oval:org.secpod.oval:def:30318
Acceptance of messages via TCP by rsyslog, when acting as a log server, should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30426
BOOTP queries should be accepted or denied by the DHCP server as appropriate.

oval:org.secpod.oval:def:30407
The sshd service should be disabled if possible.

oval:org.secpod.oval:def:30481
Disable Cache Support (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30465
File uploads via vsftpd should be enabled or disabled as appropriate

oval:org.secpod.oval:def:30623
The '/etc/shadow' file should be owned by the appropriate group.

oval:org.secpod.oval:def:30620
File permissions for /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin and /usr/local/sbin should be set correctly.

oval:org.secpod.oval:def:30602
The minimum password age policy should be set appropriately.

oval:org.secpod.oval:def:30608
The RPM package telnet should be installed.

oval:org.secpod.oval:def:30311
The RPM package rsyslog should be installed.

oval:org.secpod.oval:def:30534
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.

oval:org.secpod.oval:def:30359
Audit rules should capture information about session initiation.

oval:org.secpod.oval:def:30458
The vsftpd service should be disabled if possible.

oval:org.secpod.oval:def:30338
Record attempts to alter time through clock_settime.

oval:org.secpod.oval:def:30622
The password hashing algorithm should be set correctly in /etc/login.defs.

oval:org.secpod.oval:def:30580
Verify which group owns the /boot/grub2/grub.cfg file.

oval:org.secpod.oval:def:30325
Legitimate character and block devices should not exist within temporary directories like /tmp. The nodev mount option should be specified for /tmp.

oval:org.secpod.oval:def:30510
The RPM package mcstrans should be installed.

oval:org.secpod.oval:def:30505
The RPM package net-snmp should be removed.

oval:org.secpod.oval:def:30612
The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met)

oval:org.secpod.oval:def:30425
DHCPDECLINE messages should be accepted or denied by the DHCP server as appropriate

oval:org.secpod.oval:def:30406
The atd service should be disabled if possible.

oval:org.secpod.oval:def:30348
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30577
The /etc/shadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:30625
The password retry should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30398
The rhsmcertd service should be disabled if possible.

oval:org.secpod.oval:def:30377
The TFTP daemon should use secure mode.

oval:org.secpod.oval:def:30439
The nfslock service should be disabled if possible.

oval:org.secpod.oval:def:30476
Disable WebDAV (Distributed Authoring and Versioning) (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30356
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30353
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30349
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30603
System Audit Logs Must Have Mode 0640 or Less Permissive (/var/log/audit/*) should be configured appropriately.

oval:org.secpod.oval:def:30383
The cpuspeed service should be disabled if possible.

oval:org.secpod.oval:def:30432
The postfix service should be enabled if possible.

oval:org.secpod.oval:def:30424
Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives

oval:org.secpod.oval:def:30412
The Avahi daemon should be configured to serve via IPv6 or not as appropriate.

oval:org.secpod.oval:def:30475
Disable MIME Magic (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30598
Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

oval:org.secpod.oval:def:30590
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:30638
Audit rules should detect modification to system files that hold information about users and groups.

oval:org.secpod.oval:def:30388
The netconsole service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30435
Protect against unnecessary release of information.

oval:org.secpod.oval:def:30314
The nosuid mount option prevents set-user-identifier (suid) and set-group-identifier (sgid) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce suid and g ...

oval:org.secpod.oval:def:30409
Limit Users SSH Access should be configured appropriately.

oval:org.secpod.oval:def:30497
Plaintext authentication of mail clients should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30368
The rexec service should be disabled if possible.

oval:org.secpod.oval:def:30420
By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers ...

oval:org.secpod.oval:def:30538
The environment variable PATH should be set correctly for the root user.

oval:org.secpod.oval:def:30641
SSH warning banner should be enabled (and dependencies are met).

oval:org.secpod.oval:def:30581
The kernel module dccp should be disabled.

oval:org.secpod.oval:def:30582
The /etc/gshadow file should be owned by the appropriate group.

oval:org.secpod.oval:def:30457
The RPM package bind should be removed.

oval:org.secpod.oval:def:30498
The Samba (SMB) service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30408
If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).

oval:org.secpod.oval:def:30361
Audit rules about the Information on the Use of Privileged Commands are enabled

oval:org.secpod.oval:def:30599
PermitUserEnvironment should be disabled

oval:org.secpod.oval:def:30583
The yum-updatesd service should be disabled

oval:org.secpod.oval:def:30453
Root squashing should be enabled or disabled as appropriate for all NFS shares.

