the ``bluetooth`` service and stop it if it is
running on the system.
diff --git a/doc/source/stig-notes/V-38694_developer.rst b/doc/metadata/rhel6/V-38692.rst
similarity index 88%
rename from doc/source/stig-notes/V-38694_developer.rst
rename to doc/metadata/rhel6/V-38692.rst
index 2cb57a36..77584efc 100644
--- a/doc/source/stig-notes/V-38694_developer.rst
+++ b/doc/metadata/rhel6/V-38692.rst
@@ -1,3 +1,9 @@
+---
+id: V-38692
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
Deployers must opt-in for this change by setting the following Ansible
diff --git a/doc/metadata/rhel6/V-38693.rst b/doc/metadata/rhel6/V-38693.rst
new file mode 100644
index 00000000..1d343625
--- /dev/null
+++ b/doc/metadata/rhel6/V-38693.rst
@@ -0,0 +1,16 @@
+---
+id: V-38693
+status: exception
+tag: misc
+---
+
+**Exception**
+
+Password complexity requirements are left up to the deployer. Deployers are
+urged to rely on SSH keys as often as possible to avoid problems with
+passwords.
+
+Review the pam_cracklib documentation by running ``man pam_cracklib`` or
+read the `detailed documentation from Hal Pomeranz`_.
+
+.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
diff --git a/doc/source/stig-notes/V-38692_developer.rst b/doc/metadata/rhel6/V-38694.rst
similarity index 88%
rename from doc/source/stig-notes/V-38692_developer.rst
rename to doc/metadata/rhel6/V-38694.rst
index 2cb57a36..6d105879 100644
--- a/doc/source/stig-notes/V-38692_developer.rst
+++ b/doc/metadata/rhel6/V-38694.rst
@@ -1,3 +1,9 @@
+---
+id: V-38694
+status: opt-in
+tag: misc
+---
+
**Opt-in required**
Deployers must opt-in for this change by setting the following Ansible
diff --git a/doc/source/stig-notes/V-38695_developer.rst b/doc/metadata/rhel6/V-38695.rst
similarity index 85%
rename from doc/source/stig-notes/V-38695_developer.rst
rename to doc/metadata/rhel6/V-38695.rst
index 4a37b92f..1687da60 100644
--- a/doc/source/stig-notes/V-38695_developer.rst
+++ b/doc/metadata/rhel6/V-38695.rst
@@ -1,3 +1,9 @@
+---
+id: V-38695
+status: implemented
+tag: misc
+---
+
The AIDE package is already installed as part of the Ansible tasks to fix
V-38429, but these Ansible tasks will verify that the cron job file is actually
in place. The cron job is installed as part of the aide package installation.
diff --git a/doc/source/stig-notes/V-38696_developer.rst b/doc/metadata/rhel6/V-38696.rst
similarity index 85%
rename from doc/source/stig-notes/V-38696_developer.rst
rename to doc/metadata/rhel6/V-38696.rst
index 4a37b92f..07dfa974 100644
--- a/doc/source/stig-notes/V-38696_developer.rst
+++ b/doc/metadata/rhel6/V-38696.rst
@@ -1,3 +1,9 @@
+---
+id: V-38696
+status: implemented
+tag: misc
+---
+
The AIDE package is already installed as part of the Ansible tasks to fix
V-38429, but these Ansible tasks will verify that the cron job file is actually
in place. The cron job is installed as part of the aide package installation.
diff --git a/doc/source/stig-notes/V-38697_developer.rst b/doc/metadata/rhel6/V-38697.rst
similarity index 87%
rename from doc/source/stig-notes/V-38697_developer.rst
rename to doc/metadata/rhel6/V-38697.rst
index e75e0f4b..d5afd3d9 100644
--- a/doc/source/stig-notes/V-38697_developer.rst
+++ b/doc/metadata/rhel6/V-38697.rst
@@ -1,3 +1,9 @@
+---
+id: V-38697
+status: exception
+tag: misc
+---
+
**Exception**
Running a ``find`` command on the system during the playbook run is
diff --git a/doc/source/stig-notes/V-38698_developer.rst b/doc/metadata/rhel6/V-38698.rst
similarity index 85%
rename from doc/source/stig-notes/V-38698_developer.rst
rename to doc/metadata/rhel6/V-38698.rst
index 4a37b92f..1d0b85bb 100644
--- a/doc/source/stig-notes/V-38698_developer.rst
+++ b/doc/metadata/rhel6/V-38698.rst
@@ -1,3 +1,9 @@
+---
+id: V-38698
+status: implemented
+tag: misc
+---
+
The AIDE package is already installed as part of the Ansible tasks to fix
V-38429, but these Ansible tasks will verify that the cron job file is actually
in place. The cron job is installed as part of the aide package installation.
diff --git a/doc/source/stig-notes/V-38699_developer.rst b/doc/metadata/rhel6/V-38699.rst
similarity index 92%
rename from doc/source/stig-notes/V-38699_developer.rst
rename to doc/metadata/rhel6/V-38699.rst
index a6c415ed..b1aac9c4 100644
--- a/doc/source/stig-notes/V-38699_developer.rst
+++ b/doc/metadata/rhel6/V-38699.rst
@@ -1,3 +1,9 @@
+---
+id: V-38699
+status: exception
+tag: misc
+---
+
**Exception**
The STIG requires administrators to search for directories meeting all of the
diff --git a/doc/metadata/rhel6/V-38700.rst b/doc/metadata/rhel6/V-38700.rst
new file mode 100644
index 00000000..758d2a2f
--- /dev/null
+++ b/doc/metadata/rhel6/V-38700.rst
@@ -0,0 +1,11 @@
+---
+id: V-38700
+status: implemented
+tag: misc
+---
+
+The AIDE package is already installed as part of the Ansible tasks to fix
+V-38429, but these Ansible tasks will verify that the cron job file is actually
+in place. The cron job is installed as part of the aide package installation.
+If the cron job is missing, an error will be printed and the playbook will
+fail.
diff --git a/doc/source/stig-notes/V-38701_developer.rst b/doc/metadata/rhel6/V-38701.rst
similarity index 85%
rename from doc/source/stig-notes/V-38701_developer.rst
rename to doc/metadata/rhel6/V-38701.rst
index 286c6209..7dd4653e 100644
--- a/doc/source/stig-notes/V-38701_developer.rst
+++ b/doc/metadata/rhel6/V-38701.rst
@@ -1,3 +1,9 @@
+---
+id: V-38701
+status: exception
+tag: misc
+---
+
**Exception**
Neither OpenStack-Ansible or any of the operating systems supported by the
diff --git a/doc/source/stig-notes/V-38702_developer.rst b/doc/metadata/rhel6/V-38702.rst
similarity index 82%
rename from doc/source/stig-notes/V-38702_developer.rst
rename to doc/metadata/rhel6/V-38702.rst
index 85b9806c..72bb0433 100644
--- a/doc/source/stig-notes/V-38702_developer.rst
+++ b/doc/metadata/rhel6/V-38702.rst
@@ -1,3 +1,9 @@
+---
+id: V-38702
+status: implemented
+tag: misc
+---
+
The security role will ensure that the appropriate log configuration lines are
applied to ``/etc/vsftpd.conf`` to meet the STIG requirements. If the
``vsftpd`` package isn't installed, the Ansible tasks won't make any changes to
diff --git a/doc/metadata/rhel6/V-43150.rst b/doc/metadata/rhel6/V-43150.rst
new file mode 100644
index 00000000..fc18d33a
--- /dev/null
+++ b/doc/metadata/rhel6/V-43150.rst
@@ -0,0 +1,11 @@
+---
+id: V-43150
+status: exception
+tag: misc
+---
+
+**Exception**
+
+Deployers are urged to use graphical desktops only on client machines that
+connect to the OpenStack environment, rather than configuring graphical
+desktops within the OpenStack infrastructure itself.
diff --git a/doc/source/stig-notes/V-51337_developer.rst b/doc/metadata/rhel6/V-51337.rst
similarity index 97%
rename from doc/source/stig-notes/V-51337_developer.rst
rename to doc/metadata/rhel6/V-51337.rst
index a3973060..881444bf 100644
--- a/doc/source/stig-notes/V-51337_developer.rst
+++ b/doc/metadata/rhel6/V-51337.rst
@@ -1,3 +1,9 @@
+---
+id: V-51337
+status: implemented
+tag: misc
+---
+
The tasks in the security role will enable the Linux Security
Module (LSM) that is appropriate for the Linux distribution in use.
diff --git a/doc/source/stig-notes/V-51363_developer.rst b/doc/metadata/rhel6/V-51363.rst
similarity index 88%
rename from doc/source/stig-notes/V-51363_developer.rst
rename to doc/metadata/rhel6/V-51363.rst
index f352ac7f..e48ccddd 100644
--- a/doc/source/stig-notes/V-51363_developer.rst
+++ b/doc/metadata/rhel6/V-51363.rst
@@ -1,3 +1,9 @@
+---
+id: V-51363
+status: implemented
+tag: misc
+---
+
For Ubuntu, the standard AppArmor policies provided by the AppArmor package are
loaded. The OpenStack-Ansible project also configures AppArmor to limit the
actions of containers and reduce the changes (and potential damages) of a
diff --git a/doc/source/stig-notes/V-51369_developer.rst b/doc/metadata/rhel6/V-51369.rst
similarity index 88%
rename from doc/source/stig-notes/V-51369_developer.rst
rename to doc/metadata/rhel6/V-51369.rst
index 95de5874..b2b82d0a 100644
--- a/doc/source/stig-notes/V-51369_developer.rst
+++ b/doc/metadata/rhel6/V-51369.rst
@@ -1,3 +1,9 @@
+---
+id: V-51369
+status: implemented
+tag: misc
+---
+
Although SELinux is available on Ubuntu 14.04, the policies aren't maintained
as well as they are on Red Hat-based systems. The openstack-ansible project
has chosen to use the more Ubuntu-compatible Linux security module, AppArmor.
diff --git a/doc/source/stig-notes/V-51379_developer.rst b/doc/metadata/rhel6/V-51379.rst
similarity index 90%
rename from doc/source/stig-notes/V-51379_developer.rst
rename to doc/metadata/rhel6/V-51379.rst
index ad0db536..7d089ad9 100644
--- a/doc/source/stig-notes/V-51379_developer.rst
+++ b/doc/metadata/rhel6/V-51379.rst
@@ -1,3 +1,9 @@
+---
+id: V-51379
+status: exception
+tag: misc
+---
+
**Exception for Ubuntu**
The security role will search for unlabeled devices on CentOS and the playbook
diff --git a/doc/source/stig-notes/V-51391_developer.rst b/doc/metadata/rhel6/V-51391.rst
similarity index 91%
rename from doc/source/stig-notes/V-51391_developer.rst
rename to doc/metadata/rhel6/V-51391.rst
index c7d3222c..745a4476 100644
--- a/doc/source/stig-notes/V-51391_developer.rst
+++ b/doc/metadata/rhel6/V-51391.rst
@@ -1,3 +1,9 @@
+---
+id: V-51391
+status: implemented
+tag: misc
+---
+
When AIDE is first installed for V-38429, a new database will be created.
The creation process takes some time because AIDE needs to review each file
in its list of monitored files to get timestamps and hashes. The
diff --git a/doc/source/stig-notes/V-51875_developer.rst b/doc/metadata/rhel6/V-51875.rst
similarity index 81%
rename from doc/source/stig-notes/V-51875_developer.rst
rename to doc/metadata/rhel6/V-51875.rst
index f4d8f4eb..d92b78e6 100644
--- a/doc/source/stig-notes/V-51875_developer.rst
+++ b/doc/metadata/rhel6/V-51875.rst
@@ -1,3 +1,9 @@
+---
+id: V-51875
+status: implemented
+tag: misc
+---
+
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
successful login for a user immediately after login. An Ansible task ensures
this setting is applied and restarts the ssh daemon if necessary.
diff --git a/doc/source/stig-notes/V-54381_developer.rst b/doc/metadata/rhel6/V-54381.rst
similarity index 93%
rename from doc/source/stig-notes/V-54381_developer.rst
rename to doc/metadata/rhel6/V-54381.rst
index 07b4c587..03a250ac 100644
--- a/doc/source/stig-notes/V-54381_developer.rst
+++ b/doc/metadata/rhel6/V-54381.rst
@@ -1,3 +1,9 @@
+---
+id: V-54381
+status: exception
+tag: misc
+---
+
**Exception**
The STIG requires that the audit system must switch the entire system into
diff --git a/doc/source/stig-notes/V-57569_developer.rst b/doc/metadata/rhel6/V-57569.rst
similarity index 84%
rename from doc/source/stig-notes/V-57569_developer.rst
rename to doc/metadata/rhel6/V-57569.rst
index 001084a8..ab1e4d13 100644
--- a/doc/source/stig-notes/V-57569_developer.rst
+++ b/doc/metadata/rhel6/V-57569.rst
@@ -1,3 +1,9 @@
+---
+id: V-57569
+status: exception
+tag: misc
+---
+
**Exception**
Altering partitions and how they are mounted is left up to the deployer
diff --git a/doc/source/stig-notes/V-58901_developer.rst b/doc/metadata/rhel6/V-58901.rst
similarity index 95%
rename from doc/source/stig-notes/V-58901_developer.rst
rename to doc/metadata/rhel6/V-58901.rst
index ef88dfd7..ecc08d16 100644
--- a/doc/source/stig-notes/V-58901_developer.rst
+++ b/doc/metadata/rhel6/V-58901.rst
@@ -1,3 +1,9 @@
+---
+id: V-58901
+status: implemented
+tag: misc
+---
+
This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within
the sudoers configuration files. Using these directives reduces the security
of the system.
diff --git a/doc/metadata/template_all.j2 b/doc/metadata/template_all.j2
new file mode 100644
index 00000000..43fbb7d4
--- /dev/null
+++ b/doc/metadata/template_all.j2
@@ -0,0 +1,22 @@
+{% set page_title = "Review All STIG Controls" %}
+{{ "=" * page_title | length }}
+{{ page_title }}
+{{ "=" * page_title | length }}
+
+Navigating the list
+===================
+
+Use your browser's search function (usually CTRL-f or ⌘-f) to find the
+security configuration in the full list shown here. You can search for STIG
+ID numbers, such as ``V-38463``, or for particular topics, like ``audit``.
+
+----
+
+{% for stig_id in stig_ids | sort %}
+.. include:: auto_{{ stig_id }}.rst
+
+{% if not loop.last %}
+----
+{% endif %}
+
+{% endfor %}
diff --git a/doc/metadata/template_doc.j2 b/doc/metadata/template_doc.j2
new file mode 100644
index 00000000..fd55cb88
--- /dev/null
+++ b/doc/metadata/template_doc.j2
@@ -0,0 +1,18 @@
+{% set page_title = rule['title'] | trim + ' (' + rule['id'] + ')'%}
+{{ page_title }}
+{{ "-" * page_title | length }}
+
+{{ rule['description']}}
+
+Details: `{{ rule['id'] }} in STIG Viewer`_
+
+.. _{{ rule['id'] }} in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/{{ rule['id'] }}
+
+Notes for deployers and auditors
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+**Implementation Status:** {{ notes['status'] | title }}
+
+{{ notes['content'] }}
+
+
diff --git a/doc/metadata/template_toc.j2 b/doc/metadata/template_toc.j2
new file mode 100644
index 00000000..4aa57bd6
--- /dev/null
+++ b/doc/metadata/template_toc.j2
@@ -0,0 +1,24 @@
+{% set page_title = "STIG Controls by " + toc_type | title %}
+{{ "=" * page_title | length }}
+{{ page_title }}
+{{ "=" * page_title | length }}
+
+{% for section_header, stig_id_list in stig_dict.items() %}
+
+.. contents::
+ :depth: 2
+ :backlinks: none
+
+{% set section_title = section_header | title + " (" + stig_id_list | length | string + " controls)" %}
+{{ section_title }}
+{{ "=" * section_title | length }}
+
+{% for stig_id in stig_id_list | sort %}
+.. include:: auto_{{ stig_id }}.rst
+
+{% if not loop.last %}
+----
+{% endif %}
+
+{% endfor %}
+{% endfor %}
diff --git a/doc/source/_exts/metadata-docs.py b/doc/source/_exts/metadata-docs.py
new file mode 100644
index 00000000..f51d859c
--- /dev/null
+++ b/doc/source/_exts/metadata-docs.py
@@ -0,0 +1,210 @@
+#!/usr/bin/env python
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Build documentation from STIG and deployer notes."""
+from __future__ import print_function, unicode_literals
+from collections import defaultdict, OrderedDict
+import os
+import re
+from textwrap import fill
+import yaml
+
+
+import jinja2
+from lxml import etree
+
+
+SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
+METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
+DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
+JINJA_ENV = jinja2.Environment(
+ loader=jinja2.FileSystemLoader(METADATA_DIR),
+ trim_blocks=True,
+ keep_trailing_newline=False,
+)
+
+XCCDF_FILE = 'U_RedHat_6_V1R12_Manual-xccdf.xml'
+XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}
+
+
+def read_xml():
+ """Read XCCDF XML file and parse it into an etree."""
+ with open("{0}/{1}".format(METADATA_DIR, XCCDF_FILE), 'r') as f:
+ tree = etree.parse(f)
+ return tree
+
+
+def element_flatten(element):
+ """Flatten the element into a single item if it's a single item list."""
+ # If there's only one result in the list, then return that single result.
+ if isinstance(element, list) and len(element) == 1:
+ return element[0]
+ else:
+ return element
+
+
+def extract_description(description_text):
+ """Take the description text and extract the VulnDiscussion tag."""
+ parser = etree.XMLParser(recover=True)
+ temp_string = "{0}".format(description_text)
+ temp = etree.fromstring(temp_string, parser)
+ return next(x.text for x in temp.iter() if x.tag == 'VulnDiscussion')
+
+
+def filter_xpath(tree, xpath_string):
+ """Apply an xpath filter to the XML and return data."""
+ element = tree.xpath(xpath_string, namespaces=XCCDF_NAMESPACE)
+ return element_flatten(element)
+
+
+def filter_find(tree, xpath_string):
+ """Do a find on the tree to get specific data."""
+ element = tree.find(xpath_string, namespaces=XCCDF_NAMESPACE)
+ return element_flatten(element)
+
+
+def filter_findall(tree, xpath_string):
+ """Do a find on the tree to get specific data."""
+ element = tree.findall(xpath_string, namespaces=XCCDF_NAMESPACE)
+ return element_flatten(element)
+
+
+def get_deployer_notes(stig_id):
+ """Read deployer notes based on the STIG ID."""
+ filename = "{0}/rhel6/{1}.rst".format(METADATA_DIR, stig_id)
+
+ # Does this deployer note exist?
+ if not os.path.isfile(filename):
+ return False
+
+ # Read the note and parse it with YAML
+ with open(filename, 'r') as f:
+ rst_file = f.read()
+
+ # Split the RST into frontmatter and text
+ # NOTE(mhayden): Can't use the standard yaml.load_all() here at it will
+ # have scanner errors in documents that have colons (:).
+ yaml_boundary = re.compile(r'^-{3,}$', re.MULTILINE)
+ _, metadata, text = yaml_boundary.split(rst_file, 2)
+
+ # Assemble the metadata and the text from the deployer note.
+ post = yaml.load(metadata)
+ post['content'] = text
+
+ return post
+
+
+def render_all(stig_ids):
+ """Generate documentation RST for each STIG configuration."""
+ template = JINJA_ENV.get_template('template_all.j2')
+ return template.render(
+ stig_ids=stig_ids
+ )
+
+
+def render_doc(stig_rule, deployer_notes):
+ """Generate documentation RST for each STIG configuration."""
+ template = JINJA_ENV.get_template('template_doc.j2')
+ return template.render(
+ rule=stig_rule,
+ notes=deployer_notes
+ )
+
+
+def render_toc(toc_type, stig_dict):
+ """Generate documentation RST for each STIG configuration."""
+ template = JINJA_ENV.get_template('template_toc.j2')
+ return template.render(
+ toc_type=toc_type,
+ stig_dict=stig_dict
+ )
+
+
+def write_file(filename, content):
+ """Write contents to files."""
+ file_path = "{0}/{1}".format(DOC_SOURCE_DIR, filename)
+ with open(file_path, 'w') as f:
+ f.write(content.encode('utf-8'))
+
+ return True
+
+
+def generate_docs():
+ """The main function."""
+ tree = read_xml()
+
+ # Create a simple list to capture all of the STIGs
+ stig_ids = []
+
+ # Create defaultdicts to hold information to build our table of
+ # contents files for sphinx.
+ severity = defaultdict(list)
+ tag = defaultdict(list)
+ status = defaultdict(list)
+
+ # Loop through the groups and extract rules
+ group_elements = filter_xpath(tree, "/x:Benchmark/x:Group")
+ for group_element in group_elements:
+ rule_element = filter_find(group_element, 'x:Rule')
+
+ # We have to extract a piece of the description since it contains
+ # multiple sections. We only want the VulnDiscussion section.
+ raw_description = filter_find(rule_element,
+ 'x:description').text
+ description = fill(extract_description(raw_description), width=78)
+
+ # Build a dictionary with all of our rule data.
+ rule = {
+ 'id': group_element.attrib['id'],
+ 'title': filter_find(rule_element, 'x:title').text,
+ 'severity': rule_element.attrib['severity'],
+ 'description': description,
+ 'fix': filter_find(rule_element, 'x:fixtext').text,
+ 'check': filter_find(rule_element,
+ 'x:check/x:check-content').text,
+ }
+
+ # Get the deployer notes from YAML
+ deployer_notes = get_deployer_notes(rule['id'])
+
+ # Render our documentation
+ doc_rst = render_doc(rule, deployer_notes)
+ all_filename = "auto_{0}.rst".format(rule['id'])
+ write_file(all_filename, doc_rst)
+
+ stig_ids.append(rule['id'])
+ severity[rule['severity']].append(rule['id'])
+ status[deployer_notes['status']].append(rule['id'])
+ tag[deployer_notes['tag']].append(rule['id'])
+
+ keyorder = ['high', 'medium', 'low']
+ severity = OrderedDict(sorted(severity.items(),
+ key=lambda x: keyorder.index(x[0])))
+ status = OrderedDict(sorted(status.items(), key=lambda x: x[0]))
+ tag = OrderedDict(sorted(tag.items(), key=lambda x: x[0]))
+
+ all_toc = render_all(stig_ids)
+ severity_toc = render_toc('severity', severity)
+ status_toc = render_toc('implementation status', status)
+ tag_toc = render_toc('tag', tag)
+
+ write_file("auto_controls-all.rst", all_toc)
+ write_file("auto_controls-by-severity.rst", severity_toc)
+ write_file("auto_controls-by-status.rst", status_toc)
+ write_file("auto_controls-by-tag.rst", tag_toc)
+
+
+def setup(app):
+ """Set up the Sphinx extension."""
+ generate_docs()
diff --git a/doc/source/conf.py b/doc/source/conf.py
index c17b6751..8aec2d65 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -21,15 +21,17 @@
#
# All configuration values have a default; values that are commented out
# serve to show the default.
+import os
+import sys
+
import openstackdocstheme
-import os
import pbr.version
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
-# sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.join(os.path.abspath('.'), '_exts'))
# -- General configuration ------------------------------------------------
@@ -39,7 +41,9 @@ import pbr.version
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
-extensions = []
+extensions = [
+ 'metadata-docs',
+]
# Add any paths that contain templates here, relative to this directory.
# templates_path = ['_templates']
@@ -107,7 +111,8 @@ language = None
# directories to ignore when looking for source files.
exclude_patterns = [
'developer-notes/*.rst',
- 'stig-notes/*.rst'
+ 'stig-notes/*.rst',
+ 'auto_V-*.rst'
]
# The reST default role (used for this markup: `text`) to use for all
diff --git a/doc/source/controls-cat1.rst b/doc/source/controls-cat1.rst
deleted file mode 100644
index fd12c1db..00000000
--- a/doc/source/controls-cat1.rst
+++ /dev/null
@@ -1,609 +0,0 @@
-.. include::
-`Home `__ |raquo| Security hardening for openstack-ansible
-
-Category 1 (Low) controls
-================================
-
-.. include:: stig-notes/V-38437.rst
-
-.. include:: stig-notes/V-38437_developer.rst
-
-----
-
-.. include:: stig-notes/V-38438.rst
-
-.. include:: stig-notes/V-38438_developer.rst
-
-----
-
-.. include:: stig-notes/V-38447.rst
-
-.. include:: stig-notes/V-38447_developer.rst
-
-----
-
-.. include:: stig-notes/V-38452.rst
-
-.. include:: stig-notes/V-38452_developer.rst
-
-----
-
-.. include:: stig-notes/V-38453.rst
-
-.. include:: stig-notes/V-38453_developer.rst
-
-----
-
-.. include:: stig-notes/V-38454.rst
-
-.. include:: stig-notes/V-38454_developer.rst
-
-----
-
-.. include:: stig-notes/V-38455.rst
-
-.. include:: stig-notes/V-38455_developer.rst
-
-----
-
-.. include:: stig-notes/V-38456.rst
-
-.. include:: stig-notes/V-38456_developer.rst
-
-----
-
-.. include:: stig-notes/V-38460.rst
-
-.. include:: stig-notes/V-38460_developer.rst
-
-----
-
-.. include:: stig-notes/V-38463.rst
-
-.. include:: stig-notes/V-38463_developer.rst
-
-----
-
-.. include:: stig-notes/V-38467.rst
-
-.. include:: stig-notes/V-38467_developer.rst
-
-----
-
-.. include:: stig-notes/V-38471.rst
-
-.. include:: stig-notes/V-38471_developer.rst
-
-----
-
-.. include:: stig-notes/V-38473.rst
-
-.. include:: stig-notes/V-38473_developer.rst
-
-----
-
-.. include:: stig-notes/V-38474.rst
-
-.. include:: stig-notes/V-38474_developer.rst
-
-----
-
-.. include:: stig-notes/V-38478.rst
-
-.. include:: stig-notes/V-38478_developer.rst
-
-----
-
-.. include:: stig-notes/V-38480.rst
-
-.. include:: stig-notes/V-38480_developer.rst
-
-----
-
-.. include:: stig-notes/V-38482.rst
-
-.. include:: stig-notes/V-38482_developer.rst
-
-----
-
-.. include:: stig-notes/V-38487.rst
-
-.. include:: stig-notes/V-38487_developer.rst
-
-----
-
-.. include:: stig-notes/V-38494.rst
-
-.. include:: stig-notes/V-38494_developer.rst
-
-----
-
-.. include:: stig-notes/V-38516.rst
-
-.. include:: stig-notes/V-38516_developer.rst
-
-----
-
-.. include:: stig-notes/V-38522.rst
-
-.. include:: stig-notes/V-38522_developer.rst
-
-----
-
-.. include:: stig-notes/V-38525.rst
-
-.. include:: stig-notes/V-38525_developer.rst
-
-----
-
-.. include:: stig-notes/V-38527.rst
-
-.. include:: stig-notes/V-38527_developer.rst
-
-----
-
-.. include:: stig-notes/V-38528.rst
-
-.. include:: stig-notes/V-38528_developer.rst
-
-----
-
-.. include:: stig-notes/V-38530.rst
-
-.. include:: stig-notes/V-38530_developer.rst
-
-----
-
-.. include:: stig-notes/V-38531.rst
-
-.. include:: stig-notes/V-38531_developer.rst
-
-----
-
-.. include:: stig-notes/V-38533.rst
-
-.. include:: stig-notes/V-38533_developer.rst
-
-----
-
-.. include:: stig-notes/V-38534.rst
-
-.. include:: stig-notes/V-38534_developer.rst
-
-----
-
-.. include:: stig-notes/V-38535.rst
-
-.. include:: stig-notes/V-38535_developer.rst
-
-----
-
-.. include:: stig-notes/V-38536.rst
-
-.. include:: stig-notes/V-38536_developer.rst
-
-----
-
-.. include:: stig-notes/V-38537.rst
-
-.. include:: stig-notes/V-38537_developer.rst
-
-----
-
-.. include:: stig-notes/V-38538.rst
-
-.. include:: stig-notes/V-38538_developer.rst
-
-----
-
-.. include:: stig-notes/V-38540.rst
-
-.. include:: stig-notes/V-38540_developer.rst
-
-----
-
-.. include:: stig-notes/V-38541.rst
-
-.. include:: stig-notes/V-38541_developer.rst
-
-----
-
-.. include:: stig-notes/V-38543.rst
-
-.. include:: stig-notes/V-38543_developer.rst
-
-----
-
-.. include:: stig-notes/V-38545.rst
-
-.. include:: stig-notes/V-38545_developer.rst
-
-----
-
-.. include:: stig-notes/V-38547.rst
-
-.. include:: stig-notes/V-38547_developer.rst
-
-----
-
-.. include:: stig-notes/V-38550.rst
-
-.. include:: stig-notes/V-38550_developer.rst
-
-----
-
-.. include:: stig-notes/V-38552.rst
-
-.. include:: stig-notes/V-38552_developer.rst
-
-----
-
-.. include:: stig-notes/V-38554.rst
-
-.. include:: stig-notes/V-38554_developer.rst
-
-----
-
-.. include:: stig-notes/V-38556.rst
-
-.. include:: stig-notes/V-38556_developer.rst
-
-----
-
-.. include:: stig-notes/V-38557.rst
-
-.. include:: stig-notes/V-38557_developer.rst
-
-----
-
-.. include:: stig-notes/V-38558.rst
-
-.. include:: stig-notes/V-38558_developer.rst
-
-----
-
-.. include:: stig-notes/V-38559.rst
-
-.. include:: stig-notes/V-38559_developer.rst
-
-----
-
-.. include:: stig-notes/V-38561.rst
-
-.. include:: stig-notes/V-38561_developer.rst
-
-----
-
-.. include:: stig-notes/V-38563.rst
-
-.. include:: stig-notes/V-38563_developer.rst
-
-----
-
-.. include:: stig-notes/V-38565.rst
-
-.. include:: stig-notes/V-38565_developer.rst
-
-----
-
-.. include:: stig-notes/V-38566.rst
-
-.. include:: stig-notes/V-38566_developer.rst
-
-----
-
-.. include:: stig-notes/V-38567.rst
-
-.. include:: stig-notes/V-38567_developer.rst
-
-----
-
-.. include:: stig-notes/V-38568.rst
-
-.. include:: stig-notes/V-38568_developer.rst
-
-----
-
-.. include:: stig-notes/V-38569.rst
-
-.. include:: stig-notes/V-38569_developer.rst
-
-----
-
-.. include:: stig-notes/V-38570.rst
-
-.. include:: stig-notes/V-38570_developer.rst
-
-----
-
-.. include:: stig-notes/V-38571.rst
-
-.. include:: stig-notes/V-38571_developer.rst
-
-----
-
-.. include:: stig-notes/V-38572.rst
-
-.. include:: stig-notes/V-38572_developer.rst
-
-----
-
-.. include:: stig-notes/V-38575.rst
-
-.. include:: stig-notes/V-38575_developer.rst
-
-----
-
-.. include:: stig-notes/V-38578.rst
-
-.. include:: stig-notes/V-38578_developer.rst
-
-----
-
-.. include:: stig-notes/V-38584.rst
-
-.. include:: stig-notes/V-38584_developer.rst
-
-----
-
-.. include:: stig-notes/V-38590.rst
-
-.. include:: stig-notes/V-38590_developer.rst
-
-----
-
-.. include:: stig-notes/V-38608.rst
-
-.. include:: stig-notes/V-38608_developer.rst
-
-----
-
-.. include:: stig-notes/V-38610.rst
-
-.. include:: stig-notes/V-38610_developer.rst
-
-----
-
-.. include:: stig-notes/V-38616.rst
-
-.. include:: stig-notes/V-38616_developer.rst
-
-----
-
-.. include:: stig-notes/V-38618.rst
-
-.. include:: stig-notes/V-38618_developer.rst
-
-----
-
-.. include:: stig-notes/V-38624.rst
-
-.. include:: stig-notes/V-38624_developer.rst
-
-----
-
-.. include:: stig-notes/V-38627.rst
-
-.. include:: stig-notes/V-38627_developer.rst
-
-----
-
-.. include:: stig-notes/V-38635.rst
-
-.. include:: stig-notes/V-38635_developer.rst
-
-----
-
-.. include:: stig-notes/V-38639.rst
-
-.. include:: stig-notes/V-38639_developer.rst
-
-----
-
-.. include:: stig-notes/V-38640.rst
-
-.. include:: stig-notes/V-38640_developer.rst
-
-----
-
-.. include:: stig-notes/V-38641.rst
-
-.. include:: stig-notes/V-38641_developer.rst
-
-----
-
-.. include:: stig-notes/V-38642.rst
-
-.. include:: stig-notes/V-38642_developer.rst
-
-----
-
-.. include:: stig-notes/V-38644.rst
-
-.. include:: stig-notes/V-38644_developer.rst
-
-----
-
-.. include:: stig-notes/V-38645.rst
-
-.. include:: stig-notes/V-38645_developer.rst
-
-----
-
-.. include:: stig-notes/V-38646.rst
-
-.. include:: stig-notes/V-38646_developer.rst
-
-----
-
-.. include:: stig-notes/V-38647.rst
-
-.. include:: stig-notes/V-38647_developer.rst
-
-----
-
-.. include:: stig-notes/V-38648.rst
-
-.. include:: stig-notes/V-38648_developer.rst
-
-----
-
-.. include:: stig-notes/V-38649.rst
-
-.. include:: stig-notes/V-38649_developer.rst
-
-----
-
-.. include:: stig-notes/V-38650.rst
-
-.. include:: stig-notes/V-38650_developer.rst
-
-----
-
-.. include:: stig-notes/V-38651.rst
-
-.. include:: stig-notes/V-38651_developer.rst
-
-----
-
-.. include:: stig-notes/V-38655.rst
-
-.. include:: stig-notes/V-38655_developer.rst
-
-----
-
-.. include:: stig-notes/V-38656.rst
-
-.. include:: stig-notes/V-38656_developer.rst
-
-----
-
-.. include:: stig-notes/V-38657.rst
-
-.. include:: stig-notes/V-38657_developer.rst
-
-----
-
-.. include:: stig-notes/V-38659.rst
-
-.. include:: stig-notes/V-38659_developer.rst
-
-----
-
-.. include:: stig-notes/V-38661.rst
-
-.. include:: stig-notes/V-38661_developer.rst
-
-----
-
-.. include:: stig-notes/V-38662.rst
-
-.. include:: stig-notes/V-38662_developer.rst
-
-----
-
-.. include:: stig-notes/V-38669.rst
-
-.. include:: stig-notes/V-38669_developer.rst
-
-----
-
-.. include:: stig-notes/V-38672.rst
-
-.. include:: stig-notes/V-38672_developer.rst
-
-----
-
-.. include:: stig-notes/V-38675.rst
-
-.. include:: stig-notes/V-38675_developer.rst
-
-----
-
-.. include:: stig-notes/V-38676.rst
-
-.. include:: stig-notes/V-38676_developer.rst
-
-----
-
-.. include:: stig-notes/V-38681.rst
-
-.. include:: stig-notes/V-38681_developer.rst
-
-----
-
-.. include:: stig-notes/V-38683.rst
-
-.. include:: stig-notes/V-38683_developer.rst
-
-----
-
-.. include:: stig-notes/V-38684.rst
-
-.. include:: stig-notes/V-38684_developer.rst
-
-----
-
-.. include:: stig-notes/V-38685.rst
-
-.. include:: stig-notes/V-38685_developer.rst
-
-----
-
-.. include:: stig-notes/V-38687.rst
-
-.. include:: stig-notes/V-38687_developer.rst
-
-----
-
-.. include:: stig-notes/V-38690.rst
-
-.. include:: stig-notes/V-38690_developer.rst
-
-----
-
-.. include:: stig-notes/V-38692.rst
-
-.. include:: stig-notes/V-38692_developer.rst
-
-----
-
-.. include:: stig-notes/V-38693.rst
-
-.. include:: stig-notes/V-38693_developer.rst
-
-----
-
-.. include:: stig-notes/V-38694.rst
-
-.. include:: stig-notes/V-38694_developer.rst
-
-----
-
-.. include:: stig-notes/V-38697.rst
-
-.. include:: stig-notes/V-38697_developer.rst
-
-----
-
-.. include:: stig-notes/V-38699.rst
-
-.. include:: stig-notes/V-38699_developer.rst
-
-----
-
-.. include:: stig-notes/V-38702.rst
-
-.. include:: stig-notes/V-38702_developer.rst
-
-----
-
-.. include:: stig-notes/V-51369.rst
-
-.. include:: stig-notes/V-51369_developer.rst
-
-----
-
-.. include:: stig-notes/V-51379.rst
-
-.. include:: stig-notes/V-51379_developer.rst
diff --git a/doc/source/controls-cat2.rst b/doc/source/controls-cat2.rst
deleted file mode 100644
index 5e5d05c6..00000000
--- a/doc/source/controls-cat2.rst
+++ /dev/null
@@ -1,882 +0,0 @@
-.. include::
-`Home `__ |raquo| Security hardening for openstack-ansible
-
-Category 2 (Medium) controls
-================================
-
-.. toctree::
- :maxdepth: 1
-
-.. include:: stig-notes/V-38439.rst
-
-.. include:: stig-notes/V-38439_developer.rst
-
-----
-
-.. include:: stig-notes/V-38443.rst
-
-.. include:: stig-notes/V-38443_developer.rst
-
-----
-
-.. include:: stig-notes/V-38444.rst
-
-.. include:: stig-notes/V-38444_developer.rst
-
-----
-
-.. include:: stig-notes/V-38445.rst
-
-.. include:: stig-notes/V-38445_developer.rst
-
-----
-
-.. include:: stig-notes/V-38446.rst
-
-.. include:: stig-notes/V-38446_developer.rst
-
-----
-
-.. include:: stig-notes/V-38448.rst
-
-.. include:: stig-notes/V-38448_developer.rst
-
-----
-
-.. include:: stig-notes/V-38449.rst
-
-.. include:: stig-notes/V-38449_developer.rst
-
-----
-
-.. include:: stig-notes/V-38450.rst
-
-.. include:: stig-notes/V-38450_developer.rst
-
-----
-
-.. include:: stig-notes/V-38451.rst
-
-.. include:: stig-notes/V-38451_developer.rst
-
-----
-
-.. include:: stig-notes/V-38457.rst
-
-.. include:: stig-notes/V-38457_developer.rst
-
-----
-
-.. include:: stig-notes/V-38458.rst
-
-.. include:: stig-notes/V-38458_developer.rst
-
-----
-
-.. include:: stig-notes/V-38459.rst
-
-.. include:: stig-notes/V-38459_developer.rst
-
-----
-
-.. include:: stig-notes/V-38461.rst
-
-.. include:: stig-notes/V-38461_developer.rst
-
-----
-
-.. include:: stig-notes/V-38464.rst
-
-.. include:: stig-notes/V-38464_developer.rst
-
-----
-
-.. include:: stig-notes/V-38465.rst
-
-.. include:: stig-notes/V-38465_developer.rst
-
-----
-
-.. include:: stig-notes/V-38466.rst
-
-.. include:: stig-notes/V-38466_developer.rst
-
-----
-
-.. include:: stig-notes/V-38468.rst
-
-.. include:: stig-notes/V-38468_developer.rst
-
-----
-
-.. include:: stig-notes/V-38469.rst
-
-.. include:: stig-notes/V-38469_developer.rst
-
-----
-
-.. include:: stig-notes/V-38470.rst
-
-.. include:: stig-notes/V-38470_developer.rst
-
-----
-
-.. include:: stig-notes/V-38472.rst
-
-.. include:: stig-notes/V-38472_developer.rst
-
-----
-
-.. include:: stig-notes/V-38475.rst
-
-.. include:: stig-notes/V-38475_developer.rst
-
-----
-
-.. include:: stig-notes/V-38477.rst
-
-.. include:: stig-notes/V-38477_developer.rst
-
-----
-
-.. include:: stig-notes/V-38479.rst
-
-.. include:: stig-notes/V-38479_developer.rst
-
-----
-
-.. include:: stig-notes/V-38481.rst
-
-.. include:: stig-notes/V-38481_developer.rst
-
-----
-
-.. include:: stig-notes/V-38483.rst
-
-.. include:: stig-notes/V-38483_developer.rst
-
-----
-
-.. include:: stig-notes/V-38484.rst
-
-.. include:: stig-notes/V-38484_developer.rst
-
-----
-
-.. include:: stig-notes/V-38486.rst
-
-.. include:: stig-notes/V-38486_developer.rst
-
-----
-
-.. include:: stig-notes/V-38488.rst
-
-.. include:: stig-notes/V-38488_developer.rst
-
-----
-
-.. include:: stig-notes/V-38489.rst
-
-.. include:: stig-notes/V-38489_developer.rst
-
-----
-
-.. include:: stig-notes/V-38490.rst
-
-.. include:: stig-notes/V-38490_developer.rst
-
-----
-
-.. include:: stig-notes/V-38492.rst
-
-.. include:: stig-notes/V-38492_developer.rst
-
-----
-
-.. include:: stig-notes/V-38493.rst
-
-.. include:: stig-notes/V-38493_developer.rst
-
-----
-
-.. include:: stig-notes/V-38495.rst
-
-.. include:: stig-notes/V-38495_developer.rst
-
-----
-
-.. include:: stig-notes/V-38496.rst
-
-.. include:: stig-notes/V-38496_developer.rst
-
-----
-
-.. include:: stig-notes/V-38498.rst
-
-.. include:: stig-notes/V-38498_developer.rst
-
-----
-
-.. include:: stig-notes/V-38499.rst
-
-.. include:: stig-notes/V-38499_developer.rst
-
-----
-
-.. include:: stig-notes/V-38500.rst
-
-.. include:: stig-notes/V-38500_developer.rst
-
-----
-
-.. include:: stig-notes/V-38501.rst
-
-.. include:: stig-notes/V-38501_developer.rst
-
-----
-
-.. include:: stig-notes/V-38502.rst
-
-.. include:: stig-notes/V-38502_developer.rst
-
-----
-
-.. include:: stig-notes/V-38503.rst
-
-.. include:: stig-notes/V-38503_developer.rst
-
-----
-
-.. include:: stig-notes/V-38504.rst
-
-.. include:: stig-notes/V-38504_developer.rst
-
-----
-
-.. include:: stig-notes/V-38511.rst
-
-.. include:: stig-notes/V-38511_developer.rst
-
-----
-
-.. include:: stig-notes/V-38512.rst
-
-.. include:: stig-notes/V-38512_developer.rst
-
-----
-
-.. include:: stig-notes/V-38513.rst
-
-.. include:: stig-notes/V-38513_developer.rst
-
-----
-
-.. include:: stig-notes/V-38514.rst
-
-.. include:: stig-notes/V-38514_developer.rst
-
-----
-
-.. include:: stig-notes/V-38515.rst
-
-.. include:: stig-notes/V-38515_developer.rst
-
-----
-
-.. include:: stig-notes/V-38517.rst
-
-.. include:: stig-notes/V-38517_developer.rst
-
-----
-
-.. include:: stig-notes/V-38518.rst
-
-.. include:: stig-notes/V-38518_developer.rst
-
-----
-
-.. include:: stig-notes/V-38519.rst
-
-.. include:: stig-notes/V-38519_developer.rst
-
-----
-
-.. include:: stig-notes/V-38520.rst
-
-.. include:: stig-notes/V-38520_developer.rst
-
-----
-
-.. include:: stig-notes/V-38521.rst
-
-.. include:: stig-notes/V-38521_developer.rst
-
-----
-
-.. include:: stig-notes/V-38523.rst
-
-.. include:: stig-notes/V-38523_developer.rst
-
-----
-
-.. include:: stig-notes/V-38524.rst
-
-.. include:: stig-notes/V-38524_developer.rst
-
-----
-
-.. include:: stig-notes/V-38526.rst
-
-.. include:: stig-notes/V-38526_developer.rst
-
-----
-
-.. include:: stig-notes/V-38529.rst
-
-.. include:: stig-notes/V-38529_developer.rst
-
-----
-
-.. include:: stig-notes/V-38532.rst
-
-.. include:: stig-notes/V-38532_developer.rst
-
-----
-
-.. include:: stig-notes/V-38539.rst
-
-.. include:: stig-notes/V-38539_developer.rst
-
-----
-
-.. include:: stig-notes/V-38542.rst
-
-.. include:: stig-notes/V-38542_developer.rst
-
-----
-
-.. include:: stig-notes/V-38544.rst
-
-.. include:: stig-notes/V-38544_developer.rst
-
-----
-
-.. include:: stig-notes/V-38546.rst
-
-.. include:: stig-notes/V-38546_developer.rst
-
-----
-
-.. include:: stig-notes/V-38548.rst
-
-.. include:: stig-notes/V-38548_developer.rst
-
-----
-
-.. include:: stig-notes/V-38549.rst
-
-.. include:: stig-notes/V-38549_developer.rst
-
-----
-
-.. include:: stig-notes/V-38551.rst
-
-.. include:: stig-notes/V-38551_developer.rst
-
-----
-
-.. include:: stig-notes/V-38553.rst
-
-.. include:: stig-notes/V-38553_developer.rst
-
-----
-
-.. include:: stig-notes/V-38555.rst
-
-.. include:: stig-notes/V-38555_developer.rst
-
-----
-
-.. include:: stig-notes/V-38560.rst
-
-.. include:: stig-notes/V-38560_developer.rst
-
-----
-
-.. include:: stig-notes/V-38573.rst
-
-.. include:: stig-notes/V-38573_developer.rst
-
-----
-
-.. include:: stig-notes/V-38574.rst
-
-.. include:: stig-notes/V-38574_developer.rst
-
-----
-
-.. include:: stig-notes/V-38576.rst
-
-.. include:: stig-notes/V-38576_developer.rst
-
-----
-
-.. include:: stig-notes/V-38577.rst
-
-.. include:: stig-notes/V-38577_developer.rst
-
-----
-
-.. include:: stig-notes/V-38579.rst
-
-.. include:: stig-notes/V-38579_developer.rst
-
-----
-
-.. include:: stig-notes/V-38580.rst
-
-.. include:: stig-notes/V-38580_developer.rst
-
-----
-
-.. include:: stig-notes/V-38581.rst
-
-.. include:: stig-notes/V-38581_developer.rst
-
-----
-
-.. include:: stig-notes/V-38582.rst
-
-.. include:: stig-notes/V-38582_developer.rst
-
-----
-
-.. include:: stig-notes/V-38583.rst
-
-.. include:: stig-notes/V-38583_developer.rst
-
-----
-
-.. include:: stig-notes/V-38585.rst
-
-.. include:: stig-notes/V-38585_developer.rst
-
-----
-
-.. include:: stig-notes/V-38586.rst
-
-.. include:: stig-notes/V-38586_developer.rst
-
-----
-
-.. include:: stig-notes/V-38588.rst
-
-.. include:: stig-notes/V-38588_developer.rst
-
-----
-
-.. include:: stig-notes/V-38592.rst
-
-.. include:: stig-notes/V-38592_developer.rst
-
-----
-
-.. include:: stig-notes/V-38593.rst
-
-.. include:: stig-notes/V-38593_developer.rst
-
-----
-
-.. include:: stig-notes/V-38595.rst
-
-.. include:: stig-notes/V-38595_developer.rst
-
-----
-
-.. include:: stig-notes/V-38596.rst
-
-.. include:: stig-notes/V-38596_developer.rst
-
-----
-
-.. include:: stig-notes/V-38597.rst
-
-.. include:: stig-notes/V-38597_developer.rst
-
-----
-
-.. include:: stig-notes/V-38599.rst
-
-.. include:: stig-notes/V-38599_developer.rst
-
-----
-
-.. include:: stig-notes/V-38600.rst
-
-.. include:: stig-notes/V-38600_developer.rst
-
-----
-
-.. include:: stig-notes/V-38601.rst
-
-.. include:: stig-notes/V-38601_developer.rst
-
-----
-
-.. include:: stig-notes/V-38603.rst
-
-.. include:: stig-notes/V-38603_developer.rst
-
-----
-
-.. include:: stig-notes/V-38604.rst
-
-.. include:: stig-notes/V-38604_developer.rst
-
-----
-
-.. include:: stig-notes/V-38605.rst
-
-.. include:: stig-notes/V-38605_developer.rst
-
-----
-
-.. include:: stig-notes/V-38606.rst
-
-.. include:: stig-notes/V-38606_developer.rst
-
-----
-
-.. include:: stig-notes/V-38609.rst
-
-.. include:: stig-notes/V-38609_developer.rst
-
-----
-
-.. include:: stig-notes/V-38611.rst
-
-.. include:: stig-notes/V-38611_developer.rst
-
-----
-
-.. include:: stig-notes/V-38612.rst
-
-.. include:: stig-notes/V-38612_developer.rst
-
-----
-
-.. include:: stig-notes/V-38613.rst
-
-.. include:: stig-notes/V-38613_developer.rst
-
-----
-
-.. include:: stig-notes/V-38615.rst
-
-.. include:: stig-notes/V-38615_developer.rst
-
-----
-
-.. include:: stig-notes/V-38617.rst
-
-.. include:: stig-notes/V-38617_developer.rst
-
-----
-
-.. include:: stig-notes/V-38619.rst
-
-.. include:: stig-notes/V-38619_developer.rst
-
-----
-
-.. include:: stig-notes/V-38620.rst
-
-.. include:: stig-notes/V-38620_developer.rst
