STIGQter: STIG Summary

Solaris 10 SPARC Security Technical Implementation Guide

Version: 2

Release: 2

Benchmark Date: 22 Jan 2021

Name | Title
SV-220017r603265_rule | The ASET master files must be located in the /usr/aset/masters directory.
SV-220018r603265_rule | The asetenv file YPCHECK variable must be set to true when NIS+ is configured.
SV-220019r603265_rule | The system must require authentication upon booting into single-user and maintenance modes.
SV-220020r603265_rule | Direct logins must not be permitted to shared, default, application, or utility accounts.
SV-220021r603265_rule | The system must disable accounts after three consecutive unsuccessful login attempts.
SV-220022r603265_rule | The delay between login prompts following a failed login attempt must be at least 4 seconds.
SV-220023r603265_rule | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment.
SV-220024r603265_rule | Accounts must be locked upon 35 days of inactivity.
SV-220025r603265_rule | The root account must be the only account having a UID of 0.
SV-220026r603265_rule | The root account must not have world-writable directories in its executable search path.
SV-220028r603265_rule | Library files must have mode 0755 or less permissive.
SV-220029r603265_rule | All interactive users' home directories must be owned by their respective users.
SV-220030r603265_rule | All interactive users' home directories must be group-owned by the home directory owner's primary group.
SV-220031r603265_rule | All global initialization files must have mode 0644 or less permissive.
SV-220032r603265_rule | All global initialization files must be owned by root.
SV-220033r603265_rule | All global initialization files must be group-owned by root, sys, or bin.
SV-220034r603265_rule | Global initialization files must contain the mesg -n or mesg n commands.
SV-220035r603265_rule | Local initialization files must be group-owned by the user's primary group or root.
SV-220036r603265_rule | Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
SV-220037r603265_rule | The system must not be configured for network bridging.
SV-220038r603265_rule | The portmap or rpcbind service must not be running unless needed.
SV-220039r603265_rule | The rsh daemon must not be running.
SV-220040r603265_rule | The rlogind service must not be running.
SV-220041r603265_rule | Network analysis tools must not be installed.
SV-220043r603265_rule | The hosts.lpd (or equivalent) file must be group-owned by root, bin, or sys.
SV-220045r603265_rule | The aliases file must be group-owned by root, sys, smmsp, or bin.
SV-220046r603265_rule | The SMTP service HELP command must not be enabled.
SV-220047r603265_rule | The SMTP service's SMTP greeting must not provide version information.
SV-220048r603265_rule | The system must not use .forward files.
SV-220049r603265_rule | The SMTP service must be an up-to-date version.
SV-220050r603265_rule | The Sendmail server must have the debug feature disabled.
SV-220051r603265_rule | The SMTP service must not have a uudecode alias active.
SV-220052r603265_rule | The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
SV-220053r603265_rule | The system must not be used as a syslog server (log host) for systems external to the enclave.
SV-220054r603265_rule | The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
SV-220055r603265_rule | The SSH daemon must be configured to only use the SSHv2 protocol.
SV-220056r603265_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router.
SV-220057r603265_rule | The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
SV-220058r603265_rule | The NFS server must be configured to restrict file system access to local hosts.
SV-220059r603265_rule | The system must not have a public Instant Messaging (IM) client installed.
SV-220060r603265_rule | The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
SV-220061r603265_rule | The system must have a host-based intrusion detection tool installed.
SV-220062r603265_rule | The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
SV-220063r603265_rule | The system package management tool must be used to verify system software periodically.
SV-220064r603265_rule | The system must use an access control program.
SV-220065r603265_rule | The system's access control program must be configured to grant or deny system access to specific hosts.
SV-220066r603265_rule | Wireless network adapters must be disabled.
SV-220067r603265_rule | The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
SV-220068r603265_rule | If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
SV-220069r603265_rule | The system must not use removable media as the boot loader.
SV-226405r603265_rule | The nosuid option must be configured in the /etc/rmmount.conf file.
SV-226406r603265_rule | The /etc/security/audit_user file must not define a different auditing level for specific users.
SV-226407r603265_rule | The /etc/security/audit_user file must be owned by root.
SV-226408r603265_rule | The /etc/security/audit_user file must be group-owned by root, sys, or bin.
SV-226409r603265_rule | The /etc/security/audit_user file must have mode 0640 or less permissive.
SV-226410r603265_rule | The /etc/security/audit_user file must not have an extended ACL.
SV-226411r603265_rule | The /usr/aset/masters/uid_aliases must be empty.
SV-226412r603265_rule | If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv.