oval:org.secpod.oval:def:30516
The RPM package talk should be installed.

oval:org.secpod.oval:def:30601
The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.

oval:org.secpod.oval:def:30604
The file /etc/pam.d/system-auth should not contain the nullok option

oval:org.secpod.oval:def:30440
The rpcgssd service should be disabled if possible.

oval:org.secpod.oval:def:30363
Audit actions taken by system administrators on the system.

oval:org.secpod.oval:def:30572
The password difok should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30508
The maximum password age policy should meet minimum requirements.

oval:org.secpod.oval:def:30423
The dynamic DNS feature of the DHCP server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30529
The SELinux state should be set appropriately.

oval:org.secpod.oval:def:30482
Disable CGI Support (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30591
The passwords to remember should be set correctly.

oval:org.secpod.oval:def:30334
Record attempts to alter time through adjtimex.

oval:org.secpod.oval:def:30569
The password warning age should be set appropriately.

oval:org.secpod.oval:def:30545
The RPM package screen should be installed.

oval:org.secpod.oval:def:30471
Disable HTTP mod_rewrite (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30450
The rpcsvcgssd service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30331
admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:30631
The /etc/gshadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:30624
The audit rules should be configured to log information about kernel module loading and unloading.

oval:org.secpod.oval:def:30621
The password minimum length should be set appropriately.

oval:org.secpod.oval:def:30618
The password lcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30541
The default umask for all users should be set correctly

oval:org.secpod.oval:def:30357
Audit rules should be configured to log successful and unsuccessful logon and logout events.

oval:org.secpod.oval:def:30470
Disable HTTP Digest Authentication (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30399
The saslauthd service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30573
The /etc/passwd file should be owned by the appropriate group.

oval:org.secpod.oval:def:30518
All files should be owned by a user

oval:org.secpod.oval:def:30615
This test makes sure that the '/etc/shadow' file permission is set as appropriate. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:30382
The cgred service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30379
The certmonger service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30295
Global IPv6 initialization should be disabled.

oval:org.secpod.oval:def:30320
The logrotate (syslog rotater) service should be enabled.

oval:org.secpod.oval:def:30553
The kernel runtime parameter "net.ipv4.conf.all.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:30418
The cups service should be disabled if possible.

oval:org.secpod.oval:def:30578
The SELinux state should be enforcing the local policy.

oval:org.secpod.oval:def:30579
The grub boot loader should have password protection enabled.

oval:org.secpod.oval:def:30444
The lockd service should be configured to use a static port or a dynamic portmapper port for UDP as appropriate.

oval:org.secpod.oval:def:30372
The '.rhosts' or 'hosts.equiv' files should or should not exist on the system.

oval:org.secpod.oval:def:30422
The RPM package dhcpd should be removed.

oval:org.secpod.oval:def:30525
The kernel runtime parameter "kernel.randomize_va_space" should be set to "2".

oval:org.secpod.oval:def:30596
Verify that Shared Library Files Have Restrictive Permissions (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately.

oval:org.secpod.oval:def:30322
Check if SplitHosts line in logwatch.conf is set appropriately.

oval:org.secpod.oval:def:30395
The quota_nld service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30387
The messagebus service should be disabled if possible.

oval:org.secpod.oval:def:30524
The kernel runtime parameter "kernel.exec-shield" should be set to "1".

oval:org.secpod.oval:def:30327
num_logs setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:30365
The xinetd service should be disabled if possible.

oval:org.secpod.oval:def:30317
rsyslogd should reject remote messages

oval:org.secpod.oval:def:30344
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30332
action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account

oval:org.secpod.oval:def:30335
Record attempts to alter time through settimeofday.

oval:org.secpod.oval:def:30503
The kernel module hfsplus should be disabled.

oval:org.secpod.oval:def:30495
Dovecot plaintext authentication of clients should be enabled or disabled as necessary

oval:org.secpod.oval:def:30366
The RPM package xinetd should be removed.

oval:org.secpod.oval:def:30487
The mod_security package installation should be configured appropriately.

oval:org.secpod.oval:def:30294
The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devic ...

oval:org.secpod.oval:def:30559
The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1".

oval:org.secpod.oval:def:30548
The kernel runtime parameter "net.ipv4.conf.default.send_redirects" should be set to "0".

oval:org.secpod.oval:def:30483
Restrict Root Directory (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30597
System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume.