-
-----
-
-.. include:: stig-notes/V-38621.rst
-
-.. include:: stig-notes/V-38621_developer.rst
-
-----
-
-.. include:: stig-notes/V-38622.rst
-
-.. include:: stig-notes/V-38622_developer.rst
-
-----
-
-.. include:: stig-notes/V-38623.rst
-
-.. include:: stig-notes/V-38623_developer.rst
-
-----
-
-.. include:: stig-notes/V-38625.rst
-
-.. include:: stig-notes/V-38625_developer.rst
-
-----
-
-.. include:: stig-notes/V-38626.rst
-
-.. include:: stig-notes/V-38626_developer.rst
-
-----
-
-.. include:: stig-notes/V-38628.rst
-
-.. include:: stig-notes/V-38628_developer.rst
-
-----
-
-.. include:: stig-notes/V-38629.rst
-
-.. include:: stig-notes/V-38629_developer.rst
-
-----
-
-.. include:: stig-notes/V-38630.rst
-
-.. include:: stig-notes/V-38630_developer.rst
-
-----
-
-.. include:: stig-notes/V-38631.rst
-
-.. include:: stig-notes/V-38631_developer.rst
-
-----
-
-.. include:: stig-notes/V-38632.rst
-
-.. include:: stig-notes/V-38632_developer.rst
-
-----
-
-.. include:: stig-notes/V-38633.rst
-
-.. include:: stig-notes/V-38633_developer.rst
-
-----
-
-.. include:: stig-notes/V-38634.rst
-
-.. include:: stig-notes/V-38634_developer.rst
-
-----
-
-.. include:: stig-notes/V-38636.rst
-
-.. include:: stig-notes/V-38636_developer.rst
-
-----
-
-.. include:: stig-notes/V-38637.rst
-
-.. include:: stig-notes/V-38637_developer.rst
-
-----
-
-.. include:: stig-notes/V-38638.rst
-
-.. include:: stig-notes/V-38638_developer.rst
-
-----
-
-.. include:: stig-notes/V-38643.rst
-
-.. include:: stig-notes/V-38643_developer.rst
-
-----
-
-.. include:: stig-notes/V-38652.rst
-
-.. include:: stig-notes/V-38652_developer.rst
-
-----
-
-.. include:: stig-notes/V-38654.rst
-
-.. include:: stig-notes/V-38654_developer.rst
-
-----
-
-.. include:: stig-notes/V-38658.rst
-
-.. include:: stig-notes/V-38658_developer.rst
-
-----
-
-.. include:: stig-notes/V-38660.rst
-
-.. include:: stig-notes/V-38660_developer.rst
-
-----
-
-.. include:: stig-notes/V-38663.rst
-
-.. include:: stig-notes/V-38663_developer.rst
-
-----
-
-.. include:: stig-notes/V-38664.rst
-
-.. include:: stig-notes/V-38664_developer.rst
-
-----
-
-.. include:: stig-notes/V-38665.rst
-
-.. include:: stig-notes/V-38665_developer.rst
-
-----
-
-.. include:: stig-notes/V-38667.rst
-
-.. include:: stig-notes/V-38667_developer.rst
-
-----
-
-.. include:: stig-notes/V-38670.rst
-
-.. include:: stig-notes/V-38670_developer.rst
-
-----
-
-.. include:: stig-notes/V-38671.rst
-
-.. include:: stig-notes/V-38671_developer.rst
-
-----
-
-.. include:: stig-notes/V-38673.rst
-
-.. include:: stig-notes/V-38673_developer.rst
-
-----
-
-.. include:: stig-notes/V-38674.rst
-
-.. include:: stig-notes/V-38674_developer.rst
-
-----
-
-.. include:: stig-notes/V-38678.rst
-
-.. include:: stig-notes/V-38678_developer.rst
-
-----
-
-.. include:: stig-notes/V-38679.rst
-
-.. include:: stig-notes/V-38679_developer.rst
-
-----
-
-.. include:: stig-notes/V-38680.rst
-
-.. include:: stig-notes/V-38680_developer.rst
-
-----
-
-.. include:: stig-notes/V-38682.rst
-
-.. include:: stig-notes/V-38682_developer.rst
-
-----
-
-.. include:: stig-notes/V-38686.rst
-
-.. include:: stig-notes/V-38686_developer.rst
-
-----
-
-.. include:: stig-notes/V-38688.rst
-
-.. include:: stig-notes/V-38688_developer.rst
-
-----
-
-.. include:: stig-notes/V-38689.rst
-
-.. include:: stig-notes/V-38689_developer.rst
-
-----
-
-.. include:: stig-notes/V-38691.rst
-
-.. include:: stig-notes/V-38691_developer.rst
-
-----
-
-.. include:: stig-notes/V-38695.rst
-
-.. include:: stig-notes/V-38695_developer.rst
-
-----
-
-.. include:: stig-notes/V-38696.rst
-
-.. include:: stig-notes/V-38696_developer.rst
-
-----
-
-.. include:: stig-notes/V-38698.rst
-
-.. include:: stig-notes/V-38698_developer.rst
-
-----
-
-.. include:: stig-notes/V-38700.rst
-
-.. include:: stig-notes/V-38700_developer.rst
-
-----
-
-.. include:: stig-notes/V-43150.rst
-
-.. include:: stig-notes/V-43150_developer.rst
-
-----
-
-.. include:: stig-notes/V-51337.rst
-
-.. include:: stig-notes/V-51337_developer.rst
-
-----
-
-.. include:: stig-notes/V-51363.rst
-
-.. include:: stig-notes/V-51363_developer.rst
-
-----
-
-.. include:: stig-notes/V-51391.rst
-
-.. include:: stig-notes/V-51391_developer.rst
-
-----
-
-.. include:: stig-notes/V-51875.rst
-
-.. include:: stig-notes/V-51875_developer.rst
-
-----
-
-.. include:: stig-notes/V-54381.rst
-
-.. include:: stig-notes/V-54381_developer.rst
-
-----
-
-.. include:: stig-notes/V-57569.rst
-
-.. include:: stig-notes/V-57569_developer.rst
-
-----
-
-.. include:: stig-notes/V-58901.rst
-
-.. include:: stig-notes/V-58901_developer.rst
diff --git a/doc/source/controls-cat3.rst b/doc/source/controls-cat3.rst
deleted file mode 100644
index 7810bf56..00000000
--- a/doc/source/controls-cat3.rst
+++ /dev/null
@@ -1,108 +0,0 @@
-.. include::
-`Home `__ |raquo| Security hardening for openstack-ansible
-
-Category 3 (High) controls
-================================
-
-.. toctree::
- :maxdepth: 1
-
-.. include:: stig-notes/V-38462.rst
-
-.. include:: stig-notes/V-38462_developer.rst
-
-----
-
-.. include:: stig-notes/V-38476.rst
-
-.. include:: stig-notes/V-38476_developer.rst
-
-----
-
-.. include:: stig-notes/V-38491.rst
-
-.. include:: stig-notes/V-38491_developer.rst
-
-----
-
-.. include:: stig-notes/V-38497.rst
-
-.. include:: stig-notes/V-38497_developer.rst
-
-----
-
-.. include:: stig-notes/V-38587.rst
-
-.. include:: stig-notes/V-38587_developer.rst
-
-----
-
-.. include:: stig-notes/V-38589.rst
-
-.. include:: stig-notes/V-38589_developer.rst
-
-----
-
-.. include:: stig-notes/V-38591.rst
-
-.. include:: stig-notes/V-38591_developer.rst
-
-----
-
-.. include:: stig-notes/V-38594.rst
-
-.. include:: stig-notes/V-38594_developer.rst
-
-----
-
-.. include:: stig-notes/V-38598.rst
-
-.. include:: stig-notes/V-38598_developer.rst
-
-----
-
-.. include:: stig-notes/V-38602.rst
-
-.. include:: stig-notes/V-38602_developer.rst
-
-----
-
-.. include:: stig-notes/V-38607.rst
-
-.. include:: stig-notes/V-38607_developer.rst
-
-----
-
-.. include:: stig-notes/V-38614.rst
-
-.. include:: stig-notes/V-38614_developer.rst
-
-----
-
-.. include:: stig-notes/V-38653.rst
-
-.. include:: stig-notes/V-38653_developer.rst
-
-----
-
-.. include:: stig-notes/V-38666.rst
-
-.. include:: stig-notes/V-38666_developer.rst
-
-----
-
-.. include:: stig-notes/V-38668.rst
-
-.. include:: stig-notes/V-38668_developer.rst
-
-----
-
-.. include:: stig-notes/V-38677.rst
-
-.. include:: stig-notes/V-38677_developer.rst
-
-----
-
-.. include:: stig-notes/V-38701.rst
-
-.. include:: stig-notes/V-38701_developer.rst
diff --git a/doc/source/controls.rst b/doc/source/controls.rst
index 128fbc28..a479c8b9 100644
--- a/doc/source/controls.rst
+++ b/doc/source/controls.rst
@@ -1,12 +1,39 @@
.. include::
-`Home `__ |raquo| Security hardening for openstack-ansible
+`Home `__ |raquo| Security hardening for OpenStack-Ansible
Security hardening controls in detail
=====================================
-.. toctree::
- :maxdepth: 2
+The Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux
+6 contains over 200 security controls. The links below will allow you to review
+each control based on a certain set of criteria.
- controls-cat1.rst
- controls-cat2.rst
- controls-cat3.rst
+Controls are divided into groups based on certain properties:
+
+* **Severity:** Normally high, medium and low. High severity items are the ones
+ which should be completed first, since they pose the greatest threat to the
+ security of a system.
+ *(These severity levels are set within the STIG.)*
+
+* **Implementation status:** Each control is assessed thoroughly before Ansible
+ tasks are written. Some controls may be listed as *exceptions* since they
+ can't be implemented with automation, or they could cause damage to an
+ existing system. Other controls are listed as *opt-in* when they are
+ implemented, but they require a deployer to enable them.
+ *(This categorization comes from openstack-ansible-security, not the STIG.)*
+
+* **Tag:** The controls are also separated based on which parts of the system
+ they act upon. Something that secures ``grub`` would be tagged with *boot*
+ while controls for ``sshd`` would be tagged with *auth*.
+ *(This categorization comes from openstack-ansible-security, not the STIG.)*
+
+You can also review the STIG controls in one very large page. This can be
+helpful when you need to search using your web browser.
+
+.. toctree::
+ :titlesonly:
+
+ auto_controls-by-severity.rst
+ auto_controls-by-status.rst
+ auto_controls-by-tag.rst
+ auto_controls-all.rst
diff --git a/doc/source/developer-notes/CVE-2016-5696.rst b/doc/source/developer-notes/CVE-2016-5696.rst
deleted file mode 100644
index 261fd668..00000000
--- a/doc/source/developer-notes/CVE-2016-5696.rst
+++ /dev/null
@@ -1,11 +0,0 @@
-This task in the security role will set the global challenge ACK counter
-to a large value to protect systems for a vulnerability in TCP stack
-implementation of the Linux kernel (`CVE-2016-5696`_).
-
-To opt-out of this change, adjust the following variable:
-
-.. code-block:: yaml
-
- security_set_tcp_challenge_ack_limit: no
-
-.. _CVE-2016-5696: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
diff --git a/doc/source/generate_docs.py b/doc/source/generate_docs.py
deleted file mode 100644
index e0fe02bd..00000000
--- a/doc/source/generate_docs.py
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/usr/bin/env python
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Generates the documentation scaffolding."""
-import csv
-from jinja2 import Template
-from textwrap import fill
-
-
-def reindent(string_to_indent, numSpaces):
- """Indent strings with spaces."""
- s = string_to_indent.splitlines()
- s = [(numSpaces * ' ') + line.lstrip() for line in s]
- return '\n'.join(s)
-
-
-stigviewer_url = ("https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/"
- "2015-05-26/finding/{0}")
-
-stig_note_template = """{{ title }}
-{{ '-' * title | length }}
-
-{{ desc }}
-
-Details: `{{ id }} in STIG Viewer`_.
-
-.. _{{ id }} in STIG Viewer: {{ stigviewer }}
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
-
-.. include:: developer-notes/{{ id }}.rst
-
-"""
-
-stigs = []
-
-with open('rhel6stig.csv', 'r') as csvfile:
- reader = csv.reader(csvfile)
- for row in reader:
- metadata = {
- 'id': row[0],
- 'title': "{0}: {1}".format(row[0], row[2]),
- 'desc': fill(row[3], width=78),
- 'fixtext': row[7],
- 'checktext': row[9],
- 'severity': row[1],
- 'stigviewer': stigviewer_url.format(row[0]),
- }
- template = Template(stig_note_template)
- with open("stig-notes/{0}.rst".format(metadata['id']), 'w') as rstfile:
- rstfile.write(template.render(metadata))
-
- stigs.append(metadata)
-
-
-category_template = """.. include::
-`Home `__ |raquo| Security hardening for openstack-ansible
-
-Category {{ level }} ({{ name | capitalize }}) controls
-================================
-
-.. toctree::
- :maxdepth: 1
-
-
-"""
-
-
-categories = {
- 'low': 1,
- 'medium': 2,
- 'high': 3,
-}
-
-for category_name, category_level in categories.items():
- matching_stigs = [x for x in stigs if x['severity'] == category_name]
- cat_file = open("controls-cat{0}.rst".format(category_level), 'w')
- template = Template(category_template)
- cat_file.write(template.render(name=category_name,
- level=category_level))
-
- include_template = ".. include:: stig-notes/{0}.rst\n\n"
- for matching_stig in sorted(matching_stigs, key=lambda k: k['id']):
- cat_file.write(include_template.format(matching_stig['id']))
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 4ca8b1af..f31165c0 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -1,6 +1,6 @@
-========================================
-Security hardening for OpenStack-Ansible
-========================================
+==========================================
+OpenStack-Ansible: Host security hardening
+==========================================
Abstract
~~~~~~~~
diff --git a/doc/source/rhel6stig.csv b/doc/source/rhel6stig.csv
deleted file mode 100644
index 1eb0cf78..00000000
--- a/doc/source/rhel6stig.csv
+++ /dev/null
@@ -1,3378 +0,0 @@
-id,severity,title,description,iacontrols,ruleID,fixid,fixtext,checkid,checktext
-V-38612,medium,The SSH daemon must not allow host-based authentication.,SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.,None,SV-50413r1_rule,F-43560r1_fix,"SSH's cryptographic host-based authentication is more secure than "".rhosts"" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
-
-To disable host-based authentication, add or correct the following line in ""/etc/ssh/sshd_config"":
-
-HostbasedAuthentication no",C-46170r1_chk,"To determine how the SSH daemon's ""HostbasedAuthentication"" option is set, run the following command:
-
-# grep -i HostbasedAuthentication /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value ""no"" is returned, then the required value is set.
-If the required value is not set, this is a finding."
-V-38580,medium,The audit system must be configured to audit the loading and unloading of dynamic kernel modules.,The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.,None,SV-50381r2_rule,F-43528r2_fix,"Add the following to ""/etc/audit/audit.rules"" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-
--w /sbin/insmod -p x -k modules
--w /sbin/rmmod -p x -k modules
--w /sbin/modprobe -p x -k modules
--a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules",C-46138r3_chk,"To determine if the system is configured to audit execution of module management programs, run the following commands:
-
-$ sudo egrep -e ""(-w |-F path=)/sbin/insmod"" /etc/audit/audit.rules
-$ sudo egrep -e ""(-w |-F path=)/sbin/rmmod"" /etc/audit/audit.rules
-$ sudo egrep -e ""(-w |-F path=)/sbin/modprobe"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-To determine if the system is configured to audit calls to the ""init_module"" system call, run the following command:
-
-$ sudo grep -w ""init_module"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-To determine if the system is configured to audit calls to the ""delete_module"" system call, run the following command:
-
-$ sudo grep -w ""delete_module"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-If no line is returned for any of these commands, this is a finding. "
-V-38459,medium,The /etc/group file must be group-owned by root.,"The ""/etc/group"" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.",None,SV-50259r1_rule,F-43404r1_fix,"To properly set the group owner of ""/etc/group"", run the command:
-
-# chgrp root /etc/group",C-46014r1_chk,"To check the group ownership of ""/etc/group"", run the command:
-
-$ ls -l /etc/group
-
-If properly configured, the output should indicate the following group-owner. ""root""
-If it does not, this is a finding."
-V-38649,low,The system default umask for the csh shell must be 077.,The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.,None,SV-50450r1_rule,F-43598r1_fix,"To ensure the default umask for users of the C shell is set properly, add or correct the ""umask"" setting in ""/etc/csh.cshrc"" to read as follows:
-
-umask 077",C-46209r1_chk,"Verify the ""umask"" setting is configured correctly in the ""/etc/csh.cshrc"" file by running the following command:
-
-# grep ""umask"" /etc/csh.cshrc
-
-All output must show the value of ""umask"" set to 077, as shown in the below:
-
-# grep ""umask"" /etc/csh.cshrc
-umask 077
-
-
-If the above command returns no output, or if the umask is configured incorrectly, this is a finding."
-V-38648,low,The qpidd service must not be running.,"The qpidd service is automatically installed when the ""base"" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the ""qpidd"" service is not needed and should be disabled or removed.",None,SV-50449r2_rule,F-43597r2_fix,"The ""qpidd"" service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The ""qpidd"" service can be disabled with the following commands:
-
-# chkconfig qpidd off
-# service qpidd stop",C-46208r2_chk,"To check that the ""qpidd"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""qpidd"" --list
-
-Output should indicate the ""qpidd"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""qpidd"" --list
-""qpidd"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""qpidd"" is disabled through current runtime configuration:
-
-# service qpidd status
-
-If the service is disabled the command will return the following output:
-
-qpidd is stopped
-
-
-If the service is running, this is a finding."
-V-38643,medium,There must be no world-writable files on the system.,"Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.",None,SV-50444r3_rule,F-43591r1_fix,"It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.",C-46202r3_chk,"To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys:
-
-# find [PART] -xdev -type f -perm -002
-
-If there is output, this is a finding."
-V-38642,low,The system default umask for daemons must be 027 or 022.,The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.,None,SV-50443r1_rule,F-43592r1_fix,"The file ""/etc/init.d/functions"" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately:
-
-umask [UMASK]
-
-Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.",C-46203r1_chk,"To check the value of the ""umask"", run the following command:
-
-$ grep umask /etc/init.d/functions
-
-The output should show either ""022"" or ""027"".
-If it does not, this is a finding."
-V-38641,low,The atd service must be disabled.,"The ""atd"" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with ""at"" or ""batch"" is not common.",None,SV-50442r2_rule,F-43590r2_fix,"The ""at"" and ""batch"" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon ""atd"" keeps track of tasks scheduled via ""at"" and ""batch"", and executes them at the specified time. The ""atd"" service can be disabled with the following commands:
-
-# chkconfig atd off
-# service atd stop",C-46201r2_chk,"If the system uses the ""atd"" service, this is not applicable.
-
-To check that the ""atd"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""atd"" --list
-
-Output should indicate the ""atd"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""atd"" --list
-""atd"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""atd"" is disabled through current runtime configuration:
-
-# service atd status
-
-If the service is disabled the command will return the following output:
-
-atd is stopped
-
-
-If the service is running, this is a finding."
-V-38640,low,The Automatic Bug Reporting Tool (abrtd) service must not be running.,"Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.",None,SV-50441r2_rule,F-43589r2_fix,"The Automatic Bug Reporting Tool (""abrtd"") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The ""abrtd"" service can be disabled with the following commands:
-
-# chkconfig abrtd off
-# service abrtd stop",C-46200r1_chk,"To check that the ""abrtd"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""abrtd"" --list
-
-Output should indicate the ""abrtd"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""abrtd"" --list
-""abrtd"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""abrtd"" is disabled through current runtime configuration:
-
-# service abrtd status
-
-If the service is disabled the command will return the following output:
-
-abrtd is stopped
-
-
-If the service is running, this is a finding."
-V-38647,low,The system default umask in /etc/profile must be 077.,The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.,None,SV-50448r1_rule,F-43596r1_fix,"To ensure the default umask controlled by ""/etc/profile"" is set properly, add or correct the ""umask"" setting in ""/etc/profile"" to read as follows:
-
-umask 077",C-46207r1_chk,"Verify the ""umask"" setting is configured correctly in the ""/etc/profile"" file by running the following command:
-
-# grep ""umask"" /etc/profile
-
-All output must show the value of ""umask"" set to 077, as shown in the below:
-
-# grep ""umask"" /etc/profile
-umask 077
-
-
-If the above command returns no output, or if the umask is configured incorrectly, this is a finding."
-V-38646,low,The oddjobd service must not be running.,"The ""oddjobd"" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.",None,SV-50447r2_rule,F-43595r2_fix,"The ""oddjobd"" service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with ""oddjobd"" is through the system message bus. The ""oddjobd"" service can be disabled with the following commands:
-
-# chkconfig oddjobd off
-# service oddjobd stop",C-46206r2_chk,"To check that the ""oddjobd"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""oddjobd"" --list
-
-Output should indicate the ""oddjobd"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""oddjobd"" --list
-""oddjobd"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""oddjobd"" is disabled through current runtime configuration:
-
-# service oddjobd status
-
-If the service is disabled the command will return the following output:
-
-oddjobd is stopped
-
-
-If the service is running, this is a finding."
-V-38645,low,The system default umask in /etc/login.defs must be 077.,The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.,None,SV-50446r1_rule,F-43594r1_fix,"To ensure the default umask controlled by ""/etc/login.defs"" is set properly, add or correct the ""umask"" setting in ""/etc/login.defs"" to read as follows:
-
-UMASK 077",C-46205r1_chk,"Verify the ""umask"" setting is configured correctly in the ""/etc/login.defs"" file by running the following command:
-
-# grep -i ""umask"" /etc/login.defs
-
-All output must show the value of ""umask"" set to 077, as shown in the below:
-
-# grep -i ""umask"" /etc/login.defs
-UMASK 077
-
-
-If the above command returns no output, or if the umask is configured incorrectly, this is a finding."
-V-38644,low,The ntpdate service must not be running.,"The ""ntpdate"" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.",None,SV-50445r2_rule,F-43593r2_fix,"The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in ""/etc/ntp/step-tickers"" or ""/etc/ntp.conf"" and then sets the local hardware clock to the newly synchronized system time. The ""ntpdate"" service can be disabled with the following commands:
-
-# chkconfig ntpdate off
-# service ntpdate stop",C-46204r1_chk,"To check that the ""ntpdate"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""ntpdate"" --list
-
-Output should indicate the ""ntpdate"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""ntpdate"" --list
-""ntpdate"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""ntpdate"" is disabled through current runtime configuration:
-
-# service ntpdate status
-
-If the service is disabled the command will return the following output:
-
-ntpdate is stopped
-
-
-If the service is running, this is a finding."
-V-51369,low,The system must use a Linux Security Module configured to limit the privileges of system services.,"Setting the SELinux policy to ""targeted"" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. ",None,SV-65579r1_rule,F-56171r1_fix,"The SELinux ""targeted"" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in ""/etc/selinux/config"":
-
-SELINUXTYPE=targeted
-
-Other policies, such as ""mls"", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. ",C-53711r1_chk,"Check the file ""/etc/selinux/config"" and ensure the following line appears:
-
-SELINUXTYPE=targeted
-
-If it does not, this is a finding. "
-V-38452,low,The system package management tool must verify permissions on all files and directories associated with packages.,Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.,None,SV-50252r1_rule,F-43398r1_fix,"The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database:
-
-# rpm --setperms [package]",C-46008r1_chk,"The following command will list which files and directories on the system have permissions different from what is expected by the RPM database:
-
-# rpm -Va | grep '^.M'
-
-If there is any output, for each file or directory found, find the associated RPM package and compare the RPM-expected permissions with the actual permissions on the file or directory:
-
-# rpm -qf [file or directory name]
-# rpm -q --queryformat ""[%{FILENAMES} %{FILEMODES:perms}\n]"" [package] | grep [filename]
-# ls -lL [filename]
-
-If the existing permissions are more permissive than those expected by RPM, this is a finding."
-V-38551,medium,The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.,"The ""ip6tables"" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.",None,SV-50352r3_rule,F-43499r2_fix,"The ""ip6tables"" service can be enabled with the following commands:
-
-# chkconfig ip6tables on
-# service ip6tables start",C-46109r3_chk,"If the system is a cross-domain system, this is not applicable.
-
-If IPV6 is disabled, this is not applicable.
-
-Run the following command to determine the current status of the ""ip6tables"" service:
-
-# service ip6tables status
-
-If the service is not running, it should return the following:
-
-ip6tables: Firewall is not running.
-
-
-If the service is not running, this is a finding."
-V-51363,medium,The system must use a Linux Security Module configured to enforce limits on system services.,"Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. ",None,SV-65573r1_rule,F-56165r1_fix,"The SELinux state should be set to ""enforcing"" at system boot time. In the file ""/etc/selinux/config"", add or correct the following line to configure the system to boot into enforcing mode:
-
-SELINUX=enforcing",C-53703r1_chk,"Check the file ""/etc/selinux/config"" and ensure the following line appears:
-
-SELINUX=enforcing
-
-If SELINUX is not set to enforcing, this is a finding. "
-V-38453,low,The system package management tool must verify group-ownership on all files and directories associated with packages.,Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.,None,SV-50253r1_rule,F-43399r1_fix,"The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database:
-
-# rpm -qf [file or directory name]
-# rpm --setugids [package]",C-46009r1_chk,"The following command will list which files on the system have group-ownership different from what is expected by the RPM database:
-
-# rpm -Va | grep '^......G'
-
-
-If there is output, this is a finding."
-V-38608,low,The SSH daemon must set a timeout interval on idle sessions.,Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.,None,SV-50409r1_rule,F-43556r1_fix,"SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
-
-To set an idle timeout interval, edit the following line in ""/etc/ssh/sshd_config"" as follows:
-
-ClientAliveInterval [interval]
-
-The timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900.
-
-If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.",C-46167r1_chk,"Run the following command to see what the timeout interval is:
-
-# grep ClientAliveInterval /etc/ssh/sshd_config
-
-If properly configured, the output should be:
-
-ClientAliveInterval 900
-
-
-If it is not, this is a finding."
-V-38499,medium,The /etc/passwd file must not contain password hashes.,"The hashes for all user account passwords should be stored in the file ""/etc/shadow"" and never in ""/etc/passwd"", which is readable by all users.",None,SV-50300r1_rule,F-43446r1_fix,"If any password hashes are stored in ""/etc/passwd"" (in the second field, instead of an ""x""), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.",C-46056r1_chk,"To check that no password hashes are stored in ""/etc/passwd"", run the following command:
-
-# awk -F: '($2 != ""x"") {print}' /etc/passwd
-
-If it produces any output, then a password hash is stored in ""/etc/passwd"".
-If any stored hashes are found in /etc/passwd, this is a finding."
-V-38450,medium,The /etc/passwd file must be owned by root.,"The ""/etc/passwd"" file contains information about the users that are configured on the system. Protection of this file is critical for system security.",None,SV-50250r1_rule,F-43395r1_fix,"To properly set the owner of ""/etc/passwd"", run the command:
-
-# chown root /etc/passwd",C-46005r1_chk,"To check the ownership of ""/etc/passwd"", run the command:
-
-$ ls -l /etc/passwd
-
-If properly configured, the output should indicate the following owner: ""root""
-If it does not, this is a finding."
-V-38581,medium,The system boot loader configuration file(s) must be group-owned by root.,"The ""root"" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.",None,SV-50382r1_rule,F-43529r1_fix,"The file ""/etc/grub.conf"" should be group-owned by the ""root"" group to prevent destruction or modification of the file. To properly set the group owner of ""/etc/grub.conf"", run the command:
-
-# chgrp root /etc/grub.conf",C-46139r1_chk,"To check the group ownership of ""/etc/grub.conf"", run the command:
-
-$ ls -lL /etc/grub.conf
-
-If properly configured, the output should indicate the following group-owner. ""root""
-If it does not, this is a finding."
-V-38451,medium,The /etc/passwd file must be group-owned by root.,"The ""/etc/passwd"" file contains information about the users that are configured on the system. Protection of this file is critical for system security.",None,SV-50251r1_rule,F-43396r1_fix,"To properly set the group owner of ""/etc/passwd"", run the command:
-
-# chgrp root /etc/passwd",C-46006r1_chk,"To check the group ownership of ""/etc/passwd"", run the command:
-
-$ ls -l /etc/passwd
-
-If properly configured, the output should indicate the following group-owner. ""root""
-If it does not, this is a finding."
-V-38458,medium,The /etc/group file must be owned by root.,"The ""/etc/group"" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.",None,SV-50258r1_rule,F-43403r1_fix,"To properly set the owner of ""/etc/group"", run the command:
-
-# chown root /etc/group",C-46013r1_chk,"To check the ownership of ""/etc/group"", run the command:
-
-$ ls -l /etc/group
-
-If properly configured, the output should indicate the following owner: ""root""
-If it does not, this is a finding."
-V-38447,low,The system package management tool must verify contents of all files associated with packages.,The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.,None,SV-50247r2_rule,F-43392r1_fix,"The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
-
-# rpm -Va | grep '^..5'
-
-A ""c"" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories.
-
-rpm -Uvh [affected_package]
-
-OR
-
-yum reinstall [affected_package]",C-46002r3_chk,"The following command will list which files on the system have file hashes different from what is expected by the RPM database.
-
-# rpm -Va | awk '$1 ~ /..5/ && $2 != ""c""'
-
-
-If there is output, this is a finding."
-V-38658,medium,The system must prohibit the reuse of passwords within twenty-four iterations.,Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.,None,SV-50459r1_rule,F-43608r1_fix,"Do not allow users to reuse recent passwords. This can be accomplished by using the ""remember"" option for the ""pam_unix"" PAM module. In the file ""/etc/pam.d/system-auth"", append ""remember=24"" to the line which refers to the ""pam_unix.so"" module, as shown:
-
-password sufficient pam_unix.so [existing_options] remember=24
-
-The DoD requirement is 24 passwords.",C-46219r1_chk,"To verify the password reuse setting is compliant, run the following command:
-
-$ grep remember /etc/pam.d/system-auth
-
-The output should show the following at the end of the line:
-
-remember=24
-
-
-If it does not, this is a finding."
-V-38659,low,The operating system must employ cryptographic mechanisms to protect information in storage.,"The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.",None,SV-50460r1_rule,F-43609r1_fix,"Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
-
-For manual installations, select the ""Encrypt"" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.
-
-For automated/unattended installations, it is possible to use Kickstart by adding the ""--encrypted"" and ""--passphrase="" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
-
-part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]
-
-Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the ""--passphrase="" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
-
-Detailed information on encrypting partitions using LUKS can be found on the Red Had Documentation web site:
-https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html",C-46220r1_chk,"Determine if encryption must be used to protect data on the system.
-If encryption must be used and is not employed, this is a finding."
-V-38582,medium,The xinetd service must be disabled if no network services utilizing it are enabled.,"The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.",None,SV-50383r2_rule,F-43530r2_fix,"The ""xinetd"" service can be disabled with the following commands:
-
-# chkconfig xinetd off
-# service xinetd stop",C-46140r2_chk,"If network services are using the xinetd service, this is not applicable.
-
-To check that the ""xinetd"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""xinetd"" --list
-
-Output should indicate the ""xinetd"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""xinetd"" --list
-""xinetd"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""xinetd"" is disabled through current runtime configuration:
-
-# service xinetd status
-
-If the service is disabled the command will return the following output:
-
-xinetd is stopped
-
-
-If the service is running, this is a finding."
-V-38650,low,The rdisc service must not be running.,General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.,None,SV-50451r2_rule,F-43599r2_fix,"The ""rdisc"" service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The ""rdisc"" service can be disabled with the following commands:
-
-# chkconfig rdisc off
-# service rdisc stop",C-46210r1_chk,"To check that the ""rdisc"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""rdisc"" --list
-
-Output should indicate the ""rdisc"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""rdisc"" --list
-""rdisc"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""rdisc"" is disabled through current runtime configuration:
-
-# service rdisc status
-
-If the service is disabled the command will return the following output:
-
-rdisc is stopped
-
-
-If the service is running, this is a finding."
-V-38651,low,The system default umask for the bash shell must be 077.,The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.,None,SV-50452r1_rule,F-43600r1_fix,"To ensure the default umask for users of the Bash shell is set properly, add or correct the ""umask"" setting in ""/etc/bashrc"" to read as follows:
-
-umask 077",C-46211r1_chk,"Verify the ""umask"" setting is configured correctly in the ""/etc/bashrc"" file by running the following command:
-
-# grep ""umask"" /etc/bashrc
-
-All output must show the value of ""umask"" set to 077, as shown below:
-
-# grep ""umask"" /etc/bashrc
-umask 077
-umask 077
-
-
-If the above command returns no output, or if the umask is configured incorrectly, this is a finding."
-V-38652,medium,Remote file systems must be mounted with the nodev option.,Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.,None,SV-50453r2_rule,F-43601r1_fix,"Add the ""nodev"" option to the fourth column of ""/etc/fstab"" for the line which controls mounting of any NFS mounts.",C-46212r2_chk,"To verify the ""nodev"" option is configured for all NFS mounts, run the following command:
-
-$ mount | grep ""nfs ""
-
-All NFS mounts should show the ""nodev"" setting in parentheses, along with other mount options.
-If the setting does not show, this is a finding."
-V-38653,high,The snmpd service must not use a default password.,Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.,None,SV-50454r1_rule,F-43602r1_fix,"Edit ""/etc/snmp/snmpd.conf"", remove default community string ""public"". Upon doing that, restart the SNMP service:
-
-# service snmpd restart",C-46213r1_chk,"To ensure the default password is not set, run the following command:
-
-# grep -v ""^#"" /etc/snmp/snmpd.conf| grep public
-
-There should be no output.
-If there is output, this is a finding."
-V-38654,medium,Remote file systems must be mounted with the nosuid option.,NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.,None,SV-50455r2_rule,F-43603r1_fix,"Add the ""nosuid"" option to the fourth column of ""/etc/fstab"" for the line which controls mounting of any NFS mounts.",C-46214r3_chk,"To verify the ""nosuid"" option is configured for all NFS mounts, run the following command:
-
-$ mount | grep nfs
-
-All NFS mounts should show the ""nosuid"" setting in parentheses, along with other mount options.
-If the setting does not show, this is a finding."
-V-38490,medium,The operating system must enforce requirements for the connection of mobile devices to operating systems.,USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.,None,SV-50291r4_rule,F-43437r3_fix,"To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the ""usb-storage"" kernel module from being loaded, add the following line to a file in the directory ""/etc/modprobe.d"":
-
-install usb-storage /bin/true
-
-This will prevent the ""modprobe"" program from loading the ""usb-storage"" module, but will not prevent an administrator (or another program) from using the ""insmod"" program to load the module manually.",C-46047r3_chk,"If the system is configured to prevent the loading of the ""usb-storage"" kernel module, it will contain lines inside any file in ""/etc/modprobe.d"" or the deprecated""/etc/modprobe.conf"". These lines instruct the module loading system to run another program (such as ""/bin/true"") upon a module ""install"" event. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
-
-If no line is returned, this is a finding."
-V-38656,low,The system must use SMB client signing for connecting to samba servers using smbclient.,Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.,None,SV-50457r1_rule,F-43606r1_fix,"To require samba clients running ""smbclient"" to use packet signing, add the following to the ""[global]"" section of the Samba configuration file in ""/etc/samba/smb.conf"":
-
-client signing = mandatory
-
-Requiring samba clients such as ""smbclient"" to use packet signing ensures they can only communicate with servers that support packet signing.",C-46217r1_chk,"To verify that Samba clients running smbclient must use packet signing, run the following command:
-
-# grep signing /etc/samba/smb.conf
-
-The output should show:
-
-client signing = mandatory
-
-
-If it is not, this is a finding."
-V-38657,low,The system must use SMB client signing for connecting to samba servers using mount.cifs.,Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.,None,SV-50458r2_rule,F-43607r1_fix,"Require packet signing of clients who mount Samba shares using the ""mount.cifs"" program (e.g., those who specify shares in ""/etc/fstab""). To do so, ensure signing options (either ""sec=krb5i"" or ""sec=ntlmv2i"") are used.
-
-See the ""mount.cifs(8)"" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.",C-46218r4_chk,"If Samba is not in use, this is not applicable.
-
-To verify that Samba clients using mount.cifs must use packet signing, run the following command:
-
-# grep sec /etc/fstab /etc/mtab
-
-The output should show either ""krb5i"" or ""ntlmv2i"" in use.
-If it does not, this is a finding."
-V-38437,low,Automated file system mounting tools must not be enabled unless needed.,"All filesystems that are required for the successful operation of the system should be explicitly listed in ""/etc/fstab"" by an administrator. New filesystems should not be arbitrarily introduced via the automounter.
-
-The ""autofs"" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as ""/misc/cd"". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing ""/etc/fstab"" rather than relying on the automounter. ",None,SV-50237r1_rule,F-43381r1_fix,"If the ""autofs"" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels:
-
-# chkconfig --level 0123456 autofs off
-
-Stop the service if it is already running:
-
-# service autofs stop",C-45991r1_chk,"To verify the ""autofs"" service is disabled, run the following command:
-
-chkconfig --list autofs
-
-If properly configured, the output should be the following:
-
-autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Verify the ""autofs"" service is not running:
-
-# service autofs status
-
-If the autofs service is enabled or running, this is a finding."
-V-51379,low,All device files must be monitored by the system Linux Security Module.,"If a device file carries the SELinux type ""unlabeled_t"", then SELinux cannot properly restrict access to the device file. ",None,SV-65589r1_rule,F-56179r1_fix,"Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type ""unlabeled_t"", investigate the cause and correct the file's context. ",C-53719r1_chk,"To check for unlabeled device files, run the following command:
-
-# ls -RZ /dev | grep unlabeled_t
-
-It should produce no output in a well-configured system.
