Tri-Lab Operating System Stack STIG V2R3

STIG ID         Title
TOSS-04-010000  TOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system.
TOSS-04-010010  TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
TOSS-04-010020  TOSS, for PKI-based authentication, must enforce authorized access to the corresponding private key.
TOSS-04-010030  TOSS must require authentication upon booting into emergency or rescue modes.
TOSS-04-010040  TOSS must not permit direct logons to the root account using remote access from outside of the system via SSH.
TOSS-04-010050  The TOSS file system automounter must be disabled unless required.
TOSS-04-010060  The TOSS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
TOSS-04-010070  The TOSS pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
TOSS-04-010080  The TOSS operating system must implement DoD-approved encryption in the OpenSSL package.
TOSS-04-010090  TOSS must use a Linux Security Module configured to enforce limits on system services.
TOSS-04-010100  TOSS must prevent unauthorized and unintended information transfer via shared system resources.
TOSS-04-010110  The TOSS operating system must be configured to use TCP syncookies.
TOSS-04-010120  TOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system via an SSH logon.
TOSS-04-010140  The TOSS operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
TOSS-04-010150  The TOSS operating system must implement DoD-approved TLS encryption in the GnuTLS package.
TOSS-04-010160  The TOSS SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
TOSS-04-010170  The TOSS operating system must be configured to preserve log records from failure events.
TOSS-04-010180  TOSS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
TOSS-04-010210  The TOSS file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
TOSS-04-010220  TOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
TOSS-04-010230  TOSS must require reauthentication when using the "sudo" command.
TOSS-04-010240  TOSS must have the packages required for multifactor authentication installed.
TOSS-04-010250  TOSS must prohibit the use of cached authentications after one day.
TOSS-04-010280  All TOSS networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
TOSS-04-010330  For TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
TOSS-04-010340  The debug-shell systemd service must be disabled on TOSS.
TOSS-04-010350  The root account must be the only account having unrestricted access to the TOSS system.
TOSS-04-010360  The systemd Ctrl-Alt-Delete burst key sequence in TOSS must be disabled.
TOSS-04-010370  There must be no ".shosts" files on the TOSS operating system.
TOSS-04-010380  TOSS must not allow blank or null passwords in the system-auth file.
TOSS-04-010390  TOSS must not be performing packet forwarding unless the system is a router.
TOSS-04-010400  The TOSS SSH daemon must not allow authentication using known host's authentication.
TOSS-04-010410  The TOSS SSH daemon must not allow compression or must only allow compression after successful authentication.
TOSS-04-010420  The TOSS SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
TOSS-04-010430  TOSS must not allow an unattended or automatic logon to the system.
TOSS-04-020000  TOSS must enforce the limit of five consecutive invalid logon attempts by a user during a 15-minute time period.
TOSS-04-020010  TOSS must limit the number of concurrent sessions to 256 for all accounts and/or account types.
TOSS-04-020020  TOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
TOSS-04-020030  TOSS must automatically lock graphical user sessions after 15 minutes of inactivity.
TOSS-04-020050  TOSS must map the authenticated identity to the user or group account for PKI-based authentication.
TOSS-04-020060  TOSS duplicate User IDs (UIDs) must not exist for interactive users.
TOSS-04-020070  TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts.
TOSS-04-020120  TOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
TOSS-04-020140  TOSS must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
TOSS-04-020150  TOSS must reveal error messages only to authorized users.
TOSS-04-020160  TOSS must protect wireless access to the system using authentication of users and/or devices.
TOSS-04-020170  TOSS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
TOSS-04-020180  TOSS must require users to reauthenticate for privilege escalation.
TOSS-04-020190  TOSS must require users to provide a password for privilege escalation.
TOSS-04-020200  All TOSS local interactive user accounts must be assigned a home directory upon creation.
TOSS-04-020210  All TOSS local interactive user home directories must be group-owned by the home directory owner's primary group.
TOSS-04-020230  All TOSS local interactive users must have a home directory assigned in the /etc/passwd file.
TOSS-04-020240  The x86 Ctrl-Alt-Delete key sequence in TOSS must be disabled if a graphical user interface is installed.
TOSS-04-020250  TOSS must disable the user list at logon for graphical user interfaces.
TOSS-04-020260  TOSS must display the date and time of the last successful account logon upon an SSH logon.
TOSS-04-020270  TOSS must not allow accounts configured with blank or null passwords.
TOSS-04-020280  TOSS must not have unnecessary accounts.
TOSS-04-020290  TOSS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
TOSS-04-020300  All TOSS local interactive user home directories must have mode 0770 or less permissive.
TOSS-04-020310  All TOSS local interactive user home directories must be owned by root.
TOSS-04-020320  All TOSS local interactive user home directories must be owned by the user's primary group.
TOSS-04-030000  TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
TOSS-04-030010  TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.
TOSS-04-030060  TOSS must generate audit records containing the full-text recording of privileged commands.
TOSS-04-030080  TOSS must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
TOSS-04-030090  TOSS must take appropriate action when an audit processing failure occurs.
TOSS-04-030120  TOSS audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
TOSS-04-030130  TOSS audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
TOSS-04-030140  TOSS audit logs must be owned by user root to prevent unauthorized read access.
TOSS-04-030150  TOSS audit logs must be owned by group root to prevent unauthorized read access.
TOSS-04-030160  TOSS audit log directory must be owned by user root to prevent unauthorized read access.
TOSS-04-030170  TOSS audit log directory must be owned by group root to prevent unauthorized read access.
TOSS-04-030180  The TOSS audit system must protect auditing rules from unauthorized change.
TOSS-04-030190  The TOSS audit system must protect logon UIDs from unauthorized change.
TOSS-04-030310  Successful/unsuccessful uses of the "chage" command in TOSS must generate an audit record.
TOSS-04-030320  Successful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record.
TOSS-04-030330  Successful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record.
TOSS-04-030340  Successful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record.
TOSS-04-030350  Successful/unsuccessful uses of postdrop in TOSS must generate an audit record.
TOSS-04-030360  Successful/unsuccessful uses of postqueue in TOSS must generate an audit record.
TOSS-04-030370  Successful/unsuccessful uses of setsebool in TOSS must generate an audit record.
TOSS-04-030380  Successful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record.
TOSS-04-030390  Successful/unsuccessful uses of the "setfacl" command in TOSS must generate an audit record.
TOSS-04-030400  Successful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record.
TOSS-04-030410  Successful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record.
TOSS-04-030420  Successful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record.
TOSS-04-030430  Successful/unsuccessful uses of the "rename" command in TOSS must generate an audit record.
TOSS-04-030440  Successful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record.
TOSS-04-030450  Successful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record.
TOSS-04-030460  Successful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record.
TOSS-04-030470  Successful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record.
TOSS-04-030480  Successful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record.
TOSS-04-030490  Successful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record.
TOSS-04-030500  Successful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record.
TOSS-04-030510  Successful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record.
TOSS-04-030520  Successful/unsuccessful uses of setfiles in TOSS must generate an audit record.
TOSS-04-030540  Successful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record.
TOSS-04-030550  TOSS must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
TOSS-04-030560  Successful/unsuccessful uses of the chmod system call in TOSS must generate an audit record.
TOSS-04-030570  Successful/unsuccessful uses of the chown system call in TOSS must generate an audit record.
TOSS-04-030580  Successful/unsuccessful uses of the creat system call in TOSS must generate an audit record.
TOSS-04-030590  Successful/unsuccessful uses of the fchmod system call in TOSS must generate an audit record.
TOSS-04-030600  Successful/unsuccessful uses of the fchmodat system call in TOSS must generate an audit record.
TOSS-04-030610  Successful/unsuccessful uses of the fchown system call in TOSS must generate an audit record.
TOSS-04-030620  Successful/unsuccessful uses of the fchownat system call in TOSS must generate an audit record.
TOSS-04-030630  Successful/unsuccessful uses of the ftruncate system call in TOSS must generate an audit record.
TOSS-04-030640  Successful/unsuccessful uses of the lchown system call in TOSS must generate an audit record.
TOSS-04-030650  Successful/unsuccessful uses of the open system call in TOSS must generate an audit record.
TOSS-04-030660  Successful/unsuccessful uses of the open_by_handle_at system call in TOSS must generate an audit record.
TOSS-04-030670  Successful/unsuccessful uses of the openat system call in TOSS must generate an audit record.
TOSS-04-030680  Successful/unsuccessful uses of the truncate system call in TOSS must generate an audit record.
TOSS-04-030750  TOSS audit tools must be owned by "root".
TOSS-04-030780  TOSS must use cryptographic mechanisms to protect the integrity of audit tools.
TOSS-04-030790  TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
TOSS-04-030800  TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
TOSS-04-030810  TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
TOSS-04-030820  TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".