oval:org.secpod.oval:def:30472
Disable LDAP Support (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30454
Restriction of NFS clients to privileged ports should be enabled or disabled as appropriate

oval:org.secpod.oval:def:30330
space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:30443
The lockd service should be configured to use a static port or a dynamic portmapper port for TCP as appropriate.

oval:org.secpod.oval:def:30626
The SELinux policy should be set appropriately.

oval:org.secpod.oval:def:30627
The /etc/passwd file should be owned by the appropriate user.

oval:org.secpod.oval:def:30427
Logging (/etc/rsyslog.conf) should be configured appropriately.

oval:org.secpod.oval:def:30301
Define default gateways for IPv6 traffic

oval:org.secpod.oval:def:30485
Restrict Web Directory (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30595
The Red Hat release and auxiliary key packages are required to be installed.

oval:org.secpod.oval:def:30515
The RPM package talk-server should be installed.

oval:org.secpod.oval:def:30507
Ensure Default Password Is Not Used (/etc/snmp/snmpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30629
The password ocredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30385
The kdump service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30433
The RPM package sendmail should be removed.

oval:org.secpod.oval:def:30532
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:30345
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30463
The kernel module cramfs should be disabled.

oval:org.secpod.oval:def:30635
The requirement for a password to boot into single-user mode should be configured correctly.

oval:org.secpod.oval:def:30500
Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used.

oval:org.secpod.oval:def:30607
Only SSH protocol version 2 connections should be permitted.

oval:org.secpod.oval:def:30606
The /etc/group file should be owned by the appropriate group.

oval:org.secpod.oval:def:30397
The rhnsd service should be disabled if possible.

oval:org.secpod.oval:def:30386
The mdmonitor service should be disabled if possible.

oval:org.secpod.oval:def:30370
The rsh service should be disabled if possible.

oval:org.secpod.oval:def:30561
The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1".

oval:org.secpod.oval:def:30336
It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /tmp. The noexec mount option prevents binaries from being executed out of /tmp.

oval:org.secpod.oval:def:30637
Only the root account should be assigned a user id of 0.

oval:org.secpod.oval:def:30517
The kernel module udf should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30394
The Apache qpidd service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30496
Configure Dovecot to Use the SSL Key file should be configured appropriately.

oval:org.secpod.oval:def:30558
The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1".

oval:org.secpod.oval:def:30300
Enable privacy extensions for IPv6

oval:org.secpod.oval:def:30402
Disable Prelinking (/etc/sysconfig/prelink) should be configured appropriately.

oval:org.secpod.oval:def:30461
Logging of vsftpd transactions should be enabled or disabled as appropriate

oval:org.secpod.oval:def:30574
Verify that Shared Library Files Have Root Ownership (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately.

oval:org.secpod.oval:def:30605
Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)

oval:org.secpod.oval:def:30384
The irqbalance service should be enabled if possible.

oval:org.secpod.oval:def:30381
The cgconfig service should be disabled if possible.

oval:org.secpod.oval:def:30491
The dovecot service should be disabled if possible.

oval:org.secpod.oval:def:30305
The iptables service should be enabled if possible.

oval:org.secpod.oval:def:30537
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:30530
Logins through the Direct root Logins Not Allowed should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30474
Disable Server Side Includes (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30341
System Audit Logs Must Be Owned By Root (/var/log/*) should be configured appropriately.

oval:org.secpod.oval:def:30451
The nodev option should be enabled for all NFS mounts in /etc/fstab.

oval:org.secpod.oval:def:30636
The /tmp directory is a world-writable directory used for temporary file storage. Verify that it has its own partition or logical volume.

oval:org.secpod.oval:def:30303
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:30411
The avahi-daemon service should be disabled if possible.

oval:org.secpod.oval:def:30526
Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package sho ...

oval:org.secpod.oval:def:30351
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30594
File permissions for '/etc/group' should be set correctly.

oval:org.secpod.oval:def:30589
This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:30346
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30563
All wireless interfaces should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30512
The RPM package ypbind should be installed.

oval:org.secpod.oval:def:30416
Disable Avahi Publishing (/etc/avahi/avahi-daemon.conf) should be configured appropriately.

oval:org.secpod.oval:def:30531
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:30410
The RPM package xorg-x11-server-common should be removed.

oval:org.secpod.oval:def:30539
The default umask for users of the bash shell

oval:org.secpod.oval:def:30392
The portreserve service should be disabled if possible.

oval:org.secpod.oval:def:30298
The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:30556
The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:30520
Configure Periodic Execution of AIDE (/etc/crontab) should be configured appropriately.