-
-If there is output, this is a finding. "
-V-38443,medium,The /etc/gshadow file must be owned by root.,"The ""/etc/gshadow"" file contains group password hashes. Protection of this file is critical for system security.",None,SV-50243r1_rule,F-43388r1_fix,"To properly set the owner of ""/etc/gshadow"", run the command:
-
-# chown root /etc/gshadow",C-45998r1_chk,"To check the ownership of ""/etc/gshadow"", run the command:
-
-$ ls -l /etc/gshadow
-
-If properly configured, the output should indicate the following owner: ""root""
-If it does not, this is a finding."
-V-38526,medium,The system must not accept ICMPv4 secure redirect packets on any interface.,"Accepting ""secure"" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.",None,SV-50327r2_rule,F-43474r1_fix,"To set the runtime status of the ""net.ipv4.conf.all.secure_redirects"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.all.secure_redirects=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.all.secure_redirects = 0",C-46084r2_chk,"The status of the ""net.ipv4.conf.all.secure_redirects"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.all.secure_redirects
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding."
-V-38527,low,The audit system must be configured to audit all attempts to alter system time through clock_settime.,"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.",None,SV-50328r3_rule,F-43475r2_fix,"On a 32-bit system, add the following to ""/etc/audit/audit.rules"":
-
-# audit_time_rules
--a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-
-On a 64-bit system, add the following to ""/etc/audit/audit.rules"":
-
-# audit_time_rules
--a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
-
-The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-
--a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules",C-46085r2_chk,"To determine if the system is configured to audit calls to the ""clock_settime"" system call, run the following command:
-
-$ sudo grep -w ""clock_settime"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-If the system is not configured to audit time changes, this is a finding. "
-V-38524,medium,The system must not accept ICMPv4 redirect packets on any interface.,Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.,None,SV-50325r2_rule,F-43472r1_fix,"To set the runtime status of the ""net.ipv4.conf.all.accept_redirects"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.all.accept_redirects=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.all.accept_redirects = 0",C-46082r2_chk,"The status of the ""net.ipv4.conf.all.accept_redirects"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.all.accept_redirects
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38525,low,The audit system must be configured to audit all attempts to alter system time through stime.,"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.",None,SV-50326r4_rule,F-43473r4_fix,"On a 32-bit system, add the following to ""/etc/audit/audit.rules"":
-
-# audit_time_rules
--a always,exit -F arch=b32 -S stime -k audit_time_rules
-
-On a 64-bit system, the ""-S stime"" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-
--a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules",C-46083r3_chk,"If the system is 64-bit only, this is not applicable.
-
-To determine if the system is configured to audit calls to the ""stime"" system call, run the following command:
-
-$ sudo grep -w ""stime"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-If the system is not configured to audit time changes, this is a finding. "
-V-38522,low,The audit system must be configured to audit all attempts to alter system time through settimeofday.,"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.",None,SV-50323r3_rule,F-43470r2_fix,"On a 32-bit system, add the following to ""/etc/audit/audit.rules"":
-
-# audit_time_rules
--a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
-
-On a 64-bit system, add the following to ""/etc/audit/audit.rules"":
-
-# audit_time_rules
--a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
-
-The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-
--a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules",C-46080r2_chk,"To determine if the system is configured to audit calls to the ""settimeofday"" system call, run the following command:
-
-$ sudo grep -w ""settimeofday"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-If the system is not configured to audit time changes, this is a finding. "
-V-38488,medium,The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.,Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.,None,SV-50289r1_rule,F-43435r1_fix,"Procedures to back up user data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.
-
-Implement a process whereby user data is backed up from the system in accordance with local policies.",C-46045r1_chk,"Ask an administrator if a process exists to back up user data from the system.
-
-If such a process does not exist, this is a finding."
-V-38520,medium,The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.,A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.,None,SV-50321r1_rule,F-43468r1_fix,"To configure rsyslog to send logs to a remote log server, open ""/etc/rsyslog.conf"" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting ""[loghost.example.com]"" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
-To use UDP for log message delivery:
-
-*.* @[loghost.example.com]
-
-
-To use TCP for log message delivery:
-
-*.* @@[loghost.example.com]
-
-
-To use RELP for log message delivery:
-
-*.* :omrelp:[loghost.example.com]",C-46078r1_chk,"To ensure logs are sent to a remote host, examine the file ""/etc/rsyslog.conf"". If using UDP, a line similar to the following should be present:
-
-*.* @[loghost.example.com]
-
-If using TCP, a line similar to the following should be present:
-
-*.* @@[loghost.example.com]
-
-If using RELP, a line similar to the following should be present:
-
-*.* :omrelp:[loghost.example.com]
-
-
-If none of these are present, this is a finding."
-V-38521,medium,The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.,A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.,None,SV-50322r1_rule,F-43656r1_fix,"To configure rsyslog to send logs to a remote log server, open ""/etc/rsyslog.conf"" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting ""[loghost.example.com]"" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
-To use UDP for log message delivery:
-
-*.* @[loghost.example.com]
-
-
-To use TCP for log message delivery:
-
-*.* @@[loghost.example.com]
-
-
-To use RELP for log message delivery:
-
-*.* :omrelp:[loghost.example.com]",C-46269r1_chk,"To ensure logs are sent to a remote host, examine the file ""/etc/rsyslog.conf"". If using UDP, a line similar to the following should be present:
-
-*.* @[loghost.example.com]
-
-If using TCP, a line similar to the following should be present:
-
-*.* @@[loghost.example.com]
-
-If using RELP, a line similar to the following should be present:
-
-*.* :omrelp:[loghost.example.com]
-
-
-If none of these are present, this is a finding."
-V-38484,medium,"The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.","Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
-
-At ssh login, a user must be presented with the last successful login date and time.",None,SV-50285r2_rule,F-43431r2_fix,"Update the ""PrintLastLog"" keyword to ""yes"" in /etc/ssh/sshd_config:
-
-PrintLastLog yes
-
-While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last logon date and time, it is preferred to have the value explicitly documented.",C-46041r2_chk,"Verify the value associated with the ""PrintLastLog"" keyword in /etc/ssh/sshd_config:
-
-# grep -i ""^PrintLastLog"" /etc/ssh/sshd_config
-
-If the ""PrintLastLog"" keyword is not present, this is not a finding. If the value is not set to ""yes"", this is a finding."
-V-38487,low,The system package management tool must cryptographically verify the authenticity of all software packages during installation.,Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.,None,SV-50288r1_rule,F-43433r1_fix,"To ensure signature checking is not disabled for any repos, remove any lines from files in ""/etc/yum.repos.d"" of the form:
-
-gpgcheck=0",C-46043r1_chk,"To determine whether ""yum"" has been configured to disable ""gpgcheck"" for any repos, inspect all files in ""/etc/yum.repos.d"" and ensure the following does not appear in any sections:
-
-gpgcheck=0
-
-A value of ""0"" indicates that ""gpgcheck"" has been disabled for that repo.
-If GPG checking is disabled, this is a finding.
-
-If the ""yum"" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed."
-V-38486,medium,The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.,"Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.",None,SV-50287r1_rule,F-43434r1_fix,"Procedures to back up OS data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.
-
-Implement a process whereby OS data is backed up from the system in accordance with local policies.",C-46044r1_chk,"Ask an administrator if a process exists to back up OS data from the system, including configuration data.
-
-If such a process does not exist, this is a finding."
-V-38481,medium,System security patches and updates must be installed and up-to-date.,Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.,None,SV-50281r1_rule,F-43426r1_fix,"If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
-
-# yum update
-
-If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using ""rpm"".",C-46036r1_chk,"If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available:
-
-# yum check-update
-
-If the system is not configured to update from one of these sources, run the following command to list when each package was last updated:
-
-$ rpm -qa -last
-
-Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates.
-If updates are not installed, this is a finding."
-V-38480,low,Users must be warned 7 days in advance of password expiration.,Setting the password warning age enables users to make the change at a practical time.,None,SV-50280r1_rule,F-43425r1_fix,"To specify how many days prior to password expiration that a warning will be issued to users, edit the file ""/etc/login.defs"" and add or correct the following line, replacing [DAYS] appropriately:
-
-PASS_WARN_AGE [DAYS]
-
-The DoD requirement is 7.",C-46035r1_chk,"To check the password warning age, run the command:
-
-$ grep PASS_WARN_AGE /etc/login.defs
-
-The DoD requirement is 7.
-If it is not set to the required value, this is a finding."
-V-38528,low,The system must log Martian packets.,"The presence of ""martian"" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.",None,SV-50329r2_rule,F-43476r1_fix,"To set the runtime status of the ""net.ipv4.conf.all.log_martians"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.all.log_martians=1
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.all.log_martians = 1",C-46086r3_chk,"The status of the ""net.ipv4.conf.all.log_martians"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.all.log_martians
-
-The output of the command should indicate a value of ""1"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38529,medium,The system must not accept IPv4 source-routed packets by default.,Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.,None,SV-50330r2_rule,F-43478r1_fix,"To set the runtime status of the ""net.ipv4.conf.default.accept_source_route"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.default.accept_source_route=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.default.accept_source_route = 0",C-46088r2_chk,"The status of the ""net.ipv4.conf.default.accept_source_route"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.default.accept_source_route
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38665,medium,The system package management tool must verify group-ownership on all files and directories associated with the audit package.,Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.,None,SV-50466r1_rule,F-43614r1_fix,"The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database:
-
-# rpm --setugids audit",C-46225r1_chk,"The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database:
-
-# rpm -V audit | grep '^......G'
-
-
-If there is output, this is a finding."
-V-38664,medium,The system package management tool must verify ownership on all files and directories associated with the audit package.,Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.,None,SV-50465r1_rule,F-43613r1_fix,"The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database:
-
-# rpm --setugids audit",C-46224r1_chk,"The following command will list which audit files on the system have ownership different from what is expected by the RPM database:
-
-# rpm -V audit | grep '^.....U'
-
-
-If there is output, this is a finding."
-V-38667,medium,The system must have a host-based intrusion detection tool installed.,"Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.",None,SV-50468r2_rule,F-43616r2_fix,"The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.
-
-In DoD environments, supplemental intrusion detection tools, such as, the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with the proper functioning of SELinux, SELinux takes precedence. ",C-46227r1_chk,"Inspect the system to determine if intrusion detection software has been installed. Verify the intrusion detection software is active.
-If no host-based intrusion detection tools are installed, this is a finding."
-V-38666,high,The system must use and update a DoD-approved virus scan program.,"Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.",None,SV-50467r2_rule,F-43615r2_fix,"Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem.
-
-The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release.
-
-Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail. ",C-46226r2_chk,"Inspect the system for a cron job or system service which executes a virus scanning tool regularly.
-To verify the McAfee VSEL system service is operational, run the following command:
-
-# /etc/init.d/nails status
-
-To check on the age of uvscan virus definition files, run the following command:
-
-# cd /opt/NAI/LinuxShield/engine/dat
-# ls -la avvscan.dat avvnames.dat avvclean.dat
-
-If virus scanning software does not run continuously, or at least daily, or has signatures that are out of date, this is a finding. "
-V-38661,low,The operating system must protect the confidentiality and integrity of data at rest. ,"The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.",None,SV-50462r1_rule,F-43610r1_fix,"Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
-
-For manual installations, select the ""Encrypt"" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.
-
-For automated/unattended installations, it is possible to use Kickstart by adding the ""--encrypted"" and ""--passphrase="" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
-
-part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]
-
-Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the ""--passphrase="" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
-
-Detailed information on encrypting partitions using LUKS can be found on the Red Had Documentation web site:
-https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html",C-46221r1_chk,"Determine if encryption must be used to protect data on the system.
-If encryption must be used and is not employed, this is a finding."
-V-38660,medium,The snmpd service must use only SNMP protocol version 3 or newer.,"Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.
-",None,SV-50461r1_rule,F-43604r1_fix,"Edit ""/etc/snmp/snmpd.conf"", removing any references to ""v1"", ""v2c"", or ""com2sec"". Upon doing that, restart the SNMP service:
-
-# service snmpd restart",C-46215r1_chk,"To ensure only SNMPv3 or newer is used, run the following command:
-
-# grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'
-
-There should be no output.
-If there is output, this is a finding."
-V-38663,medium,The system package management tool must verify permissions on all files and directories associated with the audit package.,Permissions on audit binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.,None,SV-50464r1_rule,F-43612r1_fix,"The RPM package management system can restore file access permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database:
-
-# rpm --setperms audit",C-46223r1_chk,"The following command will list which audit files on the system have permissions different from what is expected by the RPM database:
-
-# rpm -V audit | grep '^.M'
-
-If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory:
-
-# rpm -q --queryformat ""[%{FILENAMES} %{FILEMODES:perms}\n]"" audit | grep [filename]
-# ls -lL [filename]
-
-If the existing permissions are more permissive than those expected by RPM, this is a finding."
-V-38662,low,The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.,"The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.",None,SV-50463r1_rule,F-43611r1_fix,"Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
-
-For manual installations, select the ""Encrypt"" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.
-
-For automated/unattended installations, it is possible to use Kickstart by adding the ""--encrypted"" and ""--passphrase="" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
-
-part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]
-
-Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the ""--passphrase="" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
-
-Detailed information on encrypting partitions using LUKS can be found on the Red Had Documentation web site:
-https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html",C-46222r1_chk,"Determine if encryption must be used to protect data on the system.
-If encryption must be used and is not employed, this is a finding."
-V-38446,medium,The mail system must forward all mail for root to one or more system administrators.,A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.,None,SV-50246r1_rule,F-43391r1_fix,"Set up an alias for root that forwards to a monitored email address:
-
-# echo ""root: @mail.mil"" >> /etc/aliases
-# newaliases",C-46001r1_chk,"Find the list of alias maps used by the Postfix mail server:
-
-# postconf alias_maps
-
-Query the Postfix alias maps for an alias for ""root"":
-
-# postmap -q root
-
-If there are no aliases configured for root that forward to a monitored email address, this is a finding."
-V-38669,low,The postfix service must be enabled for mail delivery.,Local mail delivery is essential to some system maintenance and notification tasks.,None,SV-50470r1_rule,F-43618r1_fix,"The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The ""postfix"" service can be enabled with the following command:
-
-# chkconfig postfix on
-# service postfix start",C-46230r1_chk,"Run the following command to determine the current status of the ""postfix"" service:
-
-# service postfix status
-
-If the service is enabled, it should return the following:
-
-postfix is running...
-
-If the service is not enabled, this is a finding."
-V-38668,high,The x86 Ctrl-Alt-Delete key sequence must be disabled.,"A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.",None,SV-50469r2_rule,F-43617r2_fix,"By default, the system includes the following line in ""/etc/init/control-alt-delete.conf"" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed:
-
-exec /sbin/shutdown -r now ""Ctrl-Alt-Delete pressed""
-
-
-To configure the system to log a message instead of rebooting the system, add the following line to ""/etc/init/control-alt-delete.override"" to read as follows:
-
-exec /usr/bin/logger -p security.info ""Ctrl-Alt-Delete pressed""",C-46228r2_chk,"To ensure the system is configured to log a message instead of rebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line is in ""/etc/init/control-alt-delete.override"":
-
-exec /usr/bin/logger -p security.info ""Control-Alt-Delete pressed""
-
-If the system is not configured to block the shutdown command when Ctrl-Alt-Delete is pressed, this is a finding. "
-V-38467,low,The system must use a separate file system for the system audit data path.,"Placing ""/var/log/audit"" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.",None,SV-50267r1_rule,F-43412r1_fix,"Audit logs are stored in the ""/var/log/audit"" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.",C-46022r1_chk,"Run the following command to determine if ""/var/log/audit"" is on its own partition or logical volume:
-
-$ mount | grep ""on /var/log/audit ""
-
-If ""/var/log/audit"" has its own partition or volume group, a line will be returned.
-If no line is returned, this is a finding."
-V-38466,medium,Library files must be owned by root.,Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.,None,SV-50266r1_rule,F-43411r1_fix,"System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
-
-/lib
-/lib64
-/usr/lib
-/usr/lib64
-
-If any file in these directories is found to be owned by a user other than root, correct its ownership with the following command:
-
-# chown root [FILE]",C-46021r1_chk,"System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
-
-/lib
-/lib64
-/usr/lib
-/usr/lib64
-
-
-Kernel modules, which can be added to the kernel during runtime, are stored in ""/lib/modules"". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by ""root"", run the following command for each directory [DIR] which contains shared libraries:
-
-$ find -L [DIR] \! -user root
-
-
-If any of these files are not owned by root, this is a finding."
-V-38465,medium,Library files must have mode 0755 or less permissive.,Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.,None,SV-50265r3_rule,F-43409r2_fix,"System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
-
-/lib
-/lib64
-/usr/lib
-/usr/lib64
-
-If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
-
-# chmod go-w [FILE]",C-46019r4_chk,"System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
-
-/lib
-/lib64
-/usr/lib
-/usr/lib64
-
-
-Kernel modules, which can be added to the kernel during runtime, are stored in ""/lib/modules"". All files in these directories should not be group-writable or world-writable. To find shared libraries that are group-writable or world-writable, run the following command for each directory [DIR] which contains shared libraries:
-
-$ find -L [DIR] -perm /022 -type f
-
-
-If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding."
-V-38464,medium,The audit system must take appropriate action when there are disk errors on the audit storage volume.,Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.,None,SV-50264r1_rule,F-43410r1_fix,"Edit the file ""/etc/audit/auditd.conf"". Modify the following line, substituting [ACTION] appropriately:
-
-disk_error_action = [ACTION]
-
-Possible values for [ACTION] are described in the ""auditd.conf"" man page. These include:
-
-""ignore""
-""syslog""
-""exec""
-""suspend""
-""single""
-""halt""
-
-
-Set this to ""syslog"", ""exec"", ""single"", or ""halt"".",C-46020r1_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur:
-
-# grep disk_error_action /etc/audit/auditd.conf
-disk_error_action = [ACTION]
-
-
-If the system is configured to ""suspend"" when disk errors occur or ""ignore"" them, this is a finding."
-V-38463,low,The system must use a separate file system for /var/log.,"Placing ""/var/log"" in its own partition enables better separation between log files and other files in ""/var/"".",None,SV-50263r1_rule,F-43408r1_fix,"System logs are stored in the ""/var/log"" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.",C-46018r1_chk,"Run the following command to determine if ""/var/log"" is on its own partition or logical volume:
-
-$ mount | grep ""on /var/log ""
-
-If ""/var/log"" has its own partition or volume group, a line will be returned.
-If no line is returned, this is a finding."
-V-38462,high,The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.,Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.,None,SV-50262r1_rule,F-43407r1_fix,"Edit the RPM configuration files containing the ""nosignature"" option and remove the option.",C-46017r1_chk,"Verify RPM signature validation is not disabled:
-# grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc
-If any configuration is found, this is a finding."
-V-38461,medium,The /etc/group file must have mode 0644 or less permissive.,"The ""/etc/group"" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.",None,SV-50261r1_rule,F-43406r1_fix,"To properly set the permissions of ""/etc/group"", run the command:
-
-# chmod 644 /etc/group",C-46015r1_chk,"To check the permissions of ""/etc/group"", run the command:
-
-$ ls -l /etc/group
-
-If properly configured, the output should indicate the following permissions: ""-rw-r--r--""
-If it does not, this is a finding."
-V-38460,low,The NFS server must not have the all_squash option enabled.,"The ""all_squash"" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.",None,SV-50260r1_rule,F-43405r1_fix,"Remove any instances of the ""all_squash"" option from the file ""/etc/exports"". Restart the NFS daemon for the changes to take effect.
-
-# service nfs restart",C-46016r1_chk,"If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable.
-
-The related ""root_squash"" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding.
-
-To verify the ""all_squash"" option has been disabled, run the following command:
-
-# grep all_squash /etc/exports
-
-
-If there is output, this is a finding."
-V-38492,medium,The system must prevent the root account from logging in from virtual consoles.,Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. ,None,SV-50293r1_rule,F-43439r2_fix,"To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in ""/etc/securetty"":
-
-vc/1
-vc/2
-vc/3
-vc/4
-
-Note: Virtual console entries are not limited to those listed above. Any lines starting with ""vc/"" followed by numerals should be removed.",C-46049r1_chk,"To check for virtual console entries which permit root login, run the following command:
-
-# grep '^vc/[0-9]' /etc/securetty
-
-If any output is returned, then root logins over virtual console devices is permitted.
-If root login over virtual console devices is permitted, this is a finding."
-V-38702,low,The FTP daemon must be configured for logging or verbose mode.,"To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.",None,SV-50503r1_rule,F-43651r1_fix,"Add or correct the following configuration options within the ""vsftpd"" configuration file, located at ""/etc/vsftpd/vsftpd.conf"".
-
-xferlog_enable=YES
-xferlog_std_format=NO
-log_ftp_protocol=YES",C-46264r1_chk,"Find if logging is applied to the ftp daemon.
-
-Procedures:
-
-If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file.
-
-# grep vsftpd /etc/xinetd.d/*
-
-
-
-# grep server_args [vsftpd xinetd.d startup file]
-
-This will indicate the vsftpd config file used when starting through xinetd. If the [server_args]line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
-
-# grep xferlog_enable [vsftpd config file]
-
-
-If xferlog_enable is missing, or is not set to yes, this is a finding."
-V-38469,medium,All system command files must have mode 755 or less permissive.,"System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.",None,SV-50269r3_rule,F-43414r1_fix,"System executables are stored in the following directories by default:
-
-/bin
-/usr/bin
-/usr/local/bin
-/sbin
-/usr/sbin
-/usr/local/sbin
-
-If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
-
-# chmod go-w [FILE]",C-46024r3_chk,"System executables are stored in the following directories by default:
-
-/bin
-/usr/bin
-/usr/local/bin
-/sbin
-/usr/sbin
-/usr/local/sbin
-
-All files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables:
-
-$ find -L [DIR] -perm /022 -type f
-
-If any system executables are found to be group-writable or world-writable, this is a finding."
-V-38468,medium,The audit system must take appropriate action when the audit storage volume is full.,Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.,None,SV-50268r1_rule,F-43413r1_fix,"The ""auditd"" service can be configured to take an action when disk space starts to run low. Edit the file ""/etc/audit/auditd.conf"". Modify the following line, substituting [ACTION] appropriately:
-
-disk_full_action = [ACTION]
-
-Possible values for [ACTION] are described in the ""auditd.conf"" man page. These include:
-
-""ignore""
-""syslog""
-""exec""
-""suspend""
-""single""
-""halt""
-
-
-Set this to ""syslog"", ""exec"", ""single"", or ""halt"".",C-46023r1_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full:
-
-# grep disk_full_action /etc/audit/auditd.conf
-disk_full_action = [ACTION]
-
-
-If the system is configured to ""suspend"" when the volume is full or ""ignore"" that it is full, this is a finding."
-V-38553,medium,"The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.","The ""ip6tables"" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.",None,SV-50354r3_rule,F-43501r2_fix,"The ""ip6tables"" service can be enabled with the following commands:
-
-# chkconfig ip6tables on
-# service ip6tables start",C-46111r3_chk,"If the system is a cross-domain system, this is not applicable.
-
-If IPv6 is disabled, this is not applicable.
-
-Run the following command to determine the current status of the ""ip6tables"" service:
-
-# service ip6tables status
-
-If the service is not running, it should return the following:
-
-ip6tables: Firewall is not running.
-
-
-If the service is not running, this is a finding."
-V-38552,low,The audit system must be configured to audit all discretionary access control permission modifications using fchown.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50353r3_rule,F-43500r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod",C-46110r2_chk,"To determine if the system is configured to audit calls to the ""fchown"" system call, run the following command:
-
-$ sudo grep -w ""fchown"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38498,medium,Audit log files must have mode 0640 or less permissive.,"If users can write to audit logs, audit trails can be modified or destroyed.",None,SV-50299r1_rule,F-43445r1_fix,"Change the mode of the audit log files with the following command:
-
-# chmod 0640 [audit_file]",C-46055r1_chk,"Run the following command to check the mode of the system audit logs:
-
-grep ""^log_file"" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n
-
-Audit logs must be mode 0640 or less permissive.
-If any are more permissive, this is a finding."
-V-38550,low,The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50351r3_rule,F-43498r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod",C-46108r2_chk,"To determine if the system is configured to audit calls to the ""fchmodat"" system call, run the following command:
-
-$ sudo grep -w ""fchmodat"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38557,low,The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50358r3_rule,F-43505r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod",C-46115r2_chk,"To determine if the system is configured to audit calls to the ""fsetxattr"" system call, run the following command:
-
-$ sudo grep -w ""fsetxattr"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38556,low,The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50357r3_rule,F-43504r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod",C-46114r2_chk,"To determine if the system is configured to audit calls to the ""fremovexattr"" system call, run the following command:
-
-$ sudo grep -w ""fremovexattr"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38555,medium,The system must employ a local IPv4 firewall.,"The ""iptables"" service provides the system's host-based firewalling capability for IPv4 and ICMP.",None,SV-50356r2_rule,F-43503r2_fix,"The ""iptables"" service can be enabled with the following commands:
-
-# chkconfig iptables on
-# service iptables start",C-46113r2_chk,"If the system is a cross-domain system, this is not applicable.
-
-Run the following command to determine the current status of the ""iptables"" service:
-
-# service iptables status
-
-If the service is not running, it should return the following:
-
-iptables: Firewall is not running.
-
-
-If the service is not running, this is a finding."
-V-38554,low,The audit system must be configured to audit all discretionary access control permission modifications using fchownat.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50355r3_rule,F-43502r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod",C-46112r2_chk,"To determine if the system is configured to audit calls to the ""fchownat"" system call, run the following command:
-
-$ sudo grep -w ""fchownat"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-51875,medium,"The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.",Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. ,None,SV-66089r1_rule,F-56701r1_fix,"To configure the system to notify users of last logon/access using ""pam_lastlog"", add the following line immediately after ""session required pam_limits.so"":
-
-session required pam_lastlog.so showfailed",C-54013r1_chk,"To ensure that last logon/access notification is configured correctly, run the following command:
-
-# grep pam_lastlog.so /etc/pam.d/system-auth
-
-The output should show output ""showfailed"". If that is not the case, this is a finding. "
-V-38493,medium,Audit log directories must have mode 0755 or less permissive.,"If users can delete audit logs, audit trails can be modified or destroyed.",None,SV-50294r1_rule,F-43440r1_fix,"Change the mode of the audit log directories with the following command:
-
-# chmod go-w [audit_directory]",C-46050r1_chk,"Run the following command to check the mode of the system audit directories:
-
-grep ""^log_file"" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n
-
-Audit directories must be mode 0755 or less permissive.
-If any are more permissive, this is a finding."
-V-38559,low,The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50360r3_rule,F-43507r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod",C-46117r2_chk,"To determine if the system is configured to audit calls to the ""lremovexattr"" system call, run the following command:
-
-$ sudo grep -w ""lremovexattr"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38558,low,The audit system must be configured to audit all discretionary access control permission modifications using lchown.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50359r3_rule,F-43506r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod",C-46116r2_chk,"To determine if the system is configured to audit calls to the ""lchown"" system call, run the following command:
-
-$ sudo grep -w ""lchown"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38496,medium,"Default operating system accounts, other than root, must be locked.",Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.,None,SV-50297r3_rule,F-43442r2_fix,"Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts.
-
-Disable logon access to these accounts with the command:
-
-# passwd -l [SYSACCT]",C-46052r2_chk,"To obtain a listing of all users and the contents of their shadow password field, run the command:
-
-$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 "":"" $2}' /etc/shadow
-
-Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root.
-
-If any default operating system account (other than root) has a valid password hash, this is a finding."
-V-38497,high,The system must not have accounts configured with blank or null passwords.,"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.",None,SV-50298r2_rule,F-43444r4_fix,"If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the ""nullok"" option in ""/etc/pam.d/system-auth"" to prevent logons with empty passwords.",C-46054r2_chk,"To verify that null passwords cannot be used, run the following command:
-
-# grep nullok /etc/pam.d/system-auth
-
-If this produces any output, it may be possible to log into accounts with empty passwords.
-If NULL passwords can be used, this is a finding."
-V-38494,low,The system must prevent the root account from logging in from serial consoles.,Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.,None,SV-50295r1_rule,F-43441r1_fix,"To restrict root logins on serial ports, ensure lines of this form do not appear in ""/etc/securetty"":
-
-ttyS0
-ttyS1
-
-Note: Serial port entries are not limited to those listed above. Any lines starting with ""ttyS"" followed by numerals should be removed",C-46051r1_chk,"To check for serial port entries which permit root login, run the following command:
-
-# grep '^ttyS[0-9]' /etc/securetty
-
-If any output is returned, then root login over serial ports is permitted.
-If root login over serial ports is permitted, this is a finding."
-V-38523,medium,The system must not accept IPv4 source-routed packets on any interface.,Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.,None,SV-50324r2_rule,F-43471r1_fix,"To set the runtime status of the ""net.ipv4.conf.all.accept_source_route"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.all.accept_source_route=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.all.accept_source_route = 0",C-46081r3_chk,"The status of the ""net.ipv4.conf.all.accept_source_route"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.all.accept_source_route
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38672,low,The netconsole service must be disabled unless required.,"The ""netconsole"" service is not necessary unless there is a need to debug kernel panics, which is not common.",None,SV-50473r2_rule,F-43622r2_fix,"The ""netconsole"" service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The ""netconsole"" service can be disabled with the following commands:
-
-# chkconfig netconsole off
-# service netconsole stop",C-46233r1_chk,"To check that the ""netconsole"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""netconsole"" --list
-
-Output should indicate the ""netconsole"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""netconsole"" --list
-""netconsole"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""netconsole"" is disabled through current runtime configuration:
-
-# service netconsole status
-
-If the service is disabled the command will return the following output:
-
-netconsole is stopped
-
-
-If the service is running, this is a finding."
-V-38673,medium,"The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.","By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",None,SV-50474r2_rule,F-43621r1_fix,"AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
-
-05 4 * * * root /usr/sbin/aide --check
-
-AIDE can be executed periodically through other means; this is merely one example.",C-46232r2_chk,"To determine that periodic AIDE execution has been scheduled, run the following command:
-
-# grep aide /etc/crontab /etc/cron.*/*
-
-If there is no output, this is a finding."
-V-38670,medium,The operating system must detect unauthorized changes to software and information. ,"By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",None,SV-50471r2_rule,F-43619r1_fix,"AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
-
-05 4 * * * root /usr/sbin/aide --check
-
-AIDE can be executed periodically through other means; this is merely one example.",C-46229r2_chk,"To determine that periodic AIDE execution has been scheduled, run the following command:
-
-# grep aide /etc/crontab /etc/cron.*/*
-
-If there is no output, this is a finding."
-V-38671,medium,The sendmail package must be removed.,The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.,None,SV-50472r1_rule,F-43620r1_fix,"Sendmail is not the default mail transfer agent and is not installed by default. The ""sendmail"" package can be removed with the following command:
-
-# yum erase sendmail",C-46231r1_chk,"Run the following command to determine if the ""sendmail"" package is installed:
-
-# rpm -q sendmail
-
-
-If the package is installed, this is a finding."
-V-38676,low,"The xorg-x11-server-common (X Windows) package must not be installed, unless required.",Unnecessary packages should not be installed to decrease the attack surface of the system.,None,SV-50477r2_rule,F-43625r1_fix,"Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command:
-
-# yum groupremove ""X Window System""",C-46236r1_chk,"To ensure the X Windows package group is removed, run the following command:
-
-$ rpm -qi xorg-x11-server-common
-
-The output should be:
-
-package xorg-x11-server-common is not installed
-
-
-If it is not, this is a finding."
-V-38677,high,The NFS server must not have the insecure file locking option enabled.,Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.,None,SV-50478r1_rule,F-43626r1_fix,"By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the ""insecure_locks"" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the ""insecure_locks"" option from the file ""/etc/exports"".",C-46239r1_chk,"To verify insecure file locking has been disabled, run the following command:
-
-# grep insecure_locks /etc/exports
-
-
-If there is output, this is a finding."
-V-38674,medium,X Windows must not be enabled unless required.,Unnecessary services should be disabled to decrease the attack surface of the system.,None,SV-50475r1_rule,F-43623r1_fix,"Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in ""/etc/inittab"" features a ""3"" as shown:
-
-id:3:initdefault:",C-46234r1_chk,"To verify the default runlevel is 3, run the following command:
-
-# grep initdefault /etc/inittab
-
-The output should show the following:
-
-id:3:initdefault:
-
-
-If it does not, this is a finding."
-V-38675,low,Process core dumps must be disabled unless needed.,A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.,None,SV-50476r2_rule,F-43624r1_fix,"To disable core dumps for all users, add the following line to ""/etc/security/limits.conf"":
-
-* hard core 0",C-46235r2_chk,"To verify that core dumps are disabled for all users, run the following command:
-
-$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf
-
-The output should be:
-
-* hard core 0
-
-If it is not, this is a finding. "
-V-38630,medium,The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.,"Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.",None,SV-50431r3_rule,F-43579r1_fix,"Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:
-
-# gconftool-2 --direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type bool \
---set /apps/gnome-screensaver/idle_activation_enabled true",C-46189r3_chk,"If the GConf2 package is not installed, this is not applicable.
-
-To check the screensaver mandatory use status, run the following command:
-
-$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled
-
-If properly configured, the output should be ""true"".
-
-If it is not, this is a finding."
-V-38678,medium,The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.,Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.,None,SV-50479r2_rule,F-43627r2_fix,"The ""auditd"" service can be configured to take an action when disk space starts to run low. Edit the file ""/etc/audit/auditd.conf"". Modify the following line, substituting [num_megabytes] appropriately:
-
-space_left = [num_megabytes]
-
-The ""num_megabytes"" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.",C-46240r1_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low:
-
-# grep space_left /etc/audit/auditd.conf
-
-space_left = [num_megabytes]
-
-
-If the ""num_megabytes"" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding."
-V-58901,medium,The sudo command must require authentication.,"The ""sudo"" command allows authorized users to run programs (including shells) as other users, system users, and root. The ""/etc/sudoers"" file is used to configure authorized ""sudo"" users as well as the programs they are allowed to run. Some configuration options in the ""/etc/sudoers"" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.",None,SV-73331r1_rule,F-64285r1_fix,"Update the ""/etc/sudoers"" or other sudo configuration files to remove or comment out lines utilizing the ""NOPASSWD"" and ""!authenticate"" options.
-
-# visudo
-# visudo -f [other sudo configuration file]",C-59747r1_chk,"Verify neither the ""NOPASSWD"" option nor the ""!authenticate"" option is configured for use in ""/etc/sudoers"" and associated files. Note that the ""#include"" and ""#includedir"" directives may be used to include configuration data from locations other than the defaults enumerated here.
-
-# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*
-# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*
-
-If the ""NOPASSWD"" or ""!authenticate"" options are configured for use in ""/etc/sudoers"" or associated files, this is a finding."
-V-38474,low,The system must allow locking of graphical desktop sessions.,The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.,None,SV-50274r2_rule,F-43420r1_fix,"Run the following command to set the Gnome desktop keybinding for locking the screen:
-
-# gconftool-2
---direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type string \
---set /apps/gnome_settings_daemon/keybindings/screensaver ""l""
-
-Another keyboard sequence may be substituted for ""l"", which is the default for the Gnome desktop.",C-46030r2_chk,"If the GConf2 package is not installed, this is not applicable.
-
-Verify the keybindings for the Gnome screensaver:
-
-# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver
-
-If no output is visible, this is a finding."
-V-38475,medium,The system must require passwords to contain a minimum of 14 characters.,"Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
-
-While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).",None,SV-50275r1_rule,F-43419r1_fix,"To specify password length requirements for new accounts, edit the file ""/etc/login.defs"" and add or correct the following lines:
-
-PASS_MIN_LEN 14
-
-
-
-The DoD requirement is ""14"". If a program consults ""/etc/login.defs"" and also another PAM module (such as ""pam_cracklib"") during a password change operation, then the most restrictive must be satisfied.",C-46029r1_chk,"To check the minimum password length, run the command:
-
-$ grep PASS_MIN_LEN /etc/login.defs
-
-The DoD requirement is ""14"".
-If it is not set to the required value, this is a finding."
-V-38476,high,Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.,The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat. ,None,SV-50276r3_rule,F-43421r3_fix,"To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run:
-
-# rhn_register
-
-If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in ""/media/cdrom"", use the following command as the root user to import them into the keyring:
-
-# rpm --import /media/cdrom/RPM-GPG-KEY",C-46031r3_chk,"To ensure that the GPG keys are installed, run:
-
-$ rpm -q gpg-pubkey
-
-The command should return the strings below:
-
-gpg-pubkey-fd431d51-4ae0493b
-gpg-pubkey-2fa658e0-45700c69
-
-If the Red Hat GPG Keys are not installed, this is a finding."
-V-38477,medium,Users must not be able to change passwords more than once every 24 hours.,Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.,None,SV-50277r1_rule,F-43422r1_fix,"To specify password minimum age for new accounts, edit the file ""/etc/login.defs"" and add or correct the following line, replacing [DAYS] appropriately:
-
-PASS_MIN_DAYS [DAYS]
-
-A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.",C-46032r1_chk,"To check the minimum password age, run the command:
-
-$ grep PASS_MIN_DAYS /etc/login.defs
-
-The DoD requirement is 1.
-If it is not set to the required value, this is a finding."
-V-38470,medium,The audit system must alert designated staff members when the audit storage volume approaches capacity.,Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.,None,SV-50270r2_rule,F-43415r2_fix,"The ""auditd"" service can be configured to take an action when disk space starts to run low. Edit the file ""/etc/audit/auditd.conf"". Modify the following line, substituting [ACTION] appropriately:
-
-space_left_action = [ACTION]
-
-Possible values for [ACTION] are described in the ""auditd.conf"" man page. These include:
-
-""ignore""
-""syslog""
-""email""
-""exec""
-""suspend""
-""single""
-""halt""
-
-
-Set this to ""email"" (instead of the default, which is ""suspend"") as it is more likely to get prompt attention. The ""syslog"" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner.
-
-RHEL-06-000521 ensures that the email generated through the operation ""space_left_action"" will be sent to an administrator.",C-46025r3_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:
-
-# grep space_left_action /etc/audit/auditd.conf
-space_left_action = email
-
-
-If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The ""syslog"" option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner."
-V-38471,low,The system must forward audit records to the syslog service.,"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.",None,SV-50271r1_rule,F-43416r1_fix,"Set the ""active"" line in ""/etc/audisp/plugins.d/syslog.conf"" to ""yes"". Restart the auditd process.
-
-# service auditd restart",C-46026r1_chk,"Verify the audispd plugin is active:
-
-# grep active /etc/audisp/plugins.d/syslog.conf
-
-If the ""active"" setting is missing or set to ""no"", this is a finding."
-V-38679,medium,The DHCP client must be disabled if not needed.,"DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.",None,SV-50480r2_rule,F-43628r2_fix,"For each interface [IFACE] on the system (e.g. eth0), edit ""/etc/sysconfig/network-scripts/ifcfg-[IFACE]"" and make the following changes.
-
-Correct the BOOTPROTO line to read:
-
-BOOTPROTO=none
-
-
-Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:
-
-NETMASK=[local LAN netmask]
-IPADDR=[assigned IP address]
-GATEWAY=[local LAN default gateway]",C-46242r2_chk,"To verify that DHCP is not being used, examine the following file for each interface.
-
-# /etc/sysconfig/network-scripts/ifcfg-[IFACE]
-
-If there is any network interface without a associated ""ifcfg"" file, this is a finding.
-
-Look for the following:
-
-BOOTPROTO=none
-
-Also verify the following, substituting the appropriate values based on your site's addressing scheme:
-
-NETMASK=[local LAN netmask]
-IPADDR=[assigned IP address]
-GATEWAY=[local LAN default gateway]
-
-
-If it does not, this is a finding."
-V-38473,low,The system must use a separate file system for user home directories.,"Ensuring that ""/home"" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.",None,SV-50273r1_rule,F-43418r1_fix,"If user home directories will be stored locally, create a separate partition for ""/home"" at installation time (or migrate it later using LVM). If ""/home"" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.",C-46028r1_chk,"Run the following command to determine if ""/home"" is on its own partition or logical volume:
-
-$ mount | grep ""on /home ""
-
-If ""/home"" has its own partition or volume group, a line will be returned.
-If no line is returned, this is a finding."
-V-38536,low,The operating system must automatically audit account disabling actions.,"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.",None,SV-50337r1_rule,F-43484r1_fix,"Add the following to ""/etc/audit/audit.rules"", in order to capture events that modify account changes:
-
-# audit_account_changes
--w /etc/group -p wa -k audit_account_changes
--w /etc/passwd -p wa -k audit_account_changes
--w /etc/gshadow -p wa -k audit_account_changes
--w /etc/shadow -p wa -k audit_account_changes
--w /etc/security/opasswd -p wa -k audit_account_changes",C-46094r1_chk,"To determine if the system is configured to audit account changes, run the following command:
-
-auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
-
-If the system is configured to watch for account changes, lines should be returned for each file specified (and with ""perm=wa"" for each).
-If the system is not configured to audit account changes, this is a finding."
-V-38478,low,"The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.","Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the ""rhnsd"" daemon can remain on.",None,SV-50278r2_rule,F-43423r2_fix,"The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The ""rhnsd"" service can be disabled with the following commands:
-
-# chkconfig rhnsd off
-# service rhnsd stop",C-46033r2_chk,"If the system uses RHN or an RHN Satellite, this is not applicable.
-
-To check that the ""rhnsd"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""rhnsd"" --list
-
-Output should indicate the ""rhnsd"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""rhnsd"" --list
-""rhnsd"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""rhnsd"" is disabled through current runtime configuration:
-
-# service rhnsd status
-
-If the service is disabled the command will return the following output:
-
-rhnsd is stopped
-
-
-If the service is running, this is a finding."
-V-38479,medium,User passwords must be changed at least every 60 days.,Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.,None,SV-50279r1_rule,F-43424r1_fix,"To specify password maximum age for new accounts, edit the file ""/etc/login.defs"" and add or correct the following line, replacing [DAYS] appropriately:
-
-PASS_MAX_DAYS [DAYS]
-
-The DoD requirement is 60.",C-46034r1_chk,"To check the maximum password age, run the command:
-
-$ grep PASS_MAX_DAYS /etc/login.defs
-
-The DoD requirement is 60.
-If it is not set to the required value, this is a finding."
-V-54381,medium,The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.,"Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. ",None,SV-68627r1_rule,F-59235r2_fix,"The ""auditd"" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file ""/etc/audit/auditd.conf"". Add or modify the following line, substituting [ACTION] appropriately:
-
-admin_space_left_action = [ACTION]
-
-Set this value to ""single"" to cause the system to switch to single-user mode for corrective action. Acceptable values also include ""suspend"" and ""halt"". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the ""auditd.conf"" man page. ",C-54997r2_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low:
-
-admin_space_left_action single
-
-If the system is not configured to switch to single-user mode for corrective action, this is a finding. "
-V-38445,medium,Audit log files must be group-owned by root.,"If non-privileged users can write to audit logs, audit trails can be modified or destroyed.",None,SV-50245r2_rule,F-43390r1_fix,"Change the group owner of the audit log files with the following command:
-
-# chgrp root [audit_file]",C-46000r1_chk,"Run the following command to check the group owner of the system audit logs:
-
-grep ""^log_file"" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %G:%n
-
-Audit logs must be group-owned by root.
-If they are not, this is a finding."
-V-38540,low,The audit system must be configured to audit modifications to the systems network configuration.,The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.,None,SV-50341r2_rule,F-43488r2_fix,"Add the following to ""/etc/audit/audit.rules"", setting ARCH to either b32 or b64 as appropriate for your system:
-
-# audit_network_modifications
--a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
--w /etc/issue -p wa -k audit_network_modifications
--w /etc/issue.net -p wa -k audit_network_modifications
--w /etc/hosts -p wa -k audit_network_modifications
--w /etc/sysconfig/network -p wa -k audit_network_modifications",C-46098r1_chk,"To determine if the system is configured to audit changes to its network configuration, run the following command:
-
-auditctl -l | egrep '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
-
-If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and ""perm=wa"" should be indicated for each).
-If the system is not configured to audit changes of the network configuration, this is a finding."
-V-38541,low,The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).,The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.,None,SV-50342r1_rule,F-43489r1_fix,"Add the following to ""/etc/audit/audit.rules"":
-
--w /etc/selinux/ -p wa -k MAC-policy",C-46099r1_chk,"To determine if the system is configured to audit changes to its SELinux configuration files, run the following command:
-
-# auditctl -l | grep ""dir=/etc/selinux""
-
-If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including ""perm=wa"" indicating permissions that are watched).
-If the system is not configured to audit attempts to change the MAC policy, this is a finding."
-V-38542,medium,The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.,"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.",None,SV-50343r2_rule,F-43490r1_fix,"To set the runtime status of the ""net.ipv4.conf.all.rp_filter"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.all.rp_filter=1
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.all.rp_filter = 1",C-46100r2_chk,"The status of the ""net.ipv4.conf.all.rp_filter"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.all.rp_filter
-
-The output of the command should indicate a value of ""1"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38543,low,The audit system must be configured to audit all discretionary access control permission modifications using chmod.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50344r3_rule,F-43491r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod",C-46101r2_chk,"To determine if the system is configured to audit calls to the ""chmod"" system call, run the following command:
-
-$ sudo grep -w ""chmod"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If the system is not configured to audit permission changes, this is a finding. "
-V-38544,medium,The system must use a reverse-path filter for IPv4 network traffic when possible by default.,"Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.",None,SV-50345r2_rule,F-43492r1_fix,"To set the runtime status of the ""net.ipv4.conf.default.rp_filter"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.default.rp_filter=1
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.default.rp_filter = 1",C-46102r2_chk,"The status of the ""net.ipv4.conf.default.rp_filter"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.default.rp_filter
-
-The output of the command should indicate a value of ""1"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38491,high,There must be no .rhosts or hosts.equiv files on the system.,"Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.",None,SV-50292r1_rule,F-43438r1_fix,"The files ""/etc/hosts.equiv"" and ""~/.rhosts"" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location.
-
-# rm /etc/hosts.equiv
-
-
-
-$ rm ~/.rhosts",C-46048r1_chk,"The existence of the file ""/etc/hosts.equiv"" or a file named "".rhosts"" inside a user home directory indicates the presence of an Rsh trust relationship.
-If these files exist, this is a finding."
-V-38546,medium,The IPv6 protocol handler must not be bound to the network stack unless needed.,"Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.",None,SV-50347r2_rule,F-43494r2_fix,"To prevent the IPv6 kernel module (""ipv6"") from binding to the IPv6 networking stack, add the following line to ""/etc/modprobe.d/disabled.conf"" (or another file in ""/etc/modprobe.d""):
-
-options ipv6 disable=1
-
-This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.",C-46104r2_chk,"If the system uses IPv6, this is not applicable.
-
-If the system is configured to disable the ""ipv6"" kernel module, it will contain a line of the form:
-
-options ipv6 disable=1
-
-Such lines may be inside any file in ""/etc/modprobe.d"" or the deprecated ""/etc/modprobe.conf"". This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d
-
-
-If the IPv6 kernel module is not disabled, this is a finding."
-V-38547,low,The audit system must be configured to audit all discretionary access control permission modifications using fchmod.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50348r3_rule,F-43495r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod",C-46105r2_chk,"To determine if the system is configured to audit calls to the ""fchmod"" system call, run the following command:
-
-$ sudo grep -w ""fchmod"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38548,medium,The system must ignore ICMPv6 redirects by default.,An illicit ICMP redirect message could result in a man-in-the-middle attack.,None,SV-50349r3_rule,F-43496r1_fix,"To set the runtime status of the ""net.ipv6.conf.default.accept_redirects"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv6.conf.default.accept_redirects=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv6.conf.default.accept_redirects = 0",C-46106r3_chk,"If IPv6 is disabled, this is not applicable.
-
-The status of the ""net.ipv6.conf.default.accept_redirects"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv6.conf.default.accept_redirects
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38549,medium,The system must employ a local IPv6 firewall.,"The ""ip6tables"" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.",None,SV-50350r3_rule,F-43497r3_fix,"The ""ip6tables"" service can be enabled with the following commands:
-
-# chkconfig ip6tables on
-# service ip6tables start",C-46107r3_chk,"If the system is a cross-domain system, this is not applicable.
-
-If IPv6 is disabled, this is not applicable.
-
-Run the following command to determine the current status of the ""ip6tables"" service:
-
-# service ip6tables status
-
-If the service is not running, it should return the following:
-
-ip6tables: Firewall is not running.
-
-
-If the service is not running, this is a finding."
-V-38482,low,The system must require passwords to contain at least one numeric character.,Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.,None,SV-50282r1_rule,F-43427r1_fix,"The pam_cracklib module's ""dcredit"" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add ""dcredit=-1"" after pam_cracklib.so to require use of a digit in passwords.",C-46037r1_chk,"To check how many digits are required in a password, run the following command:
-
-$ grep pam_cracklib /etc/pam.d/system-auth
-
-The ""dcredit"" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as ""dcredit=-1"".
-If dcredit is not found or not set to the required value, this is a finding."
-V-38454,low,The system package management tool must verify ownership on all files and directories associated with packages.,Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.,None,SV-50254r1_rule,F-43400r1_fix,"The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database:
-
-# rpm -qf [file or directory name]
-# rpm --setugids [package]",C-46010r1_chk,"The following command will list which files on the system have ownership different from what is expected by the RPM database:
-
-# rpm -Va | grep '^.....U'
-
-
-If there is output, this is a finding."
-V-38472,medium,All system command files must be owned by root.,"System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.",None,SV-50272r1_rule,F-43417r1_fix,"System executables are stored in the following directories by default:
-
-/bin
-/usr/bin
-/usr/local/bin
-/sbin
-/usr/sbin
-/usr/local/sbin
-
-If any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command:
-
-# chown root [FILE]",C-46027r1_chk,"System executables are stored in the following directories by default:
-
-/bin
-/usr/bin
-/usr/local/bin
-/sbin
-/usr/sbin
-/usr/local/sbin
-
-All files in these directories should not be group-writable or world-writable. To find system executables that are not owned by ""root"", run the following command for each directory [DIR] which contains system executables:
-
-$ find -L [DIR] \! -user root
-
-
-If any system executables are found to not be owned by root, this is a finding."
-V-38689,medium,"The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.",An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.,None,SV-50490r3_rule,F-43638r2_fix,"To set the text shown by the GNOME Display Manager in the login screen, run the following command:
-
-# gconftool-2
---direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type string \
---set /apps/gdm/simple-greeter/banner_message_text \
-""[DoD required text]""
-
-Where the DoD required text is either:
-
-""You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--At any time, the USG may inspect and seize data stored on this IS.
--Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
--Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.""
-
-OR:
-
-""I've read & consent to terms in IS user agreem't.""
-
-When entering a warning banner that spans several lines, remember to begin and end the string with """""". This command writes directly to the file ""/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml"", and this file can later be edited directly if necessary.",C-46252r3_chk,"If the GConf2 package is not installed, this is not applicable.
-
-To ensure login warning banner text is properly set, run the following:
-
-$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text
-
-If properly configured, the proper banner text will appear within this schema.
-
-The DoD required text is either:
-
-""You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--At any time, the USG may inspect and seize data stored on this IS.
--Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
--Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.""
-
-OR:
-
-""I've read & consent to terms in IS user agreem't.""
-
-If the DoD required banner text is not appear in the schema, this is a finding."
-V-38688,medium,"A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.",An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.,None,SV-50489r3_rule,F-43637r2_fix,"To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:
-
-# gconftool-2 --direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type bool \
---set /apps/gdm/simple-greeter/banner_message_enable true
-
-To display a banner, this setting must be enabled and then banner text must also be set.",C-46250r3_chk,"If the GConf2 package is not installed, this is not applicable.
-
-To ensure a login warning banner is enabled, run the following:
-
-$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable
-
-Search for the ""banner_message_enable"" schema. If properly configured, the ""default"" value should be ""true"".
-If it is not, this is a finding."
-V-38687,low,The system must provide VPN connectivity for communications over untrusted networks.,Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.,None,SV-50488r2_rule,F-43636r1_fix,"The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The ""openswan"" package can be installed with the following command:
-
-# yum install openswan",C-46249r2_chk,"If the system does not communicate over untrusted networks, this is not applicable.
-
-Run the following command to determine if the ""openswan"" package is installed:
-
-# rpm -q openswan
-
-
-If the package is not installed, this is a finding."
-V-38686,medium,"The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.","In ""iptables"" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to ""DROP"" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.",None,SV-50487r1_rule,F-43635r1_fix,"To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in ""/etc/sysconfig/iptables"":
-
-:FORWARD DROP [0:0]",C-46248r1_chk,"Run the following command to ensure the default ""FORWARD"" policy is ""DROP"":
-
-grep "":FORWARD"" /etc/sysconfig/iptables
-
-The output must be the following:
-
-# grep "":FORWARD"" /etc/sysconfig/iptables
-:FORWARD DROP [0:0]
-
-If it is not, this is a finding."
-V-38685,low,Temporary accounts must be provisioned with an expiration date.,"When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.",None,SV-50486r1_rule,F-43634r1_fix,"In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting ""[USER]"" and ""[YYYY-MM-DD]"" appropriately:
-
-# chage -E [YYYY-MM-DD] [USER]
-
-""[YYYY-MM-DD]"" indicates the documented expiration date for the account.",C-46247r1_chk,"For every temporary account, run the following command to obtain its account aging and expiration information:
-
-# chage -l [USER]
-
-Verify each of these accounts has an expiration date set as documented.
-If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding."
-V-38684,low,"The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.",Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.,None,SV-50485r2_rule,F-43633r1_fix,"Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in ""/etc/security/limits.conf"":
-
-* hard maxlogins 10
-
-A documented site-defined number may be substituted for 10 in the above.",C-46246r2_chk,"Run the following command to ensure the ""maxlogins"" value is configured for all users on the system:
-
-$ grep ""maxlogins"" /etc/security/limits.conf /etc/security/limits.d/*.conf
-
-You should receive output similar to the following:
-
-* hard maxlogins 10
-
-If it is not similar, this is a finding. "
-V-38683,low,All accounts on the system must have unique user or account names,Unique usernames allow for accountability on the system.,None,SV-50484r1_rule,F-43632r1_fix,"Change usernames, or delete accounts, so each has a unique name.",C-46245r1_chk,"Run the following command to check for duplicate account names:
-
-# pwck -rq
-
-If there are no duplicate names, no line will be returned.
-If a line is returned, this is a finding."
-V-38682,medium,The Bluetooth kernel module must be disabled.,"If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.",None,SV-50483r3_rule,F-43631r3_fix,"The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate ""/etc/modprobe.d"" configuration file to prevent the loading of the Bluetooth module:
-
-install net-pf-31 /bin/true
-install bluetooth /bin/true",C-46244r3_chk,"If the system is configured to prevent the loading of the ""bluetooth"" kernel module, it will contain lines inside any file in ""/etc/modprobe.d"" or the deprecated""/etc/modprobe.conf"". These lines instruct the module loading system to run another program (such as ""/bin/true"") upon a module ""install"" event. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
-
-If the system is configured to prevent the loading of the ""net-pf-31"" kernel module, it will contain lines inside any file in ""/etc/modprobe.d"" or the deprecated""/etc/modprobe.conf"". These lines instruct the module loading system to run another program (such as ""/bin/true"") upon a module ""install"" event. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d
-
-If no line is returned, this is a finding."
-V-38681,low,All GIDs referenced in /etc/passwd must be defined in /etc/group,Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.,None,SV-50482r2_rule,F-43630r1_fix,Add a group to the system for each GID referenced without a corresponding group.,C-46243r2_chk,"To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command:
-
-# pwck -r | grep 'no group'
-
-There should be no output.
-If there is output, this is a finding."
-V-38680,medium,The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.,"Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.",None,SV-50481r1_rule,F-43629r1_fix,"The ""auditd"" service can be configured to send email to a designated account in certain situations. Add or correct the following line in ""/etc/audit/auditd.conf"" to ensure that administrators are notified via email for those situations:
-
-action_mail_acct = root",C-46241r1_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:
-
-action_mail_acct = root
-
-
-If auditd is not configured to send emails per identified actions, this is a finding."
-V-38607,high,The SSH daemon must be configured to use only the SSHv2 protocol.,SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.,None,SV-50408r1_rule,F-43555r1_fix,"Only SSH protocol version 2 connections should be permitted. The default setting in ""/etc/ssh/sshd_config"" is correct, and can be verified by ensuring that the following line appears:
-
-Protocol 2",C-46165r1_chk,"To check which SSH protocol version is allowed, run the following command:
-
-# grep Protocol /etc/ssh/sshd_config
-
-If configured properly, output should be
-
-Protocol 2
-
-
-If it is not, this is a finding."
-V-38606,medium,The tftp-server package must not be installed unless required.,"Removing the ""tftp-server"" package decreases the risk of the accidental (or intentional) activation of tftp services.",None,SV-50407r2_rule,F-43554r1_fix,"The ""tftp-server"" package can be removed with the following command:
-
-# yum erase tftp-server",C-46164r1_chk,"Run the following command to determine if the ""tftp-server"" package is installed:
-
-# rpm -q tftp-server
-
-
-If the package is installed, this is a finding."
-V-38605,medium,The cron service must be running.,"Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.",None,SV-50406r2_rule,F-43553r2_fix,"The ""crond"" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The ""crond"" service can be enabled with the following commands:
-
-# chkconfig crond on
-# service crond start",C-46163r1_chk,"Run the following command to determine the current status of the ""crond"" service:
-
-# service crond status
-
-If the service is enabled, it should return the following:
-
-crond is running...
-
-
-If the service is not running, this is a finding."
-V-38604,medium,The ypbind service must not be running.,"Disabling the ""ypbind"" service ensures the system is not acting as a client in a NIS or NIS+ domain.",None,SV-50405r2_rule,F-43552r2_fix,"The ""ypbind"" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ""ypbind"" service can be disabled with the following commands:
-
-# chkconfig ypbind off
-# service ypbind stop",C-46162r2_chk,"To check that the ""ypbind"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""ypbind"" --list
-
-Output should indicate the ""ypbind"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""ypbind"" --list
-""ypbind"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""ypbind"" is disabled through current runtime configuration:
-
-# service ypbind status
-
-If the service is disabled the command will return the following output:
-
-ypbind is stopped
-
-
-If the service is running, this is a finding."
-V-38603,medium,The ypserv package must not be installed.,"Removing the ""ypserv"" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.",None,SV-50404r1_rule,F-43551r1_fix,"The ""ypserv"" package can be uninstalled with the following command:
-
-# yum erase ypserv",C-46161r1_chk,"Run the following command to determine if the ""ypserv"" package is installed:
-
-# rpm -q ypserv
-
-
-If the package is installed, this is a finding."
-V-38602,high,The rlogind service must not be running.,"The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.",None,SV-50403r2_rule,F-43549r3_fix,"The ""rlogin"" service, which is available with the ""rsh-server"" package and runs as a service through xinetd, should be disabled. The ""rlogin"" service can be disabled with the following command:
-
-# chkconfig rlogin off",C-46158r3_chk,"
-To check that the ""rlogin"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""rlogin"" --list
-
-Output should indicate the ""rlogin"" service has either not been installed, or has been disabled, as shown in the example below:
-
-# chkconfig ""rlogin"" --list
-rlogin off
-OR
-error reading information on service rlogin: No such file or directory
-
-
-If the service is running, this is a finding."
-V-38601,medium,The system must not send ICMPv4 redirects from any interface.,Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.,None,SV-50402r2_rule,F-43548r1_fix,"To set the runtime status of the ""net.ipv4.conf.all.send_redirects"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.all.send_redirects=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.all.send_redirects = 0",C-46159r2_chk,"The status of the ""net.ipv4.conf.all.send_redirects"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.all.send_redirects
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38600,medium,The system must not send ICMPv4 redirects by default.,Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.,None,SV-50401r2_rule,F-43547r1_fix,"To set the runtime status of the ""net.ipv4.conf.default.send_redirects"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.default.send_redirects=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.default.send_redirects = 0",C-46157r2_chk,"The status of the ""net.ipv4.conf.default.send_redirects"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.default.send_redirects
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38449,medium,The /etc/gshadow file must have mode 0000.,The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.,None,SV-50249r1_rule,F-43394r1_fix,"To properly set the permissions of ""/etc/gshadow"", run the command:
-
-# chmod 0000 /etc/gshadow",C-46004r1_chk,"To check the permissions of ""/etc/gshadow"", run the command:
-
-$ ls -l /etc/gshadow
-
-If properly configured, the output should indicate the following permissions: ""----------""
-If it does not, this is a finding."
-V-38448,medium,The /etc/gshadow file must be group-owned by root.,"The ""/etc/gshadow"" file contains group password hashes. Protection of this file is critical for system security.",None,SV-50248r1_rule,F-43393r1_fix,"To properly set the group owner of ""/etc/gshadow"", run the command:
-
-# chgrp root /etc/gshadow",C-46003r1_chk,"To check the group ownership of ""/etc/gshadow"", run the command:
-
-$ ls -l /etc/gshadow
-
-If properly configured, the output should indicate the following group-owner. ""root""
-If it does not, this is a finding."
-V-38609,medium,The TFTP service must not be running.,"Disabling the ""tftp"" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.",None,SV-50410r2_rule,F-43557r4_fix,"The ""tftp"" service should be disabled. The ""tftp"" service can be disabled with the following command:
-
-# chkconfig tftp off",C-46166r2_chk,"To check that the ""tftp"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""tftp"" --list
-
-Output should indicate the ""tftp"" service has either not been installed, or has been disabled, as shown in the example below:
-
-# chkconfig ""tftp"" --list
-tftp off
-OR
-error reading information on service tftp: No such file or directory
-
-
-If the service is running, this is a finding."
-V-51391,medium,A file integrity baseline must be created.,"For AIDE to be effective, an initial database of ""known-good"" information about files must be captured and it should be able to be verified against the installed files. ",None,SV-65601r1_rule,F-56189r1_fix,"Run the following command to generate a new database:
-
-# /usr/sbin/aide --init
-
-By default, the database will be written to the file ""/var/lib/aide/aide.db.new.gz"". Storing the database, the configuration file ""/etc/aide.conf"", and the binary ""/usr/sbin/aide"" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
-
-# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-To initiate a manual check, run the following command:
-
-# /usr/sbin/aide --check
-
-If this check produces any unexpected output, investigate. ",C-53727r1_chk,"To find the location of the AIDE database file, run the following command:
-
-# grep DBDIR /etc/aide.conf
-
-Using the defined values of the [DBDIR] and [database] variables, verify the existence of the AIDE database file:
-
-# ls -l [DBDIR]/[database_file_name]
-
-If there is no database file, this is a finding. "
-V-38530,low,The audit system must be configured to audit all attempts to alter system time through /etc/localtime.,"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.",None,SV-50331r1_rule,F-43477r1_fix,"Add the following to ""/etc/audit/audit.rules"":
-
--w /etc/localtime -p wa -k audit_time_rules
-
-The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.",C-46087r1_chk,"To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command:
-
-# auditctl -l | grep ""watch=/etc/localtime""
-
-If the system is configured to audit this activity, it will return a line.
-If the system is not configured to audit time changes, this is a finding."
-V-38632,medium,The operating system must produce audit records containing sufficient information to establish what type of events occurred.,"Ensuring the ""auditd"" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.",None,SV-50433r2_rule,F-43581r2_fix,"The ""auditd"" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The ""auditd"" service can be enabled with the following commands:
-
-# chkconfig auditd on
-# service auditd start",C-46191r1_chk,"Run the following command to determine the current status of the ""auditd"" service:
-
-# service auditd status
-
-If the service is enabled, it should return the following:
-
-auditd is running...
-
-
-If the service is not running, this is a finding."
-V-38579,medium,The system boot loader configuration file(s) must be owned by root.,Only root should be able to modify important boot parameters.,None,SV-50380r1_rule,F-43527r1_fix,"The file ""/etc/grub.conf"" should be owned by the ""root"" user to prevent destruction or modification of the file. To properly set the owner of ""/etc/grub.conf"", run the command:
-
-# chown root /etc/grub.conf",C-46137r1_chk,"To check the ownership of ""/etc/grub.conf"", run the command:
-
-$ ls -lL /etc/grub.conf
-
-If properly configured, the output should indicate the following owner: ""root""
-If it does not, this is a finding."
-V-38578,low,The audit system must be configured to audit changes to the /etc/sudoers file.,"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.",None,SV-50379r1_rule,F-43526r1_fix,"At a minimum, the audit system should collect administrator actions for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--w /etc/sudoers -p wa -k actions",C-46136r1_chk,"To verify that auditing is configured for system administrator actions, run the following command:
-
-# auditctl -l | grep ""watch=/etc/sudoers""
-
-
-If there is no output, this is a finding."
-V-38613,medium,The system must not permit root logins using remote access programs such as ssh.,Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.,None,SV-50414r1_rule,F-43561r1_fix,"The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in ""/etc/ssh/sshd_config"":
-
-PermitRootLogin no",C-46171r1_chk,"To determine how the SSH daemon's ""PermitRootLogin"" option is set, run the following command:
-
-# grep -i PermitRootLogin /etc/ssh/sshd_config
-
-If a line indicating ""no"" is returned, then the required value is set.
-If the required value is not set, this is a finding."
-V-38575,low,The audit system must be configured to audit user deletions of files and programs.,"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.",None,SV-50376r4_rule,F-43523r4_fix,"At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to ""/etc/audit/audit.rules"", setting ARCH to either b32 or b64 as appropriate for your system:
-
--a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
--a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-
-",C-46133r3_chk,"To determine if the system is configured to audit calls to the ""rmdir"" system call, run the following command:
-
-$ sudo grep -w ""rmdir"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the ""unlink"" system call, run the following command:
-
-$ sudo grep -w ""unlink"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the ""unlinkat"" system call, run the following command:
-
-$ sudo grep -w ""unlinkat"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the ""rename"" system call, run the following command:
-
-$ sudo grep -w ""rename"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the ""renameat"" system call, run the following command:
-
-$ sudo grep -w ""renameat"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-If no line is returned, this is a finding. "
-V-38574,medium,The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).,Using a stronger hashing algorithm makes password cracking attacks more difficult.,None,SV-50375r2_rule,F-43522r2_fix,"In ""/etc/pam.d/system-auth"" and ""/etc/pam.d/system-auth-ac"", among potentially other files, the ""password"" section of the files control which PAM modules execute during a password change. Set the ""pam_unix.so"" module in the ""password"" section to include the argument ""sha512"", as shown below:
-
-password sufficient pam_unix.so sha512 [other arguments...]
-
-This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
-
-Note that any updates made to ""/etc/pam.d/system-auth"" will be overwritten by the ""authconfig"" program. The ""authconfig"" program should not be used.",C-46132r3_chk,"Inspect the ""password"" section of ""/etc/pam.d/system-auth"", ""/etc/pam.d/system-auth-ac"", and other files in ""/etc/pam.d"" and ensure that the ""pam_unix.so"" module includes the argument ""sha512"".
-
-$ grep password /etc/pam.d/* | grep pam_unix.so | grep sha512
-
-If it does not, this is a finding."
-V-38577,medium,The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).,Using a stronger hashing algorithm makes password cracking attacks more difficult.,None,SV-50378r1_rule,F-43525r1_fix,"In ""/etc/libuser.conf"", add or correct the following line in its ""[defaults]"" section to ensure the system will use the SHA-512 algorithm for password hashing:
-
-crypt_style = sha512",C-46135r1_chk,"Inspect ""/etc/libuser.conf"" and ensure the following line appears in the ""[default]"" section:
-
-crypt_style = sha512
-
-
-If it does not, this is a finding."
-V-38576,medium,The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).,Using a stronger hashing algorithm makes password cracking attacks more difficult.,None,SV-50377r1_rule,F-43524r1_fix,"In ""/etc/login.defs"", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
-
-ENCRYPT_METHOD SHA512",C-46134r1_chk,"Inspect ""/etc/login.defs"" and ensure the following line appears:
-
-ENCRYPT_METHOD SHA512
-
-
-If it does not, this is a finding."
-V-38571,low,The system must require passwords to contain at least one lowercase alphabetic character.,Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.,None,SV-50372r1_rule,F-43519r1_fix,"The pam_cracklib module's ""lcredit="" parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add ""lcredit=-1"" after pam_cracklib.so to require use of a lowercase character in passwords.",C-46129r1_chk,"To check how many lowercase characters are required in a password, run the following command:
-
-$ grep pam_cracklib /etc/pam.d/system-auth
-
-The ""lcredit"" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one lowercase character in a password. This would appear as ""lcredit=-1"".
-If lcredit is not found or not set to the required value, this is a finding."
-V-38489,medium,A file integrity tool must be installed.,The AIDE package must be installed if it is to be available for integrity checking.,None,SV-50290r1_rule,F-43436r1_fix,"Install the AIDE package with the command:
-
-# yum install aide",C-46046r1_chk,"If another file integrity tool is installed, this is not a finding.
-
-Run the following command to determine if the ""aide"" package is installed:
-
-# rpm -q aide
-
-
-If the package is not installed, this is a finding."
-V-38573,medium,The system must disable accounts after three consecutive unsuccessful logon attempts.,Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.,None,SV-50374r4_rule,F-43521r8_fix,"To configure the system to lock out accounts after a number of incorrect logon attempts using ""pam_faillock.so"", modify the content of both ""/etc/pam.d/system-auth"" and ""/etc/pam.d/password-auth"" as follows:
-
-Add the following line immediately before the ""pam_unix.so"" statement in the ""AUTH"" section:
-
-auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-
-Add the following line immediately after the ""pam_unix.so"" statement in the ""AUTH"" section:
-
-auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-
-Add the following line immediately before the ""pam_unix.so"" statement in the ""ACCOUNT"" section:
-
-account required pam_faillock.so
-
-Note that any updates made to ""/etc/pam.d/system-auth"" and ""/etc/pam.d/password-auth"" may be overwritten by the ""authconfig"" program. The ""authconfig"" program should not be used.",C-46131r4_chk,"To ensure the failed password attempt policy is configured correctly, run the following command:
-
-# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
-
-The output should show ""deny=3"" for both files.
-If that is not the case, this is a finding."
-V-38572,low,The system must require at least four characters be changed between the old and new passwords during a password change.,"Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.",None,SV-50373r1_rule,F-43520r1_fix,"The pam_cracklib module's ""difok"" parameter controls requirements for usage of different characters during a password change. Add ""difok=[NUM]"" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 4.",C-46130r1_chk,"To check how many characters must differ during a password change, run the following command:
-
-$ grep pam_cracklib /etc/pam.d/system-auth
-
-The ""difok"" parameter will indicate how many characters must differ. The DoD requires four characters differ during a password change. This would appear as ""difok=4"".
-If difok is not found or not set to the required value, this is a finding."
-V-38698,medium,The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.,"By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",None,SV-50499r2_rule,F-43647r1_fix,"AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
-
-05 4 * * * root /usr/sbin/aide --check
-
-AIDE can be executed periodically through other means; this is merely one example.",C-46261r2_chk,"To determine that periodic AIDE execution has been scheduled, run the following command:
-
-# grep aide /etc/crontab /etc/cron.*/*
-
-If there is no output, this is a finding."
-V-38699,low,All public directories must be owned by a system account.,Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.,None,SV-50500r2_rule,F-43648r1_fix,"All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.",C-46260r3_chk,"The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]:
-
-# find [PART] -xdev -type d -perm -0002 -uid +499 -print
-
-
-If there is output, this is a finding."
-V-38519,medium,All rsyslog-generated log files must be group-owned by root.,"The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.",None,SV-50320r2_rule,F-43466r1_fix,"The group-owner of all log files written by ""rsyslog"" should be root. These log files are determined by the second part of each Rule line in ""/etc/rsyslog.conf"" and typically all appear in ""/var/log"". For each log file [LOGFILE] referenced in ""/etc/rsyslog.conf"", run the following command to inspect the file's group owner:
-
-$ ls -l [LOGFILE]
-
-If the owner is not ""root"", run the following command to correct this:
-
-# chgrp root [LOGFILE]",C-46076r2_chk,"The group-owner of all log files written by ""rsyslog"" should be root. These log files are determined by the second part of each Rule line in ""/etc/rsyslog.conf"" and typically all appear in ""/var/log"". To see the group-owner of a given log file, run the following command:
-
-$ ls -l [LOGFILE]
-
-Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.
-
-If the group-owner is not root, this is a finding."
-V-38518,medium,All rsyslog-generated log files must be owned by root.,"The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.",None,SV-50319r2_rule,F-43465r1_fix,"The owner of all log files written by ""rsyslog"" should be root. These log files are determined by the second part of each Rule line in ""/etc/rsyslog.conf"" typically all appear in ""/var/log"". For each log file [LOGFILE] referenced in ""/etc/rsyslog.conf"", run the following command to inspect the file's owner:
-
-$ ls -l [LOGFILE]
-
-If the owner is not ""root"", run the following command to correct this:
-
-# chown root [LOGFILE]",C-46075r2_chk,"The owner of all log files written by ""rsyslog"" should be root. These log files are determined by the second part of each Rule line in ""/etc/rsyslog.conf"" and typically all appear in ""/var/log"". To see the owner of a given log file, run the following command:
-
-$ ls -l [LOGFILE]
-
-Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.
-
-If the owner is not root, this is a finding. "
-V-38517,medium,The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.,Disabling TIPC protects the system against exploitation of any flaws in its implementation.,None,SV-50318r3_rule,F-43464r3_fix,"The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the ""tipc"" kernel module from being loaded, add the following line to a file in the directory ""/etc/modprobe.d"":
-
-install tipc /bin/true",C-46074r3_chk,"If the system is configured to prevent the loading of the ""tipc"" kernel module, it will contain lines inside any file in ""/etc/modprobe.d"" or the deprecated""/etc/modprobe.conf"". These lines instruct the module loading system to run another program (such as ""/bin/true"") upon a module ""install"" event. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
-
-If no line is returned, this is a finding."
-V-38516,low,The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.,Disabling RDS protects the system against exploitation of any flaws in its implementation.,None,SV-50317r3_rule,F-43463r4_fix,"The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the ""rds"" kernel module from being loaded, add the following line to a file in the directory ""/etc/modprobe.d"":
-
-install rds /bin/true",C-46073r3_chk,"If the system is configured to prevent the loading of the ""rds"" kernel module, it will contain lines inside any file in ""/etc/modprobe.d"" or the deprecated ""/etc/modprobe.conf"". These lines instruct the module loading system to run another program (such as ""/bin/true"") upon a module ""install"" event. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r rds /etc/modprobe.conf /etc/modprobe.d
-
-If no line is returned, this is a finding."
-V-38515,medium,The Stream Control Transmission Protocol (SCTP) must be disabled unless required.,Disabling SCTP protects the system against exploitation of any flaws in its implementation.,None,SV-50316r3_rule,F-43462r3_fix,"The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the ""sctp"" kernel module from being loaded, add the following line to a file in the directory ""/etc/modprobe.d"":
-
-install sctp /bin/true",C-46072r3_chk,"If the system is configured to prevent the loading of the ""sctp"" kernel module, it will contain lines inside any file in ""/etc/modprobe.d"" or the deprecated""/etc/modprobe.conf"". These lines instruct the module loading system to run another program (such as ""/bin/true"") upon a module ""install"" event. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
-
-If no line is returned, this is a finding."
-V-38514,medium,The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.,Disabling DCCP protects the system against exploitation of any flaws in its implementation.,None,SV-50315r3_rule,F-43461r3_fix,"The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the ""dccp"" kernel module from being loaded, add the following line to a file in the directory ""/etc/modprobe.d"":
-
-install dccp /bin/true",C-46071r3_chk,"If the system is configured to prevent the loading of the ""dccp"" kernel module, it will contain lines inside any file in ""/etc/modprobe.d"" or the deprecated""/etc/modprobe.conf"". These lines instruct the module loading system to run another program (such as ""/bin/true"") upon a module ""install"" event. Run the following command to search for such lines in all files in ""/etc/modprobe.d"" and the deprecated ""/etc/modprobe.conf"":
-
-$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d
-
-If no line is returned, this is a finding."
-V-38690,low,"Emergency accounts must be provisioned with an expiration date.
-","When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.",None,SV-50491r1_rule,F-43639r1_fix,"In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting ""[USER]"" and ""[YYYY-MM-DD]"" appropriately:
-
-# chage -E [YYYY-MM-DD] [USER]
-
-""[YYYY-MM-DD]"" indicates the documented expiration date for the account.",C-46251r1_chk,"For every emergency account, run the following command to obtain its account aging and expiration information:
-
-# chage -l [USER]
-
-Verify each of these accounts has an expiration date set as documented.
-If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding."
-V-38691,medium,The Bluetooth service must be disabled.,"Disabling the ""bluetooth"" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.",None,SV-50492r2_rule,F-43640r1_fix,"The ""bluetooth"" service can be disabled with the following command:
-
-# chkconfig bluetooth off
-
-
-
-# service bluetooth stop",C-46253r3_chk,"To check that the ""bluetooth"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""bluetooth"" --list
-
-Output should indicate the ""bluetooth"" service has either not been installed or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""bluetooth"" --list
-""bluetooth"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-
-If the service is configured to run, this is a finding."
-V-38511,medium,"IP forwarding for IPv4 must not be enabled, unless the system is a router.",IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.,None,SV-50312r2_rule,F-43458r2_fix,"To set the runtime status of the ""net.ipv4.ip_forward"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.ip_forward=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.ip_forward = 0",C-46068r3_chk,"The status of the ""net.ipv4.ip_forward"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.ip_forward
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.ip_forward /etc/sysctl.conf
-
-The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding. "
-V-38693,low,The system must require passwords to contain no more than three consecutive repeating characters.,Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.,None,SV-50494r2_rule,F-43642r2_fix,"The pam_cracklib module's ""maxrepeat"" parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add ""maxrepeat=3"" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters.
-
-password required pam_cracklib.so maxrepeat=3 ",C-46255r1_chk,"To check the maximum value for consecutive repeating characters, run the following command:
-
-$ grep pam_cracklib /etc/pam.d/system-auth
-
-Look for the value of the ""maxrepeat"" parameter. The DoD requirement is 3.
-If maxrepeat is not found or not set to the required value, this is a finding."
-V-38597,medium,The system must limit the ability of processes to have simultaneous write and execute access to memory.,"ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range.",None,SV-50398r2_rule,F-43545r1_fix,"To set the runtime status of the ""kernel.exec-shield"" kernel parameter, run the following command:
-
-# sysctl -w kernel.exec-shield=1
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-kernel.exec-shield = 1",C-46155r3_chk,"The status of the ""kernel.exec-shield"" kernel parameter can be queried by running the following command:
-
-$ sysctl kernel.exec-shield
-$ grep kernel.exec-shield /etc/sysctl.conf
-
-The output of the command should indicate a value of ""1"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-If the correct value is not returned, this is a finding."
-V-38596,medium,The system must implement virtual address space randomization.,"Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.",None,SV-50397r2_rule,F-43543r1_fix,"To set the runtime status of the ""kernel.randomize_va_space"" kernel parameter, run the following command:
-
-# sysctl -w kernel.randomize_va_space=2
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-kernel.randomize_va_space = 2",C-46153r2_chk,"The status of the ""kernel.randomize_va_space"" kernel parameter can be queried by running the following commands:
-
-$ sysctl kernel.randomize_va_space
-$ grep kernel.randomize_va_space /etc/sysctl.conf
-
-The output of the command should indicate a value of at least ""1"" (preferably ""2""). If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-If the correct value is not returned, this is a finding."
-V-38595,medium,"The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.",Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials.,None,SV-50396r2_rule,F-43544r2_fix,"To enable smart card authentication, consult the documentation at:
-
-https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html
-
-For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
-
-https://access.redhat.com/solutions/82273",C-46154r1_chk,"Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication:
-
-SIPRNET systems
-Standalone systems
-Application accounts
-Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
-Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
-Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
-
-
-
-If non-exempt accounts are not using CAC authentication, this is a finding."
-V-38594,high,The rshd service must not be running.,"The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.",None,SV-50395r2_rule,F-43542r3_fix,"The ""rsh"" service, which is available with the ""rsh-server"" package and runs as a service through xinetd, should be disabled. The ""rsh"" service can be disabled with the following command:
-
-# chkconfig rsh off",C-46152r2_chk,"To check that the ""rsh"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""rsh"" --list
-
-Output should indicate the ""rsh"" service has either not been installed, or has been disabled, as shown in the example below:
-
-# chkconfig ""rsh"" --list
-rsh off
-OR
-error reading information on service rsh: No such file or directory
-
-
-If the service is running, this is a finding."
-V-38593,medium,"The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.",An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.,None,SV-50394r1_rule,F-43540r1_fix,"To configure the system login banner:
-
-Edit ""/etc/issue"". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:
-
-""You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--At any time, the USG may inspect and seize data stored on this IS.
--Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
--Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.""
-
-OR:
-
-""I've read & consent to terms in IS user agreem't.""",C-46150r1_chk,"To check if the system login banner is compliant, run the following command:
-
-$ cat /etc/issue
-
-
-If it does not display the required banner, this is a finding."
-V-38592,medium,The system must require administrator action to unlock an account locked by excessive failed login attempts.,Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.,None,SV-50393r4_rule,F-43541r6_fix,"To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using ""pam_faillock.so"", modify the content of both ""/etc/pam.d/system-auth"" and ""/etc/pam.d/password-auth"" as follows:
-
-Add the following line immediately before the ""pam_unix.so"" statement in the ""AUTH"" section:
-
-auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-
-Add the following line immediately after the ""pam_unix.so"" statement in the ""AUTH"" section:
-
-auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-
-Add the following line immediately before the ""pam_unix.so"" statement in the ""ACCOUNT"" section:
-
-account required pam_faillock.so
-
-Note that any updates made to ""/etc/pam.d/system-auth"" and ""/etc/pam.d/password-auth"" may be overwritten by the ""authconfig"" program. The ""authconfig"" program should not be used.",C-46151r5_chk,"To ensure the failed password attempt policy is configured correctly, run the following command:
-
-# grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
-
-The output should show ""unlock_time=""; the largest acceptable value is 604800 seconds (one week).
-If that is not the case, this is a finding."
-V-38591,high,The rsh-server package must not be installed.,"The ""rsh-server"" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.",None,SV-50392r1_rule,F-43539r1_fix,"The ""rsh-server"" package can be uninstalled with the following command:
-
-# yum erase rsh-server",C-46149r1_chk,"Run the following command to determine if the ""rsh-server"" package is installed:
-
-# rpm -q rsh-server
-
-
-If the package is installed, this is a finding."
-V-38590,low,The system must allow locking of the console screen in text mode.,"Installing ""screen"" ensures a console locking capability is available for users who may need to suspend console logins.",None,SV-50391r1_rule,F-43538r1_fix,"To enable console screen locking when in text mode, install the ""screen"" package:
-
-# yum install screen
-
-Instruct users to begin new terminal sessions with the following command:
-
-$ screen
-
-The console can now be locked with the following key combination:
-
-ctrl+a x",C-46148r1_chk,"Run the following command to determine if the ""screen"" package is installed:
-
-# rpm -q screen
-
-
-If the package is not installed, this is a finding."
-V-38456,low,The system must use a separate file system for /var.,"Ensuring that ""/var"" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the ""/var"" directory to contain world-writable directories, installed by other software packages.",None,SV-50256r1_rule,F-43401r2_fix,"The ""/var"" directory is used by daemons and other system services to store frequently-changing data. Ensure that ""/var"" has its own partition or logical volume at installation time, or migrate it using LVM.",C-46011r2_chk,"Run the following command to determine if ""/var"" is on its own partition or logical volume:
-
-$ mount | grep ""on /var ""
-
-If ""/var"" has its own partition or volume group, a line will be returned.
-If no line is returned, this is a finding."
-V-38457,medium,The /etc/passwd file must have mode 0644 or less permissive.,"If the ""/etc/passwd"" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.",None,SV-50257r1_rule,F-43397r1_fix,"To properly set the permissions of ""/etc/passwd"", run the command:
-
-# chmod 0644 /etc/passwd",C-46007r1_chk,"To check the permissions of ""/etc/passwd"", run the command:
-
-$ ls -l /etc/passwd
-
-If properly configured, the output should indicate the following permissions: ""-rw-r--r--""
-If it does not, this is a finding."
-V-38495,medium,Audit log files must be owned by root.,"If non-privileged users can write to audit logs, audit trails can be modified or destroyed.",None,SV-50296r1_rule,F-43443r1_fix,"Change the owner of the audit log files with the following command:
-
-# chown root [audit_file]",C-46053r1_chk,"Run the following command to check the owner of the system audit logs:
-
-grep ""^log_file"" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %U:%n
-
-Audit logs must be owned by root.
-If they are not, this is a finding."
-V-38455,low,The system must use a separate file system for /tmp.,"The ""/tmp"" partition is used as temporary storage by many programs. Placing ""/tmp"" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.",None,SV-50255r1_rule,F-43387r1_fix,"The ""/tmp"" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.",C-45997r1_chk,"Run the following command to determine if ""/tmp"" is on its own partition or logical volume:
-
-$ mount | grep ""on /tmp ""
-
-If ""/tmp"" has its own partition or volume group, a line will be returned.
-If no line is returned, this is a finding."
-V-38618,low,The avahi service must be disabled.,"Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.",None,SV-50419r2_rule,F-43567r2_fix,"The ""avahi-daemon"" service can be disabled with the following commands:
-
-# chkconfig avahi-daemon off
-# service avahi-daemon stop",C-46177r1_chk,"To check that the ""avahi-daemon"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""avahi-daemon"" --list
-
-Output should indicate the ""avahi-daemon"" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
-
-# chkconfig ""avahi-daemon"" --list
-""avahi-daemon"" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
-
-Run the following command to verify ""avahi-daemon"" is disabled through current runtime configuration:
-
-# service avahi-daemon status
-
-If the service is disabled the command will return the following output:
-
-avahi-daemon is stopped
-
-
-If the service is running, this is a finding."
-V-38619,medium,There must be no .netrc files on the system.,"Unencrypted passwords for remote FTP servers may be stored in "".netrc"" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.",None,SV-50420r2_rule,F-43569r2_fix,"The "".netrc"" files contain logon information used to auto-logon into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any "".netrc"" files should be removed.",C-46179r3_chk,"To check the system for the existence of any "".netrc"" files, run the following command:
-
-$ sudo find /root /home -xdev -name .netrc
-
-If any .netrc files exist, this is a finding."
-V-38599,medium,The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.,This setting will cause the system greeting banner to be used for FTP connections as well.,None,SV-50400r2_rule,F-43564r3_fix,"Edit the vsftpd configuration file, which resides at ""/etc/vsftpd/vsftpd.conf"" by default. Add or correct the following configuration options.
-
-banner_file=/etc/issue
-
-Restart the vsftpd daemon.
-
-# service vsftpd restart",C-46174r1_chk,"To verify this configuration, run the following command:
-
-grep ""banner_file"" /etc/vsftpd/vsftpd.conf
-
-The output should show the value of ""banner_file"" is set to ""/etc/issue"", an example of which is shown below.
-
-# grep ""banner_file"" /etc/vsftpd/vsftpd.conf
-banner_file=/etc/issue
-
-
-If it does not, this is a finding."
-V-38598,high,The rexecd service must not be running.,"The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.",None,SV-50399r2_rule,F-43546r3_fix,"The ""rexec"" service, which is available with the ""rsh-server"" package and runs as a service through xinetd, should be disabled. The ""rexec"" service can be disabled with the following command:
-
-# chkconfig rexec off",C-46156r3_chk,"To check that the ""rexec"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""rexec"" --list
-
-Output should indicate the ""rexec"" service has either not been installed, or has been disabled, as shown in the example below:
-
-# chkconfig ""rexec"" --list
-rexec off
-OR
-error reading information on service rexec: No such file or directory
-
-
-If the service is running, this is a finding."
-V-51337,medium,The system must use a Linux Security Module at boot time.,"Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.",None,SV-65547r1_rule,F-56147r1_fix,"SELinux can be disabled at boot time by an argument in ""/etc/grub.conf"". Remove any instances of ""selinux=0"" from the kernel arguments in that file to prevent SELinux from being disabled at boot. ",C-54007r1_chk,"Inspect ""/etc/grub.conf"" for any instances of ""selinux=0"" in the kernel boot arguments. Presence of ""selinux=0"" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding."
-V-38585,medium,The system boot loader must require authentication.,"Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.",None,SV-50386r2_rule,F-43533r1_fix,"The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:
-
-# grub-crypt --sha-512
-
-When prompted to enter a password, insert the following line into ""/etc/grub.conf"" immediately after the header comments. (Use the output from ""grub-crypt"" as the value of [password-hash]):
-
-password --encrypted [password-hash]",C-46143r2_chk,"To verify the boot loader password has been set and encrypted, run the following command:
-
-# grep password /etc/grub.conf
-
-The output should show the following:
-
-password --encrypted $6$[rest-of-the-password-hash]
-
-If it does not, this is a finding."
-V-43150,medium,The login user list must be disabled.,Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.,None,SV-55880r2_rule,F-48722r2_fix,"In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled.
-
-Run the following command to disable the user list:
-
-$ sudo gconftool-2 --direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type bool --set /apps/gdm/simple-greeter/disable_user_list true",C-49197r4_chk,"If the GConf2 package is not installed, this is not applicable.
-
-To ensure the user list is disabled, run the following command:
-
-$ gconftool-2 --direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---get /apps/gdm/simple-greeter/disable_user_list
-
-The output should be ""true"". If it is not, this is a finding. "
-V-38570,low,The system must require passwords to contain at least one special character.,Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.,None,SV-50371r1_rule,F-43518r1_fix,"The pam_cracklib module's ""ocredit="" parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ""ocredit=-1"" after pam_cracklib.so to require use of a special character in passwords.",C-46128r1_chk,"To check how many special characters are required in a password, run the following command:
-
-$ grep pam_cracklib /etc/pam.d/system-auth
-
-The ""ocredit"" parameter (as a negative number) will indicate how many special characters are required. The DoD requires at least one special character in a password. This would appear as ""ocredit=-1"".
-If ocredit is not found or not set to the required value, this is a finding."
-V-38568,low,The audit system must be configured to audit successful file system mounts.,"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.",None,SV-50369r3_rule,F-43516r2_fix,"At a minimum, the audit system should collect media exportation events for all users and root. Add the following to ""/etc/audit/audit.rules"", setting ARCH to either b32 or b64 as appropriate for your system:
-
--a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
--a always,exit -F arch=ARCH -S mount -F auid=0 -k export",C-46126r2_chk,"To verify that auditing is configured for all media exportation events, run the following command:
-
-$ sudo grep -w ""mount"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38569,low,The system must require passwords to contain at least one uppercase alphabetic character.,Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.,None,SV-50370r1_rule,F-43517r1_fix,"The pam_cracklib module's ""ucredit="" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ""ucredit=-1"" after pam_cracklib.so to require use of an uppercase character in passwords.",C-46127r1_chk,"To check how many uppercase characters are required in a password, run the following command:
-
-$ grep pam_cracklib /etc/pam.d/system-auth
-
-The ""ucredit"" parameter (as a negative number) will indicate how many uppercase characters are required. The DoD requires at least one uppercase character in a password. This would appear as ""ucredit=-1"".
-If ucredit is not found or not set to the required value, this is a finding."
-V-57569,medium,The noexec option must be added to the /tmp partition.,"Allowing users to execute binaries from world-writable directories such as ""/tmp"" should never be necessary in normal operation and can expose the system to potential compromise.",None,SV-71919r1_rule,F-62639r1_fix,"The ""noexec"" mount option can be used to prevent binaries from being executed out of ""/tmp"". Add the ""noexec"" option to the fourth column of ""/etc/fstab"" for the line which controls mounting of ""/tmp"".",C-58279r1_chk,"To verify that binaries cannot be directly executed from the /tmp directory, run the following command:
-
-$ grep '\s/tmp' /etc/fstab
-
-The resulting output will show whether the /tmp partition has the ""noexec"" flag set. If the /tmp partition does not have the noexec flag set, this is a finding."
-V-38560,medium,The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.,"The ""iptables"" service provides the system's host-based firewalling capability for IPv4 and ICMP.",None,SV-50361r2_rule,F-43508r2_fix,"The ""iptables"" service can be enabled with the following commands:
-
-# chkconfig iptables on
-# service iptables start",C-46118r2_chk,"If the system is a cross-domain system, this is not applicable.
-
-Run the following command to determine the current status of the ""iptables"" service:
-
-# service iptables status
-
-If the service is not running, it should return the following:
-
-iptables: Firewall is not running.
-
-
-If the service is not running, this is a finding."
-V-38561,low,The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50362r3_rule,F-43509r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod",C-46119r2_chk,"To determine if the system is configured to audit calls to the ""lsetxattr"" system call, run the following command:
-
-$ sudo grep -w ""lsetxattr"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38566,low,The audit system must be configured to audit failed attempts to access files and programs.,Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.,None,SV-50367r2_rule,F-43514r2_fix,"At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to ""/etc/audit/audit.rules"", setting ARCH to either b32 or b64 as appropriate for your system:
-
--a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
--S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
--a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
--S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
--a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
--S ftruncate -F exit=-EACCES -F auid=0 -k access
--a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
--S ftruncate -F exit=-EPERM -F auid=0 -k access",C-46124r1_chk,"To verify that the audit system collects unauthorized file accesses, run the following commands:
-
-# grep EACCES /etc/audit/audit.rules
-
-
-
-# grep EPERM /etc/audit/audit.rules
-
-
-If either command lacks output, this is a finding."
-V-38567,low,The audit system must be configured to audit all use of setuid and setgid programs.,"Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.",None,SV-50368r4_rule,F-43515r6_fix,"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]:
-
-$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null
-
-Then, for each setuid / setgid program on the system, add a line of the following form to ""/etc/audit/audit.rules"", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list:
-
--a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged",C-46125r7_chk,"To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs:
-
-$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null
-
-Run the following command to verify entries in the audit rules for all programs found with the previous command:
-
-$ sudo grep path /etc/audit/audit.rules
-
-It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding. "
-V-38565,low,The audit system must be configured to audit all discretionary access control permission modifications using setxattr.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50366r3_rule,F-43513r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod",C-46123r2_chk,"To determine if the system is configured to audit calls to the ""setxattr"" system call, run the following command:
-
-$ sudo grep -w ""setxattr"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38537,low,The system must ignore ICMPv4 bogus error responses.,"Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.",None,SV-50338r2_rule,F-43485r1_fix,"To set the runtime status of the ""net.ipv4.icmp_ignore_bogus_error_responses"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.icmp_ignore_bogus_error_responses = 1",C-46095r2_chk,"The status of the ""net.ipv4.icmp_ignore_bogus_error_responses"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.icmp_ignore_bogus_error_responses
-
-The output of the command should indicate a value of ""1"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38444,medium,"The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.","In ""ip6tables"" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to ""DROP"" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.",None,SV-50244r2_rule,F-43389r3_fix,"To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in ""/etc/sysconfig/ip6tables"":
-
-:INPUT DROP [0:0]
-
-Restart the IPv6 firewall:
-
-# service ip6tables restart",C-45999r2_chk,"If IPv6 is disabled, this is not applicable.
-
-Inspect the file ""/etc/sysconfig/ip6tables"" to determine the default policy for the INPUT chain. It should be set to DROP:
-
-# grep "":INPUT"" /etc/sysconfig/ip6tables
-
-If the default policy for the INPUT chain is not set to DROP, this is a finding. "
-V-38504,medium,The /etc/shadow file must have mode 0000.,"The ""/etc/shadow"" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.",None,SV-50305r1_rule,F-43451r1_fix,"To properly set the permissions of ""/etc/shadow"", run the command:
-
-# chmod 0000 /etc/shadow",C-46061r2_chk,"To check the permissions of ""/etc/shadow"", run the command:
-
-$ ls -l /etc/shadow
-
-If properly configured, the output should indicate the following permissions: ""----------""
-If it does not, this is a finding."
-V-38583,medium,The system boot loader configuration file(s) must have mode 0600 or less permissive.,Proper permissions ensure that only the root user can modify important boot parameters.,None,SV-50384r2_rule,F-43531r2_fix,"File permissions for ""/boot/grub/grub.conf"" should be set to 600, which is the default. To properly set the permissions of ""/boot/grub/grub.conf"", run the command:
-
-# chmod 600 /boot/grub/grub.conf
-
-Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.",C-46141r2_chk,"To check the permissions of /etc/grub.conf, run the command:
-
-$ sudo ls -lL /etc/grub.conf
-
-If properly configured, the output should indicate the following permissions: ""-rw-------""
-If it does not, this is a finding. "
-V-38500,medium,The root account must be the only account having a UID of 0.,An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.,None,SV-50301r2_rule,F-43447r1_fix,"If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.",C-46057r2_chk,"To list all password file entries for accounts with UID 0, run the following command:
-
-# awk -F: '($3 == 0) {print}' /etc/passwd
-
-This should print only one line, for the user root.
-If any account other than root has a UID of 0, this is a finding."
-V-38501,medium,The system must disable accounts after excessive login failures within a 15-minute interval.,Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.,None,SV-50302r4_rule,F-43448r6_fix,"Utilizing ""pam_faillock.so"", the ""fail_interval"" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both ""/etc/pam.d/system-auth"" and ""/etc/pam.d/password-auth"" as follows:
-
-Add the following line immediately before the ""pam_unix.so"" statement in the ""AUTH"" section:
-
-auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-
-Add the following line immediately after the ""pam_unix.so"" statement in the ""AUTH"" section:
-
-auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-
-Add the following line immediately before the ""pam_unix.so"" statement in the ""ACCOUNT"" section:
-
-account required pam_faillock.so
-
-Note that any updates made to ""/etc/pam.d/system-auth"" and ""/etc/pam.d/password-auth"" may be overwritten by the ""authconfig"" program. The ""authconfig"" program should not be used.",C-46058r2_chk,"To ensure the failed password attempt policy is configured correctly, run the following command:
-
-$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
-
-For each file, the output should show ""fail_interval="" where ""interval-in-seconds"" is 900 (15 minutes) or greater. If the ""fail_interval"" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding. "
-V-38502,medium,The /etc/shadow file must be owned by root.,"The ""/etc/shadow"" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.",None,SV-50303r1_rule,F-43449r1_fix,"To properly set the owner of ""/etc/shadow"", run the command:
-
-# chown root /etc/shadow",C-46059r1_chk,"To check the ownership of ""/etc/shadow"", run the command:
-
-$ ls -l /etc/shadow
-
-If properly configured, the output should indicate the following owner: ""root""
-If it does not, this is a finding."
-V-38503,medium,The /etc/shadow file must be group-owned by root.,"The ""/etc/shadow"" file stores password hashes. Protection of this file is critical for system security.",None,SV-50304r1_rule,F-43450r1_fix,"To properly set the group owner of ""/etc/shadow"", run the command:
-
-# chgrp root /etc/shadow",C-46060r1_chk,"To check the group ownership of ""/etc/shadow"", run the command:
-
-$ ls -l /etc/shadow
-
-If properly configured, the output should indicate the following group-owner. ""root""
-If it does not, this is a finding."
-V-38621,medium,The system clock must be synchronized to an authoritative DoD time source.,Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.,None,SV-50422r1_rule,F-43570r1_fix,"To specify a remote NTP server for time synchronization, edit the file ""/etc/ntp.conf"". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver.
-
-server [ntpserver]
-
-This instructs the NTP software to contact that remote server to obtain time data.",C-46180r1_chk,"A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file.
-
-/etc/ntp.conf
-
-In the file, there should be a section similar to the following:
-
-# --- OUR TIMESERVERS -----
-server [ntpserver]
-
-
-If this is not the case, this is a finding."
-V-38620,medium,"The system clock must be synchronized continuously, or at least daily.","Enabling the ""ntpd"" service ensures that the ""ntpd"" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.",None,SV-50421r1_rule,F-43568r1_fix,"The ""ntpd"" service can be enabled with the following command:
-
-# chkconfig ntpd on
-# service ntpd start",C-46178r1_chk,"Run the following command to determine the current status of the ""ntpd"" service:
-
-# service ntpd status
-
-If the service is enabled, it should return the following:
-
-ntpd is running...
-
-
-If the service is not running, this is a finding."
-V-38623,medium,All rsyslog-generated log files must have mode 0600 or less permissive.,"Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.",None,SV-50424r2_rule,F-43571r1_fix,"The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in ""/etc/rsyslog.conf"" and typically all appear in ""/var/log"". For each log file [LOGFILE] referenced in ""/etc/rsyslog.conf"", run the following command to inspect the file's permissions:
-
-$ ls -l [LOGFILE]
-
-If the permissions are not 600 or more restrictive, run the following command to correct this:
-
-# chmod 0600 [LOGFILE]",C-46181r2_chk,"The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in ""/etc/rsyslog.conf"" and typically all appear in ""/var/log"". For each log file [LOGFILE] referenced in ""/etc/rsyslog.conf"", run the following command to inspect the file's permissions:
-
-$ ls -l [LOGFILE]
-
-The permissions should be 600, or more restrictive. Some log files referenced in /etc/rsyslog.conf may be created by other programs and may require exclusion from consideration.
-
-If the permissions are not correct, this is a finding."
-V-38587,high,The telnet-server package must not be installed.,"Removing the ""telnet-server"" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.
-
-Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.",None,SV-50388r1_rule,F-43535r1_fix,"The ""telnet-server"" package can be uninstalled with the following command:
-
-# yum erase telnet-server",C-46144r1_chk,"Run the following command to determine if the ""telnet-server"" package is installed:
-
-# rpm -q telnet-server
-
-
-If the package is installed, this is a finding."
-V-38625,medium,"If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.","The ssl directive specifies whether to use ssl or not. If not specified it will default to ""no"". It should be set to ""start_tls"" rather than doing LDAP over SSL.",None,SV-50426r1_rule,F-43574r1_fix,"Configure LDAP to enforce TLS use. First, edit the file ""/etc/pam_ldap.conf"", and add or correct the following lines:
-
-ssl start_tls
-
-Then review the LDAP server and ensure TLS has been configured.",C-46184r1_chk,"If the system does not use LDAP for authentication or account information, this is not applicable.
-
-To ensure LDAP is configured to use TLS for all transactions, run the following command:
-
-$ grep start_tls /etc/pam_ldap.conf
-
-
-If no lines are returned, this is a finding."
-V-38624,low,System logs must be rotated daily.,Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.,None,SV-50425r1_rule,F-43573r1_fix,"The ""logrotate"" service should be installed or reinstalled if it is not installed and operating properly, by running the following command:
-
-# yum reinstall logrotate",C-46183r1_chk,"Run the following commands to determine the current status of the ""logrotate"" service:
-
-# grep logrotate /var/log/cron*
-
-If the logrotate service is not run on a daily basis by cron, this is a finding."
-V-38627,low,The openldap-servers package must not be installed unless required.,Unnecessary packages should not be installed to decrease the attack surface of the system.,None,SV-50428r1_rule,F-43577r1_fix,"The ""openldap-servers"" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package.
-
-# yum erase openldap-servers
-
-The openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.",C-46187r1_chk,"To verify the ""openldap-servers"" package is not installed, run the following command:
-
-$ rpm -q openldap-servers
-
-The output should show the following.
-
-package openldap-servers is not installed
-
-
-If it does not, this is a finding."
-V-38626,medium,The LDAP client must use a TLS connection using trust certificates signed by the site CA.,The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.,None,SV-50427r1_rule,F-43575r1_fix,"Ensure a copy of the site's CA certificate has been placed in the file ""/etc/pki/tls/CA/cacert.pem"". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file ""/etc/pam_ldap.conf"", and add or correct either of the following lines:
-
-tls_cacertdir /etc/pki/tls/CA
-
-or
-
-tls_cacertfile /etc/pki/tls/CA/cacert.pem
-
-Then review the LDAP server and ensure TLS has been configured.",C-46185r1_chk,"If the system does not use LDAP for authentication or account information, this is not applicable.
-
-To ensure TLS is configured with trust certificates, run the following command:
-
-# grep cert /etc/pam_ldap.conf
-
-
-If there is no output, or the lines are commented out, this is a finding."
-V-38629,medium,The graphical desktop environment must set the idle timeout to no more than 15 minutes.,"Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.",None,SV-50430r3_rule,F-43578r1_fix,"Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:
-
-# gconftool-2 \
---direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type int \
---set /apps/gnome-screensaver/idle_delay 15",C-46188r3_chk,"If the GConf2 package is not installed, this is not applicable.
-
-To check the current idle time-out value, run the following command:
-
-$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay
-
-If properly configured, the output should be ""15"".
-
-If it is not, this is a finding."
-V-38628,medium,The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.,"Ensuring the ""auditd"" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.",None,SV-50429r2_rule,F-43576r2_fix,"The ""auditd"" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The ""auditd"" service can be enabled with the following commands:
-
-# chkconfig auditd on
-# service auditd start",C-46186r1_chk,"Run the following command to determine the current status of the ""auditd"" service:
-
-# service auditd status
-
-If the service is enabled, it should return the following:
-
-auditd is running...
-
-
-If the service is not running, this is a finding."
-V-38588,medium,The system must not permit interactive boot.,"Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.",None,SV-50389r1_rule,F-43536r1_fix,"To disable the ability for users to perform interactive startups, edit the file ""/etc/sysconfig/init"". Add or correct the line:
-
-PROMPT=no
-
-The ""PROMPT"" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.",C-46146r1_chk,"To check whether interactive boot is disabled, run the following command:
-
-$ grep PROMPT /etc/sysconfig/init
-
-If interactive boot is disabled, the output will show:
-
-PROMPT=no
-
-
-If it does not, this is a finding."
-V-38589,high,The telnet daemon must not be running.,"The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
-
-Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.",None,SV-50390r2_rule,F-43537r1_fix,"The ""telnet"" service can be disabled with the following command:
-
-# chkconfig telnet off",C-46147r3_chk,"To check that the ""telnet"" service is disabled in system boot configuration, run the following command:
-
-# chkconfig ""telnet"" --list
-
-Output should indicate the ""telnet"" service has either not been installed, or has been disabled, as shown in the example below:
-
-# chkconfig ""telnet"" --list
-telnet off
-OR
-error reading information on service telnet: No such file or directory
-
-
-If the service is running, this is a finding."
-V-38584,low,The xinetd service must be uninstalled if no network services utilizing it are enabled.,"Removing the ""xinetd"" package decreases the risk of the xinetd service's accidental (or intentional) activation.",None,SV-50385r1_rule,F-43532r1_fix,"The ""xinetd"" package can be uninstalled with the following command:
-
-# yum erase xinetd",C-46142r1_chk,"If network services are using the xinetd service, this is not applicable.
-
-Run the following command to determine if the ""xinetd"" package is installed:
-
-# rpm -q xinetd
-
-
-If the package is installed, this is a finding."
-V-38694,low,The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.,Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.,None,SV-50495r1_rule,F-43643r2_fix,"To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in ""/etc/default/useradd"", substituting ""[NUM_DAYS]"" appropriately:
-
-INACTIVE=[NUM_DAYS]
-
-A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the ""useradd"" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a ""normal"" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.",C-46256r1_chk,"To verify the ""INACTIVE"" setting, run the following command:
-
-grep ""INACTIVE"" /etc/default/useradd
-
-The output should indicate the ""INACTIVE"" configuration option is set to an appropriate integer as shown in the example below:
-
-# grep ""INACTIVE"" /etc/default/useradd
-INACTIVE=35
-
-If it does not, this is a finding."
-V-38700,medium,The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. ,"By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",None,SV-50501r2_rule,F-43649r1_fix,"AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
-
-05 4 * * * root /usr/sbin/aide --check
-
-AIDE can be executed periodically through other means; this is merely one example.",C-46262r2_chk,"To determine that periodic AIDE execution has been scheduled, run the following command:
-
-# grep aide /etc/crontab /etc/cron.*/*
-
-If there is no output, this is a finding."
-V-38695,medium,"A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.","By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",None,SV-50496r2_rule,F-43644r1_fix,"AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
-
-05 4 * * * root /usr/sbin/aide --check
-
-AIDE can be executed periodically through other means; this is merely one example.",C-46257r2_chk,"To determine that periodic AIDE execution has been scheduled, run the following command:
-
-# grep aide /etc/crontab /etc/cron.*/*
-
-If there is no output or if aide is not run at least weekly, this is a finding."
-V-38701,high,The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.,"Using the ""-s"" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.",None,SV-50502r1_rule,F-43650r1_fix,"If running the ""tftp"" service is necessary, it should be configured to change its root directory at startup. To do so, ensure ""/etc/xinetd.d/tftp"" includes ""-s"" as a command line argument, as shown in the following example (which is also the default):
-
-server_args = -s /var/lib/tftpboot",C-46263r1_chk,"Verify ""tftp"" is configured by with the ""-s"" option by running the following command:
-
-grep ""server_args"" /etc/xinetd.d/tftp
-
-The output should indicate the ""server_args"" variable is configured with the ""-s"" flag, matching the example below:
-
-# grep ""server_args"" /etc/xinetd.d/tftp
-server_args = -s /var/lib/tftpboot
-
-If it does not, this is a finding."
-V-38483,medium,The system package management tool must cryptographically verify the authenticity of system software packages during installation.,Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.,None,SV-50283r1_rule,F-43429r1_fix,"The ""gpgcheck"" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in ""/etc/yum.conf"" in the ""[main]"" section:
-
-gpgcheck=1",C-46039r1_chk,"To determine whether ""yum"" is configured to use ""gpgcheck"", inspect ""/etc/yum.conf"" and ensure the following appears in the ""[main]"" section:
-
-gpgcheck=1
-
-A value of ""1"" indicates that ""gpgcheck"" is enabled. Absence of a ""gpgcheck"" line or a setting of ""0"" indicates that it is disabled.
-If GPG checking is not enabled, this is a finding.
-
-If the ""yum"" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed."
-V-38545,low,The audit system must be configured to audit all discretionary access control permission modifications using chown.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50346r3_rule,F-43493r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod",C-46103r2_chk,"To determine if the system is configured to audit calls to the ""chown"" system call, run the following command:
-
-$ sudo grep -w ""chown"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding. "
-V-38539,medium,The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.,"A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.",None,SV-50340r2_rule,F-43487r1_fix,"To set the runtime status of the ""net.ipv4.tcp_syncookies"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.tcp_syncookies=1
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.tcp_syncookies = 1",C-46097r2_chk,"The status of the ""net.ipv4.tcp_syncookies"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.tcp_syncookies
-
-The output of the command should indicate a value of ""1"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.tcp_syncookies /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38538,low,The operating system must automatically audit account termination.,"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.",None,SV-50339r1_rule,F-43486r1_fix,"Add the following to ""/etc/audit/audit.rules"", in order to capture events that modify account changes:
-
-# audit_account_changes
--w /etc/group -p wa -k audit_account_changes
--w /etc/passwd -p wa -k audit_account_changes
--w /etc/gshadow -p wa -k audit_account_changes
--w /etc/shadow -p wa -k audit_account_changes
--w /etc/security/opasswd -p wa -k audit_account_changes",C-46096r1_chk,"To determine if the system is configured to audit account changes, run the following command:
-
-auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
-
-If the system is configured to watch for account changes, lines should be returned for each file specified (and with ""perm=wa"" for each).
-If the system is not configured to audit account changes, this is a finding."
-V-38697,low,The sticky bit must be set on all public directories.,"Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
-
-The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.",None,SV-50498r2_rule,F-43646r1_fix,"When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
-To set the sticky bit on a world-writable directory [DIR], run the following command:
-
-# chmod +t [DIR]",C-46259r4_chk,"To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]:
-
-# find [PART] -xdev -type d -perm -002 \! -perm -1000
-
-
-If any world-writable directories are missing the sticky bit, this is a finding."
-V-38531,low,The operating system must automatically audit account creation.,"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.",None,SV-50332r1_rule,F-43480r1_fix,"Add the following to ""/etc/audit/audit.rules"", in order to capture events that modify account changes:
-
-# audit_account_changes
--w /etc/group -p wa -k audit_account_changes
--w /etc/passwd -p wa -k audit_account_changes
--w /etc/gshadow -p wa -k audit_account_changes
--w /etc/shadow -p wa -k audit_account_changes
--w /etc/security/opasswd -p wa -k audit_account_changes",C-46090r1_chk,"To determine if the system is configured to audit account changes, run the following command:
-
-auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
-
-If the system is configured to watch for account changes, lines should be returned for each file specified (and with ""perm=wa"" for each).
-If the system is not configured to audit account changes, this is a finding."
-V-38513,medium,"The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.","In ""iptables"" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to ""DROP"" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.",None,SV-50314r1_rule,F-43460r1_fix,"To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in ""/etc/sysconfig/iptables"":
-
-:INPUT DROP [0:0]",C-46070r1_chk,"Inspect the file ""/etc/sysconfig/iptables"" to determine the default policy for the INPUT chain. It should be set to DROP.
-
-# grep "":INPUT"" /etc/sysconfig/iptables
-
-If the default policy for the INPUT chain is not set to DROP, this is a finding."
-V-38533,low,The system must ignore ICMPv4 redirect messages by default.,This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.,None,SV-50334r3_rule,F-43481r1_fix,"To set the runtime status of the ""net.ipv4.conf.default.accept_redirects"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.default.accept_redirects=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.default.accept_redirects = 0",C-46091r2_chk,"The status of the ""net.ipv4.conf.default.accept_redirects"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.default.accept_redirects
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38532,medium,The system must not accept ICMPv4 secure redirect packets by default.,"Accepting ""secure"" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.",None,SV-50333r2_rule,F-43479r1_fix,"To set the runtime status of the ""net.ipv4.conf.default.secure_redirects"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.conf.default.secure_redirects=0
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.conf.default.secure_redirects = 0",C-46089r2_chk,"The status of the ""net.ipv4.conf.default.secure_redirects"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.conf.default.secure_redirects
-
-The output of the command should indicate a value of ""0"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38535,low,The system must not respond to ICMPv4 sent to a broadcast address.,Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.,None,SV-50336r2_rule,F-43483r1_fix,"To set the runtime status of the ""net.ipv4.icmp_echo_ignore_broadcasts"" kernel parameter, run the following command:
-
-# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
-
-If this is not the system's default value, add the following line to ""/etc/sysctl.conf"":
-
-net.ipv4.icmp_echo_ignore_broadcasts = 1",C-46093r2_chk,"The status of the ""net.ipv4.icmp_echo_ignore_broadcasts"" kernel parameter can be queried by running the following command:
-
-$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
-
-The output of the command should indicate a value of ""1"". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in ""/etc/sysctl.conf"".
-
-$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf
-
-If the correct value is not returned, this is a finding. "
-V-38534,low,The operating system must automatically audit account modification.,"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.",None,SV-50335r1_rule,F-43482r1_fix,"Add the following to ""/etc/audit/audit.rules"", in order to capture events that modify account changes:
-
-# audit_account_changes
--w /etc/group -p wa -k audit_account_changes
--w /etc/passwd -p wa -k audit_account_changes
--w /etc/gshadow -p wa -k audit_account_changes
--w /etc/shadow -p wa -k audit_account_changes
--w /etc/security/opasswd -p wa -k audit_account_changes",C-46092r1_chk,"To determine if the system is configured to audit account changes, run the following command:
-
-auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
-
-If the system is configured to watch for account changes, lines should be returned for each file specified (and with ""perm=wa"" for each).
-If the system is not configured to audit account changes, this is a finding."
-V-38655,low,The noexec option must be added to removable media partitions.,Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.,None,SV-50456r1_rule,F-43605r1_fix,"The ""noexec"" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The ""noexec"" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the ""noexec"" option to the fourth column of ""/etc/fstab"" for the line which controls mounting of any removable media partitions.",C-46216r1_chk,"To verify that binaries cannot be directly executed from removable media, run the following command:
-
-# grep noexec /etc/fstab
-
-The output should show ""noexec"" in use.
-If it does not, this is a finding."
-V-38512,medium,"The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.","The ""iptables"" service provides the system's host-based firewalling capability for IPv4 and ICMP.",None,SV-50313r2_rule,F-43459r2_fix,"The ""iptables"" service can be enabled with the following commands:
-
-# chkconfig iptables on
-# service iptables start",C-46069r2_chk,"If the system is a cross-domain system, this is not applicable.
-
-Run the following command to determine the current status of the ""iptables"" service:
-
-# service iptables status
-
-If the service is not running, it should return the following:
-
-iptables: Firewall is not running.
-
-
-If the service is not running, this is a finding."
-V-38438,low,Auditing must be enabled at boot by setting a kernel parameter.,"Each process on the system carries an ""auditable"" flag which indicates whether its activities can be audited. Although ""auditd"" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.",None,SV-50238r2_rule,F-43382r2_fix,"To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument ""audit=1"" to the kernel line in ""/etc/grub.conf"", in the manner below:
-
-kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
-
-UEFI systems may prepend ""/boot"" to the ""/vmlinuz-version"" argument. ",C-45992r2_chk,"Inspect the kernel boot arguments (which follow the word ""kernel"") in ""/etc/grub.conf"". If they include ""audit=1"", then auditing is enabled at boot time.
-
-If auditing is not enabled at boot time, this is a finding."
-V-38439,medium,The system must provide automated support for account management functions.,A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.,None,SV-50239r1_rule,F-43384r1_fix,"Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.",C-45994r1_chk,"Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system.
-
-If there is not, this is a finding."
-V-38692,low,Accounts must be locked upon 35 days of inactivity.,Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.,None,SV-50493r1_rule,F-43641r2_fix,"To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in ""/etc/default/useradd"", substituting ""[NUM_DAYS]"" appropriately:
-
-INACTIVE=[NUM_DAYS]
-
-A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the ""useradd"" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a ""normal"" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.",C-46254r2_chk,"To verify the ""INACTIVE"" setting, run the following command:
-
-grep ""INACTIVE"" /etc/default/useradd
-
-The output should indicate the ""INACTIVE"" configuration option is set to an appropriate integer as shown in the example below:
-
-# grep ""INACTIVE"" /etc/default/useradd
-INACTIVE=35
-
-If it does not, this is a finding."
-V-38638,medium,The graphical desktop environment must have automatic lock enabled.,"Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.",None,SV-50439r3_rule,F-43587r1_fix,"Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:
-
-# gconftool-2 --direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type bool \
---set /apps/gnome-screensaver/lock_enabled true",C-46198r3_chk,"If the GConf2 package is not installed, this is not applicable.
-
-To check the status of the idle screen lock activation, run the following command:
-
-$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled
-
-If properly configured, the output should be ""true"".
-If it is not, this is a finding."
-V-38639,low,The system must display a publicly-viewable pattern during a graphical desktop environment session lock.,Setting the screensaver mode to blank-only conceals the contents of the display from passersby.,None,SV-50440r3_rule,F-43588r2_fix,"Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:
-
-# gconftool-2 \
---direct \
---config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
---type string \
---set /apps/gnome-screensaver/mode blank-only",C-46199r4_chk,"If the GConf2 package is not installed, this is not applicable.
-
-To ensure the screensaver is configured to be blank, run the following command:
-
-$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode
-
-If properly configured, the output should be ""blank-only"".
-If it is not, this is a finding."
-V-38636,medium,The system must retain enough rotated audit logs to cover the required log retention period.,The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.,None,SV-50437r1_rule,F-43585r1_fix,"Determine how many log files ""auditd"" should retain when it rotates logs. Edit the file ""/etc/audit/auditd.conf"". Add or modify the following line, substituting [NUMLOGS] with the correct value:
-
-num_logs = [NUMLOGS]
-
-Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.",C-46195r1_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine how many logs the system is configured to retain after rotation: ""# grep num_logs /etc/audit/auditd.conf""
-
-num_logs = 5
-
-
-If the overall system log file(s) retention hasn't been properly set up, this is a finding."
-V-38637,medium,The system package management tool must verify contents of all files associated with the audit package.,The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system.,None,SV-50438r2_rule,F-43586r1_fix,"The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database:
-
-# rpm -V audit | grep '^..5'
-
-A ""c"" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to then refresh from distribution media or online repositories.
-
-rpm -Uvh [affected_package]
-
-OR
-
-yum reinstall [affected_package]",C-46196r3_chk,"The following command will list which audit files on the system have file hashes different from what is expected by the RPM database.
-
-# rpm -V audit | awk '$1 ~ /..5/ && $2 != ""c""'
-
-
-If there is output, this is a finding."
-V-38634,medium,The system must rotate audit log files that reach the maximum file size.,"Automatically rotating logs (by setting this to ""rotate"") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, ""keep_logs"" can be employed.",None,SV-50435r2_rule,F-43583r1_fix,"The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by ""auditd"", add or correct the line in ""/etc/audit/auditd.conf"":
-
-max_log_file_action = [ACTION]
-
-Possible values for [ACTION] are described in the ""auditd.conf"" man page. These include:
-
-""ignore""
-""syslog""
-""suspend""
-""rotate""
-""keep_logs""
-
-
-Set the ""[ACTION]"" to ""rotate"" to ensure log rotation occurs. This is the default. The setting is case-insensitive.",C-46193r3_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size:
-
-# grep max_log_file_action /etc/audit/auditd.conf
-max_log_file_action = rotate
-
-If the ""keep_logs"" option is configured for the ""max_log_file_action"" line in ""/etc/audit/auditd.conf"" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding.
-
-If the system has not been properly set up to rotate audit logs, this is a finding."
-V-38635,low,The audit system must be configured to audit all attempts to alter system time through adjtimex.,"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.",None,SV-50436r3_rule,F-43584r2_fix,"On a 32-bit system, add the following to ""/etc/audit/audit.rules"":
-
-# audit_time_rules
--a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
-
-On a 64-bit system, add the following to ""/etc/audit/audit.rules"":
-
-# audit_time_rules
--a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
-
-The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-
--a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules",C-46194r2_chk,"To determine if the system is configured to audit calls to the ""adjtimex"" system call, run the following command:
-
-$ sudo grep -w ""adjtimex"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return a line.
-
-If the system is not configured to audit time changes, this is a finding."
-V-38696,medium,"The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.","By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",None,SV-50497r2_rule,F-43645r1_fix,"AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
-
-05 4 * * * root /usr/sbin/aide --check
-
-AIDE can be executed periodically through other means; this is merely one example.",C-46258r2_chk,"To determine that periodic AIDE execution has been scheduled, run the following command:
-
-# grep aide /etc/crontab /etc/cron.*/*
-
-If there is no output, this is a finding."
-V-38633,medium,The system must set a maximum audit log file size.,The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.,None,SV-50434r1_rule,F-43582r1_fix,"Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file ""/etc/audit/auditd.conf"". Add or modify the following line, substituting the correct value for [STOREMB]:
-
-max_log_file = [STOREMB]
-
-Set the value to ""6"" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.",C-46192r1_chk,"Inspect ""/etc/audit/auditd.conf"" and locate the following line to determine how much data the system will retain in each audit log file: ""# grep max_log_file /etc/audit/auditd.conf""
-
-max_log_file = 6
-
-
-If the system audit data threshold hasn't been properly set up, this is a finding."
-V-38586,medium,The system must require authentication upon booting into single-user and maintenance modes.,This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.,None,SV-50387r1_rule,F-43534r1_fix,"Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.
-
-To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file ""/etc/sysconfig/init"":
-
-SINGLE=/sbin/sulogin",C-46145r1_chk,"To check if authentication is required for single-user mode, run the following command:
-
-$ grep SINGLE /etc/sysconfig/init
-
-The output should be the following:
-
-SINGLE=/sbin/sulogin
-
-
-If the output is different, this is a finding."
-V-38631,medium,The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.,"Ensuring the ""auditd"" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.",None,SV-50432r2_rule,F-43580r2_fix,"The ""auditd"" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The ""auditd"" service can be enabled with the following commands:
-
-# chkconfig auditd on
-# service auditd start",C-46190r1_chk,"Run the following command to determine the current status of the ""auditd"" service:
-
-# service auditd status
-
-If the service is enabled, it should return the following:
-
-auditd is running...
-
-
-If the service is not running, this is a finding."
-V-38614,high,The SSH daemon must not allow authentication using an empty password.,"Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.",None,SV-50415r1_rule,F-43562r1_fix,"To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in ""/etc/ssh/sshd_config"":
-
-PermitEmptyPasswords no
-
-Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.",C-46172r1_chk,"To determine how the SSH daemon's ""PermitEmptyPasswords"" option is set, run the following command:
-
-# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value ""no"" is returned, then the required value is set.
-If the required value is not set, this is a finding."
-V-38615,medium,The SSH daemon must be configured with the Department of Defense (DoD) login banner.,"The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.",None,SV-50416r1_rule,F-43563r1_fix,"To enable the warning banner and ensure it is consistent across the system, add or correct the following line in ""/etc/ssh/sshd_config"":
-
-Banner /etc/issue
-
-Another section contains information on how to create an appropriate system-wide warning banner.",C-46173r1_chk,"To determine how the SSH daemon's ""Banner"" option is set, run the following command:
-
-# grep -i Banner /etc/ssh/sshd_config
-
-If a line indicating /etc/issue is returned, then the required value is set.
-If the required value is not set, this is a finding."
-V-38622,medium,Mail relaying must be restricted.,"This ensures ""postfix"" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.",None,SV-50423r2_rule,F-43572r1_fix,"Edit the file ""/etc/postfix/main.cf"" to ensure that only the following ""inet_interfaces"" line appears:
-
-inet_interfaces = localhost",C-46182r2_chk,"If the system is an authorized mail relay host, this is not applicable.
-
-Run the following command to ensure postfix accepts mail messages from only the local system:
-
-$ grep inet_interfaces /etc/postfix/main.cf
-
-If properly configured, the output should show only ""localhost"".
-If it does not, this is a finding."
-V-38616,low,The SSH daemon must not permit user environment settings.,SSH environment options potentially allow users to bypass access restriction in some configurations.,None,SV-50417r1_rule,F-43565r1_fix,"To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in ""/etc/ssh/sshd_config"":
-
-PermitUserEnvironment no",C-46175r1_chk,"To ensure users are not able to present environment daemons, run the following command:
-
-# grep PermitUserEnvironment /etc/ssh/sshd_config
-
-If properly configured, output should be:
-
-PermitUserEnvironment no
-
-
-If it is not, this is a finding."
-V-38563,low,The audit system must be configured to audit all discretionary access control permission modifications using removexattr.,The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.,None,SV-50364r3_rule,F-43511r2_fix,"At a minimum, the audit system should collect file permission changes for all users and root. Add the following to ""/etc/audit/audit.rules"":
-
--a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
-
-If the system is 64-bit, then also add the following:
-
--a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
--k perm_mod
--a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod",C-46121r2_chk,"To determine if the system is configured to audit calls to the ""removexattr"" system call, run the following command:
-
-$ sudo grep -w ""removexattr"" /etc/audit/audit.rules
-
-If the system is configured to audit this activity, it will return several lines.
-
-If no line is returned, this is a finding."
-V-38617,medium,The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.,Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.,None,SV-50418r1_rule,F-43566r1_fix,"Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in ""/etc/ssh/sshd_config"" demonstrates use of FIPS-approved ciphers:
-
-Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
-
-The man page ""sshd_config(5)"" contains a list of supported ciphers.",C-46176r1_chk,"Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:
-
-# grep Ciphers /etc/ssh/sshd_config
-
-The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers.
-If that is not the case, this is a finding."
-V-38610,low,The SSH daemon must set a timeout count on idle sessions.,"This ensures a user login will be terminated as soon as the ""ClientAliveCountMax"" is reached.",None,SV-50411r1_rule,F-43558r1_fix,"To ensure the SSH idle timeout occurs precisely when the ""ClientAliveCountMax"" is set, edit ""/etc/ssh/sshd_config"" as follows:
-
-ClientAliveCountMax 0",C-46168r1_chk,"To ensure the SSH idle timeout will occur when the ""ClientAliveCountMax"" is set, run the following command:
-
-# grep ClientAliveCountMax /etc/ssh/sshd_config
-
-If properly configured, output should be:
-
-ClientAliveCountMax 0
-
-
-If it is not, this is a finding."
-V-38611,medium,The SSH daemon must ignore .rhosts files.,SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.,None,SV-50412r1_rule,F-43559r1_fix,"SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via "".rhosts"" files.
-
-To ensure this behavior is disabled, add or correct the following line in ""/etc/ssh/sshd_config"":
-
-IgnoreRhosts yes",C-46169r1_chk,"To determine how the SSH daemon's ""IgnoreRhosts"" option is set, run the following command:
-
-# grep -i IgnoreRhosts /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value ""yes"" is returned, then the required value is set.
-If the required value is not set, this is a finding."
diff --git a/doc/source/stig-notes/V-38437.rst b/doc/source/stig-notes/V-38437.rst
deleted file mode 100644
index d7313d9b..00000000
--- a/doc/source/stig-notes/V-38437.rst
+++ /dev/null
@@ -1,20 +0,0 @@
-V-38437: Automated file system mounting tools must not be enabled unless needed.
---------------------------------------------------------------------------------
-
-All filesystems that are required for the successful operation of the system
-should be explicitly listed in "/etc/fstab" by an administrator. New
-filesystems should not be arbitrarily introduced via the automounter. The
-"autofs" daemon mounts and unmounts filesystems, such as user home directories
-shared via NFS, on demand. In addition, autofs can be used to handle removable
-media, and the default configuration provides the cdrom device as "/misc/cd".
-However, this method of providing access to removable media is not common, so
-autofs can almost always be disabled if NFS is not in use. Even if NFS is
-required, it is almost always possible to configure filesystem mounts
-statically by editing "/etc/fstab" rather than relying on the automounter.
-
-Details: `V-38437 in STIG Viewer`_.
-
-.. _V-38437 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38437
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38438.rst b/doc/source/stig-notes/V-38438.rst
deleted file mode 100644
index 37b41863..00000000
--- a/doc/source/stig-notes/V-38438.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38438: Auditing must be enabled at boot by setting a kernel parameter.
-------------------------------------------------------------------------
-
-Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although "auditd" takes care of enabling this
-for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
-
-Details: `V-38438 in STIG Viewer`_.
-
-.. _V-38438 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38438
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38439.rst b/doc/source/stig-notes/V-38439.rst
deleted file mode 100644
index 74582be9..00000000
--- a/doc/source/stig-notes/V-38439.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-V-38439: The system must provide automated support for account management functions.
-------------------------------------------------------------------------------------
-
-A comprehensive account management process that includes automation helps to
-ensure the accounts designated as requiring attention are consistently and
-promptly addressed. Enterprise environments make user account management
-challenging and complex. A user management process requiring administrators to
-manually address account management functions adds risk of potential
-oversight.
-
-Details: `V-38439 in STIG Viewer`_.
-
-.. _V-38439 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38439
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38443.rst b/doc/source/stig-notes/V-38443.rst
deleted file mode 100644
index da04978e..00000000
--- a/doc/source/stig-notes/V-38443.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38443: The /etc/gshadow file must be owned by root.
------------------------------------------------------
-
-The "/etc/gshadow" file contains group password hashes. Protection of this
-file is critical for system security.
-
-Details: `V-38443 in STIG Viewer`_.