SV-226413r603265_rule | The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct.
SV-226414r603265_rule | The /usr/aset/userlist file must exist.
SV-226415r603265_rule | The /usr/aset/userlist file must be owned by root.
SV-226416r603265_rule | The /usr/aset/userlist file must be group-owned by root.
SV-226417r603265_rule | The /usr/aset/userlist file must have mode 0600 or less permissive.
SV-226418r603265_rule | The /usr/aset/userlist file must not have an extended ACL.
SV-226419r603265_rule | The Solaris system EEPROM security-mode parameter must be set to full or command mode.
SV-226420r603265_rule | The NFS server must have logging implemented.
SV-226421r603265_rule | Hidden extended file attributes must not exist on the system.
SV-226422r603265_rule | The root account must be the only account with GID of 0.
SV-226423r603265_rule | The /etc/zones directory, and its contents, must be owned by root.
SV-226424r603265_rule | The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
SV-226425r603265_rule | The /etc/zones directory, and its contents, must not be group- or world-writable.
SV-226426r603265_rule | The /etc/zones directory, and its contents, must not have an extended ACL.
SV-226427r603265_rule | The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.
SV-226428r603265_rule | The limitpriv zone option must be set to the vendor default or less permissive.
SV-226429r603265_rule | The physical devices must not be assigned to non-global zones.
SV-226430r603265_rule | The operating system must be a supported release.
SV-226431r603265_rule | System security patches and updates must be installed and up-to-date.
SV-226432r603265_rule | A file integrity baseline must be created and maintained.
SV-226433r603265_rule | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
SV-226434r603265_rule | The system clock must be synchronized to an authoritative DoD time source.
SV-226435r603265_rule | The system clock must be synchronized continuously.
SV-226436r603265_rule | The system must use at least two time sources for clock synchronization.
SV-226437r603265_rule | The system must use time sources local to the enclave.
SV-226438r603265_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
SV-226439r603265_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
SV-226440r603265_rule | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
SV-226441r603265_rule | The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
SV-226442r603265_rule | The system must not have unnecessary accounts.
SV-226443r603265_rule | All accounts on the system must have unique user or account names.
SV-226444r603265_rule | All accounts must be assigned unique User Identification Numbers (UIDs).
SV-226445r603265_rule | UIDs reserved for system accounts must not be assigned to non-system accounts.
SV-226446r603265_rule | GIDs reserved for system accounts must not be assigned to non-system groups.
SV-226447r603265_rule | All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
SV-226448r603265_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
SV-226449r603265_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-226450r603265_rule | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-226451r603265_rule | Successful and unsuccessful logins and logouts must be logged.
SV-226452r603265_rule | The system must display the date and time of the last successful account login upon login.
SV-226453r603265_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
SV-226454r603265_rule | The root user must not own the logon session for an application requiring a continuous display.
SV-226455r603265_rule | Users must not be able to change passwords more than once every 24 hours.
SV-226456r603265_rule | The system must not have accounts configured with blank or null passwords.
SV-226457r603265_rule | The system must require passwords to contain a minimum of 15 characters.
SV-226458r603265_rule | The system must enforce compliance of the entire password during authentication.
SV-226459r603265_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
SV-226460r603265_rule | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-226461r603265_rule | The system must require passwords to contain at least one uppercase alphabetic character.
SV-226462r603265_rule | The system must require passwords to contain at least one numeric character.
SV-226463r603265_rule | The system must require passwords to contain at least one special character.
SV-226464r603265_rule | The system must require passwords to contain no more than three consecutive repeating characters.
SV-226465r603265_rule | User passwords must be changed at least every 60 days.
SV-226466r603265_rule | All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
SV-226467r603265_rule | The system must require at least eight characters be changed between the old and new passwords during a password change.
SV-226468r603265_rule | The system must prevent the use of dictionary words for passwords.
SV-226469r603265_rule | The system must prohibit the reuse of passwords within five iterations.
SV-226470r603265_rule | The system must restrict the ability to switch to the root user to members of a defined group.
SV-226471r603265_rule | The root user's home directory must not be the root directory (/).
SV-226472r603265_rule | The root account's home directory (other than /) must have mode 0700.
SV-226473r603265_rule | The root account's home directory must not have an extended ACL.
SV-226474r603265_rule | The root account's executable search path must contain only authorized paths.
SV-226475r603265_rule | The root account's library search path must be the system default and must contain only absolute paths.
SV-226476r603265_rule | The root account's list of preloaded libraries must be empty.
SV-226477r603265_rule | The system must prevent the root account from directly logging in except from the system console.