oval:org.secpod.oval:def:30350
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30565
The kernel module bluetooth should be disabled.

oval:org.secpod.oval:def:30490
The /etc/httpd/conf/* files should have the appropriate permissions.

oval:org.secpod.oval:def:30438
The RPM package openldap-servers should be removed.

oval:org.secpod.oval:def:30535
Configure the system to notify users of last logon/access using pam_lastlog.

oval:org.secpod.oval:def:30415
Avahi should be configured to allow other stacks from binding to port 5353 or not as appropriate.

oval:org.secpod.oval:def:30575
The RPM package aide should be installed.

oval:org.secpod.oval:def:30504
The snmpd service should be disabled if possible.

oval:org.secpod.oval:def:30600
The password ucredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30393
The psacct service should be enabled if possible.

oval:org.secpod.oval:def:30488
Directory permissions for /var/log/httpd should be set appropriately.

oval:org.secpod.oval:def:30428
DHCP configuration should be static for all interfaces.

oval:org.secpod.oval:def:30640
The system login banner text should be set correctly.

oval:org.secpod.oval:def:30340
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

oval:org.secpod.oval:def:30448
Specify UID and GID for Anonymous NFS Connections (/etc/exports) should be configured appropriately.

oval:org.secpod.oval:def:30323
Disable Logwatch on Clients if a Logserver Exists (/etc/cron.daily/0logwatch) should be configured appropriately.

oval:org.secpod.oval:def:30329
max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:30511
The RPM package rsh should be installed.

oval:org.secpod.oval:def:30441
The rpcidmapd service should be disabled if possible.

oval:org.secpod.oval:def:30557
The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:30404
The crond service should be enabled if possible.

oval:org.secpod.oval:def:30354
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30342
Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.

oval:org.secpod.oval:def:30333
Configure auditd to use audispd plugin (/etc/audisp/plugins.d/syslog.conf) should be configured appropriately.

oval:org.secpod.oval:def:30513
The RPM package tftp should be installed.

oval:org.secpod.oval:def:30560
The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1".

oval:org.secpod.oval:def:30310
The RPM package libreswan should be installed.

oval:org.secpod.oval:def:30521
The daemon umask should be set as appropriate

oval:org.secpod.oval:def:30401
The sysstat service should be disabled if possible.

oval:org.secpod.oval:def:30480
The HTTPD Proxy Module Support should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30360
Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled

oval:org.secpod.oval:def:30585
Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met).

oval:org.secpod.oval:def:30459
The RPM package vsftpd should be removed.

oval:org.secpod.oval:def:30536
Set Password to Maximum of Three Consecutive Repeating Characters should be configured appropriately.

oval:org.secpod.oval:def:30326
Look for argument audit=1 in the kernel line in /etc/grub.conf.

oval:org.secpod.oval:def:30613
Verify that System Executables Have Restrictive Permissions (/bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin or /usr/local/sbin) should be configured appropriately.

oval:org.secpod.oval:def:30437
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:30421
The dhcpd service should be disabled if possible.

oval:org.secpod.oval:def:30533
The PATH variable should be set correctly for user root

oval:org.secpod.oval:def:30455
Ensure Insecure File Locking is Not Allowed (/etc/exports) should be configured appropriately.

oval:org.secpod.oval:def:30442
The netfs service should be disabled if possible.

oval:org.secpod.oval:def:30639
Audit file deletion events.

oval:org.secpod.oval:def:30614
The maximum number of concurrent login sessions per user should meet minimum requirements.

oval:org.secpod.oval:def:30312
The rsyslog service should be enabled if possible.

oval:org.secpod.oval:def:30555
The Kernel Parameter for Accepting Source-Routed Packets By Default should be enabled or disabled as appropriate. The kernel runtime parameter "net.ipv4.conf.default.accept_source_route" should be set to "0".

oval:org.secpod.oval:def:30419
The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing ca ...

oval:org.secpod.oval:def:30403
The kernel module usb-storage should be disabled.

oval:org.secpod.oval:def:30592
The /etc/group file should be owned by the appropriate user.

oval:org.secpod.oval:def:30464
Restrict Access to Anonymous Users should be configured appropriately.

oval:org.secpod.oval:def:30296
The RPC IPv6 support should be configured appropriately based on RPC services.

oval:org.secpod.oval:def:30436
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:30527
The kernel runtime parameter "kernel.dmesg_restrict" should be set to "1".

oval:org.secpod.oval:def:30358
Legitimate character and block devices should not exist within temporary directories like /dev/shm. The nodev mount option should be specified for /dev/shm.

oval:org.secpod.oval:def:30319
Acceptance of messages via UDP by rsyslog, when acting as a log server, should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30551
The kernel runtime parameter "net.ipv4.conf.all.accept_source_route" should be set to "0".

oval:org.secpod.oval:def:30542
The default umask for all users specified in /etc/login.defs

oval:org.secpod.oval:def:30544
The ability for users to perform interactive startups should be disabled.

oval:org.secpod.oval:def:30429
The ntpd service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30588
Ensure all yum repositories utilize signature checking.

oval:org.secpod.oval:def:30456
The named service should be disabled if possible.

oval:org.secpod.oval:def:30446
Configure statd to use static port (/etc/sysconfig/nfs) should be configured appropriately.

oval:org.secpod.oval:def:30328
max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:30380
The nosuid mount option should be set for temporary storage partitions such as /dev/shm. The suid/sgid permissions should not be required in these world-writable directories.

oval:org.secpod.oval:def:30494
SSL capabilities should be enabled for the mail server.

oval:org.secpod.oval:def:30562
The kernel runtime parameter "net.ipv4.conf.default.rp_filter" should be set to "1".

oval:org.secpod.oval:def:30479
Disable URL Correction on Misspelled Entries (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30477
Disable Server Activity Status (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30466
The httpd service should be disabled if possible.

oval:org.secpod.oval:def:30452
The nosuid option should be enabled for all NFS mounts in /etc/fstab.

oval:org.secpod.oval:def:30376
The RPM package tftp-server should be removed.

oval:org.secpod.oval:def:30499
Require samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing.

oval:org.secpod.oval:def:30486
mod_ssl package installation should be configured appropriately.

oval:org.secpod.oval:def:30304
The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The noexec option prevents code from being executed directly from the media itself, ...

oval:org.secpod.oval:def:30306
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/iptables).

oval:org.secpod.oval:def:30543
Ctrl-Alt-Del Reboot Activation should be set as appropriate.

oval:org.secpod.oval:def:30400
The smartd service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30632
This test makes sure that '/etc/gshadow' has appropriate permissions set. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:30611
File permissions for '/boot/grub2/grub.cfg' should be set appropriately.

oval:org.secpod.oval:def:30391
The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp.

oval:org.secpod.oval:def:30375
The tftp service should be disabled if possible.

oval:org.secpod.oval:def:30299
Manually configure addresses for IPv6

oval:org.secpod.oval:def:30522
Core dumps for all users should be disabled

oval:org.secpod.oval:def:30364
Force a reboot to change audit rules is enabled

oval:org.secpod.oval:def:30478
Disable Web Server Configuration Display (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30633
The password dcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30509
The RPM package setroubleshoot should be installed.

oval:org.secpod.oval:def:30493
The kernel module hfs should be disabled.

oval:org.secpod.oval:def:30430
A remote NTP Server for time synchronization should be specified (and dependencies are met)

oval:org.secpod.oval:def:30308
The kernel module rds should be disabled.

oval:org.secpod.oval:def:30355
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30468
The apache2 server's ServerTokens value should be set appropriately

oval:org.secpod.oval:def:30514
The squashfs Kernel Module should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30352
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30337
Record attempts to alter time through stime; note that this is only relevant on 32-bit architectures.

oval:org.secpod.oval:def:30587
The abrtd service should be disabled if possible.

oval:org.secpod.oval:def:30378
The acpid service should be disabled if possible.

oval:org.secpod.oval:def:30547
Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.

oval:org.secpod.oval:def:30566
The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.

oval:org.secpod.oval:def:30367
The RPM package rsh-server should be removed.

oval:org.secpod.oval:def:30309
The kernel module tipc should be disabled.

oval:org.secpod.oval:def:30593
Root login via SSH should be disabled (and dependencies are met)

oval:org.secpod.oval:def:30576
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:30564
The bluetooth service should be disabled if possible.

oval:org.secpod.oval:def:30445
The autofs service should be disabled if possible.

oval:org.secpod.oval:def:30610
The password hashing algorithm should be set correctly in /etc/libuser.conf.

oval:org.secpod.oval:def:30389
The ntpdate service should be disabled if possible.

oval:org.secpod.oval:def:30369
It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. The noexec mount option prevents binaries from being executed out of /dev/shm.

oval:org.secpod.oval:def:30554
The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1".