-
-.. _V-38443 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38443
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38444.rst b/doc/source/stig-notes/V-38444.rst
deleted file mode 100644
index ceb9f1cb..00000000
--- a/doc/source/stig-notes/V-38444.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38444: The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
-------------------------------------------------------------------------------------------------------------------
-
-In "ip6tables" the default policy is applied only after all the applicable
-rules in the table are examined for a match. Setting the default policy to
-"DROP" implements proper design for a firewall, i.e., any packets which are
-not explicitly permitted should not be accepted.
-
-Details: `V-38444 in STIG Viewer`_.
-
-.. _V-38444 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38444
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38445.rst b/doc/source/stig-notes/V-38445.rst
deleted file mode 100644
index 5ffabdf3..00000000
--- a/doc/source/stig-notes/V-38445.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38445: Audit log files must be group-owned by root.
------------------------------------------------------
-
-If non-privileged users can write to audit logs, audit trails can be modified
-or destroyed.
-
-Details: `V-38445 in STIG Viewer`_.
-
-.. _V-38445 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38445
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38446.rst b/doc/source/stig-notes/V-38446.rst
deleted file mode 100644
index 42c339b8..00000000
--- a/doc/source/stig-notes/V-38446.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38446: The mail system must forward all mail for root to one or more system administrators.
----------------------------------------------------------------------------------------------
-
-A number of system services utilize email messages sent to the root user to
-notify system administrators of active or impending issues. These messages
-must be forwarded to at least one monitored email address.
-
-Details: `V-38446 in STIG Viewer`_.
-
-.. _V-38446 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38446
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38447.rst b/doc/source/stig-notes/V-38447.rst
deleted file mode 100644
index 631f227b..00000000
--- a/doc/source/stig-notes/V-38447.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38447: The system package management tool must verify contents of all files associated with packages.
--------------------------------------------------------------------------------------------------------
-
-The hash on important files like system executables should match the
-information given by the RPM database. Executables with erroneous hashes could
-be a sign of nefarious activity on the system.
-
-Details: `V-38447 in STIG Viewer`_.
-
-.. _V-38447 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38447
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38448.rst b/doc/source/stig-notes/V-38448.rst
deleted file mode 100644
index 241eea62..00000000
--- a/doc/source/stig-notes/V-38448.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38448: The /etc/gshadow file must be group-owned by root.
------------------------------------------------------------
-
-The "/etc/gshadow" file contains group password hashes. Protection of this
-file is critical for system security.
-
-Details: `V-38448 in STIG Viewer`_.
-
-.. _V-38448 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38448
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38449.rst b/doc/source/stig-notes/V-38449.rst
deleted file mode 100644
index fdadc5f0..00000000
--- a/doc/source/stig-notes/V-38449.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38449: The /etc/gshadow file must have mode 0000.
----------------------------------------------------
-
-The /etc/gshadow file contains group password hashes. Protection of this file
-is critical for system security.
-
-Details: `V-38449 in STIG Viewer`_.
-
-.. _V-38449 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38449
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38450.rst b/doc/source/stig-notes/V-38450.rst
deleted file mode 100644
index 69fc27b6..00000000
--- a/doc/source/stig-notes/V-38450.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38450: The /etc/passwd file must be owned by root.
-----------------------------------------------------
-
-The "/etc/passwd" file contains information about the users that are
-configured on the system. Protection of this file is critical for system
-security.
-
-Details: `V-38450 in STIG Viewer`_.
-
-.. _V-38450 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38450
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38451.rst b/doc/source/stig-notes/V-38451.rst
deleted file mode 100644
index c6afa8c6..00000000
--- a/doc/source/stig-notes/V-38451.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38451: The /etc/passwd file must be group-owned by root.
-----------------------------------------------------------
-
-The "/etc/passwd" file contains information about the users that are
-configured on the system. Protection of this file is critical for system
-security.
-
-Details: `V-38451 in STIG Viewer`_.
-
-.. _V-38451 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38451
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38452.rst b/doc/source/stig-notes/V-38452.rst
deleted file mode 100644
index 1786b14a..00000000
--- a/doc/source/stig-notes/V-38452.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38452: The system package management tool must verify permissions on all files and directories associated with packages.
---------------------------------------------------------------------------------------------------------------------------
-
-Permissions on system binaries and configuration files that are too generous
-could allow an unauthorized user to gain privileges that they should not have.
-The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.
-
-Details: `V-38452 in STIG Viewer`_.
-
-.. _V-38452 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38452
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38453.rst b/doc/source/stig-notes/V-38453.rst
deleted file mode 100644
index 87a3669d..00000000
--- a/doc/source/stig-notes/V-38453.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38453: The system package management tool must verify group-ownership on all files and directories associated with packages.
-------------------------------------------------------------------------------------------------------------------------------
-
-Group-ownership of system binaries and configuration files that is incorrect
-could allow an unauthorized user to gain privileges that they should not have.
-The group-ownership set by the vendor should be maintained. Any deviations
-from this baseline should be investigated.
-
-Details: `V-38453 in STIG Viewer`_.
-
-.. _V-38453 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38453
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38454.rst b/doc/source/stig-notes/V-38454.rst
deleted file mode 100644
index bfa8a682..00000000
--- a/doc/source/stig-notes/V-38454.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38454: The system package management tool must verify ownership on all files and directories associated with packages.
-------------------------------------------------------------------------------------------------------------------------
-
-Ownership of system binaries and configuration files that is incorrect could
-allow an unauthorized user to gain privileges that they should not have. The
-ownership set by the vendor should be maintained. Any deviations from this
-baseline should be investigated.
-
-Details: `V-38454 in STIG Viewer`_.
-
-.. _V-38454 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38454
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38455.rst b/doc/source/stig-notes/V-38455.rst
deleted file mode 100644
index 91672578..00000000
--- a/doc/source/stig-notes/V-38455.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38455: The system must use a separate file system for /tmp.
--------------------------------------------------------------
-
-The "/tmp" partition is used as temporary storage by many programs. Placing
-"/tmp" in its own partition enables the setting of more restrictive mount
-options, which can help protect programs which use it.
-
-Details: `V-38455 in STIG Viewer`_.
-
-.. _V-38455 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38455
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38456.rst b/doc/source/stig-notes/V-38456.rst
deleted file mode 100644
index 79ee330a..00000000
--- a/doc/source/stig-notes/V-38456.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38456: The system must use a separate file system for /var.
--------------------------------------------------------------
-
-Ensuring that "/var" is mounted on its own partition enables the setting of
-more restrictive mount options. This helps protect system services such as
-daemons or other programs which use it. It is not uncommon for the "/var"
-directory to contain world-writable directories, installed by other software
-packages.
-
-Details: `V-38456 in STIG Viewer`_.
-
-.. _V-38456 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38456
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38457.rst b/doc/source/stig-notes/V-38457.rst
deleted file mode 100644
index 156fe3f6..00000000
--- a/doc/source/stig-notes/V-38457.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38457: The /etc/passwd file must have mode 0644 or less permissive.
----------------------------------------------------------------------
-
-If the "/etc/passwd" file is writable by a group-owner or the world the risk
-of its compromise is increased. The file contains the list of accounts on the
-system and associated information, and protection of this file is critical for
-system security.
-
-Details: `V-38457 in STIG Viewer`_.
-
-.. _V-38457 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38457
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38458.rst b/doc/source/stig-notes/V-38458.rst
deleted file mode 100644
index facec83e..00000000
--- a/doc/source/stig-notes/V-38458.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38458: The /etc/group file must be owned by root.
----------------------------------------------------
-
-The "/etc/group" file contains information regarding groups that are
-configured on the system. Protection of this file is important for system
-security.
-
-Details: `V-38458 in STIG Viewer`_.
-
-.. _V-38458 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38458
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38459.rst b/doc/source/stig-notes/V-38459.rst
deleted file mode 100644
index 0d8e2a69..00000000
--- a/doc/source/stig-notes/V-38459.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38459: The /etc/group file must be group-owned by root.
----------------------------------------------------------
-
-The "/etc/group" file contains information regarding groups that are
-configured on the system. Protection of this file is important for system
-security.
-
-Details: `V-38459 in STIG Viewer`_.
-
-.. _V-38459 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38459
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38460.rst b/doc/source/stig-notes/V-38460.rst
deleted file mode 100644
index 13f8e935..00000000
--- a/doc/source/stig-notes/V-38460.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38460: The NFS server must not have the all_squash option enabled.
---------------------------------------------------------------------
-
-The "all_squash" option maps all client requests to a single anonymous uid/gid
-on the NFS server, negating the ability to track file access by user ID.
-
-Details: `V-38460 in STIG Viewer`_.
-
-.. _V-38460 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38460
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38461.rst b/doc/source/stig-notes/V-38461.rst
deleted file mode 100644
index 768ea064..00000000
--- a/doc/source/stig-notes/V-38461.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38461: The /etc/group file must have mode 0644 or less permissive.
---------------------------------------------------------------------
-
-The "/etc/group" file contains information regarding groups that are
-configured on the system. Protection of this file is important for system
-security.
-
-Details: `V-38461 in STIG Viewer`_.
-
-.. _V-38461 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38461
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38462.rst b/doc/source/stig-notes/V-38462.rst
deleted file mode 100644
index 646388af..00000000
--- a/doc/source/stig-notes/V-38462.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
--------------------------------------------------------------------------------------------------------------------------------------
-
-Ensuring all packages' cryptographic signatures are valid prior to
-installation ensures the provenance of the software and protects against
-malicious tampering.
-
-Details: `V-38462 in STIG Viewer`_.
-
-.. _V-38462 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38462
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38463.rst b/doc/source/stig-notes/V-38463.rst
deleted file mode 100644
index 5480e044..00000000
--- a/doc/source/stig-notes/V-38463.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38463: The system must use a separate file system for /var/log.
------------------------------------------------------------------
-
-Placing "/var/log" in its own partition enables better separation between log
-files and other files in "/var/".
-
-Details: `V-38463 in STIG Viewer`_.
-
-.. _V-38463 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38463
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38464.rst b/doc/source/stig-notes/V-38464.rst
deleted file mode 100644
index baa34258..00000000
--- a/doc/source/stig-notes/V-38464.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38464: The audit system must take appropriate action when there are disk errors on the audit storage volume.
---------------------------------------------------------------------------------------------------------------
-
-Taking appropriate action in case of disk errors will minimize the possibility
-of losing audit records.
-
-Details: `V-38464 in STIG Viewer`_.
-
-.. _V-38464 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38464
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38465.rst b/doc/source/stig-notes/V-38465.rst
deleted file mode 100644
index 5caa0036..00000000
--- a/doc/source/stig-notes/V-38465.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38465: Library files must have mode 0755 or less permissive.
---------------------------------------------------------------
-
-Files from shared library directories are loaded into the address space of
-processes (including privileged ones) or of the kernel itself at runtime.
-Restrictive permissions are necessary to protect the integrity of the system.
-
-Details: `V-38465 in STIG Viewer`_.
-
-.. _V-38465 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38465
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38466.rst b/doc/source/stig-notes/V-38466.rst
deleted file mode 100644
index bb7483dc..00000000
--- a/doc/source/stig-notes/V-38466.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38466: Library files must be owned by root.
----------------------------------------------
-
-Files from shared library directories are loaded into the address space of
-processes (including privileged ones) or of the kernel itself at runtime.
-Proper ownership is necessary to protect the integrity of the system.
-
-Details: `V-38466 in STIG Viewer`_.
-
-.. _V-38466 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38466
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38467.rst b/doc/source/stig-notes/V-38467.rst
deleted file mode 100644
index 99945d1c..00000000
--- a/doc/source/stig-notes/V-38467.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38467: The system must use a separate file system for the system audit data path.
------------------------------------------------------------------------------------
-
-Placing "/var/log/audit" in its own partition enables better separation
-between audit files and other files, and helps ensure that auditing cannot be
-halted due to the partition running out of space.
-
-Details: `V-38467 in STIG Viewer`_.
-
-.. _V-38467 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38467
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38468.rst b/doc/source/stig-notes/V-38468.rst
deleted file mode 100644
index e58242cc..00000000
--- a/doc/source/stig-notes/V-38468.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38468: The audit system must take appropriate action when the audit storage volume is full.
----------------------------------------------------------------------------------------------
-
-Taking appropriate action in case of a filled audit storage volume will
-minimize the possibility of losing audit records.
-
-Details: `V-38468 in STIG Viewer`_.
-
-.. _V-38468 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38468
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38469.rst b/doc/source/stig-notes/V-38469.rst
deleted file mode 100644
index b408a683..00000000
--- a/doc/source/stig-notes/V-38469.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38469: All system command files must have mode 755 or less permissive.
-------------------------------------------------------------------------
-
-System binaries are executed by privileged users, as well as system services,
-and restrictive permissions are necessary to ensure execution of these
-programs cannot be co-opted.
-
-Details: `V-38469 in STIG Viewer`_.
-
-.. _V-38469 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38469
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38470.rst b/doc/source/stig-notes/V-38470.rst
deleted file mode 100644
index cc7370ad..00000000
--- a/doc/source/stig-notes/V-38470.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38470: The audit system must alert designated staff members when the audit storage volume approaches capacity.
-----------------------------------------------------------------------------------------------------------------
-
-Notifying administrators of an impending disk space problem may allow them to
-take corrective action prior to any disruption.
-
-Details: `V-38470 in STIG Viewer`_.
-
-.. _V-38470 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38470
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38471.rst b/doc/source/stig-notes/V-38471.rst
deleted file mode 100644
index 7d9a19be..00000000
--- a/doc/source/stig-notes/V-38471.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38471: The system must forward audit records to the syslog service.
----------------------------------------------------------------------
-
-The auditd service does not include the ability to send audit records to a
-centralized server for management directly. It does, however, include an
-audit event multiplexor plugin (audispd) to pass audit records to the local
-syslog server.
-
-Details: `V-38471 in STIG Viewer`_.
-
-.. _V-38471 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38471
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38472.rst b/doc/source/stig-notes/V-38472.rst
deleted file mode 100644
index d3d8d132..00000000
--- a/doc/source/stig-notes/V-38472.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38472: All system command files must be owned by root.
---------------------------------------------------------
-
-System binaries are executed by privileged users as well as system services,
-and restrictive permissions are necessary to ensure that their execution of
-these programs cannot be co-opted.
-
-Details: `V-38472 in STIG Viewer`_.
-
-.. _V-38472 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38472
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38473.rst b/doc/source/stig-notes/V-38473.rst
deleted file mode 100644
index 12a0f871..00000000
--- a/doc/source/stig-notes/V-38473.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38473: The system must use a separate file system for user home directories.
-------------------------------------------------------------------------------
-
-Ensuring that "/home" is mounted on its own partition enables the setting of
-more restrictive mount options, and also helps ensure that users cannot
-trivially fill partitions used for log or audit data storage.
-
-Details: `V-38473 in STIG Viewer`_.
-
-.. _V-38473 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38473
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38474.rst b/doc/source/stig-notes/V-38474.rst
deleted file mode 100644
index 7ef12eef..00000000
--- a/doc/source/stig-notes/V-38474.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38474: The system must allow locking of graphical desktop sessions.
----------------------------------------------------------------------
-
-The ability to lock graphical desktop sessions manually allows users to easily
-secure their accounts should they need to depart from their workstations
-temporarily.
-
-Details: `V-38474 in STIG Viewer`_.
-
-.. _V-38474 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38474
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38475.rst b/doc/source/stig-notes/V-38475.rst
deleted file mode 100644
index e685f636..00000000
--- a/doc/source/stig-notes/V-38475.rst
+++ /dev/null
@@ -1,17 +0,0 @@
-V-38475: The system must require passwords to contain a minimum of 14 characters.
----------------------------------------------------------------------------------
-
-Requiring a minimum password length makes password cracking attacks more
-difficult by ensuring a larger search space. However, any security benefit
-from an onerous requirement must be carefully weighed against usability
-problems, support costs, or counterproductive behavior that may result. While
-it does not negate the password length requirement, it is preferable to
-migrate from a password-based authentication scheme to a stronger one based on
-PKI (public key infrastructure).
-
-Details: `V-38475 in STIG Viewer`_.
-
-.. _V-38475 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38475
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38476.rst b/doc/source/stig-notes/V-38476.rst
deleted file mode 100644
index 0769d783..00000000
--- a/doc/source/stig-notes/V-38476.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
------------------------------------------------------------------------------------------------------------------
-
-The Red Hat GPG keys are necessary to cryptographically verify packages are
-from Red Hat.
-
-Details: `V-38476 in STIG Viewer`_.
-
-.. _V-38476 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38476
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38477.rst b/doc/source/stig-notes/V-38477.rst
deleted file mode 100644
index 586ed93a..00000000
--- a/doc/source/stig-notes/V-38477.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38477: Users must not be able to change passwords more than once every 24 hours.
-----------------------------------------------------------------------------------
-
-Setting the minimum password age protects against users cycling back to a
-favorite password after satisfying the password reuse requirement.
-
-Details: `V-38477 in STIG Viewer`_.
-
-.. _V-38477 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38477
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38478.rst b/doc/source/stig-notes/V-38478.rst
deleted file mode 100644
index 278951e0..00000000
--- a/doc/source/stig-notes/V-38478.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38478: The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
----------------------------------------------------------------------------------------------------------------
-
-Although systems management and patching is extremely important to system
-security, management by a system outside the enterprise enclave is not
-desirable for some environments. However, if the system is being managed by
-RHN or RHN Satellite Server the "rhnsd" daemon can remain on.
-
-Details: `V-38478 in STIG Viewer`_.
-
-.. _V-38478 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38478
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38479.rst b/doc/source/stig-notes/V-38479.rst
deleted file mode 100644
index 57617a1b..00000000
--- a/doc/source/stig-notes/V-38479.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38479: User passwords must be changed at least every 60 days.
----------------------------------------------------------------
-
-Setting the password maximum age ensures users are required to periodically
-change their passwords. This could possibly decrease the utility of a stolen
-password. Requiring shorter password lifetimes increases the risk of users
-writing down the password in a convenient location subject to physical
-compromise.
-
-Details: `V-38479 in STIG Viewer`_.
-
-.. _V-38479 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38479
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38480.rst b/doc/source/stig-notes/V-38480.rst
deleted file mode 100644
index 0c723c89..00000000
--- a/doc/source/stig-notes/V-38480.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38480: Users must be warned 7 days in advance of password expiration.
------------------------------------------------------------------------
-
-Setting the password warning age enables users to make the change at a
-practical time.
-
-Details: `V-38480 in STIG Viewer`_.
-
-.. _V-38480 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38480
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38481.rst b/doc/source/stig-notes/V-38481.rst
deleted file mode 100644
index 3adbc9f4..00000000
--- a/doc/source/stig-notes/V-38481.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38481: System security patches and updates must be installed and up-to-date.
-------------------------------------------------------------------------------
-
-Installing software updates is a fundamental mitigation against the
-exploitation of publicly-known vulnerabilities.
-
-Details: `V-38481 in STIG Viewer`_.
-
-.. _V-38481 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38481
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38482.rst b/doc/source/stig-notes/V-38482.rst
deleted file mode 100644
index a0bf0606..00000000
--- a/doc/source/stig-notes/V-38482.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38482: The system must require passwords to contain at least one numeric character.
--------------------------------------------------------------------------------------
-
-Requiring digits makes password guessing attacks more difficult by ensuring a
-larger search space.
-
-Details: `V-38482 in STIG Viewer`_.
-
-.. _V-38482 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38482
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38483.rst b/doc/source/stig-notes/V-38483.rst
deleted file mode 100644
index a0e09ebc..00000000
--- a/doc/source/stig-notes/V-38483.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38483: The system package management tool must cryptographically verify the authenticity of system software packages during installation.
--------------------------------------------------------------------------------------------------------------------------------------------
-
-Ensuring the validity of packages' cryptographic signatures prior to
-installation ensures the provenance of the software and protects against
-malicious tampering.
-
-Details: `V-38483 in STIG Viewer`_.
-
-.. _V-38483 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38483
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38484.rst b/doc/source/stig-notes/V-38484.rst
deleted file mode 100644
index 96d58f61..00000000
--- a/doc/source/stig-notes/V-38484.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38484: The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
--------------------------------------------------------------------------------------------------------------------------------------
-
-Users need to be aware of activity that occurs regarding their account.
-Providing users with information regarding the date and time of their last
-successful login allows the user to determine if any unauthorized activity has
-occurred and gives them an opportunity to notify administrators. At ssh
-login, a user must be presented with the last successful login date and time.
-
-Details: `V-38484 in STIG Viewer`_.
-
-.. _V-38484 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38484
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38486.rst b/doc/source/stig-notes/V-38486.rst
deleted file mode 100644
index f510b96c..00000000
--- a/doc/source/stig-notes/V-38486.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38486: The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-Operating system backup is a critical step in maintaining data assurance and
-availability. System-level information includes system-state information,
-operating system and application software, and licenses. Backups must be
-consistent with organizational recovery time and recovery point objectives.
-
-Details: `V-38486 in STIG Viewer`_.
-
-.. _V-38486 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38486
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38487.rst b/doc/source/stig-notes/V-38487.rst
deleted file mode 100644
index bbf83e61..00000000
--- a/doc/source/stig-notes/V-38487.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38487: The system package management tool must cryptographically verify the authenticity of all software packages during installation.
-----------------------------------------------------------------------------------------------------------------------------------------
-
-Ensuring all packages' cryptographic signatures are valid prior to
-installation ensures the provenance of the software and protects against
-malicious tampering.
-
-Details: `V-38487 in STIG Viewer`_.
-
-.. _V-38487 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38487
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38488.rst b/doc/source/stig-notes/V-38488.rst
deleted file mode 100644
index 2bf1a641..00000000
--- a/doc/source/stig-notes/V-38488.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38488: The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-Operating system backup is a critical step in maintaining data assurance and
-availability. User-level information is data generated by information system
-and/or application users. Backups shall be consistent with organizational
-recovery time and recovery point objectives.
-
-Details: `V-38488 in STIG Viewer`_.
-
-.. _V-38488 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38488
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38489.rst b/doc/source/stig-notes/V-38489.rst
deleted file mode 100644
index b324d46d..00000000
--- a/doc/source/stig-notes/V-38489.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38489: A file integrity tool must be installed.
--------------------------------------------------
-
-The AIDE package must be installed if it is to be available for integrity
-checking.
-
-Details: `V-38489 in STIG Viewer`_.
-
-.. _V-38489 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38489
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38490.rst b/doc/source/stig-notes/V-38490.rst
deleted file mode 100644
index aae35c7b..00000000
--- a/doc/source/stig-notes/V-38490.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38490: The operating system must enforce requirements for the connection of mobile devices to operating systems.
-------------------------------------------------------------------------------------------------------------------
-
-USB storage devices such as thumb drives can be used to introduce unauthorized
-software and other vulnerabilities. Support for these devices should be
-disabled and the devices themselves should be tightly controlled.
-
-Details: `V-38490 in STIG Viewer`_.
-
-.. _V-38490 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38490
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38491.rst b/doc/source/stig-notes/V-38491.rst
deleted file mode 100644
index 405fca5c..00000000
--- a/doc/source/stig-notes/V-38491.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38491: There must be no .rhosts or hosts.equiv files on the system.
----------------------------------------------------------------------
-
-Trust files are convenient, but when used in conjunction with the R-services,
-they can allow unauthenticated access to a system.
-
-Details: `V-38491 in STIG Viewer`_.
-
-.. _V-38491 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38491
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38492.rst b/doc/source/stig-notes/V-38492.rst
deleted file mode 100644
index aa338920..00000000
--- a/doc/source/stig-notes/V-38492.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38492: The system must prevent the root account from logging in from virtual consoles.
-----------------------------------------------------------------------------------------
-
-Preventing direct root login to virtual console devices helps ensure
-accountability for actions taken on the system using the root account.
-
-Details: `V-38492 in STIG Viewer`_.
-
-.. _V-38492 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38492
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38493.rst b/doc/source/stig-notes/V-38493.rst
deleted file mode 100644
index 0aedac87..00000000
--- a/doc/source/stig-notes/V-38493.rst
+++ /dev/null
@@ -1,11 +0,0 @@
-V-38493: Audit log directories must have mode 0755 or less permissive.
-----------------------------------------------------------------------
-
-If users can delete audit logs, audit trails can be modified or destroyed.
-
-Details: `V-38493 in STIG Viewer`_.
-
-.. _V-38493 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38493
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38494.rst b/doc/source/stig-notes/V-38494.rst
deleted file mode 100644
index 6f50bb63..00000000
--- a/doc/source/stig-notes/V-38494.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38494: The system must prevent the root account from logging in from serial consoles.
----------------------------------------------------------------------------------------
-
-Preventing direct root login to serial port interfaces helps ensure
-accountability for actions taken on the systems using the root account.
-
-Details: `V-38494 in STIG Viewer`_.
-
-.. _V-38494 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38494
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38495.rst b/doc/source/stig-notes/V-38495.rst
deleted file mode 100644
index 42d56ff8..00000000
--- a/doc/source/stig-notes/V-38495.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38495: Audit log files must be owned by root.
------------------------------------------------
-
-If non-privileged users can write to audit logs, audit trails can be modified
-or destroyed.
-
-Details: `V-38495 in STIG Viewer`_.
-
-.. _V-38495 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38495
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38496.rst b/doc/source/stig-notes/V-38496.rst
deleted file mode 100644
index 939a2aca..00000000
--- a/doc/source/stig-notes/V-38496.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38496: Default operating system accounts, other than root, must be locked.
-----------------------------------------------------------------------------
-
-Disabling authentication for default system accounts makes it more difficult
-for attackers to make use of them to compromise a system.
-
-Details: `V-38496 in STIG Viewer`_.
-
-.. _V-38496 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38497.rst b/doc/source/stig-notes/V-38497.rst
deleted file mode 100644
index caeb4097..00000000
--- a/doc/source/stig-notes/V-38497.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38497: The system must not have accounts configured with blank or null passwords.
------------------------------------------------------------------------------------
-
-If an account has an empty password, anyone could log in and run commands with
-the privileges of that account. Accounts with empty passwords should never be
-used in operational environments.
-
-Details: `V-38497 in STIG Viewer`_.
-
-.. _V-38497 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38497
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38498.rst b/doc/source/stig-notes/V-38498.rst
deleted file mode 100644
index 238539da..00000000
--- a/doc/source/stig-notes/V-38498.rst
+++ /dev/null
@@ -1,11 +0,0 @@
-V-38498: Audit log files must have mode 0640 or less permissive.
-----------------------------------------------------------------
-
-If users can write to audit logs, audit trails can be modified or destroyed.
-
-Details: `V-38498 in STIG Viewer`_.
-
-.. _V-38498 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38498
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38499.rst b/doc/source/stig-notes/V-38499.rst
deleted file mode 100644
index 6cc93e41..00000000
--- a/doc/source/stig-notes/V-38499.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38499: The /etc/passwd file must not contain password hashes.
----------------------------------------------------------------
-
-The hashes for all user account passwords should be stored in the file
-"/etc/shadow" and never in "/etc/passwd", which is readable by all users.
-
-Details: `V-38499 in STIG Viewer`_.
-
-.. _V-38499 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38499
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38500.rst b/doc/source/stig-notes/V-38500.rst
deleted file mode 100644
index bfc29e6d..00000000
--- a/doc/source/stig-notes/V-38500.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38500: The root account must be the only account having a UID of 0.
----------------------------------------------------------------------
-
-An account has root authority if it has a UID of 0. Multiple accounts with a
-UID of 0 afford more opportunity for potential intruders to guess a password
-for a privileged account. Proper configuration of sudo is recommended to
-afford multiple system administrators access to root privileges in an
-accountable manner.
-
-Details: `V-38500 in STIG Viewer`_.
-
-.. _V-38500 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38500
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38501.rst b/doc/source/stig-notes/V-38501.rst
deleted file mode 100644
index 5da54319..00000000
--- a/doc/source/stig-notes/V-38501.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38501: The system must disable accounts after excessive login failures within a 15-minute interval.
------------------------------------------------------------------------------------------------------
-
-Locking out user accounts after a number of incorrect attempts within a
-specific period of time prevents direct password guessing attacks.
-
-Details: `V-38501 in STIG Viewer`_.
-
-.. _V-38501 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38501
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38502.rst b/doc/source/stig-notes/V-38502.rst
deleted file mode 100644
index f1183f4d..00000000
--- a/doc/source/stig-notes/V-38502.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38502: The /etc/shadow file must be owned by root.
-----------------------------------------------------
-
-The "/etc/shadow" file contains the list of local system accounts and stores
-password hashes. Protection of this file is critical for system security.
-Failure to give ownership of this file to root provides the designated owner
-with access to sensitive information which could weaken the system security
-posture.
-
-Details: `V-38502 in STIG Viewer`_.
-
-.. _V-38502 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38502
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38503.rst b/doc/source/stig-notes/V-38503.rst
deleted file mode 100644
index 8d30c97d..00000000
--- a/doc/source/stig-notes/V-38503.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38503: The /etc/shadow file must be group-owned by root.
-----------------------------------------------------------
-
-The "/etc/shadow" file stores password hashes. Protection of this file is
-critical for system security.
-
-Details: `V-38503 in STIG Viewer`_.
-
-.. _V-38503 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38503
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38504.rst b/doc/source/stig-notes/V-38504.rst
deleted file mode 100644
index fc692957..00000000
--- a/doc/source/stig-notes/V-38504.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38504: The /etc/shadow file must have mode 0000.
---------------------------------------------------
-
-The "/etc/shadow" file contains the list of local system accounts and stores
-password hashes. Protection of this file is critical for system security.
-Failure to give ownership of this file to root provides the designated owner
-with access to sensitive information which could weaken the system security
-posture.
-
-Details: `V-38504 in STIG Viewer`_.
-
-.. _V-38504 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38504
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38511.rst b/doc/source/stig-notes/V-38511.rst
deleted file mode 100644
index 0d0bee1f..00000000
--- a/doc/source/stig-notes/V-38511.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38511: IP forwarding for IPv4 must not be enabled, unless the system is a router.
------------------------------------------------------------------------------------
-
-IP forwarding permits the kernel to forward packets from one network interface
-to another. The ability to forward packets between two networks is only
-appropriate for systems acting as routers.
-
-Details: `V-38511 in STIG Viewer`_.
-
-.. _V-38511 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38511
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38512.rst b/doc/source/stig-notes/V-38512.rst
deleted file mode 100644
index 6525ea09..00000000
--- a/doc/source/stig-notes/V-38512.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38512: The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-The "iptables" service provides the system's host-based firewalling capability
-for IPv4 and ICMP.
-
-Details: `V-38512 in STIG Viewer`_.
-
-.. _V-38512 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38512
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38513.rst b/doc/source/stig-notes/V-38513.rst
deleted file mode 100644
index f8ee741c..00000000
--- a/doc/source/stig-notes/V-38513.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38513: The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
-------------------------------------------------------------------------------------------------------------------
-
-In "iptables" the default policy is applied only after all the applicable
-rules in the table are examined for a match. Setting the default policy to
-"DROP" implements proper design for a firewall, i.e., any packets which are
-not explicitly permitted should not be accepted.
-
-Details: `V-38513 in STIG Viewer`_.
-
-.. _V-38513 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38513
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38514.rst b/doc/source/stig-notes/V-38514.rst
deleted file mode 100644
index 8a44060e..00000000
--- a/doc/source/stig-notes/V-38514.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38514: The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
-------------------------------------------------------------------------------------------
-
-Disabling DCCP protects the system against exploitation of any flaws in its
-implementation.
-
-Details: `V-38514 in STIG Viewer`_.
-
-.. _V-38514 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38514
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38515.rst b/doc/source/stig-notes/V-38515.rst
deleted file mode 100644
index 06a5750b..00000000
--- a/doc/source/stig-notes/V-38515.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38515: The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
-------------------------------------------------------------------------------------------
-
-Disabling SCTP protects the system against exploitation of any flaws in its
-implementation.
-
-Details: `V-38515 in STIG Viewer`_.
-
-.. _V-38515 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38515
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38516.rst b/doc/source/stig-notes/V-38516.rst
deleted file mode 100644
index 6c55df5b..00000000
--- a/doc/source/stig-notes/V-38516.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38516: The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
----------------------------------------------------------------------------------------
-
-Disabling RDS protects the system against exploitation of any flaws in its
-implementation.
-
-Details: `V-38516 in STIG Viewer`_.
-
-.. _V-38516 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38516
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38517.rst b/doc/source/stig-notes/V-38517.rst
deleted file mode 100644
index dfe275e4..00000000
--- a/doc/source/stig-notes/V-38517.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38517: The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
-------------------------------------------------------------------------------------------------------
-
-Disabling TIPC protects the system against exploitation of any flaws in its
-implementation.
-
-Details: `V-38517 in STIG Viewer`_.
-
-.. _V-38517 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38517
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38518.rst b/doc/source/stig-notes/V-38518.rst
deleted file mode 100644
index 072c6aa4..00000000
--- a/doc/source/stig-notes/V-38518.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38518: All rsyslog-generated log files must be owned by root.
----------------------------------------------------------------
-
-The log files generated by rsyslog contain valuable information regarding
-system configuration, user authentication, and other such information. Log
-files should be protected from unauthorized access.
-
-Details: `V-38518 in STIG Viewer`_.
-
-.. _V-38518 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38518
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38519.rst b/doc/source/stig-notes/V-38519.rst
deleted file mode 100644
index 1e30a09e..00000000
--- a/doc/source/stig-notes/V-38519.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38519: All rsyslog-generated log files must be group-owned by root.
----------------------------------------------------------------------
-
-The log files generated by rsyslog contain valuable information regarding
-system configuration, user authentication, and other such information. Log
-files should be protected from unauthorized access.
-
-Details: `V-38519 in STIG Viewer`_.
-
-.. _V-38519 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38519
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38520.rst b/doc/source/stig-notes/V-38520.rst
deleted file mode 100644
index 5180256a..00000000
--- a/doc/source/stig-notes/V-38520.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38520: The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-A log server (loghost) receives syslog messages from one or more systems. This
-data can be used as an additional log source in the event a system is
-compromised and its local logs are suspect. Forwarding log messages to a
-remote loghost also provides system administrators with a centralized place to
-view the status of multiple hosts within the enterprise.
-
-Details: `V-38520 in STIG Viewer`_.
-
-.. _V-38520 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38520
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38521.rst b/doc/source/stig-notes/V-38521.rst
deleted file mode 100644
index d7f49747..00000000
--- a/doc/source/stig-notes/V-38521.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38521: The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-A log server (loghost) receives syslog messages from one or more systems. This
-data can be used as an additional log source in the event a system is
-compromised and its local logs are suspect. Forwarding log messages to a
-remote loghost also provides system administrators with a centralized place to
-view the status of multiple hosts within the enterprise.
-
-Details: `V-38521 in STIG Viewer`_.
-
-.. _V-38521 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38521
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38522.rst b/doc/source/stig-notes/V-38522.rst
deleted file mode 100644
index 8bfba367..00000000
--- a/doc/source/stig-notes/V-38522.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38522: The audit system must be configured to audit all attempts to alter system time through settimeofday.
--------------------------------------------------------------------------------------------------------------
-
-Arbitrary changes to the system time can be used to obfuscate nefarious
-activities in log files, as well as to confuse network services that are
-highly dependent upon an accurate system time (such as sshd). All changes to
-the system time should be audited.
-
-Details: `V-38522 in STIG Viewer`_.
-
-.. _V-38522 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38522
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38523.rst b/doc/source/stig-notes/V-38523.rst
deleted file mode 100644
index be01f139..00000000
--- a/doc/source/stig-notes/V-38523.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38523: The system must not accept IPv4 source-routed packets on any interface.
---------------------------------------------------------------------------------
-
-Accepting source-routed packets in the IPv4 protocol has few legitimate uses.
-It should be disabled unless it is absolutely required.
-
-Details: `V-38523 in STIG Viewer`_.
-
-.. _V-38523 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38523
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38524.rst b/doc/source/stig-notes/V-38524.rst
deleted file mode 100644
index 2c4e9ed4..00000000
--- a/doc/source/stig-notes/V-38524.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38524: The system must not accept ICMPv4 redirect packets on any interface.
------------------------------------------------------------------------------
-
-Accepting ICMP redirects has few legitimate uses. It should be disabled unless
-it is absolutely required.
-
-Details: `V-38524 in STIG Viewer`_.
-
-.. _V-38524 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38524
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38525.rst b/doc/source/stig-notes/V-38525.rst
deleted file mode 100644
index 5eaa2a43..00000000
--- a/doc/source/stig-notes/V-38525.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38525: The audit system must be configured to audit all attempts to alter system time through stime.
-------------------------------------------------------------------------------------------------------
-
-Arbitrary changes to the system time can be used to obfuscate nefarious
-activities in log files, as well as to confuse network services that are
-highly dependent upon an accurate system time (such as sshd). All changes to
-the system time should be audited.
-
-Details: `V-38525 in STIG Viewer`_.
-
-.. _V-38525 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38525
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38526.rst b/doc/source/stig-notes/V-38526.rst
deleted file mode 100644
index 8c80b76e..00000000
--- a/doc/source/stig-notes/V-38526.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38526: The system must not accept ICMPv4 secure redirect packets on any interface.
-------------------------------------------------------------------------------------
-
-Accepting "secure" ICMP redirects (from those gateways listed as default
-gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.
-
-Details: `V-38526 in STIG Viewer`_.
-
-.. _V-38526 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38526
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38527.rst b/doc/source/stig-notes/V-38527.rst
deleted file mode 100644
index 23bb4b36..00000000
--- a/doc/source/stig-notes/V-38527.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38527: The audit system must be configured to audit all attempts to alter system time through clock_settime.
---------------------------------------------------------------------------------------------------------------
-
-Arbitrary changes to the system time can be used to obfuscate nefarious
-activities in log files, as well as to confuse network services that are
-highly dependent upon an accurate system time (such as sshd). All changes to
-the system time should be audited.
-
-Details: `V-38527 in STIG Viewer`_.
-
-.. _V-38527 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38527
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38528.rst b/doc/source/stig-notes/V-38528.rst
deleted file mode 100644
index 42342528..00000000
--- a/doc/source/stig-notes/V-38528.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38528: The system must log Martian packets.
----------------------------------------------
-
-The presence of "martian" packets (which have impossible addresses) as well as
-spoofed packets, source-routed packets, and redirects could be a sign of
-nefarious network activity. Logging these packets enables this activity to be
-detected.
-
-Details: `V-38528 in STIG Viewer`_.
-
-.. _V-38528 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38528
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38529.rst b/doc/source/stig-notes/V-38529.rst
deleted file mode 100644
index 99898628..00000000
--- a/doc/source/stig-notes/V-38529.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38529: The system must not accept IPv4 source-routed packets by default.
---------------------------------------------------------------------------
-
-Accepting source-routed packets in the IPv4 protocol has few legitimate uses.
-It should be disabled unless it is absolutely required.
-
-Details: `V-38529 in STIG Viewer`_.
-
-.. _V-38529 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38529
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38530.rst b/doc/source/stig-notes/V-38530.rst
deleted file mode 100644
index c382c648..00000000
--- a/doc/source/stig-notes/V-38530.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38530: The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
----------------------------------------------------------------------------------------------------------------
-
-Arbitrary changes to the system time can be used to obfuscate nefarious
-activities in log files, as well as to confuse network services that are
-highly dependent upon an accurate system time (such as sshd). All changes to
-the system time should be audited.
-
-Details: `V-38530 in STIG Viewer`_.
-
-.. _V-38530 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38530
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38531.rst b/doc/source/stig-notes/V-38531.rst
deleted file mode 100644
index df71a4ec..00000000
--- a/doc/source/stig-notes/V-38531.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38531: The operating system must automatically audit account creation.
-------------------------------------------------------------------------
-
-In addition to auditing new user and group accounts, these watches will alert
-the system administrator(s) to any modifications. Any unexpected users,
-groups, or modifications should be investigated for legitimacy.
-
-Details: `V-38531 in STIG Viewer`_.
-
-.. _V-38531 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38531
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38532.rst b/doc/source/stig-notes/V-38532.rst
deleted file mode 100644
index 66eeb9fc..00000000
--- a/doc/source/stig-notes/V-38532.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38532: The system must not accept ICMPv4 secure redirect packets by default.
-------------------------------------------------------------------------------
-
-Accepting "secure" ICMP redirects (from those gateways listed as default
-gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.
-
-Details: `V-38532 in STIG Viewer`_.
-
-.. _V-38532 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38532
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38533.rst b/doc/source/stig-notes/V-38533.rst
deleted file mode 100644
index 529b03a8..00000000
--- a/doc/source/stig-notes/V-38533.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38533: The system must ignore ICMPv4 redirect messages by default.
---------------------------------------------------------------------
-
-This feature of the IPv4 protocol has few legitimate uses. It should be
-disabled unless it is absolutely required.
-
-Details: `V-38533 in STIG Viewer`_.
-
-.. _V-38533 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38533
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38534.rst b/doc/source/stig-notes/V-38534.rst
deleted file mode 100644
index dd0cd702..00000000
--- a/doc/source/stig-notes/V-38534.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38534: The operating system must automatically audit account modification.
-----------------------------------------------------------------------------
-
-In addition to auditing new user and group accounts, these watches will alert
-the system administrator(s) to any modifications. Any unexpected users,
-groups, or modifications should be investigated for legitimacy.
-
-Details: `V-38534 in STIG Viewer`_.
-
-.. _V-38534 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38534
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38535.rst b/doc/source/stig-notes/V-38535.rst
deleted file mode 100644
index 0ef445f2..00000000
--- a/doc/source/stig-notes/V-38535.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38535: The system must not respond to ICMPv4 sent to a broadcast address.
----------------------------------------------------------------------------
-
-Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses
-makes the system slightly more difficult to enumerate on the network.
-
-Details: `V-38535 in STIG Viewer`_.
-
-.. _V-38535 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38535
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38536.rst b/doc/source/stig-notes/V-38536.rst
deleted file mode 100644
index c5c632f5..00000000
--- a/doc/source/stig-notes/V-38536.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38536: The operating system must automatically audit account disabling actions.
----------------------------------------------------------------------------------
-
-In addition to auditing new user and group accounts, these watches will alert
-the system administrator(s) to any modifications. Any unexpected users,
-groups, or modifications should be investigated for legitimacy.
-
-Details: `V-38536 in STIG Viewer`_.
-
-.. _V-38536 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38536
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38537.rst b/doc/source/stig-notes/V-38537.rst
deleted file mode 100644
index 27424b48..00000000
--- a/doc/source/stig-notes/V-38537.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38537: The system must ignore ICMPv4 bogus error responses.
--------------------------------------------------------------
-
-Ignoring bogus ICMP error responses reduces log size, although some activity
-would not be logged.
-
-Details: `V-38537 in STIG Viewer`_.
-
-.. _V-38537 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38537
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38538.rst b/doc/source/stig-notes/V-38538.rst
deleted file mode 100644
index ef144bf4..00000000
--- a/doc/source/stig-notes/V-38538.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38538: The operating system must automatically audit account termination.
----------------------------------------------------------------------------
-
-In addition to auditing new user and group accounts, these watches will alert
-the system administrator(s) to any modifications. Any unexpected users,
-groups, or modifications should be investigated for legitimacy.
-
-Details: `V-38538 in STIG Viewer`_.
-
-.. _V-38538 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38538
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38539.rst b/doc/source/stig-notes/V-38539.rst
deleted file mode 100644
index d57480cd..00000000
--- a/doc/source/stig-notes/V-38539.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-V-38539: The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
------------------------------------------------------------------------------------------------
-
-A TCP SYN flood attack can cause a denial of service by filling a system's TCP
-connection table with connections in the SYN_RCVD state. Syncookies can be
-used to track a connection when a subsequent ACK is received, verifying the
-initiator is attempting a valid connection and is not a flood source. This
-feature is activated when a flood condition is detected, and enables the
-system to continue servicing valid connection requests.
