Check: OL6-00-000347
Oracle Linux 6 STIG: OL6-00-000347 (in versions v2 r7 through v1 r9)
Title
There must be no .netrc files on the system. (Cat II impact)
Discussion
Unencrypted passwords for remote FTP servers may be stored in ".netrc" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.
Check Content
To check the system for the existence of any ".netrc" files, run the following command:

$ sudo find /root /home -xdev -name .netrc

If any .netrc files exist, this is a finding.
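The check above searches only /root and /home. As an added example (not part of the STIG text), the function below goes one step further and inspects every home directory listed in the passwd file, reporting each ".netrc" with its mode and whether it holds a password token, without printing the secret. The function name `audit_netrc` and its optional passwd-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit every passwd home directory
# for a .netrc file. The name audit_netrc and the optional passwd-file
# argument are hypothetical; the argument lets the function be run
# against constructed data instead of /etc/passwd.

# audit_netrc [passwd_file]
# Prints "<path> mode=<octal> password=<yes|no>" for each .netrc found.
# Returns 1 when at least one file exists (a finding), 0 otherwise.
audit_netrc() {
    passwd_file=${1:-/etc/passwd}
    report=$(
        # Field 6 of passwd is the home directory; skip empty and "/".
        awk -F: '$6 != "" && $6 != "/" { print $6 }' "$passwd_file" |
        sort -u |
        while IFS= read -r home; do
            f="$home/.netrc"
            # Count dangling symlinks too: the name itself is the finding.
            [ -e "$f" ] || [ -L "$f" ] || continue
            # stat -c is the GNU coreutils form used on Oracle Linux.
            mode=$(stat -c '%a' "$f" 2>/dev/null || echo unknown)
            # Report only that a password token is present, never its value.
            if grep -Eq '(^|[[:space:]])password[[:space:]]' "$f" 2>/dev/null
            then
                has_pw=yes
            else
                has_pw=no
            fi
            printf '%s mode=%s password=%s\n' "$f" "$mode" "$has_pw"
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run `audit_netrc` as root so that every home directory is readable; a non-zero return status corresponds to a finding under this check.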
Fix Text
The ".netrc" files contain login information used to log in automatically to FTP servers and reside in the user's home directory. These files may contain unencrypted passwords for remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any ".netrc" files should be removed.
Additional Identifiers
Rule ID: SV-209049r793770_rule
Vulnerability ID: V-209049
Group Title: SRG-OS-000073
CCIs
Number | Definition |
---|---|
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |