Introduction

Test Result

Result ID Profile Start time End time Benchmark Benchmark version
xccdf_org.open-scap_testresult_RHEL6-Default RHEL6-Default 2013-02-05 13:13 2013-02-05 13:27 embedded 0.2

Target info

Targets

  • rhel-6-openscap

Addresses

  • 127.0.0.1
  • 192.168.122.62
  • ::1
  • fe80::5054:ff:feaa:d217

Platforms

  • cpe:/o:redhat:enterprise_linux:6

Score

system score max % bar
urn:xccdf:scoring:default 91.03 100.00 91.03%
urn:xccdf:scoring:flat 680.00 740.00 91.89%

Results overview

Rule Results Summary

pass fixed fail error not selected not checked not applicable informational unknown total
68 0 6 0 69 0 0 0 0 143
Title Result
Red Hat GPG Keys are Installed pass
gpgcheck is Globally Activated pass
Package Signature Checking is Not Disabled For Any Repos fail
User ownership of 'shadow' file pass
Group ownership of 'shadow' file pass
User ownership of 'group' file pass
Group ownership of 'group' file pass
User ownership of 'gshadow' file pass
Group ownership of 'gshadow' file pass
User ownership of 'passwd' file pass
Group ownership of 'passwd' file pass
Permissions on 'shadow' file pass
Permissions on 'group' file pass
Permissions on 'gshadow' file pass
Permissions on 'passwd' file pass
All World-Writable Directories Have Sticky Bits Set fail
Unauthorized World-Writable Files fail
Unauthorized SGID System Executables pass
Unauthorized SUID System Executables fail
Files unowned by any user pass
Files unowned by any group pass
World writable directories not owned by a system account pass
Daemon umask setting pass
Disable Core Dumps for SUID programs pass
ExecShield is enabled (runtime) pass
ExecShield randomized placement of virtual memory regions is enabled (runtime) pass
Root logins to serial ports are not permited fail
The 'wheel' group should exist pass
No Accounts Have Empty Password Fields pass
All Account Password Hashes are Shadowed pass
No Non-Root Accounts Have UID 0 pass
Minimum password age pass
Maximum password age pass
Password warn age pass
Password retry Requirements pass
No Dangerous Directories Exist in Root's PATH variable pass
The PATH variable for root does not include any world-writable or group-writable directories pass
The default umask for all users is set correctly in /etc/bashrc pass
The default umask for all users is set correctly in /etc/csh.cshrc pass
The default umask for all users is set correctly in /etc/login.defs pass
No ~/.netrc files exist pass
Boot Loader user owner pass
Boot Loader group owner pass
Permissions on boot loader pass
SELinux should NOT be disabled in /boot/grub/grub.conf. pass
Proper SELinux state pass
Proper SELinux policy pass
Disable MCS Translation Service (mcstrans) if Possible pass
Accepting source routed packets for all interfaces is configured (runtime) pass
Accepting "secure" ICMP redirects for all interfaces is configured (runtime) pass
Logging of "martian" packets for all interfaces is configured (runtime) pass
Default accepting of source routed packets is configured (runtime) pass
Default accepting ICMP redirects is configured (runtime) pass
Default accepting of "secure" ICMP redirects is configured (runtime) pass
Default logging of "martian" packets for all interfaces is configured (runtime) pass
Ignoring ICMP echo requests is configured (runtime) pass
Ignoring bogus ICMP responses is configured (runtime) pass
Sending TCP syncookies is configured (runtime) pass
The default setting for performing source validation by reverse path is configured (runtime) pass
Configure number of sent router solicitations pass
Configure whether to accept router preference pass
Configure whether to accept path information pass
Configure whether to accept default router information pass
Configure whether to autoconfigure addresses pass
Configure number of duplicate address detection probes pass
Configure maximum number of autoconfigured addresses pass
ip6tables service is enabled pass
iptables service is enabled pass
Rsyslog service is enabled pass
User ownership of System Log Files pass
Group ownership of System Log Files pass
Rsyslog shouldn't be run in a compatibility mode fail
All Logs are Rotated by logrotate pass
Auditd service is enabled pass

Results details

Result for Red Hat GPG Keys are Installed

Result: pass

Rule ID: rule-1005

Time: 2013-02-05 13:13

The GPG keys should be installed.