SV-226478r603265_rule | Remote consoles must be disabled or protected from unauthorized access.
SV-226479r603265_rule | The root account must not be used for direct logins.
SV-226480r603265_rule | The system must log successful and unsuccessful access to the root account.
SV-226481r603265_rule | The root shell must be located in the / file system.
SV-226482r603265_rule | Root passwords must never be passed over a network in clear text form.
SV-226483r603265_rule | The system must not permit root logins using remote access programs such as SSH.
SV-226484r603265_rule | System files and directories must not have uneven access permissions.
SV-226485r603265_rule | All files and directories must have a valid owner.
SV-226486r603265_rule | All files and directories must have a valid group-owner.
SV-226487r603265_rule | All network services daemon files must have mode 0755 or less permissive.
SV-226488r603265_rule | All network services daemon files must not have extended ACLs.
SV-226489r603265_rule | All system command files must have mode 755 or less permissive.
SV-226490r603265_rule | All system command files must not have extended ACLs.
SV-226491r603265_rule | All system files, programs, and directories must be owned by a system account.
SV-226492r603265_rule | System files, programs, and directories must be group-owned by a system group.
SV-226493r603265_rule | System log files must have mode 0640 or less permissive.
SV-226494r603265_rule | System log files must not have extended ACLs, except as needed to support authorized software.
SV-226495r603265_rule | Manual page files must have mode 0655 or less permissive.
SV-226496r603265_rule | All manual page files must not have extended ACLs.
SV-226497r603265_rule | All library files must not have extended ACLs.
SV-226498r603265_rule | NIS/NIS+/yp files must be owned by root, sys, or bin.
SV-226499r603265_rule | NIS/NIS+/yp files must be group-owned by root, sys, or bin.
SV-226500r603265_rule | The NIS/NIS+/yp command files must have mode 0755 or less permissive.
SV-226501r603265_rule | NIS/NIS+/yp command files must not have extended ACLs.
SV-226502r603265_rule | The /etc/resolv.conf file must be owned by root.
SV-226503r603265_rule | The /etc/resolv.conf file must be group-owned by root, bin, or sys.
SV-226504r603265_rule | The /etc/resolv.conf file must have mode 0644 or less permissive.
SV-226505r603265_rule | The /etc/resolv.conf file must not have an extended ACL.
SV-226506r603265_rule | The /etc/hosts file must be owned by root.
SV-226507r603265_rule | The /etc/hosts file must be group-owned by root, bin, or sys.
SV-226508r603265_rule | The /etc/hosts file must have mode 0644 or less permissive.
SV-226509r603265_rule | The /etc/hosts file must not have an extended ACL.
SV-226510r603265_rule | The /etc/nsswitch.conf file must be owned by root.
SV-226511r603265_rule | The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
SV-226512r603265_rule | The /etc/nsswitch.conf file must have mode 0644 or less permissive.
SV-226513r603265_rule | The /etc/nsswitch.conf file must not have an extended ACL.
SV-226514r603265_rule | The /etc/passwd file must be owned by root.
SV-226515r603265_rule | The /etc/passwd file must be group-owned by root, bin, or sys.
SV-226516r603265_rule | The /etc/passwd file must have mode 0644 or less permissive.
SV-226517r603265_rule | The /etc/passwd file must not have an extended ACL.
SV-226518r603265_rule | The /etc/group file must be owned by root.
SV-226519r603265_rule | The /etc/group file must be group-owned by root, bin, or sys.
SV-226520r603265_rule | The /etc/group file must have mode 0644 or less permissive.
SV-226521r603265_rule | The /etc/group file must not have an extended ACL.
SV-226522r603265_rule | The /etc/shadow (or equivalent) file must be owned by root.
SV-226523r603265_rule | The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
SV-226524r603265_rule | The /etc/shadow (or equivalent) file must have mode 0400.
SV-226525r603265_rule | The /etc/shadow file must not have an extended ACL.
SV-226526r603265_rule | All interactive users must be assigned a home directory in the /etc/passwd file.
SV-226527r603265_rule | All interactive user home directories defined in the /etc/passwd file must exist.
SV-226528r603265_rule | The /etc/passwd file must not contain password hashes.
SV-226529r603265_rule | The /etc/group file must not contain any group password hashes.
SV-226530r603265_rule | All users' home directories must have mode 0750 or less permissive.
SV-226531r603265_rule | Users' home directories must not have extended ACLs.
SV-226532r603265_rule | All files and directories contained in interactive users' home directories must be owned by the home directory's owner.
SV-226533r603265_rule | All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
SV-226534r603265_rule | All files and directories contained in users' home directories must have mode 0750 or less permissive.
SV-226535r603265_rule | All files and directories contained in user home directories must not have extended ACLs.
SV-226536r603265_rule | All run control scripts must have mode 0755 or less permissive.
SV-226537r603265_rule | All run control scripts must have no extended ACLs.
SV-226538r603265_rule | Run control scripts' executable search paths must contain only authorized paths.
SV-226539r603265_rule | Run control scripts' lists of preloaded libraries must contain only authorized paths.
SV-226540r603265_rule | Run control scripts' lists of preloaded libraries must contain only authorized paths.
SV-226541r603265_rule | Run control scripts must not execute world-writable programs or scripts.
SV-226542r603265_rule | All system start-up files must be owned by root.
SV-226543r603265_rule | All system start-up files must be group-owned by root, sys, or bin.
SV-226544r603265_rule | System start-up files must only execute programs owned by a privileged UID or an application.
SV-226545r603265_rule | All global initialization files must not have extended ACLs.
SV-226546r603265_rule | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
SV-226547r603265_rule | Skeleton files must not have extended ACLs.
SV-226548r603265_rule | All skeleton files and directories (typically in /etc/skel) must be owned by root.
SV-226549r603265_rule | All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
SV-226550r603265_rule | All global initialization files' executable search paths must contain only authorized paths.
SV-226551r603265_rule | Global initialization files' library search paths must contain only authorized paths.
SV-226552r603265_rule | Global initialization files' lists of preloaded libraries must contain only authorized paths.
SV-226553r603265_rule | All local initialization files must be owned by the user or root.
SV-226554r603265_rule | All local initialization files must have mode 0740 or less permissive.
SV-226555r603265_rule | Local initialization files must not have extended ACLs.
SV-226556r603265_rule | All local initialization files' executable search paths must contain only authorized paths.
SV-226557r603265_rule | Local initialization files' library search paths must contain only authorized paths.
SV-226558r603265_rule | Local initialization files' lists of preloaded libraries must contain only authorized paths.
SV-226559r603265_rule | User start-up files must not execute world-writable programs.
SV-226560r603265_rule | The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
SV-226561r603265_rule | There must be no .netrc files on the system.
SV-226562r603265_rule | All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
SV-226563r603265_rule | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
SV-226564r603265_rule | All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
SV-226565r603265_rule | The .rhosts file must not be supported in PAM.
SV-226566r603265_rule | The /etc/shells (or equivalent) file must exist.
SV-226567r603265_rule | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SV-226568r603265_rule | All shell files must be owned by root or bin.
SV-226569r603265_rule | All shell files must be group-owned by root, bin, or sys.
SV-226570r603265_rule | All shell files must have mode 0755 or less permissive.
SV-226571r603265_rule | All shell files must not have extended ACLs.
SV-226572r603265_rule | The system must be checked for extraneous device files at least weekly.
SV-226573r603265_rule | Device files and directories must only be writable by users with a system account or as configured by the vendor.
SV-226574r603265_rule | Device files used for backup must only be readable and/or writable by root or the backup user.
SV-226575r603265_rule | Audio devices must have mode 0660 or less permissive.
SV-226576r603265_rule | Audio devices must not have extended ACLs.
SV-226577r603265_rule | Audio devices must be owned by root.
SV-226578r603265_rule | Audio devices must be group-owned by root, sys, or bin.
SV-226579r603265_rule | The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
SV-226580r603265_rule | The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files.
SV-226581r603265_rule | The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures.
SV-226582r603265_rule | The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files.
SV-226583r603265_rule | Public directories must be the only world-writable directories and world-writable files must be located only in public directories.
SV-226584r603265_rule | The sticky bit must be set on all public directories.
SV-226585r603265_rule | All public directories must be owned by root or an application account.
SV-226586r603265_rule | All public directories must be group-owned by root or an application group.
SV-226587r603265_rule | The system and user default umask must be 077.
SV-226588r603265_rule | Default system accounts must be disabled or removed.
SV-226589r603265_rule | Auditing must be implemented.
SV-226590r603265_rule | System audit logs must be owned by root.
SV-226591r603265_rule | System audit logs must be group-owned by root, bin, or sys.
SV-226592r603265_rule | System audit logs must have mode 0640 or less permissive.
SV-226593r603265_rule | All system audit files must not have extended ACLs.
SV-226594r603265_rule | System audit tool executables must be owned by root.
SV-226595r603265_rule | System audit tool executables must be group-owned by root, bin, or sys.
SV-226596r603265_rule | System audit tool executables must have mode 0750 or less permissive.
SV-226597r603265_rule | System audit tool executables must not have extended ACLs.
SV-226598r603265_rule | The audit system must alert the SA in the event of an audit processing failure.
SV-226599r603265_rule | The audit system must be configured to audit failed attempts to access files and programs.
SV-226600r603265_rule | The audit system must alert the SA when the audit storage volume approaches its capacity.
SV-226601r603265_rule | The audit system must be configured to audit file deletions.
SV-226602r603265_rule | The audit system must be configured to audit account creation.
SV-226603r603265_rule | The audit system must be configured to audit account modification.
SV-226604r603265_rule | The audit system must be configured to audit account disabling.
SV-226605r603265_rule | The audit system must be configured to audit account termination.
SV-226606r603265_rule | The audit system must be configured to audit all administrative, privileged, and security actions.
SV-226607r603265_rule | The audit system must be configured to audit login, logout, and session initiation.
SV-226608r603265_rule | The audit system must be configured to audit all discretionary access control permission modifications.
SV-226609r603265_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-226610r603265_rule | Audit logs must be rotated daily.
SV-226611r603265_rule | The system must be configured to send audit records to a remote audit server.
SV-226612r603265_rule | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
SV-226613r603265_rule | The cron.allow file must have mode 0600 or less permissive.
SV-226614r603265_rule | The cron.allow file must not have an extended ACL.
SV-226615r603265_rule | Cron must not execute group-writable or world-writable programs.
SV-226616r603265_rule | Cron must not execute programs in, or subordinate to, world-writable directories.
SV-226617r603265_rule | Crontabs must be owned by root or the crontab creator.
SV-226618r603265_rule | Crontab files must be group-owned by root, sys, or the crontab creator's primary group.
SV-226619r603265_rule | Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
SV-226620r603265_rule | Crontab files must have mode 0600 or less permissive.
SV-226621r603265_rule | Crontab files must not have extended ACLs.
SV-226622r603265_rule | Cron and crontab directories must have mode 0755 or less permissive.
SV-226623r603265_rule | Cron and crontab directories must not have extended ACLs.
SV-226624r603265_rule | Cron and crontab directories must be owned by root or bin.
SV-226625r603265_rule | Cron and crontab directories must be group-owned by root, sys, or bin.
SV-226626r603265_rule | Cron logging must be implemented.
SV-226627r603265_rule | The cronlog file must have mode 0600 or less permissive.
SV-226628r603265_rule | The cron log files must not have extended ACLs.
SV-226629r603265_rule | The cron.deny file must have mode 0600 or less permissive.
SV-226630r603265_rule | The cron.deny file must not have an extended ACL.
SV-226631r603265_rule | Cron programs must not set the umask to a value less restrictive than 077.
SV-226632r603265_rule | The cron.allow file must be owned by root, bin, or sys.
SV-226633r603265_rule | The at.allow file must not have an extended ACL.
SV-226634r603265_rule | The cron.allow file must be group-owned by root, bin, or sys.
SV-226635r603265_rule | The at.deny file must have mode 0600 or less permissive.
SV-226857r603265_rule | The at.deny file must not have an extended ACL.
SV-226858r603265_rule | The cron.deny file must be owned by root, bin, or sys.
SV-226859r603265_rule | The cron.deny file must be group-owned by root, bin, or sys.
SV-226860r603265_rule | Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
SV-226861r603265_rule | The at.deny file must not be empty if it exists.
SV-226862r603265_rule | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
SV-226863r603265_rule | The at.allow file must have mode 0600 or less permissive.
SV-226864r603265_rule | The "at" daemon must not execute group-writable or world-writable programs.
SV-226865r603265_rule | The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
SV-226866r603265_rule | The "at" directory must have mode 0755 or less permissive.
SV-226867r603265_rule | The "at" directory must not have an extended ACL.
SV-226868r603265_rule | The "at" directory must be owned by root, bin, or sys.
SV-226869r603265_rule | The "at" directory must be group-owned by root, bin, or sys.
SV-226870r603265_rule | "At" jobs must not set the umask to a value less restrictive than 077.
SV-226871r603265_rule | The at.allow file must be owned by root, bin, or sys.
SV-226872r603265_rule | The at.allow file must be group-owned by root, bin, or sys.
SV-226873r603265_rule | The at.deny file must be owned by root, bin, or sys.
SV-226874r603265_rule | The at.deny file must be group-owned by root, bin, or sys.
SV-226875r603265_rule | Process core dumps must be disabled unless needed.
SV-226876r603265_rule | The system must be configured to store any process core dumps in a specific, centralized directory.
SV-226877r603265_rule | The centralized process core dump data directory must be owned by root.
SV-226878r603265_rule | The centralized process core dump data directory must be group-owned by root, bin, or sys.
SV-226879r603265_rule | The centralized process core dump data directory must have mode 0700 or less permissive.
SV-226880r603265_rule | The centralized process core dump data directory must not have an extended ACL.
SV-226881r603265_rule | Kernel core dumps must be disabled unless needed.
SV-226882r603265_rule | The kernel core dump data directory must be owned by root.
SV-226883r603265_rule | The kernel core dump data directory must be group-owned by root.
SV-226884r603265_rule | The kernel core dump data directory must have mode 0700 or less permissive.
SV-226885r603265_rule | The kernel core dump data directory must not have an extended ACL.
SV-226886r603265_rule | The system must implement non-executable program stacks.
SV-226887r603265_rule | The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
SV-226888r603265_rule | The system must not forward IPv4 source-routed packets.
SV-226889r603265_rule | TCP backlog queue sizes must be set appropriately.
SV-226890r603265_rule | The system must not process ICMP timestamp requests.
SV-226891r603265_rule | The system must not respond to ICMPv4 echoes sent to a broadcast address.
SV-226892r603265_rule | The system must not respond to ICMP timestamp requests sent to a broadcast address.
SV-226893r603265_rule | The system must not apply reversed source routing to TCP responses.
SV-226894r603265_rule | The system must prevent local applications from generating source-routed packets.
SV-226895r603265_rule | The system must not accept source-routed IPv4 packets.
SV-226896r603265_rule | Proxy ARP must not be enabled on the system.
SV-226897r603265_rule | The system must ignore IPv4 ICMP redirect messages.
SV-226898r603265_rule | The system must not send IPv4 ICMP redirects.
SV-226899r603265_rule | The system must log martian packets.
SV-226900r603265_rule | A separate file system must be used for user home directories (such as /home or equivalent).
SV-226901r603265_rule | The system must use a separate file system for the system audit data path.
SV-226902r603265_rule | The system must use a separate filesystem for /tmp (or equivalent).
SV-226903r603265_rule | The root file system must employ journaling or another mechanism ensuring file system consistency.
SV-226904r603265_rule | All local file systems must employ journaling or another mechanism ensuring file system consistency.
SV-226905r603265_rule | The system must log authentication informational data.
SV-226906r603265_rule | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
SV-226907r603265_rule | The inetd.conf file must be owned by root or bin.
SV-226908r603265_rule | The inetd.conf file must be group-owned by root, bin, or sys.
SV-226909r603265_rule | The inetd.conf file must have mode 0440 or less permissive.
SV-226910r603265_rule | The inetd.conf file must not have extended ACLs.
SV-226911r603265_rule | The services file must be owned by root or bin.
SV-226912r603265_rule | The services file must be group-owned by root, bin, or sys.
SV-226913r603265_rule | The services file must have mode 0444 or less permissive.
SV-226914r603265_rule | The services file must not have an extended ACL.
SV-226915r603265_rule | Inetd or xinetd logging/tracing must be enabled.
SV-226916r603265_rule | The portmap or rpcbind service must not be installed unless needed.
SV-226917r603265_rule | The rshd service must not be installed.
SV-226918r603265_rule | The rlogind service must not be installed.
SV-226919r603265_rule | The rexec daemon must not be running.
SV-226920r603265_rule | The rexecd service must not be installed.
SV-226921r603265_rule | The telnet daemon must not be running.
SV-226922r603265_rule | The system must not have the finger service active.
SV-226923r603265_rule | The hosts.lpd file (or equivalent) must not contain a "+" character.
SV-226924r603265_rule | The hosts.lpd (or equivalent) file must not have an extended ACL.
SV-226925r603265_rule | The traceroute command owner must be root.
SV-226926r603265_rule | The traceroute command must be group-owned by sys, bin, or root.
SV-226927r603265_rule | The traceroute file must have mode 0700 or less permissive.
SV-226928r603265_rule | The traceroute file must not have an extended ACL.
SV-226929r603265_rule | Administrative accounts must not run a web browser, except as needed for local service administration.
SV-226930r603265_rule | The alias file must be owned by root.
SV-226931r603265_rule | The alias file must have mode 0644 or less permissive.
SV-226932r603265_rule | The alias file must not have an extended ACL.
SV-226933r603265_rule | Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
SV-226934r603265_rule | Files executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys.
SV-226935r603265_ruleFiles executed through a mail aliases file must not have extended ACLs.
SV-226936r603265_ruleSendmail logging must not be set to less than nine in the sendmail.cf file.