oval:org.secpod.oval:def:30540
The default umask for users of the csh shell

oval:org.secpod.oval:def:30523
The kernel runtime parameter "fs.suid_dumpable" should be set to "0".

oval:org.secpod.oval:def:30405
The anacron service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30469
The apache2 server's ServerSignature value should be set appropriately.

oval:org.secpod.oval:def:30570
The SSH idle timeout interval should be set to an appropriate value.

oval:org.secpod.oval:def:30506
Configure SNMP Service to Use Only SNMPv3 or Newer (/etc/snmp/snmpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:30609
Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode.

oval:org.secpod.oval:def:30552
The kernel runtime parameter "net.ipv4.conf.all.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:30434
Postfix network listening should be disabled

oval:org.secpod.oval:def:30417
Avahi publishing of IP addresses should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30584
The '/boot/grub2/grub.cfg' file should be owned by the appropriate user.

oval:org.secpod.oval:def:30492
The RPM package dovecot should be removed.

oval:org.secpod.oval:def:30489
Directory permissions for /etc/httpd/conf/ should be set as appropriate.

oval:org.secpod.oval:def:30473
The kernel module freevxfs should be disabled.

oval:org.secpod.oval:def:30567
Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options, which is used as temporary storage by many programs, particularly system services such as daemons. It is not uncommon for the /var directory to contain world-writable directories, installed by ot ...

oval:org.secpod.oval:def:30568
The root account is the only system account that should have a login shell.

oval:org.secpod.oval:def:30447
The mountd service should be configured to use a static port or a dynamic portmapper port as appropriate

oval:org.secpod.oval:def:30449
The nfs service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30619
The password minclass should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30362
Audit rules that detect the mounting of filesystems should be enabled.

oval:org.secpod.oval:def:30467
The RPM package httpd should be removed.

oval:org.secpod.oval:def:30324
The auditd service should be enabled if possible.

oval:org.secpod.oval:def:30634
The RPM package telnet-server should be removed.

oval:org.secpod.oval:def:30297
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".

oval:org.secpod.oval:def:30293
If user home directories will be stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later.

oval:org.secpod.oval:def:30431
Specify Additional Remote NTP Servers (/etc/ntp.conf) should be configured appropriately.

oval:org.secpod.oval:def:30550
The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0".

oval:org.secpod.oval:def:30586
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

oval:org.secpod.oval:def:30630
The telnet service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30502
The RPM package squid should be removed.

oval:org.secpod.oval:def:30617
The kernel module sctp should be disabled.

oval:org.secpod.oval:def:30373
The RPM package ypserv should be removed.

oval:org.secpod.oval:def:30546
The pcscd service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30307
IP forwarding should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30413
Look for argument "nousb" in the kernel line in /etc/grub.conf

oval:org.secpod.oval:def:30339
Record attempts to alter time through /etc/localtime

oval:org.secpod.oval:def:30616
The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.

oval:org.secpod.oval:def:30390
The oddjobd service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30414
Avahi should be configured to accept packets with a TTL field not equal to 255 or not as appropriate.

oval:org.secpod.oval:def:30347
The nosuid mount option should be set for temporary storage partitions such as /tmp. The suid/sgid permissions should not be required in these world-writable directories.

oval:org.secpod.oval:def:30343
Record Events that Modify the System's Discretionary Access Controls - chmod. The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:30571
The password minclass should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:30374
The ypbind service should be disabled if possible.

oval:org.secpod.oval:def:30371
The rlogin service should be disabled if possible.

oval:org.secpod.oval:def:30316
Syslog logs should be sent to a remote loghost

oval:org.secpod.oval:def:30549
The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0".

oval:org.secpod.oval:def:30462
A warning banner for all FTP users should be enabled or disabled as appropriate

oval:org.secpod.oval:def:30321
Test if HostLimit line in logwatch.conf is set appropriately. On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it is runni ...

oval:org.secpod.oval:def:30628
All password hashes should be shadowed.

oval:org.secpod.oval:def:30396
The rdisc service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30528
The SELinux in /etc/grub.conf should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:30484
The kernel module jffs2 should be disabled.

oval:org.secpod.oval:def:30501
The squid service should be disabled if possible.

CPE    1
cpe:/o:redhat:enterprise_linux:7
CCE    389
CCE-90627-1
CCE-90841-8
CCE-90969-7
CCE-90948-1
...
*XCCDF
xccdf_org.secpod_benchmark_general_RHEL_7

© 2013 SecPod Technologies