Red Hat Enterprise Linux AS 3.0
The system must not have accounts configured with blank or null passwords. If an account has an empty password, anyone could log in and run commands with the privileges of that account.

The TFTP daemon must operate in secure mode, which provides access only to a single directory on the host file system. Using the "-s" option causes the TFTP service to serve files only from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should.

The NFS server must not have the insecure file locking option enabled. Allowing insecure file locking could allow sensitive data to be viewed or edited by an unauthorized user.

The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher.

Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. The Red Hat GPG keys are necessary to cryptographically verify that packages are from Red Hat.

The SSH daemon must be configured to use only the SSHv2 protocol. SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

The system must not have .rhosts or hosts.equiv files on the system. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

The Red Hat Enterprise Linux operating system must not contain .shosts and shosts.equiv files. The .shosts and shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system.

The rsh-server package must not be installed. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. The rsh, rlogin, and rexec services all use unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen.

The telnet-server package must not be installed. The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen. Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only.

Findings (MAC III - Administrative Sensitive)
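The findings above (blank passwords, TFTP secure mode, NFS insecure locking, SSHv2 only, R-service and SSH trust files, obsolete service packages) each reduce to a file or package check that an auditor can script. The following shell script is an added example written for this page; it is not part of the STIG, DISA, or Red Hat tooling. Every check takes the path(s) it examines as arguments, so it can run against a live host or against a copied configuration tree. The sample configuration it builds under a temporary directory is constructed for the demonstration (not captured from a real host) and contains one deliberate finding per check. File locations follow the usual RHEL layout for xinetd-managed TFTP (/etc/xinetd.d/tftp) and NFS (/etc/exports); adjust the arguments if your host differs.

```shell
#!/bin/sh
# stig_checks.sh: offline checks for several findings above (added example; not
# from the STIG, DISA, or Red Hat). Each check takes the path(s) it examines as
# arguments. Return code 0 = compliant, 1 = finding (details printed), 2 = could not check.

# Blank passwords: an empty second field in a shadow-format file. Locked
# accounts ("!", "!!", "*") are not blank and are not reported.
check_empty_passwords() {           # $1 = /etc/shadow or a copy
    awk -F: '$2 == "" { print "empty password: " $1 }' "$1" | grep . && return 1
    return 0
}

# SSHv2 only: the first active Protocol directive wins (as in sshd itself).
# A missing directive is reported because the rule wants an explicit "Protocol 2".
check_ssh_protocol() {              # $1 = sshd_config or a copy
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    [ -z "$proto" ] && { echo "no Protocol directive (want 'Protocol 2')"; return 1; }
    case ",$proto," in
        *,1,*) echo "SSHv1 enabled: Protocol $proto"; return 1 ;;
    esac
    return 0
}

# TFTP secure mode: the xinetd service file must pass "-s <dir>" (or --secure)
# in server_args. Bundled flags such as "-cs" are not recognised here.
check_tftp_secure() {               # $1 = /etc/xinetd.d/tftp or a copy
    args=$(awk -F= '$1 ~ /^[ \t]*server_args[ \t]*$/ { print $2; exit }' "$1")
    case " $args " in
        *" -s "*|*" --secure "*) return 0 ;;
    esac
    echo "tftp not in secure mode: server_args='$args'"; return 1
}

# NFS insecure locking: "insecure_locks" (alias "no_auth_nlm") on any active export line.
check_nfs_locking() {               # $1 = /etc/exports or a copy
    grep -v '^[[:space:]]*#' "$1" | grep -nE 'insecure_locks|no_auth_nlm' && return 1
    return 0
}

# R-service and SSH host-based trust files anywhere under the given directories.
check_trust_files() {               # $@ = directories, e.g. /etc /root /home
    found=$(find "$@" \( -name .rhosts -o -name .shosts -o -name hosts.equiv \
                        -o -name shosts.equiv \) -type f 2>/dev/null)
    [ -n "$found" ] && { echo "$found" | sed 's/^/trust file: /'; return 1; }
    return 0
}

# Obsolete service packages; live host only, since it needs rpm.
check_packages_absent() {           # $@ = package names, e.g. rsh-server telnet-server
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; not checked"; return 2; }
    rc=0
    for p in "$@"; do
        rpm -q "$p" >/dev/null 2>&1 && { echo "installed: $p"; rc=1; }
    done
    return $rc
}

# Constructed sample configuration tree (not captured from a real host) with
# one deliberate finding per check, so the script demonstrates itself offline.
make_samples() {                    # $1 = directory to populate
    mkdir -p "$1/etc/ssh" "$1/etc/xinetd.d" "$1/home/alice"
    printf 'root:$6$abc:18000:0:99999:7:::\nguest::18000:0:99999:7:::\nbin:*:18000:0:99999:7:::\n' > "$1/etc/shadow"
    printf '# Protocol 2\nProtocol 2,1\nPermitRootLogin no\n' > "$1/etc/ssh/sshd_config"
    printf 'service tftp\n{\n\tserver_args\t\t= -c /var/lib/tftpboot\n\tdisable\t\t\t= no\n}\n' > "$1/etc/xinetd.d/tftp"
    printf '# exports\n/srv/share 10.0.0.0/24(rw,sync,insecure_locks)\n' > "$1/etc/exports"
    printf '+ +\n' > "$1/home/alice/.rhosts"
}

SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
make_samples "$SAMPLES"
check_empty_passwords "$SAMPLES/etc/shadow"       || echo "-> finding: blank password"
check_ssh_protocol "$SAMPLES/etc/ssh/sshd_config" || echo "-> finding: SSHv1 allowed"
check_tftp_secure "$SAMPLES/etc/xinetd.d/tftp"    || echo "-> finding: tftp not in secure mode"
check_nfs_locking "$SAMPLES/etc/exports"          || echo "-> finding: NFS insecure locking"
check_trust_files "$SAMPLES/etc" "$SAMPLES/home"  || echo "-> finding: trust files present"
```

On a live host, point the checks at the real paths (for example `check_trust_files /etc /root /home` and `check_packages_absent rsh-server telnet-server`) and treat any non-zero return as an open finding. The checks deliberately read configuration rather than probe running services, so they say nothing about whether xinetd or nfs-server is actually enabled; pair them with a service-state check before closing a finding.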