SV-226937r603265_ruleThe system syslog service must log informational and more severe SMTP service messages.
SV-226938r603265_ruleThe SMTP service log file must be owned by root.
SV-226939r603265_ruleThe SMTP service log file must have mode 0644 or less permissive.
SV-226940r603265_ruleThe SMTP service log file must not have an extended ACL.
SV-226941r603265_ruleThe SMTP service must not have the EXPN feature active.
SV-226942r603265_ruleThe SMTP service must not have the VRFY feature active.
SV-226943r603265_ruleThe Sendmail service must not have the wizard backdoor active.
SV-226944r603265_ruleMail relaying must be restricted.
SV-226945r603265_ruleUnencrypted FTP must not be used on the system.
SV-226946r603265_ruleAnonymous FTP must not be active on the system unless authorized.
SV-226947r603265_ruleIf the system is an anonymous FTP server, it must be isolated to the DMZ network.
SV-226948r603265_ruleThe ftpusers file must exist.
SV-226949r603265_ruleThe ftpusers file must contain account names not allowed to use FTP.
SV-226950r603265_ruleThe ftpusers file must be owned by root.
SV-226951r603265_ruleThe ftpusers file must be group-owned by root, bin, or sys.
SV-226952r603265_ruleThe ftpusers file must have mode 0640 or less permissive.
SV-226953r603265_ruleThe ftpusers file must not have an extended ACL.
SV-226954r603265_ruleThe FTP daemon must be configured for logging or verbose mode.
SV-226955r603265_ruleAnonymous FTP accounts must not have a functional shell.
SV-226956r603265_ruleThe anonymous FTP account must be configured to use chroot or a similarly isolated environment.
SV-226957r603265_ruleAll FTP users must have a default umask of 077.
SV-226958r603265_ruleThe TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
SV-226959r603265_ruleThe TFTP daemon must have mode 0755 or less permissive.
SV-226960r603265_ruleAny active TFTP daemon must be authorized and approved in the system accreditation package.
SV-226961r603265_ruleAny X Windows host must write .Xauthority files.
SV-226962r603265_ruleAll .Xauthority files must have mode 0600 or less permissive.
SV-226963r603265_ruleThe .Xauthority files must not have extended ACLs.
SV-226964r603265_ruleX displays must not be exported to the world.
SV-226965r603265_rule.Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
SV-226966r603265_ruleThe .Xauthority utility must only permit access to authorized hosts.
SV-226967r603265_ruleX Window System connections that are not required must be disabled.
SV-226968r603265_ruleThe system must not have the UUCP service active.
SV-226969r603265_ruleSNMP communities, users, and passphrases must be changed from the default.
SV-226970r603265_ruleThe SNMP service must use only SNMPv3 or its successors.
SV-226971r603265_ruleThe snmpd.conf file must have mode 0600 or less permissive.
SV-226972r603265_ruleManagement Information Base (MIB) files must have mode 0640 or less permissive.
SV-226973r603265_ruleManagement Information Base (MIB) files must not have extended ACLs.
SV-226974r603265_ruleThe snmpd.conf files must be owned by root.
SV-226975r603265_ruleThe snmpd.conf file must be group-owned by root, sys, or bin.
SV-226976r603265_ruleThe snmpd.conf file must not have an extended ACL.
SV-226977r603265_ruleIf the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
SV-226978r603265_ruleThe /etc/syslog.conf file must have mode 0640 or less permissive.
SV-226979r603265_ruleThe /etc/syslog.conf file must not have an extended ACL.
SV-226980r603265_ruleThe /etc/syslog.conf file must be owned by root.
SV-226981r603265_ruleThe /etc/syslog.conf file must be group-owned by root, bin, or sys.
SV-226982r603265_ruleThe system must use a remote syslog server (log host).
SV-226983r603265_ruleThe system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
SV-226984r603265_ruleThe SSH client must be configured to only use the SSHv2 protocol.
SV-226985r603265_ruleThe SSH daemon must only listen on management network addresses unless authorized for uses other than management.
SV-226986r603852_ruleThe operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
SV-226987r603265_ruleThe SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
SV-226988r603265_ruleThe SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-226989r603265_ruleThe SSH client must be configured to only use FIPS 140-2 approved ciphers.
SV-226990r603265_ruleThe SSH client must be configured to not use CBC-based ciphers.
SV-226991r603265_ruleThe SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-226992r603265_ruleThe SSH daemon must restrict login ability to specific users and/or groups.
SV-226993r603265_ruleThe SSH public host key files must have mode 0644 or less permissive.