TOSS-04-030840  TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
TOSS-04-030850  TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".
TOSS-04-030860  The TOSS audit system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.
TOSS-04-030890  TOSS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
TOSS-04-030900  The TOSS audit records must be offloaded onto a different system or storage media from the system being audited.
TOSS-04-030910  TOSS must label all off-loaded audit logs before sending them to the central log server.
TOSS-04-030990  The TOSS audit system must be configured to audit any usage of the "fsetxattr" system call.
TOSS-04-031000  The TOSS audit system must be configured to audit any usage of the "lsetxattr" system call.
TOSS-04-031100  Successful/unsuccessful uses of the fremovexattr system call in TOSS must generate an audit record.
TOSS-04-031110  Successful/unsuccessful uses of the "lremovexattr" system call in TOSS must generate an audit record.
TOSS-04-031120  Successful/unsuccessful uses of the "removexattr" system call in TOSS must generate an audit record.
TOSS-04-031130  Successful/unsuccessful modifications to the "lastlog" file in TOSS must generate an audit record.
TOSS-04-031140  Successful/unsuccessful uses of "semanage" in TOSS must generate an audit record.
TOSS-04-031150  Successful/unsuccessful uses of the "gpasswd" command in TOSS must generate an audit record.
TOSS-04-031160  Successful/unsuccessful uses of the "mount" command in TOSS must generate an audit record.
TOSS-04-031170  Successful/unsuccessful uses of the "mount" syscall in TOSS must generate an audit record.
TOSS-04-031180  Successful/unsuccessful uses of the "su" command in TOSS must generate an audit record.
TOSS-04-031190  Successful/unsuccessful uses of the "umount" command in TOSS must generate an audit record.
TOSS-04-031200  Successful/unsuccessful uses of the "unix_update" in TOSS must generate an audit record.
TOSS-04-031210  Successful/unsuccessful uses of the "usermod" command in TOSS must generate an audit record.
TOSS-04-031220  Successful/unsuccessful uses of "unix_chkpwd" in TOSS must generate an audit record.
TOSS-04-031230  Successful/unsuccessful uses of "userhelper" in TOSS must generate an audit record.
TOSS-04-031240  Successful/unsuccessful uses of the "kmod" command in TOSS must generate an audit record.
TOSS-04-031340  The auditd service must be running in TOSS.
TOSS-04-031350  The TOSS audit system must audit local events.
TOSS-04-031360  TOSS must resolve audit information before writing to disk.
TOSS-04-031370  TOSS must have the packages required for offloading audit logs installed.
TOSS-04-031380  TOSS must have the packages required for encrypting offloaded audit logs installed.
TOSS-04-040010  TOSS must monitor remote access methods.
TOSS-04-040020  TOSS must force a frequent session key renegotiation for SSH connections by the client.
TOSS-04-040030  TOSS must force a frequent session key renegotiation for SSH connections to the server.
TOSS-04-040040  TOSS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
TOSS-04-040050  TOSS must enforce password complexity by requiring that at least one uppercase character be used.
TOSS-04-040060  TOSS must enforce password complexity by requiring that at least one lowercase character be used.
TOSS-04-040070  TOSS must enforce password complexity by requiring that at least one numeric character be used.
TOSS-04-040080  TOSS must require the change of at least eight characters when passwords are changed.
TOSS-04-040090  TOSS must store only encrypted representations of passwords.
TOSS-04-040100  TOSS must not have the rsh-server package installed.
TOSS-04-040110  TOSS must enforce 24 hours/one day as the minimum password lifetime.
TOSS-04-040120  TOSS must enforce a 60-day maximum password lifetime restriction.
TOSS-04-040140  TOSS must enforce a minimum 15-character password length.
TOSS-04-040150  TOSS must cover or disable the built-in or attached camera when not in use.
TOSS-04-040160  TOSS must disable IEEE 1394 (FireWire) Support.
TOSS-04-040170  TOSS must disable mounting of cramfs.
TOSS-04-040180  TOSS must disable network management of the chrony daemon.
TOSS-04-040190  TOSS must disable the asynchronous transfer mode (ATM) protocol.
TOSS-04-040200  TOSS must disable the controller area network (CAN) protocol.
TOSS-04-040210  TOSS must disable the stream control transmission (SCTP) protocol.
TOSS-04-040220  TOSS must disable the transparent inter-process communication (TIPC) protocol.
TOSS-04-040230  TOSS must not have any automated bug reporting tools installed.
TOSS-04-040250  TOSS must not have the sendmail package installed.
TOSS-04-040260  TOSS must not have the telnet-server package installed.
TOSS-04-040270  TOSS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
TOSS-04-040280  TOSS must be configured to disable USB mass storage.
TOSS-04-040290  TOSS must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
TOSS-04-040310  TOSS must have policycoreutils package installed.
TOSS-04-040330  All TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
TOSS-04-040340  TOSS must limit privileges to change software resident within software libraries.
TOSS-04-040350  TOSS must enforce password complexity by requiring that at least one special character be used.
TOSS-04-040370  A firewall must be installed on TOSS.
TOSS-04-040390  TOSS must take appropriate action when the internal event queue is full.
TOSS-04-040420  TOSS must accept Personal Identity Verification (PIV) credentials.
TOSS-04-040440  TOSS must implement DoD-approved encryption in the OpenSSL package.
TOSS-04-040480  A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring TOSS can implement rate-limiting measures on impacted network interfaces.
TOSS-04-040490  TOSS must implement non-executable data to protect its memory from unauthorized code execution.
TOSS-04-040500  YUM must remove all software components after updated versions have been installed on TOSS.
TOSS-04-040510  TOSS must enable the "SELinux" targeted policy.
TOSS-04-040540  TOSS must prevent the use of dictionary words for passwords.
TOSS-04-040550  TOSS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
TOSS-04-040560  A File Transfer Protocol (FTP) server package must not be installed unless mission essential on TOSS.
TOSS-04-040570  All TOSS local files and directories must have a valid group owner.
TOSS-04-040580  All TOSS local files and directories must have a valid owner.
TOSS-04-040590  Cron logging must be implemented in TOSS.
TOSS-04-040600  If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.
TOSS-04-040610  The graphical display manager must not be installed on TOSS unless approved.
TOSS-04-040630  The TOSS file integrity tool must be configured to verify Access Control Lists (ACLs).
TOSS-04-040640  The TOSS file integrity tool must be configured to verify extended attributes.
TOSS-04-040650  The TOSS SSH daemon must perform strict mode checking of home directory configuration files.
TOSS-04-040660  The TOSS SSH private host key files must have mode 0600 or less permissive.
TOSS-04-040670  The TOSS SSH public host key files must have mode 0644 or less permissive.
TOSS-04-040680  The x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS.
TOSS-04-040690  TOSS must be a vendor-supported release.
TOSS-04-040700  TOSS must be configured to prevent unrestricted mail relaying.
TOSS-04-040710  TOSS must define default permissions for logon and non-logon shells.
TOSS-04-040720  TOSS must disable access to network bpf syscall from unprivileged processes.
TOSS-04-040730  TOSS must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
TOSS-04-040740  TOSS must enable the hardware random number generator entropy gatherer service.
TOSS-04-040750  TOSS must ensure the SSH server uses strong entropy.
TOSS-04-040760  TOSS must have the packages required to use the hardware random number generator entropy gatherer service.
TOSS-04-040770  TOSS must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
TOSS-04-040780  TOSS must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
TOSS-04-040790  TOSS must not accept router advertisements on all IPv6 interfaces by default.
TOSS-04-040800  TOSS must not accept router advertisements on all IPv6 interfaces.
TOSS-04-040810  TOSS must not allow blank or null passwords in the password-auth file.
TOSS-04-040820  TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
TOSS-04-040830  TOSS must not forward IPv4 source-routed packets by default.
TOSS-04-040840  TOSS must not forward IPv4 source-routed packets.
TOSS-04-040850  TOSS must not forward IPv6 source-routed packets by default.
TOSS-04-040860  TOSS must not forward IPv6 source-routed packets.
TOSS-04-040870  TOSS must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
TOSS-04-040880  TOSS must not send Internet Control Message Protocol (ICMP) redirects.
TOSS-04-040890  TOSS must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
TOSS-04-040900  TOSS must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
TOSS-04-040910  TOSS must restrict exposed kernel pointer addresses access.
TOSS-04-040920  TOSS must restrict privilege elevation to authorized personnel.
TOSS-04-040930  TOSS must use reverse path filtering on all IPv4 interfaces.
TOSS-04-040940  TOSS network interfaces must not be in promiscuous mode.
TOSS-04-040950  TOSS must enable kernel parameters to enforce discretionary access control on symlinks.
TOSS-04-040960  TOSS must enable kernel parameters to enforce discretionary access control on hardlinks.