Security identifiers

  • CCE-14440-2

Result for gpgcheck is Globally Activated

Result: pass

Rule ID: rule-1007

Time: 2013-02-05 13:13

The gpgcheck option should be used to ensure that checking of an RPM package’s signature always occurs prior to its installation.

To force yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Security identifiers

  • CCE-14914-6

Result for Package Signature Checking is Not Disabled For Any Repos

Result: fail

Rule ID: rule-1008

Time: 2013-02-05 13:13

To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere:

gpgcheck=0

Security identifiers

  • CCE-14813-0

Result for User ownership of 'shadow' file

Result: pass

Rule ID: rule-1010

Time: 2013-02-05 13:13

Severity: medium

The /etc/shadow file should be owned by root.

Security identifiers

  • CCE-3918-0

Result for Group ownership of 'shadow' file

Result: pass

Rule ID: rule-1011

Time: 2013-02-05 13:13

Severity: medium

The /etc/shadow file should be owned by root.

Security identifiers

  • CCE-3988-3

Result for User ownership of 'group' file

Result: pass

Rule ID: rule-1012

Time: 2013-02-05 13:13

Severity: medium

The /etc/group file should be owned by root.

Security identifiers

  • CCE-3276-3

Result for Group ownership of 'group' file

Result: pass

Rule ID: rule-1013

Time: 2013-02-05 13:13

Severity: medium

The /etc/group file should be owned by root.

Security identifiers

  • CCE-3883-6

Result for User ownership of 'gshadow' file

Result: pass

Rule ID: rule-1014

Time: 2013-02-05 13:13

Severity: medium

The /etc/gshadow file should be owned by root.

Security identifiers

  • CCE-4210-1

Result for Group ownership of 'gshadow' file

Result: pass

Rule ID: rule-1015

Time: 2013-02-05 13:13

Severity: medium

The /etc/gshadow file should be owned by root.

Security identifiers

  • CCE-4064-2

Result for User ownership of 'passwd' file

Result: pass

Rule ID: rule-1016

Time: 2013-02-05 13:13

Severity: medium

The /etc/passwd file should be owned by root.

Security identifiers

  • CCE-3958-6

Result for Group ownership of 'passwd' file

Result: pass

Rule ID: rule-1017

Time: 2013-02-05 13:13

Severity: medium

The /etc/passwd file should be owned by root.

Security identifiers

  • CCE-3495-9

Result for Permissions on 'shadow' file

Result: pass

Rule ID: rule-1018

Time: 2013-02-05 13:13

Severity: medium

File permissions for /etc/shadow should be set correctly.

Security identifiers

  • CCE-4130-1

Result for Permissions on 'group' file

Result: pass

Rule ID: rule-1019

Time: 2013-02-05 13:13

Severity: medium

File permissions for /etc/group should be set correctly.

Security identifiers

  • CCE-3967-7

Result for Permissions on 'gshadow' file

Result: pass

Rule ID: rule-1020

Time: 2013-02-05 13:13

Severity: medium

File permissions for /etc/gshadow should be set correctly.

Security identifiers

  • CCE-3932-1

Result for Permissions on 'passwd' file

Result: pass

Rule ID: rule-1021

Time: 2013-02-05 13:13

Severity: medium

File permissions for /etc/passwd should be set correctly.

Security identifiers

  • CCE-3566-7

Result for All World-Writable Directories Have Sticky Bits Set

Result: fail

Rule ID: rule-1022

Time: 2013-02-05 13:14

Severity: low

The sticky bit should be set for all world-writable directories.

Security identifiers

  • CCE-3399-3

Result for Unauthorized World-Writable Files

Result: fail

Rule ID: rule-1023

Time: 2013-02-05 13:15

Severity: medium

The world-write permission should be disabled for all files.

Security identifiers

  • CCE-3795-2

Result for Unauthorized SGID System Executables

Result: pass

Rule ID: rule-1024

Time: 2013-02-05 13:18

Severity: medium

The sgid bit should not be set for all files.

Security identifiers

  • CCE-14340-4

Result for Unauthorized SUID System Executables

Result: fail

Rule ID: rule-1025

Time: 2013-02-05 13:21

Severity: high

The suid bit should not be set for all files.

Security identifiers

  • CCE-14340-4

Result for Files unowned by any user

Result: pass

Rule ID: rule-1026

Time: 2013-02-05 13:23

Severity: medium

All files should be owned by a user

Security identifiers

  • CCE-4223-4

Result for Files unowned by any group

Result: pass

Rule ID: rule-1027

Time: 2013-02-05 13:27

Severity: medium

All files should be owned by a group

Security identifiers

  • CCE-3573-3

Result for World writable directories not owned by a system account

Result: pass

Rule ID: rule-1028

Time: 2013-02-05 13:27

Severity: medium

All world writable directories should be owned by a system user

Security identifiers

  • CCE-14794-2

Result for Daemon umask setting

Result: pass

Rule ID: rule-1029

Time: 2013-02-05 13:27

Severity: medium

The daemon umask should be set as appropriate

Security identifiers

  • CCE-4220-0

Result for Disable Core Dumps for SUID programs

Result: pass

Rule ID: rule-1031

Time: 2013-02-05 13:27

Severity: low

Core dumps for setuid programs should be disabled

Security identifiers

  • CCE-4247-3

Result for ExecShield is enabled (runtime)

Result: pass

Rule ID: rule-1032

Time: 2013-02-05 13:27

ExecShield should be enabled

Security identifiers

  • CCE-4168-1

Result for ExecShield randomized placement of virtual memory regions is enabled (runtime)

Result: pass

Rule ID: rule-1033

Time: 2013-02-05 13:27

ExecShield randomized placement of virtual memory regions should be enabled

Security identifiers

  • CCE-4146-7

Result for Root logins to serial ports are not permited

Result: fail

Rule ID: rule-1035

Time: 2013-02-05 13:27

Severity: medium

Root logins on serial ports should be disabled.

Security identifiers

  • CCE-4256-4

Result for The 'wheel' group should exist

Result: pass

Rule ID: rule-1036

Time: 2013-02-05 13:27

Severity: medium

Ensure that the group wheel exists

Security identifiers

  • CCE-14088-9

Result for No Accounts Have Empty Password Fields

Result: pass

Rule ID: rule-1039

Time: 2013-02-05 13:27

Severity: medium

Login access to accounts without passwords should be disabled

Security identifiers

  • CCE-4238-2

Result for All Account Password Hashes are Shadowed

Result: pass

Rule ID: rule-1040

Time: 2013-02-05 13:27

Severity: medium

Check that passwords are shadowed

Security identifiers

  • CCE-14300-8

Result for No Non-Root Accounts Have UID 0

Result: pass

Rule ID: rule-1041

Time: 2013-02-05 13:27

Severity: medium

Anonymous root logins should be disabled

Security identifiers

  • CCE-4009-7

Result for Minimum password age

Result: pass

Rule ID: rule-1042

Time: 2013-02-05 13:27

Severity: medium

The minimum password age should be set appropriately

Security identifiers

  • CCE-4180-6

Result for Maximum password age

Result: pass

Rule ID: rule-1043

Time: 2013-02-05 13:27

Severity: medium

The maximum password age should be set to: 180

Security identifiers

  • CCE-4092-3

Result for Password warn age

Result: pass

Rule ID: rule-1044

Time: 2013-02-05 13:27

Severity: medium

The password warn age should be set to: 7

Security identifiers

  • CCE-4097-2

Result for Password retry Requirements

Result: pass

Rule ID: rule-1045

Time: 2013-02-05 13:27

Severity: medium

The password retry should meet minimum requirements

Security identifiers

  • CCE-15054-0

Result for No Dangerous Directories Exist in Root's PATH variable

Result: pass

Rule ID: rule-1055

Time: 2013-02-05 13:27

Severity: medium

The PATH variable should be set correctly for user root

Security identifiers

  • CCE-3301-9

Result for The PATH variable for root does not include any world-writable or group-writable directories

Result: pass

Rule ID: rule-1056

Time: 2013-02-05 13:27

Severity: medium

Check each directory in root's path and make use it does not grant write permission to group and other