-
-Details: `V-38539 in STIG Viewer`_.
-
-.. _V-38539 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38539
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38540.rst b/doc/source/stig-notes/V-38540.rst
deleted file mode 100644
index 0b362184..00000000
--- a/doc/source/stig-notes/V-38540.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38540: The audit system must be configured to audit modifications to the systems network configuration.
----------------------------------------------------------------------------------------------------------
-
-The network environment should not be modified by anything other than
-administrator action. Any change to network parameters should be audited.
-
-Details: `V-38540 in STIG Viewer`_.
-
-.. _V-38540 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38540
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38541.rst b/doc/source/stig-notes/V-38541.rst
deleted file mode 100644
index 243d255f..00000000
--- a/doc/source/stig-notes/V-38541.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38541: The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
-------------------------------------------------------------------------------------------------------------------------------------------
-
-The system's mandatory access policy (SELinux) should not be arbitrarily
-changed by anything other than administrator action. All changes to MAC policy
-should be audited.
-
-Details: `V-38541 in STIG Viewer`_.
-
-.. _V-38541 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38541
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38542.rst b/doc/source/stig-notes/V-38542.rst
deleted file mode 100644
index f198b1ea..00000000
--- a/doc/source/stig-notes/V-38542.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38542: The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
-------------------------------------------------------------------------------------------------------------
-
-Enabling reverse path filtering drops packets with source addresses that
-should not have been able to be received on the interface they were received
-on. It should not be used on systems which are routers for complicated
-networks, but is helpful for end hosts and routers serving small networks.
-
-Details: `V-38542 in STIG Viewer`_.
-
-.. _V-38542 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38542
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38542_developer.rst b/doc/source/stig-notes/V-38542_developer.rst
deleted file mode 100644
index 3c57bba8..00000000
--- a/doc/source/stig-notes/V-38542_developer.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-**Exception**
-
-The STIG makes several requirements for IPv4 network restrictions, but these
-restrictions can impact certain network interfaces and cause service
-disruptions. Some security configurations make sense for certain types of
-network interfaces, like bridges, but other restrictions cause the network
-interface to stop passing valid traffic between hosts, containers, or virtual
-machines.
-
-The default network scripts and LXC userspace tools already configure various
-network devices to their most secure setting. Since some hosts will act as
-routers, enabling security configurations that restrict network traffic can
-cause service disruptions for OpenStack environments.
diff --git a/doc/source/stig-notes/V-38543.rst b/doc/source/stig-notes/V-38543.rst
deleted file mode 100644
index 15ba2654..00000000
--- a/doc/source/stig-notes/V-38543.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38543: The audit system must be configured to audit all discretionary access control permission modifications using chmod.
-----------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38543 in STIG Viewer`_.
-
-.. _V-38543 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38543
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38544.rst b/doc/source/stig-notes/V-38544.rst
deleted file mode 100644
index 9384c3c9..00000000
--- a/doc/source/stig-notes/V-38544.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38544: The system must use a reverse-path filter for IPv4 network traffic when possible by default.
------------------------------------------------------------------------------------------------------
-
-Enabling reverse path filtering drops packets with source addresses that
-should not have been able to be received on the interface they were received
-on. It should not be used on systems which are routers for complicated
-networks, but is helpful for end hosts and routers serving small networks.
-
-Details: `V-38544 in STIG Viewer`_.
-
-.. _V-38544 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38544
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38544_developer.rst b/doc/source/stig-notes/V-38544_developer.rst
deleted file mode 100644
index 3c57bba8..00000000
--- a/doc/source/stig-notes/V-38544_developer.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-**Exception**
-
-The STIG makes several requirements for IPv4 network restrictions, but these
-restrictions can impact certain network interfaces and cause service
-disruptions. Some security configurations make sense for certain types of
-network interfaces, like bridges, but other restrictions cause the network
-interface to stop passing valid traffic between hosts, containers, or virtual
-machines.
-
-The default network scripts and LXC userspace tools already configure various
-network devices to their most secure setting. Since some hosts will act as
-routers, enabling security configurations that restrict network traffic can
-cause service disruptions for OpenStack environments.
diff --git a/doc/source/stig-notes/V-38545.rst b/doc/source/stig-notes/V-38545.rst
deleted file mode 100644
index d678c0a9..00000000
--- a/doc/source/stig-notes/V-38545.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38545: The audit system must be configured to audit all discretionary access control permission modifications using chown.
-----------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38545 in STIG Viewer`_.
-
-.. _V-38545 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38545
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38546.rst b/doc/source/stig-notes/V-38546.rst
deleted file mode 100644
index 960bf7d2..00000000
--- a/doc/source/stig-notes/V-38546.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38546: The IPv6 protocol handler must not be bound to the network stack unless needed.
-----------------------------------------------------------------------------------------
-
-Any unnecessary network stacks - including IPv6 - should be disabled, to
-reduce the vulnerability to exploitation.
-
-Details: `V-38546 in STIG Viewer`_.
-
-.. _V-38546 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38546
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38547.rst b/doc/source/stig-notes/V-38547.rst
deleted file mode 100644
index 8392eb5e..00000000
--- a/doc/source/stig-notes/V-38547.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38547: The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38547 in STIG Viewer`_.
-
-.. _V-38547 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38547
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38548.rst b/doc/source/stig-notes/V-38548.rst
deleted file mode 100644
index e78511b3..00000000
--- a/doc/source/stig-notes/V-38548.rst
+++ /dev/null
@@ -1,11 +0,0 @@
-V-38548: The system must ignore ICMPv6 redirects by default.
-------------------------------------------------------------
-
-An illicit ICMP redirect message could result in a man-in-the-middle attack.
-
-Details: `V-38548 in STIG Viewer`_.
-
-.. _V-38548 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38548
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38549.rst b/doc/source/stig-notes/V-38549.rst
deleted file mode 100644
index 8df1c333..00000000
--- a/doc/source/stig-notes/V-38549.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38549: The system must employ a local IPv6 firewall.
-------------------------------------------------------
-
-The "ip6tables" service provides the system's host-based firewalling
-capability for IPv6 and ICMPv6.
-
-Details: `V-38549 in STIG Viewer`_.
-
-.. _V-38549 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38549
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38550.rst b/doc/source/stig-notes/V-38550.rst
deleted file mode 100644
index 649da133..00000000
--- a/doc/source/stig-notes/V-38550.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38550: The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
--------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38550 in STIG Viewer`_.
-
-.. _V-38550 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38550
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38551.rst b/doc/source/stig-notes/V-38551.rst
deleted file mode 100644
index 3ef2bfbe..00000000
--- a/doc/source/stig-notes/V-38551.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38551: The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-The "ip6tables" service provides the system's host-based firewalling
-capability for IPv6 and ICMPv6.
-
-Details: `V-38551 in STIG Viewer`_.
-
-.. _V-38551 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38551
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38552.rst b/doc/source/stig-notes/V-38552.rst
deleted file mode 100644
index 4360307b..00000000
--- a/doc/source/stig-notes/V-38552.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38552: The audit system must be configured to audit all discretionary access control permission modifications using fchown.
------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38552 in STIG Viewer`_.
-
-.. _V-38552 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38552
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38553.rst b/doc/source/stig-notes/V-38553.rst
deleted file mode 100644
index 58636d61..00000000
--- a/doc/source/stig-notes/V-38553.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38553: The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-The "ip6tables" service provides the system's host-based firewalling
-capability for IPv6 and ICMPv6.
-
-Details: `V-38553 in STIG Viewer`_.
-
-.. _V-38553 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38553
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38554.rst b/doc/source/stig-notes/V-38554.rst
deleted file mode 100644
index 587514aa..00000000
--- a/doc/source/stig-notes/V-38554.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38554: The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
--------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38554 in STIG Viewer`_.
-
-.. _V-38554 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38554
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38555.rst b/doc/source/stig-notes/V-38555.rst
deleted file mode 100644
index 77ddf2c0..00000000
--- a/doc/source/stig-notes/V-38555.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38555: The system must employ a local IPv4 firewall.
-------------------------------------------------------
-
-The "iptables" service provides the system's host-based firewalling capability
-for IPv4 and ICMP.
-
-Details: `V-38555 in STIG Viewer`_.
-
-.. _V-38555 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38555
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38556.rst b/doc/source/stig-notes/V-38556.rst
deleted file mode 100644
index 4990a9c3..00000000
--- a/doc/source/stig-notes/V-38556.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38556: The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
------------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38556 in STIG Viewer`_.
-
-.. _V-38556 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38556
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38557.rst b/doc/source/stig-notes/V-38557.rst
deleted file mode 100644
index ee34076d..00000000
--- a/doc/source/stig-notes/V-38557.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38557: The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
---------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38557 in STIG Viewer`_.
-
-.. _V-38557 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38557
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38558.rst b/doc/source/stig-notes/V-38558.rst
deleted file mode 100644
index 5a1b7877..00000000
--- a/doc/source/stig-notes/V-38558.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38558: The audit system must be configured to audit all discretionary access control permission modifications using lchown.
------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38558 in STIG Viewer`_.
-
-.. _V-38558 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38558
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38559.rst b/doc/source/stig-notes/V-38559.rst
deleted file mode 100644
index 3c53d346..00000000
--- a/doc/source/stig-notes/V-38559.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38559: The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
------------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38559 in STIG Viewer`_.
-
-.. _V-38559 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38559
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38560.rst b/doc/source/stig-notes/V-38560.rst
deleted file mode 100644
index d08c28d3..00000000
--- a/doc/source/stig-notes/V-38560.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38560: The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-The "iptables" service provides the system's host-based firewalling capability
-for IPv4 and ICMP.
-
-Details: `V-38560 in STIG Viewer`_.
-
-.. _V-38560 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38560
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38561.rst b/doc/source/stig-notes/V-38561.rst
deleted file mode 100644
index 15201234..00000000
--- a/doc/source/stig-notes/V-38561.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38561: The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
---------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38561 in STIG Viewer`_.
-
-.. _V-38561 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38561
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38563.rst b/doc/source/stig-notes/V-38563.rst
deleted file mode 100644
index 33a10ac1..00000000
--- a/doc/source/stig-notes/V-38563.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38563: The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
-----------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38563 in STIG Viewer`_.
-
-.. _V-38563 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38563
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38565.rst b/doc/source/stig-notes/V-38565.rst
deleted file mode 100644
index a51593e6..00000000
--- a/doc/source/stig-notes/V-38565.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38565: The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
--------------------------------------------------------------------------------------------------------------------------------
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC
-modifications can facilitate the identification of patterns of abuse among
-both authorized and unauthorized users.
-
-Details: `V-38565 in STIG Viewer`_.
-
-.. _V-38565 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38565
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38566.rst b/doc/source/stig-notes/V-38566.rst
deleted file mode 100644
index 652fe12f..00000000
--- a/doc/source/stig-notes/V-38566.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38566: The audit system must be configured to audit failed attempts to access files and programs.
----------------------------------------------------------------------------------------------------
-
-Unsuccessful attempts to access files could be an indicator of malicious
-activity on a system. Auditing these events could serve as evidence of
-potential system compromise.
-
-Details: `V-38566 in STIG Viewer`_.
-
-.. _V-38566 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38566
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38567.rst b/doc/source/stig-notes/V-38567.rst
deleted file mode 100644
index 457ba6aa..00000000
--- a/doc/source/stig-notes/V-38567.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38567: The audit system must be configured to audit all use of setuid and setgid programs.
---------------------------------------------------------------------------------------------
-
-Privileged programs are subject to escalation-of-privilege attacks, which
-attempt to subvert their normal role of providing some necessary but limited
-capability. As such, motivation exists to monitor these programs for unusual
-activity.
-
-Details: `V-38567 in STIG Viewer`_.
-
-.. _V-38567 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38567
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38568.rst b/doc/source/stig-notes/V-38568.rst
deleted file mode 100644
index 028eae39..00000000
--- a/doc/source/stig-notes/V-38568.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38568: The audit system must be configured to audit successful file system mounts.
-------------------------------------------------------------------------------------
-
-The unauthorized exportation of data to external media could result in an
-information leak where classified information, Privacy Act information, and
-intellectual property could be lost. An audit trail should be created each
-time a filesystem is mounted to help identify and guard against information
-loss.
-
-Details: `V-38568 in STIG Viewer`_.
-
-.. _V-38568 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38568
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38569.rst b/doc/source/stig-notes/V-38569.rst
deleted file mode 100644
index 112de3f8..00000000
--- a/doc/source/stig-notes/V-38569.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38569: The system must require passwords to contain at least one uppercase alphabetic character.
---------------------------------------------------------------------------------------------------
-
-Requiring a minimum number of uppercase characters makes password guessing
-attacks more difficult by ensuring a larger search space.
-
-Details: `V-38569 in STIG Viewer`_.
-
-.. _V-38569 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38569
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38570.rst b/doc/source/stig-notes/V-38570.rst
deleted file mode 100644
index 15952aa2..00000000
--- a/doc/source/stig-notes/V-38570.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38570: The system must require passwords to contain at least one special character.
--------------------------------------------------------------------------------------
-
-Requiring a minimum number of special characters makes password guessing
-attacks more difficult by ensuring a larger search space.
-
-Details: `V-38570 in STIG Viewer`_.
-
-.. _V-38570 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38570
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38571.rst b/doc/source/stig-notes/V-38571.rst
deleted file mode 100644
index 06b56d07..00000000
--- a/doc/source/stig-notes/V-38571.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38571: The system must require passwords to contain at least one lowercase alphabetic character.
---------------------------------------------------------------------------------------------------
-
-Requiring a minimum number of lowercase characters makes password guessing
-attacks more difficult by ensuring a larger search space.
-
-Details: `V-38571 in STIG Viewer`_.
-
-.. _V-38571 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38571
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38572.rst b/doc/source/stig-notes/V-38572.rst
deleted file mode 100644
index 232889ca..00000000
--- a/doc/source/stig-notes/V-38572.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38572: The system must require at least four characters be changed between the old and new passwords during a password change.
---------------------------------------------------------------------------------------------------------------------------------
-
-Requiring a minimum number of different characters during password changes
-ensures that newly changed passwords should not resemble previously
-compromised ones. Note that passwords which are changed on compromised systems
-will still be compromised, however.
-
-Details: `V-38572 in STIG Viewer`_.
-
-.. _V-38572 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38572
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38572_developer.rst b/doc/source/stig-notes/V-38572_developer.rst
deleted file mode 100644
index 344697e5..00000000
--- a/doc/source/stig-notes/V-38572_developer.rst
+++ /dev/null
@@ -1,10 +0,0 @@
-**Exception**
-
-Password complexity requirements are left up to the deployer. Deployers are
-urged to rely on SSH keys as often as possible to avoid problems with
-passwords.
-
-Review the pam_cracklib documentation by running ``man pam_cracklib`` or
-read the `detailed documentation from Hal Pomeranz`_.
-
-.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
diff --git a/doc/source/stig-notes/V-38573.rst b/doc/source/stig-notes/V-38573.rst
deleted file mode 100644
index bf397e07..00000000
--- a/doc/source/stig-notes/V-38573.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38573: The system must disable accounts after three consecutive unsuccessful logon attempts.
-----------------------------------------------------------------------------------------------
-
-Locking out user accounts after a number of incorrect attempts prevents direct
-password guessing attacks.
-
-Details: `V-38573 in STIG Viewer`_.
-
-.. _V-38573 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38573
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38574.rst b/doc/source/stig-notes/V-38574.rst
deleted file mode 100644
index 9832e64a..00000000
--- a/doc/source/stig-notes/V-38574.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38574: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
-----------------------------------------------------------------------------------------------------------------------------------------
-
-Using a stronger hashing algorithm makes password cracking attacks more
-difficult.
-
-Details: `V-38574 in STIG Viewer`_.
-
-.. _V-38574 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38574
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38575.rst b/doc/source/stig-notes/V-38575.rst
deleted file mode 100644
index 3174e24d..00000000
--- a/doc/source/stig-notes/V-38575.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38575: The audit system must be configured to audit user deletions of files and programs.
--------------------------------------------------------------------------------------------
-
-Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well
-as detecting malicious processes that attempt to delete log files to conceal
-their presence.
-
-Details: `V-38575 in STIG Viewer`_.
-
-.. _V-38575 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38575
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38576.rst b/doc/source/stig-notes/V-38576.rst
deleted file mode 100644
index 38daec50..00000000
--- a/doc/source/stig-notes/V-38576.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38576: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
----------------------------------------------------------------------------------------------------------------------------------------
-
-Using a stronger hashing algorithm makes password cracking attacks more
-difficult.
-
-Details: `V-38576 in STIG Viewer`_.
-
-.. _V-38576 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38576
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38577.rst b/doc/source/stig-notes/V-38577.rst
deleted file mode 100644
index 460b6285..00000000
--- a/doc/source/stig-notes/V-38577.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38577: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
------------------------------------------------------------------------------------------------------------------------------------------
-
-Using a stronger hashing algorithm makes password cracking attacks more
-difficult.
-
-Details: `V-38577 in STIG Viewer`_.
-
-.. _V-38577 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38577
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38578.rst b/doc/source/stig-notes/V-38578.rst
deleted file mode 100644
index 28889e75..00000000
--- a/doc/source/stig-notes/V-38578.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38578: The audit system must be configured to audit changes to the /etc/sudoers file.
----------------------------------------------------------------------------------------
-
-The actions taken by system administrators should be audited to keep a record
-of what was executed on the system, as well as, for accountability purposes.
-
-Details: `V-38578 in STIG Viewer`_.
-
-.. _V-38578 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38578
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38579.rst b/doc/source/stig-notes/V-38579.rst
deleted file mode 100644
index 69731a3a..00000000
--- a/doc/source/stig-notes/V-38579.rst
+++ /dev/null
@@ -1,11 +0,0 @@
-V-38579: The system boot loader configuration file(s) must be owned by root.
-----------------------------------------------------------------------------
-
-Only root should be able to modify important boot parameters.
-
-Details: `V-38579 in STIG Viewer`_.
-
-.. _V-38579 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38579
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38580.rst b/doc/source/stig-notes/V-38580.rst
deleted file mode 100644
index 09bb1c85..00000000
--- a/doc/source/stig-notes/V-38580.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38580: The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
-----------------------------------------------------------------------------------------------------------
-
-The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is
-important to have an audit trail of modules that have been introduced into the
-kernel.
-
-Details: `V-38580 in STIG Viewer`_.
-
-.. _V-38580 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38580
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38581.rst b/doc/source/stig-notes/V-38581.rst
deleted file mode 100644
index 02186916..00000000
--- a/doc/source/stig-notes/V-38581.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38581: The system boot loader configuration file(s) must be group-owned by root.
-----------------------------------------------------------------------------------
-
-The "root" group is a highly-privileged group. Furthermore, the group-owner of
-this file should not have any access privileges anyway.
-
-Details: `V-38581 in STIG Viewer`_.
-
-.. _V-38581 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38581
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38582.rst b/doc/source/stig-notes/V-38582.rst
deleted file mode 100644
index 3b96964b..00000000
--- a/doc/source/stig-notes/V-38582.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38582: The xinetd service must be disabled if no network services utilizing it are enabled.
----------------------------------------------------------------------------------------------
-
-The xinetd service provides a dedicated listener service for some programs,
-which is no longer necessary for commonly-used network services. Disabling it
-ensures that these uncommon services are not running, and also prevents
-attacks against xinetd itself.
-
-Details: `V-38582 in STIG Viewer`_.
-
-.. _V-38582 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38582
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38583.rst b/doc/source/stig-notes/V-38583.rst
deleted file mode 100644
index 5f1501eb..00000000
--- a/doc/source/stig-notes/V-38583.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38583: The system boot loader configuration file(s) must have mode 0600 or less permissive.
----------------------------------------------------------------------------------------------
-
-Proper permissions ensure that only the root user can modify important boot
-parameters.
-
-Details: `V-38583 in STIG Viewer`_.
-
-.. _V-38583 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38583
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38584.rst b/doc/source/stig-notes/V-38584.rst
deleted file mode 100644
index 8b120578..00000000
--- a/doc/source/stig-notes/V-38584.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38584: The xinetd service must be uninstalled if no network services utilizing it are enabled.
-------------------------------------------------------------------------------------------------
-
-Removing the "xinetd" package decreases the risk of the xinetd service's
-accidental (or intentional) activation.
-
-Details: `V-38584 in STIG Viewer`_.
-
-.. _V-38584 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38584
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38585.rst b/doc/source/stig-notes/V-38585.rst
deleted file mode 100644
index 1cda06cf..00000000
--- a/doc/source/stig-notes/V-38585.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38585: The system boot loader must require authentication.
-------------------------------------------------------------
-
-Password protection on the boot loader configuration ensures users with
-physical access cannot trivially alter important bootloader settings. These
-include which kernel to use, and whether to enter single-user mode.
-
-Details: `V-38585 in STIG Viewer`_.
-
-.. _V-38585 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38585
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38586.rst b/doc/source/stig-notes/V-38586.rst
deleted file mode 100644
index ffcd05a5..00000000
--- a/doc/source/stig-notes/V-38586.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38586: The system must require authentication upon booting into single-user and maintenance modes.
-----------------------------------------------------------------------------------------------------
-
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented by
-configuring the bootloader password.
-
-Details: `V-38586 in STIG Viewer`_.
-
-.. _V-38586 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38586
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38587.rst b/doc/source/stig-notes/V-38587.rst
deleted file mode 100644
index b6f4fad6..00000000
--- a/doc/source/stig-notes/V-38587.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38587: The telnet-server package must not be installed.
----------------------------------------------------------
-
-Removing the "telnet-server" package decreases the risk of the unencrypted
-telnet service's accidental (or intentional) activation. Mitigation: If the
-telnet-server package is configured to only allow encrypted sessions, such as
-with Kerberos or the use of encrypted network tunnels, the risk of exposing
-sensitive information is mitigated.
-
-Details: `V-38587 in STIG Viewer`_.
-
-.. _V-38587 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38587
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38588.rst b/doc/source/stig-notes/V-38588.rst
deleted file mode 100644
index 43e54b16..00000000
--- a/doc/source/stig-notes/V-38588.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38588: The system must not permit interactive boot.
------------------------------------------------------
-
-Using interactive boot, the console user could disable auditing, firewalls, or
-other services, weakening system security.
-
-Details: `V-38588 in STIG Viewer`_.
-
-.. _V-38588 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38588
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38589.rst b/doc/source/stig-notes/V-38589.rst
deleted file mode 100644
index 6cb1c9d7..00000000
--- a/doc/source/stig-notes/V-38589.rst
+++ /dev/null
@@ -1,17 +0,0 @@
-V-38589: The telnet daemon must not be running.
------------------------------------------------
-
-The telnet protocol uses unencrypted network communication, which means that
-data from the login session, including passwords and all other information
-transmitted during the session, can be stolen by eavesdroppers on the network.
-The telnet protocol is also subject to man-in-the-middle attacks. Mitigation:
-If an enabled telnet daemon is configured to only allow encrypted sessions,
-such as with Kerberos or the use of encrypted network tunnels, the risk of
-exposing sensitive information is mitigated.
-
-Details: `V-38589 in STIG Viewer`_.
-
-.. _V-38589 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38589
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38590.rst b/doc/source/stig-notes/V-38590.rst
deleted file mode 100644
index ea7036f9..00000000
--- a/doc/source/stig-notes/V-38590.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38590: The system must allow locking of the console screen in text mode.
---------------------------------------------------------------------------
-
-Installing "screen" ensures a console locking capability is available for
-users who may need to suspend console logins.
-
-Details: `V-38590 in STIG Viewer`_.
-
-.. _V-38590 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38590
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38591.rst b/doc/source/stig-notes/V-38591.rst
deleted file mode 100644
index a14b7415..00000000
--- a/doc/source/stig-notes/V-38591.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38591: The rsh-server package must not be installed.
-------------------------------------------------------
-
-The "rsh-server" package provides several obsolete and insecure network
-services. Removing it decreases the risk of those services' accidental (or
-intentional) activation.
-
-Details: `V-38591 in STIG Viewer`_.
-
-.. _V-38591 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38591
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38592.rst b/doc/source/stig-notes/V-38592.rst
deleted file mode 100644
index 094d8d53..00000000
--- a/doc/source/stig-notes/V-38592.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38592: The system must require administrator action to unlock an account locked by excessive failed login attempts.
----------------------------------------------------------------------------------------------------------------------
-
-Locking out user accounts after a number of incorrect attempts prevents direct
-password guessing attacks. Ensuring that an administrator is involved in
-unlocking locked accounts draws appropriate attention to such situations.
-
-Details: `V-38592 in STIG Viewer`_.
-
-.. _V-38592 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38592
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38593.rst b/doc/source/stig-notes/V-38593.rst
deleted file mode 100644
index dae93a66..00000000
--- a/doc/source/stig-notes/V-38593.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38593: The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
------------------------------------------------------------------------------------------------------------------------------------
-
-An appropriate warning message reinforces policy awareness during the logon
-process and facilitates possible legal action against attackers.
-
-Details: `V-38593 in STIG Viewer`_.
-
-.. _V-38593 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38593
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38594.rst b/doc/source/stig-notes/V-38594.rst
deleted file mode 100644
index e5fdca3f..00000000
--- a/doc/source/stig-notes/V-38594.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38594: The rshd service must not be running.
-----------------------------------------------
-
-The rsh service uses unencrypted network communications, which means that data
-from the login session, including passwords and all other information
-transmitted during the session, can be stolen by eavesdroppers on the network.
-
-Details: `V-38594 in STIG Viewer`_.
-
-.. _V-38594 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38594
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38595.rst b/doc/source/stig-notes/V-38595.rst
deleted file mode 100644
index 5471f6d1..00000000
--- a/doc/source/stig-notes/V-38595.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38595: The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
-----------------------------------------------------------------------------------------------------------------------------------------------------
-
-Smart card login provides two-factor authentication stronger than that
-provided by a username/password combination. Smart cards leverage a PKI
-(public key infrastructure) in order to provide and verify credentials.
-
-Details: `V-38595 in STIG Viewer`_.
-
-.. _V-38595 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38595
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38596.rst b/doc/source/stig-notes/V-38596.rst
deleted file mode 100644
index 630ee0e4..00000000
--- a/doc/source/stig-notes/V-38596.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-V-38596: The system must implement virtual address space randomization.
------------------------------------------------------------------------
-
-Address space layout randomization (ASLR) makes it more difficult for an
-attacker to predict the location of attack code he or she has introduced into
-a process's address space during an attempt at exploitation. Additionally,
-ASLR also makes it more difficult for an attacker to know the location of
-existing code in order to repurpose it using return oriented programming (ROP)
-techniques.
-
-Details: `V-38596 in STIG Viewer`_.
-
-.. _V-38596 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38596
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38597.rst b/doc/source/stig-notes/V-38597.rst
deleted file mode 100644
index 1b50e028..00000000
--- a/doc/source/stig-notes/V-38597.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-V-38597: The system must limit the ability of processes to have simultaneous write and execute access to memory.
-----------------------------------------------------------------------------------------------------------------
-
-ExecShield uses the segmentation feature on all x86 systems to prevent
-execution in memory higher than a certain address. It writes an address as a
-limit in the code segment descriptor, to control where code can be executed,
-on a per-process basis. When the kernel places a process's memory regions such
-as the stack and heap higher than this address, the hardware prevents
-execution in that address range.
-
-Details: `V-38597 in STIG Viewer`_.
-
-.. _V-38597 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38597
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38598.rst b/doc/source/stig-notes/V-38598.rst
deleted file mode 100644
index a025b02b..00000000
--- a/doc/source/stig-notes/V-38598.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38598: The rexecd service must not be running.
-------------------------------------------------
-
-The rexec service uses unencrypted network communications, which means that
-data from the login session, including passwords and all other information
-transmitted during the session, can be stolen by eavesdroppers on the network.
-
-Details: `V-38598 in STIG Viewer`_.
-
-.. _V-38598 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38598
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38599.rst b/doc/source/stig-notes/V-38599.rst
deleted file mode 100644
index 5e243f2b..00000000
--- a/doc/source/stig-notes/V-38599.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38599: The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
------------------------------------------------------------------------------------------------------------------
-
-This setting will cause the system greeting banner to be used for FTP
-connections as well.
-
-Details: `V-38599 in STIG Viewer`_.
-
-.. _V-38599 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38599
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38600.rst b/doc/source/stig-notes/V-38600.rst
deleted file mode 100644
index fe208c43..00000000
--- a/doc/source/stig-notes/V-38600.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38600: The system must not send ICMPv4 redirects by default.
---------------------------------------------------------------
-
-Sending ICMP redirects permits the system to instruct other systems to update
-their routing information. The ability to send ICMP redirects is only
-appropriate for systems acting as routers.
-
-Details: `V-38600 in STIG Viewer`_.
-
-.. _V-38600 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38600
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38601.rst b/doc/source/stig-notes/V-38601.rst
deleted file mode 100644
index 9de28251..00000000
--- a/doc/source/stig-notes/V-38601.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38601: The system must not send ICMPv4 redirects from any interface.
-----------------------------------------------------------------------
-
-Sending ICMP redirects permits the system to instruct other systems to update
-their routing information. The ability to send ICMP redirects is only
-appropriate for systems acting as routers.
-
-Details: `V-38601 in STIG Viewer`_.
-
-.. _V-38601 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38601
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38602.rst b/doc/source/stig-notes/V-38602.rst
deleted file mode 100644
index 190cdb0d..00000000
--- a/doc/source/stig-notes/V-38602.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38602: The rlogind service must not be running.
--------------------------------------------------
-
-The rlogin service uses unencrypted network communications, which means that
-data from the login session, including passwords and all other information
-transmitted during the session, can be stolen by eavesdroppers on the network.
-
-Details: `V-38602 in STIG Viewer`_.
-
-.. _V-38602 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38602
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38603.rst b/doc/source/stig-notes/V-38603.rst
deleted file mode 100644
index 0ba9c2d5..00000000
--- a/doc/source/stig-notes/V-38603.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38603: The ypserv package must not be installed.
---------------------------------------------------
-
-Removing the "ypserv" package decreases the risk of the accidental (or
-intentional) activation of NIS or NIS+ services.
-
-Details: `V-38603 in STIG Viewer`_.
-
-.. _V-38603 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38603
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38604.rst b/doc/source/stig-notes/V-38604.rst
deleted file mode 100644
index ef811a01..00000000
--- a/doc/source/stig-notes/V-38604.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38604: The ypbind service must not be running.
-------------------------------------------------
-
-Disabling the "ypbind" service ensures the system is not acting as a client in
-a NIS or NIS+ domain.
-
-Details: `V-38604 in STIG Viewer`_.
-
-.. _V-38604 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38604
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38605.rst b/doc/source/stig-notes/V-38605.rst
deleted file mode 100644
index 68b3f021..00000000
--- a/doc/source/stig-notes/V-38605.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38605: The cron service must be running.
-------------------------------------------
-
-Due to its usage for maintenance and security-supporting tasks, enabling the
-cron daemon is essential.
-
-Details: `V-38605 in STIG Viewer`_.
-
-.. _V-38605 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38605
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38606.rst b/doc/source/stig-notes/V-38606.rst
deleted file mode 100644
index e95c3b30..00000000
--- a/doc/source/stig-notes/V-38606.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38606: The tftp-server package must not be installed unless required.
------------------------------------------------------------------------
-
-Removing the "tftp-server" package decreases the risk of the accidental (or
-intentional) activation of tftp services.
-
-Details: `V-38606 in STIG Viewer`_.
-
-.. _V-38606 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38606
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38607.rst b/doc/source/stig-notes/V-38607.rst
deleted file mode 100644
index 3a3199bd..00000000
--- a/doc/source/stig-notes/V-38607.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38607: The SSH daemon must be configured to use only the SSHv2 protocol.
---------------------------------------------------------------------------
-
-SSH protocol version 1 suffers from design flaws that result in security
-vulnerabilities and should not be used.
-
-Details: `V-38607 in STIG Viewer`_.
-
-.. _V-38607 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38607
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38608.rst b/doc/source/stig-notes/V-38608.rst
deleted file mode 100644
index faa84add..00000000
--- a/doc/source/stig-notes/V-38608.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38608: The SSH daemon must set a timeout interval on idle sessions.
----------------------------------------------------------------------
-
-Causing idle users to be automatically logged out guards against compromises
-one system leading trivially to compromises on another.
-
-Details: `V-38608 in STIG Viewer`_.
-
-.. _V-38608 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38608
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38609.rst b/doc/source/stig-notes/V-38609.rst
deleted file mode 100644
index 2e1d384d..00000000
--- a/doc/source/stig-notes/V-38609.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38609: The TFTP service must not be running.
-----------------------------------------------
-
-Disabling the "tftp" service ensures the system is not acting as a tftp
-server, which does not provide encryption or authentication.
-
-Details: `V-38609 in STIG Viewer`_.
-
-.. _V-38609 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38609
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38610.rst b/doc/source/stig-notes/V-38610.rst
deleted file mode 100644
index dfbeb3c2..00000000
--- a/doc/source/stig-notes/V-38610.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38610: The SSH daemon must set a timeout count on idle sessions.
-------------------------------------------------------------------
-
-This ensures a user login will be terminated as soon as the
-"ClientAliveCountMax" is reached.
-
-Details: `V-38610 in STIG Viewer`_.
-
-.. _V-38610 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38610
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38611.rst b/doc/source/stig-notes/V-38611.rst
deleted file mode 100644
index 61b9ef17..00000000
--- a/doc/source/stig-notes/V-38611.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38611: The SSH daemon must ignore .rhosts files.
---------------------------------------------------
-
-SSH trust relationships mean a compromise on one host can allow an attacker to
-move trivially to other hosts.
-
-Details: `V-38611 in STIG Viewer`_.
-
-.. _V-38611 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38611
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38612.rst b/doc/source/stig-notes/V-38612.rst
deleted file mode 100644
index 6671c78b..00000000
--- a/doc/source/stig-notes/V-38612.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38612: The SSH daemon must not allow host-based authentication.
------------------------------------------------------------------
-
-SSH trust relationships mean a compromise on one host can allow an attacker to
-move trivially to other hosts.
-
-Details: `V-38612 in STIG Viewer`_.
-
-.. _V-38612 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38612
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38613.rst b/doc/source/stig-notes/V-38613.rst
deleted file mode 100644
index 2e19eea0..00000000
--- a/doc/source/stig-notes/V-38613.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38613: The system must not permit root logins using remote access programs such as ssh.
------------------------------------------------------------------------------------------
-
-Permitting direct root login reduces auditable information about who ran
-privileged commands on the system and also allows direct attack attempts on
-root's password.
-
-Details: `V-38613 in STIG Viewer`_.
-
-.. _V-38613 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38613
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38614.rst b/doc/source/stig-notes/V-38614.rst
deleted file mode 100644
index af516d15..00000000
--- a/doc/source/stig-notes/V-38614.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38614: The SSH daemon must not allow authentication using an empty password.
-------------------------------------------------------------------------------
-
-Configuring this setting for the SSH daemon provides additional assurance that
-remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
-
-Details: `V-38614 in STIG Viewer`_.
-
-.. _V-38614 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38614
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38615.rst b/doc/source/stig-notes/V-38615.rst
deleted file mode 100644
index d39296b0..00000000
--- a/doc/source/stig-notes/V-38615.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38615: The SSH daemon must be configured with the Department of Defense (DoD) login banner.
----------------------------------------------------------------------------------------------
-
-The warning message reinforces policy awareness during the logon process and
-facilitates possible legal action against attackers. Alternatively, systems
-whose ownership should not be obvious should ensure usage of a banner that
-does not provide easy attribution.
-
-Details: `V-38615 in STIG Viewer`_.
-
-.. _V-38615 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38615
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38616.rst b/doc/source/stig-notes/V-38616.rst
deleted file mode 100644
index 227a1704..00000000
--- a/doc/source/stig-notes/V-38616.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38616: The SSH daemon must not permit user environment settings.
-------------------------------------------------------------------
-
-SSH environment options potentially allow users to bypass access restriction
-in some configurations.
-
-Details: `V-38616 in STIG Viewer`_.
-
-.. _V-38616 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38616
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38617.rst b/doc/source/stig-notes/V-38617.rst
deleted file mode 100644
index edbd470d..00000000
--- a/doc/source/stig-notes/V-38617.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38617: The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
------------------------------------------------------------------------------------
-
-Approved algorithms should impart some level of confidence in their
-implementation. These are also required for compliance.
-
-Details: `V-38617 in STIG Viewer`_.
-
-.. _V-38617 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38617
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38618.rst b/doc/source/stig-notes/V-38618.rst
deleted file mode 100644
index c6abdb05..00000000
--- a/doc/source/stig-notes/V-38618.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38618: The avahi service must be disabled.
---------------------------------------------
-
-Because the Avahi daemon service keeps an open network port, it is subject to
-network attacks. Its functionality is convenient but is only appropriate if
-the local network can be trusted.
-
-Details: `V-38618 in STIG Viewer`_.
-
-.. _V-38618 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38618
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38619.rst b/doc/source/stig-notes/V-38619.rst
deleted file mode 100644
index 6108bcab..00000000
--- a/doc/source/stig-notes/V-38619.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38619: There must be no .netrc files on the system.
------------------------------------------------------
-
-Unencrypted passwords for remote FTP servers may be stored in ".netrc" files.
-DoD policy requires passwords be encrypted in storage and not used in access
-scripts.
-
-Details: `V-38619 in STIG Viewer`_.
-
-.. _V-38619 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38619
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38620.rst b/doc/source/stig-notes/V-38620.rst
deleted file mode 100644
index 7e20a7b2..00000000
--- a/doc/source/stig-notes/V-38620.rst
+++ /dev/null
@@ -1,17 +0,0 @@
-V-38620: The system clock must be synchronized continuously, or at least daily.
--------------------------------------------------------------------------------
-
-Enabling the "ntpd" service ensures that the "ntpd" service will be running
-and that the system will synchronize its time to any servers specified. This
-is important whether the system is configured to be a client (and synchronize
-only its own clock) or it is also acting as an NTP server to other systems.
-Synchronizing time is essential for authentication services such as Kerberos,
-but it is also important for maintaining accurate logs and auditing possible
-security breaches.
-
-Details: `V-38620 in STIG Viewer`_.
-
-.. _V-38620 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38620
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38621.rst b/doc/source/stig-notes/V-38621.rst
deleted file mode 100644
index be8beb5e..00000000
--- a/doc/source/stig-notes/V-38621.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38621: The system clock must be synchronized to an authoritative DoD time source.
------------------------------------------------------------------------------------
-
-Synchronizing with an NTP server makes it possible to collate system logs from
-multiple sources or correlate computer events with real time events. Using a
-trusted NTP server provided by your organization is recommended.
-
-Details: `V-38621 in STIG Viewer`_.
-
-.. _V-38621 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38621
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38622.rst b/doc/source/stig-notes/V-38622.rst
deleted file mode 100644
index d1f7ae6b..00000000
--- a/doc/source/stig-notes/V-38622.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38622: Mail relaying must be restricted.
-------------------------------------------
-
-This ensures "postfix" accepts mail messages (such as cron job reports) from
-the local system only, and not from the network, which protects it from
-network attack.
-
-Details: `V-38622 in STIG Viewer`_.
-
-.. _V-38622 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38622
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38623.rst b/doc/source/stig-notes/V-38623.rst
deleted file mode 100644
index cacb041a..00000000
--- a/doc/source/stig-notes/V-38623.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38623: All rsyslog-generated log files must have mode 0600 or less permissive.
---------------------------------------------------------------------------------
-
-Log files can contain valuable information regarding system configuration. If
-the system log files are not protected, unauthorized users could change the
-logged data, eliminating their forensic value.
-
-Details: `V-38623 in STIG Viewer`_.
-
-.. _V-38623 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38623
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38624.rst b/doc/source/stig-notes/V-38624.rst
deleted file mode 100644
index b355f4fc..00000000
--- a/doc/source/stig-notes/V-38624.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38624: System logs must be rotated daily.
--------------------------------------------
-
-Log files that are not properly rotated run the risk of growing so large that
-they fill up the /var/log partition. Valuable logging information could be
-lost if the /var/log partition becomes full.
-
-Details: `V-38624 in STIG Viewer`_.
-
-.. _V-38624 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38624
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38625.rst b/doc/source/stig-notes/V-38625.rst
deleted file mode 100644
index d20c91dc..00000000
--- a/doc/source/stig-notes/V-38625.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38625: If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-The ssl directive specifies whether to use ssl or not. If not specified it
-will default to "no". It should be set to "start_tls" rather than doing LDAP
-over SSL.
-
-Details: `V-38625 in STIG Viewer`_.
-
-.. _V-38625 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38625
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38626.rst b/doc/source/stig-notes/V-38626.rst
deleted file mode 100644
index a38b878d..00000000
--- a/doc/source/stig-notes/V-38626.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38626: The LDAP client must use a TLS connection using trust certificates signed by the site CA.
---------------------------------------------------------------------------------------------------
-
-The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer
-is configured (which is the default for openldap versions 2.1 and up). These
-directives define the path to the trust certificates signed by the site CA.
-
-Details: `V-38626 in STIG Viewer`_.
-
-.. _V-38626 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38626
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38627.rst b/doc/source/stig-notes/V-38627.rst
deleted file mode 100644
index 23de4b74..00000000
--- a/doc/source/stig-notes/V-38627.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38627: The openldap-servers package must not be installed unless required.
-----------------------------------------------------------------------------
-
-Unnecessary packages should not be installed to decrease the attack surface of
-the system.
-
-Details: `V-38627 in STIG Viewer`_.
-
-.. _V-38627 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38627
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38628.rst b/doc/source/stig-notes/V-38628.rst
deleted file mode 100644
index 78656093..00000000
--- a/doc/source/stig-notes/V-38628.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38628: The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-Ensuring the "auditd" service is active ensures audit records generated by the
-kernel can be written to disk, or that appropriate actions will be taken if
-other obstacles exist.
-
-Details: `V-38628 in STIG Viewer`_.
-
-.. _V-38628 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38628
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38628_developer.rst b/doc/source/stig-notes/V-38628_developer.rst
deleted file mode 100644
index d45851d7..00000000
--- a/doc/source/stig-notes/V-38628_developer.rst
+++ /dev/null
@@ -1 +0,0 @@
-This STIG requirement overlaps with V-38632.
diff --git a/doc/source/stig-notes/V-38629.rst b/doc/source/stig-notes/V-38629.rst
deleted file mode 100644
index 193172ae..00000000
--- a/doc/source/stig-notes/V-38629.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38629: The graphical desktop environment must set the idle timeout to no more than 15 minutes.
-------------------------------------------------------------------------------------------------
-
-Setting the idle delay controls when the screensaver will start, and can be
-combined with screen locking to prevent access from passersby.
-
-Details: `V-38629 in STIG Viewer`_.
-
-.. _V-38629 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38629
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38630.rst b/doc/source/stig-notes/V-38630.rst
deleted file mode 100644
index 6eac67ad..00000000
--- a/doc/source/stig-notes/V-38630.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38630: The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-Enabling idle activation of the screen saver ensures the screensaver will be
-activated after the idle delay. Applications requiring continuous, real-time
-screen display (such as network management products) require the login session
-does not have administrator rights and the display station is located in a
-controlled-access area.
-
-Details: `V-38630 in STIG Viewer`_.
-
-.. _V-38630 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38630
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38631.rst b/doc/source/stig-notes/V-38631.rst
deleted file mode 100644
index c34ed7b7..00000000
--- a/doc/source/stig-notes/V-38631.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38631: The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
----------------------------------------------------------------------------------------------------------------------------------
-
-Ensuring the "auditd" service is active ensures audit records generated by the
-kernel can be written to disk, or that appropriate actions will be taken if
-other obstacles exist.