Security identifiers

  • CCE-14957-5

Result for The default umask for all users is set correctly in /etc/bashrc

Result: pass

Rule ID: rule-1059

Time: 2013-02-05 13:27

Severity: medium

The default umask for all users for the bash shell should be set to: 022

Security identifiers

  • CCE-3844-8

Result for The default umask for all users is set correctly in /etc/csh.cshrc

Result: pass

Rule ID: rule-1060

Time: 2013-02-05 13:27

Severity: medium

The default umask for all users for the csh shell should be set to: 022

Security identifiers

  • CCE-4227-5

Result for The default umask for all users is set correctly in /etc/login.defs

Result: pass

Rule ID: rule-1061

Time: 2013-02-05 13:27

Severity: medium

The default umask for all users should be set to: 077

Security identifiers

  • CCE-14107-7

Result for No ~/.netrc files exist

Result: pass

Rule ID: rule-1063

Time: 2013-02-05 13:27

Severity: medium

No user's home directory should contain a .netrc file

Result for Boot Loader user owner

Result: pass

Rule ID: rule-1064

Time: 2013-02-05 13:27

Severity: medium

Boot Loader configuration file should be owned by root.

Security identifiers

  • CCE-4144-2

Result for Boot Loader group owner

Result: pass

Rule ID: rule-1065

Time: 2013-02-05 13:27

Severity: medium

Boot Loader configuration file should be owned by group root.

Security identifiers

  • CCE-4197-0

Result for Permissions on boot loader

Result: pass

Rule ID: rule-1066

Time: 2013-02-05 13:27

Severity: medium

Boot Loader configuration file permissions should be set correctly.

Security identifiers

  • CCE-3923-0

Result for SELinux should NOT be disabled in /boot/grub/grub.conf.

Result: pass

Rule ID: rule-1079

Time: 2013-02-05 13:27

Severity: medium

SELinux should NOT be disabled in /boot/grub/grub.conf. Check that selinux=0 is not found

Security identifiers

  • CCE-3977-6

Result for Proper SELinux state

Result: pass

Rule ID: rule-1080

Time: 2013-02-05 13:27

Severity: medium

The SELinux state should be set appropriately

Security identifiers

  • CCE-3999-0

Result for Proper SELinux policy

Result: pass

Rule ID: rule-1081

Time: 2013-02-05 13:27

Severity: medium

The SELinux policy should be set appropriately.

Security identifiers

  • CCE-3624-4

Result for Disable MCS Translation Service (mcstrans) if Possible

Result: pass

Rule ID: rule-1083

Time: 2013-02-05 13:27

Severity: low

The mcstrans service should be disabled.

Security identifiers

  • CCE-3668-1

Result for Accepting source routed packets for all interfaces is configured (runtime)

Result: pass

Rule ID: rule-1087

Time: 2013-02-05 13:27

Severity: medium

Accepting source routed packets should be: 0 for all interfaces as appropriate.

Security identifiers

  • CCE-4236-6

Result for Accepting "secure" ICMP redirects for all interfaces is configured (runtime)

Result: pass

Rule ID: rule-1089

Time: 2013-02-05 13:27

Severity: medium

Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: 0 for all interfaces as appropriate.

Security identifiers

  • CCE-3472-8

Result for Logging of "martian" packets for all interfaces is configured (runtime)

Result: pass

Rule ID: rule-1090

Time: 2013-02-05 13:27

Severity: medium

Logging of "martian" packets (those with impossible addresses) should be: 0 for all interfaces as appropriate.

Security identifiers

  • CCE-4320-8

Result for Default accepting of source routed packets is configured (runtime)

Result: pass

Rule ID: rule-1091

Time: 2013-02-05 13:27

Severity: medium

The default setting for accepting source routed packets should be: 0 for all interfaces as appropriate.

Security identifiers

  • CCE-4091-5

Result for Default accepting ICMP redirects is configured (runtime)

Result: pass

Rule ID: rule-1092

Time: 2013-02-05 13:27

Severity: medium

The default setting for accepting ICMP redirects should be: 0 for all interfaces as appropriate.

Security identifiers

  • CCE-4186-3

Result for Default accepting of "secure" ICMP redirects is configured (runtime)

Result: pass

Rule ID: rule-1093

Time: 2013-02-05 13:27

Severity: medium

The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: 0 for all interfaces as appropriate.

Security identifiers

  • CCE-3339-9

Result for Default logging of "martian" packets for all interfaces is configured (runtime)

Result: pass

Rule ID: rule-1094

Time: 2013-02-05 13:27

Severity: medium

Logging of "martian" packets (those with impossible addresses) should be: 0 for all interfaces as appropriate.

Result for Ignoring ICMP echo requests is configured (runtime)

Result: pass

Rule ID: rule-1095

Time: 2013-02-05 13:27

Severity: medium

Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be: 1 for all interfaces as appropriate.

Security identifiers

  • CCE-3644-2

Result for Ignoring bogus ICMP responses is configured (runtime)

Result: pass

Rule ID: rule-1096

Time: 2013-02-05 13:27

Severity: medium

Ignoring bogus ICMP responses to broadcasts should be: 1 for all interfaces as appropriate.

Security identifiers

  • CCE-4133-5

Result for Sending TCP syncookies is configured (runtime)

Result: pass

Rule ID: rule-1097

Time: 2013-02-05 13:27

Severity: medium

Sending TCP syncookies should be: 1 for all interfaces as appropriate.

Security identifiers

  • CCE-4265-5

Result for The default setting for performing source validation by reverse path is configured (runtime)

Result: pass

Rule ID: rule-1099

Time: 2013-02-05 13:27

Severity: medium

The default setting for performing source validation by reverse path should be: 1 for all interfaces as appropriate.

Security identifiers

  • CCE-3840-6

Result for Configure number of sent router solicitations

Result: pass

Rule ID: rule-1103

Time: 2013-02-05 13:27

Severity: medium

The default number of sent router solicitations should be: 0 for all interfaces.

Result for Configure whether to accept router preference

Result: pass

Rule ID: rule-1104

Time: 2013-02-05 13:27

Severity: medium

Router preference should be accepted by default: 0

Result for Configure whether to accept path information

Result: pass

Rule ID: rule-1105

Time: 2013-02-05 13:27

Severity: medium

Path information should be accepted by default: 0

Result for Configure whether to accept default router information

Result: pass

Rule ID: rule-1106

Time: 2013-02-05 13:27

Severity: medium

Default router information should be accepted by default: 0

Result for Configure whether to autoconfigure addresses

Result: pass

Rule ID: rule-1107

Time: 2013-02-05 13:27

Severity: medium

Addresses should be autoconfigured by default: 0

Result for Configure number of duplicate address detection probes

Result: pass

Rule ID: rule-1108

Time: 2013-02-05 13:27

Severity: medium

Number of duplicate address detection probes should be by default: 0

Result for Configure maximum number of autoconfigured addresses

Result: pass

Rule ID: rule-1109

Time: 2013-02-05 13:27

Severity: medium

Maximum number of autoconfigured addresses be by default: 1

Result for ip6tables service is enabled

Result: pass

Rule ID: rule-1111

Time: 2013-02-05 13:27

Severity: high

The ip6tables service should be enabled.

Security identifiers

  • CCE-4167-3

Result for iptables service is enabled

Result: pass

Rule ID: rule-1112

Time: 2013-02-05 13:27

Severity: high

The iptables service should be enabled.

Security identifiers

  • CCE-4189-7

Result for Rsyslog service is enabled

Result: pass

Rule ID: rule-1120

Time: 2013-02-05 13:27

Severity: medium

The rsyslog service should be enabled.

Security identifiers

  • CCE-3679-8

Result for User ownership of System Log Files

Result: pass

Rule ID: rule-1121

Time: 2013-02-05 13:27

Severity: medium

All syslog log files should be owned by user 0.

Security identifiers

  • CCE-4366-1

Result for Group ownership of System Log Files

Result: pass

Rule ID: rule-1122

Time: 2013-02-05 13:27

Severity: medium

All syslog log files should be group owned group 0.

Security identifiers

  • CCE-3701-0

Result for Rsyslog shouldn't be run in a compatibility mode

Result: fail

Rule ID: rule-1125

Time: 2013-02-05 13:27

Severity: medium

An appropriate compatibility mode, that matches the daemons current version should be specified using the SYSLOGD_OPTION variable in /etc/sysconfig/rsyslog.

Result for All Logs are Rotated by logrotate

Result: pass

Rule ID: rule-1126

Time: 2013-02-05 13:27

Severity: medium

The logrotate (syslog rotater) service should be enabled.

Security identifiers

  • CCE-4182-2

Result for Auditd service is enabled

Result: pass

Rule ID: rule-1127

Time: 2013-02-05 13:27

Severity: medium

The auditd service should be enabled.

Security identifiers

  • CCE-4292-9