-
-Details: `V-38631 in STIG Viewer`_.
-
-.. _V-38631 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38631
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38631_developer.rst b/doc/source/stig-notes/V-38631_developer.rst
deleted file mode 100644
index d45851d7..00000000
--- a/doc/source/stig-notes/V-38631_developer.rst
+++ /dev/null
@@ -1 +0,0 @@
-This STIG requirement overlaps with V-38632.
diff --git a/doc/source/stig-notes/V-38632.rst b/doc/source/stig-notes/V-38632.rst
deleted file mode 100644
index 51090adf..00000000
--- a/doc/source/stig-notes/V-38632.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38632: The operating system must produce audit records containing sufficient information to establish what type of events occurred.
--------------------------------------------------------------------------------------------------------------------------------------
-
-Ensuring the "auditd" service is active ensures audit records generated by the
-kernel can be written to disk, or that appropriate actions will be taken if
-other obstacles exist.
-
-Details: `V-38632 in STIG Viewer`_.
-
-.. _V-38632 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38632
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38633.rst b/doc/source/stig-notes/V-38633.rst
deleted file mode 100644
index 72e494f9..00000000
--- a/doc/source/stig-notes/V-38633.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38633: The system must set a maximum audit log file size.
------------------------------------------------------------
-
-The total storage for audit log files must be large enough to retain log
-information over the period required. This is a function of the maximum log
-file size and the number of logs retained.
-
-Details: `V-38633 in STIG Viewer`_.
-
-.. _V-38633 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38633
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38634.rst b/doc/source/stig-notes/V-38634.rst
deleted file mode 100644
index 04364a18..00000000
--- a/doc/source/stig-notes/V-38634.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38634: The system must rotate audit log files that reach the maximum file size.
----------------------------------------------------------------------------------
-
-Automatically rotating logs (by setting this to "rotate") minimizes the
-chances of the system unexpectedly running out of disk space by being
-overwhelmed with log data. However, for systems that must never discard log
-data, or which use external processes to transfer it and reclaim space,
-"keep_logs" can be employed.
-
-Details: `V-38634 in STIG Viewer`_.
-
-.. _V-38634 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38634
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38635.rst b/doc/source/stig-notes/V-38635.rst
deleted file mode 100644
index 690be31e..00000000
--- a/doc/source/stig-notes/V-38635.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38635: The audit system must be configured to audit all attempts to alter system time through adjtimex.
----------------------------------------------------------------------------------------------------------
-
-Arbitrary changes to the system time can be used to obfuscate nefarious
-activities in log files, as well as to confuse network services that are
-highly dependent upon an accurate system time (such as sshd). All changes to
-the system time should be audited.
-
-Details: `V-38635 in STIG Viewer`_.
-
-.. _V-38635 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38635
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38636.rst b/doc/source/stig-notes/V-38636.rst
deleted file mode 100644
index 4954bbd6..00000000
--- a/doc/source/stig-notes/V-38636.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38636: The system must retain enough rotated audit logs to cover the required log retention period.
------------------------------------------------------------------------------------------------------
-
-The total storage for audit log files must be large enough to retain log
-information over the period required. This is a function of the maximum log
-file size and the number of logs retained.
-
-Details: `V-38636 in STIG Viewer`_.
-
-.. _V-38636 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38636
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38637.rst b/doc/source/stig-notes/V-38637.rst
deleted file mode 100644
index 04f4f10a..00000000
--- a/doc/source/stig-notes/V-38637.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38637: The system package management tool must verify contents of all files associated with the audit package.
-----------------------------------------------------------------------------------------------------------------
-
-The hash on important files like audit system executables should match the
-information given by the RPM database. Audit executables with erroneous
-hashes could be a sign of nefarious activity on the system.
-
-Details: `V-38637 in STIG Viewer`_.
-
-.. _V-38637 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38637
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38638.rst b/doc/source/stig-notes/V-38638.rst
deleted file mode 100644
index b7b8258e..00000000
--- a/doc/source/stig-notes/V-38638.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38638: The graphical desktop environment must have automatic lock enabled.
-----------------------------------------------------------------------------
-
-Enabling the activation of the screen lock after an idle period ensures
-password entry will be required in order to access the system, preventing
-access by passersby.
-
-Details: `V-38638 in STIG Viewer`_.
-
-.. _V-38638 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38638
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38639.rst b/doc/source/stig-notes/V-38639.rst
deleted file mode 100644
index 8dd32222..00000000
--- a/doc/source/stig-notes/V-38639.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38639: The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
------------------------------------------------------------------------------------------------------------------
-
-Setting the screensaver mode to blank-only conceals the contents of the
-display from passersby.
-
-Details: `V-38639 in STIG Viewer`_.
-
-.. _V-38639 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38639
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38640.rst b/doc/source/stig-notes/V-38640.rst
deleted file mode 100644
index cdaf67ff..00000000
--- a/doc/source/stig-notes/V-38640.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38640: The Automatic Bug Reporting Tool (abrtd) service must not be running.
-------------------------------------------------------------------------------
-
-Mishandling crash data could expose sensitive information about
-vulnerabilities in software executing on the local machine, as well as
-sensitive information from within a process's address space or registers.
-
-Details: `V-38640 in STIG Viewer`_.
-
-.. _V-38640 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38640
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38641.rst b/doc/source/stig-notes/V-38641.rst
deleted file mode 100644
index 645eb604..00000000
--- a/doc/source/stig-notes/V-38641.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38641: The atd service must be disabled.
-------------------------------------------
-
-The "atd" service could be used by an unsophisticated insider to carry out
-activities outside of a normal login session, which could complicate
-accountability. Furthermore, the need to schedule tasks with "at" or "batch"
-is not common.
-
-Details: `V-38641 in STIG Viewer`_.
-
-.. _V-38641 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38641
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38642.rst b/doc/source/stig-notes/V-38642.rst
deleted file mode 100644
index 28967c57..00000000
--- a/doc/source/stig-notes/V-38642.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38642: The system default umask for daemons must be 027 or 022.
------------------------------------------------------------------
-
-The umask influences the permissions assigned to files created by a process at
-run time. An unnecessarily permissive umask could result in files being
-created with insecure permissions.
-
-Details: `V-38642 in STIG Viewer`_.
-
-.. _V-38642 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38642
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38643.rst b/doc/source/stig-notes/V-38643.rst
deleted file mode 100644
index 2fba4a30..00000000
--- a/doc/source/stig-notes/V-38643.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38643: There must be no world-writable files on the system.
--------------------------------------------------------------
-
-Data in world-writable files can be modified by any user on the system. In
-almost all circumstances, files can be configured using a combination of user
-and group permissions to support whatever legitimate access is needed without
-the risk caused by world-writable files.
-
-Details: `V-38643 in STIG Viewer`_.
-
-.. _V-38643 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38643
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38644.rst b/doc/source/stig-notes/V-38644.rst
deleted file mode 100644
index 0e2de8a6..00000000
--- a/doc/source/stig-notes/V-38644.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38644: The ntpdate service must not be running.
--------------------------------------------------
-
-The "ntpdate" service may only be suitable for systems which are rebooted
-frequently enough that clock drift does not cause problems between reboots. In
-any event, the functionality of the ntpdate service is now available in the
-ntpd program and should be considered deprecated.
-
-Details: `V-38644 in STIG Viewer`_.
-
-.. _V-38644 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38644
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38645.rst b/doc/source/stig-notes/V-38645.rst
deleted file mode 100644
index 29b3023e..00000000
--- a/doc/source/stig-notes/V-38645.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38645: The system default umask in /etc/login.defs must be 077.
------------------------------------------------------------------
-
-The umask value influences the permissions assigned to files when they are
-created. A misconfigured umask value could result in files with excessive
-permissions that can be read and/or written to by unauthorized users.
-
-Details: `V-38645 in STIG Viewer`_.
-
-.. _V-38645 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38645
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38646.rst b/doc/source/stig-notes/V-38646.rst
deleted file mode 100644
index 2a908ddc..00000000
--- a/doc/source/stig-notes/V-38646.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38646: The oddjobd service must not be running.
--------------------------------------------------
-
-The "oddjobd" service may provide necessary functionality in some environments
-but it can be disabled if it is not needed. Execution of tasks by privileged
-programs, on behalf of unprivileged ones, has traditionally been a source of
-privilege escalation security issues.
-
-Details: `V-38646 in STIG Viewer`_.
-
-.. _V-38646 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38646
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38647.rst b/doc/source/stig-notes/V-38647.rst
deleted file mode 100644
index 51a63d59..00000000
--- a/doc/source/stig-notes/V-38647.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38647: The system default umask in /etc/profile must be 077.
---------------------------------------------------------------
-
-The umask value influences the permissions assigned to files when they are
-created. A misconfigured umask value could result in files with excessive
-permissions that can be read and/or written to by unauthorized users.
-
-Details: `V-38647 in STIG Viewer`_.
-
-.. _V-38647 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38647
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38648.rst b/doc/source/stig-notes/V-38648.rst
deleted file mode 100644
index 9684f698..00000000
--- a/doc/source/stig-notes/V-38648.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38648: The qpidd service must not be running.
------------------------------------------------
-
-The qpidd service is automatically installed when the "base" package selection
-is selected during installation. The qpidd service listens for network
-connections which increases the attack surface of the system. If the system is
-not intended to receive AMQP traffic then the "qpidd" service is not needed
-and should be disabled or removed.
-
-Details: `V-38648 in STIG Viewer`_.
-
-.. _V-38648 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38648
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38649.rst b/doc/source/stig-notes/V-38649.rst
deleted file mode 100644
index d869615a..00000000
--- a/doc/source/stig-notes/V-38649.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38649: The system default umask for the csh shell must be 077.
-----------------------------------------------------------------
-
-The umask value influences the permissions assigned to files when they are
-created. A misconfigured umask value could result in files with excessive
-permissions that can be read and/or written to by unauthorized users.
-
-Details: `V-38649 in STIG Viewer`_.
-
-.. _V-38649 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38649
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38650.rst b/doc/source/stig-notes/V-38650.rst
deleted file mode 100644
index c76e7d81..00000000
--- a/doc/source/stig-notes/V-38650.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38650: The rdisc service must not be running.
------------------------------------------------
-
-General-purpose systems typically have their network and routing information
-configured statically by a system administrator. Workstations or some special-
-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network
-configuration information.
-
-Details: `V-38650 in STIG Viewer`_.
-
-.. _V-38650 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38650
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38651.rst b/doc/source/stig-notes/V-38651.rst
deleted file mode 100644
index 32a66484..00000000
--- a/doc/source/stig-notes/V-38651.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38651: The system default umask for the bash shell must be 077.
------------------------------------------------------------------
-
-The umask value influences the permissions assigned to files when they are
-created. A misconfigured umask value could result in files with excessive
-permissions that can be read and/or written to by unauthorized users.
-
-Details: `V-38651 in STIG Viewer`_.
-
-.. _V-38651 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38651
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38652.rst b/doc/source/stig-notes/V-38652.rst
deleted file mode 100644
index ff034e39..00000000
--- a/doc/source/stig-notes/V-38652.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38652: Remote file systems must be mounted with the nodev option.
--------------------------------------------------------------------
-
-Legitimate device files should only exist in the /dev directory. NFS mounts
-should not present device files to users.
-
-Details: `V-38652 in STIG Viewer`_.
-
-.. _V-38652 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38652
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38653.rst b/doc/source/stig-notes/V-38653.rst
deleted file mode 100644
index 9d41a48d..00000000
--- a/doc/source/stig-notes/V-38653.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38653: The snmpd service must not use a default password.
------------------------------------------------------------
-
-Presence of the default SNMP password enables querying of different system
-aspects and could result in unauthorized knowledge of the system.
-
-Details: `V-38653 in STIG Viewer`_.
-
-.. _V-38653 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38653
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38654.rst b/doc/source/stig-notes/V-38654.rst
deleted file mode 100644
index 87608fd5..00000000
--- a/doc/source/stig-notes/V-38654.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38654: Remote file systems must be mounted with the nosuid option.
---------------------------------------------------------------------
-
-NFS mounts should not present suid binaries to users. Only vendor-supplied
-suid executables should be installed to their default location on the local
-filesystem.
-
-Details: `V-38654 in STIG Viewer`_.
-
-.. _V-38654 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38654
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38655.rst b/doc/source/stig-notes/V-38655.rst
deleted file mode 100644
index 34084520..00000000
--- a/doc/source/stig-notes/V-38655.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38655: The noexec option must be added to removable media partitions.
------------------------------------------------------------------------
-
-Allowing users to execute binaries from removable media such as USB keys
-exposes the system to potential compromise.
-
-Details: `V-38655 in STIG Viewer`_.
-
-.. _V-38655 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38655
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38656.rst b/doc/source/stig-notes/V-38656.rst
deleted file mode 100644
index c417f16f..00000000
--- a/doc/source/stig-notes/V-38656.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38656: The system must use SMB client signing for connecting to samba servers using smbclient.
-------------------------------------------------------------------------------------------------
-
-Packet signing can prevent man-in-the-middle attacks which modify SMB packets
-in transit.
-
-Details: `V-38656 in STIG Viewer`_.
-
-.. _V-38656 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38656
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38657.rst b/doc/source/stig-notes/V-38657.rst
deleted file mode 100644
index 37f3ab3b..00000000
--- a/doc/source/stig-notes/V-38657.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38657: The system must use SMB client signing for connecting to samba servers using mount.cifs.
--------------------------------------------------------------------------------------------------
-
-Packet signing can prevent man-in-the-middle attacks which modify SMB packets
-in transit.
-
-Details: `V-38657 in STIG Viewer`_.
-
-.. _V-38657 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38657
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38658.rst b/doc/source/stig-notes/V-38658.rst
deleted file mode 100644
index 7d12c685..00000000
--- a/doc/source/stig-notes/V-38658.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38658: The system must prohibit the reuse of passwords within twenty-four iterations.
----------------------------------------------------------------------------------------
-
-Preventing reuse of previous passwords helps ensure that a compromised
-password is not reused by a user.
-
-Details: `V-38658 in STIG Viewer`_.
-
-.. _V-38658 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38658
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38659.rst b/doc/source/stig-notes/V-38659.rst
deleted file mode 100644
index 4da529a6..00000000
--- a/doc/source/stig-notes/V-38659.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38659: The operating system must employ cryptographic mechanisms to protect information in storage.
------------------------------------------------------------------------------------------------------
-
-The risk of a system's physical compromise, particularly mobile systems such
-as laptops, places its data at risk of compromise. Encrypting this data
-mitigates the risk of its loss if the system is lost.
-
-Details: `V-38659 in STIG Viewer`_.
-
-.. _V-38659 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38659
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38660.rst b/doc/source/stig-notes/V-38660.rst
deleted file mode 100644
index dc5ef211..00000000
--- a/doc/source/stig-notes/V-38660.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38660: The snmpd service must use only SNMP protocol version 3 or newer.
---------------------------------------------------------------------------
-
-Earlier versions of SNMP are considered insecure, as they potentially allow
-unauthorized access to detailed system management information.
-
-Details: `V-38660 in STIG Viewer`_.
-
-.. _V-38660 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38660
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38661.rst b/doc/source/stig-notes/V-38661.rst
deleted file mode 100644
index 5f533b78..00000000
--- a/doc/source/stig-notes/V-38661.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38661: The operating system must protect the confidentiality and integrity of data at rest.
----------------------------------------------------------------------------------------------
-
-The risk of a system's physical compromise, particularly mobile systems such
-as laptops, places its data at risk of compromise. Encrypting this data
-mitigates the risk of its loss if the system is lost.
-
-Details: `V-38661 in STIG Viewer`_.
-
-.. _V-38661 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38661
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38662.rst b/doc/source/stig-notes/V-38662.rst
deleted file mode 100644
index 48605f3f..00000000
--- a/doc/source/stig-notes/V-38662.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38662: The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-The risk of a system's physical compromise, particularly mobile systems such
-as laptops, places its data at risk of compromise. Encrypting this data
-mitigates the risk of its loss if the system is lost.
-
-Details: `V-38662 in STIG Viewer`_.
-
-.. _V-38662 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38662
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38663.rst b/doc/source/stig-notes/V-38663.rst
deleted file mode 100644
index 735ea136..00000000
--- a/doc/source/stig-notes/V-38663.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38663: The system package management tool must verify permissions on all files and directories associated with the audit package.
------------------------------------------------------------------------------------------------------------------------------------
-
-Permissions on audit binaries and configuration files that are too generous
-could allow an unauthorized user to gain privileges that they should not have.
-The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.
-
-Details: `V-38663 in STIG Viewer`_.
-
-.. _V-38663 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38663
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38664.rst b/doc/source/stig-notes/V-38664.rst
deleted file mode 100644
index 9c8acc24..00000000
--- a/doc/source/stig-notes/V-38664.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38664: The system package management tool must verify ownership on all files and directories associated with the audit package.
----------------------------------------------------------------------------------------------------------------------------------
-
-Ownership of audit binaries and configuration files that is incorrect could
-allow an unauthorized user to gain privileges that they should not have. The
-ownership set by the vendor should be maintained. Any deviations from this
-baseline should be investigated.
-
-Details: `V-38664 in STIG Viewer`_.
-
-.. _V-38664 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38664
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38665.rst b/doc/source/stig-notes/V-38665.rst
deleted file mode 100644
index da06aa50..00000000
--- a/doc/source/stig-notes/V-38665.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38665: The system package management tool must verify group-ownership on all files and directories associated with the audit package.
----------------------------------------------------------------------------------------------------------------------------------------
-
-Group-ownership of audit binaries and configuration files that is incorrect
-could allow an unauthorized user to gain privileges that they should not have.
-The group-ownership set by the vendor should be maintained. Any deviations
-from this baseline should be investigated.
-
-Details: `V-38665 in STIG Viewer`_.
-
-.. _V-38665 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38665
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38666.rst b/doc/source/stig-notes/V-38666.rst
deleted file mode 100644
index a9ad3f08..00000000
--- a/doc/source/stig-notes/V-38666.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38666: The system must use and update a DoD-approved virus scan program.
---------------------------------------------------------------------------
-
-Virus scanning software can be used to detect if a system has been compromised
-by computer viruses, as well as to limit their spread to other systems.
-
-Details: `V-38666 in STIG Viewer`_.
-
-.. _V-38666 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38666
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38667.rst b/doc/source/stig-notes/V-38667.rst
deleted file mode 100644
index 1b07cde5..00000000
--- a/doc/source/stig-notes/V-38667.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-38667: The system must have a host-based intrusion detection tool installed.
-------------------------------------------------------------------------------
-
-Adding host-based intrusion detection tools can provide the capability to
-automatically take actions in response to malicious behavior, which can
-provide additional agility in reacting to network threats. These tools also
-often include a reporting capability to provide network awareness of system,
-which may not otherwise exist in an organization's systems management regime.
-
-Details: `V-38667 in STIG Viewer`_.
-
-.. _V-38667 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38667
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38668.rst b/doc/source/stig-notes/V-38668.rst
deleted file mode 100644
index 7970199a..00000000
--- a/doc/source/stig-notes/V-38668.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-V-38668: The x86 Ctrl-Alt-Delete key sequence must be disabled.
----------------------------------------------------------------
-
-A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can
-reboot the system. If accidentally pressed, as could happen in the case of
-mixed OS environment, this can create the risk of short-term loss of
-availability of systems due to unintentional reboot. In the GNOME graphical
-environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is
-reduced because the user will be prompted before any action is taken.
-
-Details: `V-38668 in STIG Viewer`_.
-
-.. _V-38668 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38668
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38669.rst b/doc/source/stig-notes/V-38669.rst
deleted file mode 100644
index 16c23cd8..00000000
--- a/doc/source/stig-notes/V-38669.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38669: The postfix service must be enabled for mail delivery.
----------------------------------------------------------------
-
-Local mail delivery is essential to some system maintenance and notification
-tasks.
-
-Details: `V-38669 in STIG Viewer`_.
-
-.. _V-38669 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38669
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38670.rst b/doc/source/stig-notes/V-38670.rst
deleted file mode 100644
index 5b2ca980..00000000
--- a/doc/source/stig-notes/V-38670.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38670: The operating system must detect unauthorized changes to software and information.
--------------------------------------------------------------------------------------------
-
-By default, AIDE does not install itself for periodic execution. Periodically
-running AIDE may reveal unexpected changes in installed files.
-
-Details: `V-38670 in STIG Viewer`_.
-
-.. _V-38670 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38670
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38671.rst b/doc/source/stig-notes/V-38671.rst
deleted file mode 100644
index 3502c482..00000000
--- a/doc/source/stig-notes/V-38671.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38671: The sendmail package must be removed.
-----------------------------------------------
-
-The sendmail software was not developed with security in mind and its design
-prevents it from being effectively contained by SELinux. Postfix should be
-used instead.
-
-Details: `V-38671 in STIG Viewer`_.
-
-.. _V-38671 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38671
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38672.rst b/doc/source/stig-notes/V-38672.rst
deleted file mode 100644
index 51e90001..00000000
--- a/doc/source/stig-notes/V-38672.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38672: The netconsole service must be disabled unless required.
------------------------------------------------------------------
-
-The "netconsole" service is not necessary unless there is a need to debug
-kernel panics, which is not common.
-
-Details: `V-38672 in STIG Viewer`_.
-
-.. _V-38672 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38672
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38673.rst b/doc/source/stig-notes/V-38673.rst
deleted file mode 100644
index 016773a0..00000000
--- a/doc/source/stig-notes/V-38673.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38673: The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
----------------------------------------------------------------------------------------------------------------------
-
-By default, AIDE does not install itself for periodic execution. Periodically
-running AIDE may reveal unexpected changes in installed files.
-
-Details: `V-38673 in STIG Viewer`_.
-
-.. _V-38673 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38673
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38674.rst b/doc/source/stig-notes/V-38674.rst
deleted file mode 100644
index 0673380b..00000000
--- a/doc/source/stig-notes/V-38674.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38674: X Windows must not be enabled unless required.
--------------------------------------------------------
-
-Unnecessary services should be disabled to decrease the attack surface of the
-system.
-
-Details: `V-38674 in STIG Viewer`_.
-
-.. _V-38674 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38674
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38675.rst b/doc/source/stig-notes/V-38675.rst
deleted file mode 100644
index b3470614..00000000
--- a/doc/source/stig-notes/V-38675.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38675: Process core dumps must be disabled unless needed.
------------------------------------------------------------
-
-A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and
-is generally useful only for developers trying to debug problems.
-
-Details: `V-38675 in STIG Viewer`_.
-
-.. _V-38675 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38675
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38676.rst b/doc/source/stig-notes/V-38676.rst
deleted file mode 100644
index 22af2175..00000000
--- a/doc/source/stig-notes/V-38676.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38676: The xorg-x11-server-common (X Windows) package must not be installed, unless required.
------------------------------------------------------------------------------------------------
-
-Unnecessary packages should not be installed to decrease the attack surface of
-the system.
-
-Details: `V-38676 in STIG Viewer`_.
-
-.. _V-38676 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38676
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38677.rst b/doc/source/stig-notes/V-38677.rst
deleted file mode 100644
index e2e311d5..00000000
--- a/doc/source/stig-notes/V-38677.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38677: The NFS server must not have the insecure file locking option enabled.
--------------------------------------------------------------------------------
-
-Allowing insecure file locking could allow for sensitive data to be viewed or
-edited by an unauthorized user.
-
-Details: `V-38677 in STIG Viewer`_.
-
-.. _V-38677 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38677
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38678.rst b/doc/source/stig-notes/V-38678.rst
deleted file mode 100644
index 8cb13612..00000000
--- a/doc/source/stig-notes/V-38678.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38678: The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-Notifying administrators of an impending disk space problem may allow them to
-take corrective action prior to any disruption.
-
-Details: `V-38678 in STIG Viewer`_.
-
-.. _V-38678 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38678
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38679.rst b/doc/source/stig-notes/V-38679.rst
deleted file mode 100644
index 49726262..00000000
--- a/doc/source/stig-notes/V-38679.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38679: The DHCP client must be disabled if not needed.
---------------------------------------------------------
-
-DHCP relies on trusting the local network. If the local network is not
-trusted, then it should not be used. However, the automatic configuration
-provided by DHCP is commonly used and the alternative, manual configuration,
-presents an unacceptable burden in many circumstances.
-
-Details: `V-38679 in STIG Viewer`_.
-
-.. _V-38679 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38679
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38680.rst b/doc/source/stig-notes/V-38680.rst
deleted file mode 100644
index e173db0d..00000000
--- a/doc/source/stig-notes/V-38680.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38680: The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
----------------------------------------------------------------------------------------------------------------------------
-
-Email sent to the root account is typically aliased to the administrators of
-the system, who can take appropriate action.
-
-Details: `V-38680 in STIG Viewer`_.
-
-.. _V-38680 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38680
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38681.rst b/doc/source/stig-notes/V-38681.rst
deleted file mode 100644
index 1c0f048c..00000000
--- a/doc/source/stig-notes/V-38681.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38681: All GIDs referenced in /etc/passwd must be defined in /etc/group
--------------------------------------------------------------------------
-
-Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user
-having unintended rights.
-
-Details: `V-38681 in STIG Viewer`_.
-
-.. _V-38681 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38681
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38682.rst b/doc/source/stig-notes/V-38682.rst
deleted file mode 100644
index 5c2cbe90..00000000
--- a/doc/source/stig-notes/V-38682.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38682: The Bluetooth kernel module must be disabled.
-------------------------------------------------------
-
-If Bluetooth functionality must be disabled, preventing the kernel from
-loading the kernel module provides an additional safeguard against its
-activation.
-
-Details: `V-38682 in STIG Viewer`_.
-
-.. _V-38682 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38682
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38683.rst b/doc/source/stig-notes/V-38683.rst
deleted file mode 100644
index e1394a9e..00000000
--- a/doc/source/stig-notes/V-38683.rst
+++ /dev/null
@@ -1,11 +0,0 @@
-V-38683: All accounts on the system must have unique user or account names
---------------------------------------------------------------------------
-
-Unique usernames allow for accountability on the system.
-
-Details: `V-38683 in STIG Viewer`_.
-
-.. _V-38683 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38683
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38684.rst b/doc/source/stig-notes/V-38684.rst
deleted file mode 100644
index 00f525ab..00000000
--- a/doc/source/stig-notes/V-38684.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38684: The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
----------------------------------------------------------------------------------------------------------------------------------------------
-
-Limiting simultaneous user logins can insulate the system from denial of
-service problems caused by excessive logins. Automated login processes
-operating improperly or maliciously may result in an exceptional number of
-simultaneous login sessions.
-
-Details: `V-38684 in STIG Viewer`_.
-
-.. _V-38684 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38684
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38685.rst b/doc/source/stig-notes/V-38685.rst
deleted file mode 100644
index f61673bb..00000000
--- a/doc/source/stig-notes/V-38685.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38685: Temporary accounts must be provisioned with an expiration date.
-------------------------------------------------------------------------
-
-When temporary accounts are created, there is a risk they may remain in place
-and active after the need for them no longer exists. Account expiration
-greatly reduces the risk of accounts being misused or hijacked.
-
-Details: `V-38685 in STIG Viewer`_.
-
-.. _V-38685 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38685
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38686.rst b/doc/source/stig-notes/V-38686.rst
deleted file mode 100644
index 11b8a96a..00000000
--- a/doc/source/stig-notes/V-38686.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38686: The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
----------------------------------------------------------------------------------------------------------------
-
-In "iptables" the default policy is applied only after all the applicable
-rules in the table are examined for a match. Setting the default policy to
-"DROP" implements proper design for a firewall, i.e., any packets which are
-not explicitly permitted should not be accepted.
-
-Details: `V-38686 in STIG Viewer`_.
-
-.. _V-38686 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38686
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38687.rst b/doc/source/stig-notes/V-38687.rst
deleted file mode 100644
index 5c924c62..00000000
--- a/doc/source/stig-notes/V-38687.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38687: The system must provide VPN connectivity for communications over untrusted networks.
----------------------------------------------------------------------------------------------
-
-Providing the ability for remote users or systems to initiate a secure VPN
-connection protects information when it is transmitted over a wide area
-network.
-
-Details: `V-38687 in STIG Viewer`_.
-
-.. _V-38687 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38687
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38688.rst b/doc/source/stig-notes/V-38688.rst
deleted file mode 100644
index 6a1c708e..00000000
--- a/doc/source/stig-notes/V-38688.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38688: A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
----------------------------------------------------------------------------------------------------------------------------
-
-An appropriate warning message reinforces policy awareness during the logon
-process and facilitates possible legal action against attackers.
-
-Details: `V-38688 in STIG Viewer`_.
-
-.. _V-38688 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38688
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38688_developer.rst b/doc/source/stig-notes/V-38688_developer.rst
deleted file mode 100644
index 4828fe1e..00000000
--- a/doc/source/stig-notes/V-38688_developer.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-**Exception**
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/source/stig-notes/V-38689.rst b/doc/source/stig-notes/V-38689.rst
deleted file mode 100644
index 09133556..00000000
--- a/doc/source/stig-notes/V-38689.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38689: The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
----------------------------------------------------------------------------------------------------------------------------------------------------------
-
-An appropriate warning message reinforces policy awareness during the logon
-process and facilitates possible legal action against attackers.
-
-Details: `V-38689 in STIG Viewer`_.
-
-.. _V-38689 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38689
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38689_developer.rst b/doc/source/stig-notes/V-38689_developer.rst
deleted file mode 100644
index 4828fe1e..00000000
--- a/doc/source/stig-notes/V-38689_developer.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-**Exception**
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/source/stig-notes/V-38690.rst b/doc/source/stig-notes/V-38690.rst
deleted file mode 100644
index 4a253e31..00000000
--- a/doc/source/stig-notes/V-38690.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38690: Emergency accounts must be provisioned with an expiration date.
-------------------------------------------------------------------------
-
-When emergency accounts are created, there is a risk they may remain in place
-and active after the need for them no longer exists. Account expiration
-greatly reduces the risk of accounts being misused or hijacked.
-
-Details: `V-38690 in STIG Viewer`_.
-
-.. _V-38690 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38690
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38691.rst b/doc/source/stig-notes/V-38691.rst
deleted file mode 100644
index 1a9ba924..00000000
--- a/doc/source/stig-notes/V-38691.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38691: The Bluetooth service must be disabled.
-------------------------------------------------
-
-Disabling the "bluetooth" service prevents the system from attempting
-connections to Bluetooth devices, which entails some security risk.
-Nevertheless, variation in this risk decision may be expected due to the
-utility of Bluetooth connectivity and its limited range.
-
-Details: `V-38691 in STIG Viewer`_.
-
-.. _V-38691 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38691
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38692.rst b/doc/source/stig-notes/V-38692.rst
deleted file mode 100644
index 63b286f7..00000000
--- a/doc/source/stig-notes/V-38692.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38692: Accounts must be locked upon 35 days of inactivity.
-------------------------------------------------------------
-
-Disabling inactive accounts ensures that accounts which may not have been
-responsibly removed are not available to attackers who may have compromised
-their credentials.
-
-Details: `V-38692 in STIG Viewer`_.
-
-.. _V-38692 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38692
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38693.rst b/doc/source/stig-notes/V-38693.rst
deleted file mode 100644
index 1e91239a..00000000
--- a/doc/source/stig-notes/V-38693.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38693: The system must require passwords to contain no more than three consecutive repeating characters.
-----------------------------------------------------------------------------------------------------------
-
-Passwords with excessive repeating characters may be more vulnerable to
-password-guessing attacks.
-
-Details: `V-38693 in STIG Viewer`_.
-
-.. _V-38693 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38693
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38693_developer.rst b/doc/source/stig-notes/V-38693_developer.rst
deleted file mode 100644
index 344697e5..00000000
--- a/doc/source/stig-notes/V-38693_developer.rst
+++ /dev/null
@@ -1,10 +0,0 @@
-**Exception**
-
-Password complexity requirements are left up to the deployer. Deployers are
-urged to rely on SSH keys as often as possible to avoid problems with
-passwords.
-
-Review the pam_cracklib documentation by running ``man pam_cracklib`` or
-read the `detailed documentation from Hal Pomeranz`_.
-
-.. _detailed documentation from Hal Pomeranz: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
diff --git a/doc/source/stig-notes/V-38694.rst b/doc/source/stig-notes/V-38694.rst
deleted file mode 100644
index 40e963f0..00000000
--- a/doc/source/stig-notes/V-38694.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38694: The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-Disabling inactive accounts ensures that accounts which may not have been
-responsibly removed are not available to attackers who may have compromised
-their credentials.
-
-Details: `V-38694 in STIG Viewer`_.
-
-.. _V-38694 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38694
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38695.rst b/doc/source/stig-notes/V-38695.rst
deleted file mode 100644
index db6d225b..00000000
--- a/doc/source/stig-notes/V-38695.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38695: A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-By default, AIDE does not install itself for periodic execution. Periodically
-running AIDE may reveal unexpected changes in installed files.
-
-Details: `V-38695 in STIG Viewer`_.
-
-.. _V-38695 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38695
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38696.rst b/doc/source/stig-notes/V-38696.rst
deleted file mode 100644
index 927b3a7f..00000000
--- a/doc/source/stig-notes/V-38696.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38696: The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-By default, AIDE does not install itself for periodic execution. Periodically
-running AIDE may reveal unexpected changes in installed files.
-
-Details: `V-38696 in STIG Viewer`_.
-
-.. _V-38696 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38696
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38697.rst b/doc/source/stig-notes/V-38697.rst
deleted file mode 100644
index bb13ca39..00000000
--- a/doc/source/stig-notes/V-38697.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-V-38697: The sticky bit must be set on all public directories.
---------------------------------------------------------------
-
-Failing to set the sticky bit on public directories allows unauthorized users
-to delete files in the directory structure. The only authorized public
-directories are those temporary directories supplied with the system, or those
-designed to be temporary file repositories. The setting is normally reserved
-for directories used by the system, and by users for temporary file storage -
-such as /tmp - and for directories requiring global read/write access.
-
-Details: `V-38697 in STIG Viewer`_.
-
-.. _V-38697 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38697
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38698.rst b/doc/source/stig-notes/V-38698.rst
deleted file mode 100644
index bc6e00db..00000000
--- a/doc/source/stig-notes/V-38698.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38698: The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-By default, AIDE does not install itself for periodic execution. Periodically
-running AIDE may reveal unexpected changes in installed files.
-
-Details: `V-38698 in STIG Viewer`_.
-
-.. _V-38698 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38698
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38699.rst b/doc/source/stig-notes/V-38699.rst
deleted file mode 100644
index da1b42ef..00000000
--- a/doc/source/stig-notes/V-38699.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38699: All public directories must be owned by a system account.
-------------------------------------------------------------------
-
-Allowing a user account to own a world-writable directory is undesirable
-because it allows the owner of that directory to remove or replace any files
-that may be placed in the directory by other users.
-
-Details: `V-38699 in STIG Viewer`_.
-
-.. _V-38699 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38699
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38700.rst b/doc/source/stig-notes/V-38700.rst
deleted file mode 100644
index 436d95f4..00000000
--- a/doc/source/stig-notes/V-38700.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-38700: The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-By default, AIDE does not install itself for periodic execution. Periodically
-running AIDE may reveal unexpected changes in installed files.
-
-Details: `V-38700 in STIG Viewer`_.
-
-.. _V-38700 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38700
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38700_developer.rst b/doc/source/stig-notes/V-38700_developer.rst
deleted file mode 100644
index 4a37b92f..00000000
--- a/doc/source/stig-notes/V-38700_developer.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-The AIDE package is already installed as part of the Ansible tasks to fix
-V-38429, but these Ansible tasks will verify that the cron job file is actually
-in place. The cron job is installed as part of the aide package installation.
-If the cron job is missing, an error will be printed and the playbook will
-fail.
diff --git a/doc/source/stig-notes/V-38701.rst b/doc/source/stig-notes/V-38701.rst
deleted file mode 100644
index b07123f1..00000000
--- a/doc/source/stig-notes/V-38701.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-38701: The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
-------------------------------------------------------------------------------------------------------------------------------
-
-Using the "-s" option causes the TFTP service to only serve files from the
-given directory. Serving files from an intentionally specified directory
-reduces the risk of sharing files which should remain private.
-
-Details: `V-38701 in STIG Viewer`_.
-
-.. _V-38701 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38701
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-38702.rst b/doc/source/stig-notes/V-38702.rst
deleted file mode 100644
index 4e997cd4..00000000
--- a/doc/source/stig-notes/V-38702.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-38702: The FTP daemon must be configured for logging or verbose mode.
------------------------------------------------------------------------
-
-To trace malicious activity facilitated by the FTP service, it must be
-configured to ensure that all commands sent to the ftp server are logged using
-the verbose vsftpd log format. The default vsftpd log file is
-/var/log/vsftpd.log.
-
-Details: `V-38702 in STIG Viewer`_.
-
-.. _V-38702 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38702
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-43150.rst b/doc/source/stig-notes/V-43150.rst
deleted file mode 100644
index 20ce7281..00000000
--- a/doc/source/stig-notes/V-43150.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-43150: The login user list must be disabled.
-----------------------------------------------
-
-Leaving the user list enabled is a security risk since it allows anyone with
-physical access to the system to quickly enumerate known user accounts without
-logging in.
-
-Details: `V-43150 in STIG Viewer`_.
-
-.. _V-43150 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-43150
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-43150_developer.rst b/doc/source/stig-notes/V-43150_developer.rst
deleted file mode 100644
index 4828fe1e..00000000
--- a/doc/source/stig-notes/V-43150_developer.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-**Exception**
-
-Deployers are urged to use graphical desktops only on client machines that
-connect to the OpenStack environment, rather than configuring graphical
-desktops within the OpenStack infrastructure itself.
diff --git a/doc/source/stig-notes/V-51337.rst b/doc/source/stig-notes/V-51337.rst
deleted file mode 100644
index 1cf7d748..00000000
--- a/doc/source/stig-notes/V-51337.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-51337: The system must use a Linux Security Module at boot time.
-------------------------------------------------------------------
-
-Disabling a major host protection feature, such as SELinux, at boot time
-prevents it from confining system services at boot time. Further, it increases
-the chances that it will remain off during system operation.
-
-Details: `V-51337 in STIG Viewer`_.
-
-.. _V-51337 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51337
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-51363.rst b/doc/source/stig-notes/V-51363.rst
deleted file mode 100644
index 5f0b12c6..00000000
--- a/doc/source/stig-notes/V-51363.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-V-51363: The system must use a Linux Security Module configured to enforce limits on system services.
------------------------------------------------------------------------------------------------------
-
-Setting the SELinux state to enforcing ensures SELinux is able to confine
-potentially compromised processes to the security policy, which is designed to
-prevent them from causing damage to the system or further elevating their
-privileges.
-
-Details: `V-51363 in STIG Viewer`_.
-
-.. _V-51363 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51363
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-51369.rst b/doc/source/stig-notes/V-51369.rst
deleted file mode 100644
index 1d6f4a01..00000000
--- a/doc/source/stig-notes/V-51369.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-51369: The system must use a Linux Security Module configured to limit the privileges of system services.
------------------------------------------------------------------------------------------------------------
-
-Setting the SELinux policy to "targeted" or a more specialized policy ensures
-the system will confine processes that are likely to be targeted for
-exploitation, such as network or system services.
-
-Details: `V-51369 in STIG Viewer`_.
-
-.. _V-51369 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51369
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-51379.rst b/doc/source/stig-notes/V-51379.rst
deleted file mode 100644
index 312fb866..00000000
--- a/doc/source/stig-notes/V-51379.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-V-51379: All device files must be monitored by the system Linux Security Module.
---------------------------------------------------------------------------------
-
-If a device file carries the SELinux type "unlabeled_t", then SELinux cannot
-properly restrict access to the device file.
-
-Details: `V-51379 in STIG Viewer`_.
-
-.. _V-51379 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51379
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-51391.rst b/doc/source/stig-notes/V-51391.rst
deleted file mode 100644
index 37a0f4b8..00000000
--- a/doc/source/stig-notes/V-51391.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-51391: A file integrity baseline must be created.
----------------------------------------------------
-
-For AIDE to be effective, an initial database of "known-good" information
-about files must be captured and it should be able to be verified against the
-installed files.
-
-Details: `V-51391 in STIG Viewer`_.
-
-.. _V-51391 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51391
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-51875.rst b/doc/source/stig-notes/V-51875.rst
deleted file mode 100644
index e501fe6f..00000000
--- a/doc/source/stig-notes/V-51875.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-V-51875: The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-
-Users need to be aware of activity that occurs regarding their account.
-Providing users with information regarding the number of unsuccessful attempts
-that were made to login to their account allows the user to determine if any
-unauthorized activity has occurred and gives them an opportunity to notify
-administrators.
-
-Details: `V-51875 in STIG Viewer`_.
-
-.. _V-51875 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-51875
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-54381.rst b/doc/source/stig-notes/V-54381.rst
deleted file mode 100644
index 5a336c12..00000000
--- a/doc/source/stig-notes/V-54381.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-54381: The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
----------------------------------------------------------------------------------------------------------------------------------
-
-Administrators should be made aware of an inability to record audit records.
-If a separate partition or logical volume of adequate size is used, running
-low on space for audit records should never occur.
-
-Details: `V-54381 in STIG Viewer`_.
-
-.. _V-54381 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-54381
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-57569.rst b/doc/source/stig-notes/V-57569.rst
deleted file mode 100644
index 6ce43c19..00000000
--- a/doc/source/stig-notes/V-57569.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-V-57569: The noexec option must be added to the /tmp partition.
----------------------------------------------------------------
-
-Allowing users to execute binaries from world-writable directories such as
-"/tmp" should never be necessary in normal operation and can expose the system
-to potential compromise.
-
-Details: `V-57569 in STIG Viewer`_.
-
-.. _V-57569 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-57569
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/stig-notes/V-58901.rst b/doc/source/stig-notes/V-58901.rst
deleted file mode 100644
index 52872284..00000000
--- a/doc/source/stig-notes/V-58901.rst
+++ /dev/null
@@ -1,17 +0,0 @@
-V-58901: The sudo command must require authentication.
-------------------------------------------------------
-
-The "sudo" command allows authorized users to run programs (including shells)
-as other users, system users, and root. The "/etc/sudoers" file is used to
-configure authorized "sudo" users as well as the programs they are allowed to
-run. Some configuration options in the "/etc/sudoers" file allow configured
-users to run programs without re-authenticating. Use of these configuration
-options makes it easier for one compromised account to be used to compromise
-other accounts.
-
-Details: `V-58901 in STIG Viewer`_.
-
-.. _V-58901 in STIG Viewer: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-58901
-
-Notes for deployers
-~~~~~~~~~~~~~~~~~~~
diff --git a/setup.cfg b/setup.cfg
index 701b5168..75bbe25c 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,6 +1,6 @@
[metadata]
name = openstack-ansible-security
-summary = Security hardening role for openstack-ansible
+summary = OpenStack-Ansible: Host security hardening
description-file =
README.rst
author = OpenStack
diff --git a/test-requirements.txt b/test-requirements.txt
index e9b3fcb0..0d0b5974 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -14,3 +14,5 @@ oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0
openstackdocstheme>=1.5.0 # Apache-2.0
doc8 # Apache-2.0
reno>=1.8.0 # Apache2
+Jinja2>=2.8 # BSD License (3 clause)
+lxml>=2.3 # BSD
diff --git a/tox.ini b/tox.ini
index 49f2eb8b..b0144d2c 100644
--- a/tox.ini
+++ b/tox.ini
@@ -31,6 +31,8 @@ setenv =
[testenv:docs]
+deps=
+ {[testenv]deps}
commands=
bash -c "rm -rf doc/build"
doc8 doc