SV-226994r603265_ruleThe SSH private host key files must have mode 0600 or less permissive.
SV-226995r603265_ruleThe SSH daemon must not permit GSSAPI authentication unless needed.
SV-226996r603265_ruleThe SSH client must not permit GSSAPI authentication unless needed.
SV-226997r603265_ruleThe SSH daemon must perform strict mode checking of home directory configuration files.
SV-226998r603265_ruleThe SSH daemon must not allow rhosts RSA authentication.
SV-226999r603265_ruleThe SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-227000r603265_ruleThe SSH daemon must be configured for IP filtering.
SV-227001r603265_ruleThe SSH daemon must be configured with the Department of Defense (DoD) login banner.
SV-227002r603265_ruleThe system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
SV-227003r603265_ruleThe system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-227004r603265_ruleA system used for routing must not run other network services or applications.
SV-227005r603265_ruleThe system must not be running any routing protocol daemons, unless the system is a router.
SV-227006r603265_ruleThe NFS export configuration file must be owned by root.
SV-227007r603265_ruleThe NFS export configuration file must be group-owned by root, bin, or sys.
SV-227008r603265_ruleThe NFS export configuration file must have mode 0644 or less permissive.
SV-227009r603265_ruleThe NFS exports configuration file must not have an extended ACL.
SV-227010r603265_ruleAll NFS-exported system files and system directories must be owned by root.
SV-227011r603265_ruleAll NFS exported system files and system directories must be group-owned by root, bin, or sys.
SV-227012r603265_ruleThe NFS anonymous UID and GID must be configured to values that have no permissions.
SV-227013r603265_rule	The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not be set to none.
SV-227014r603265_rule	The NFS server must not allow remote root access.
SV-227015r603265_rule	The nosuid option must be enabled on all NFS client mounts.
SV-227016r603265_rule	The system must not have any peer-to-peer file-sharing application installed.
SV-227017r603265_rule	The system must not run Samba unless needed.
SV-227018r603265_rule	The smb.conf file must be owned by root.
SV-227019r603265_rule	The smb.conf file must be group-owned by root, bin, or sys.
SV-227020r603265_rule	The smb.conf file must have mode 0644 or less permissive.
SV-227021r603265_rule	The smb.conf file must not have an extended ACL.
SV-227022r603265_rule	The smbpasswd file must be owned by root.
SV-227023r603265_rule	The smbpasswd file must be group-owned by root.
SV-227024r603265_rule	The smbpasswd file must have mode 0600 or less permissive.
SV-227025r603265_rule	The smbpasswd file must not have an extended ACL.
SV-227026r603265_rule	The smb.conf file must use the hosts option to restrict access to Samba.
SV-227027r603265_rule	Samba must be configured to use an authentication mechanism other than "share."
SV-227028r603265_rule	Samba must be configured to use encrypted passwords.
SV-227029r603265_rule	Samba must be configured to not allow guest access to shares.
SV-227030r603265_rule	The system must not run an Internet Network News (INN) server.
SV-227031r603265_rule	The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
SV-227032r603265_rule	The /etc/news/hosts.nntp file must not have an extended ACL.
SV-227033r603265_rule	The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
SV-227034r603265_rule	The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
SV-227035r603265_rule	The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
SV-227036r603265_rule	The /etc/news/nnrp.access file must not have an extended ACL.
SV-227037r603265_rule	The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
SV-227038r603265_rule	The /etc/news/passwd.nntp file must not have an extended ACL.
SV-227039r603265_rule	Files in /etc/news must be owned by root.
SV-227040r603265_rule	The files in /etc/news must be group-owned by root.
SV-227041r603265_rule	The system must not use UDP for NIS/NIS+.
SV-227042r603265_rule	The Network Information System (NIS) protocol must not be used.
SV-227043r603265_rule	NIS maps must be protected through hard-to-guess domain names.
SV-227044r603265_rule	Any NIS+ server must be operating at security level 2.
SV-227045r603265_rule	The file integrity tool must be configured to verify ACLs.
SV-227046r603265_rule	The file integrity tool must be configured to verify extended attributes.
SV-227047r603265_rule	The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
SV-227048r603265_rule	The system's access control program must log each system access attempt.
SV-227049r603265_rule	The system must use a virus scan program.
SV-227050r603265_rule	The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
SV-227051r603265_rule	The Transparent Inter-Process Communication (TIPC) protocol must be disabled or not installed.
SV-227052r603265_rule	The system must not have 6to4 enabled.
SV-227053r603265_rule	The system must not have IP tunnels configured.
SV-227054r603265_rule	The DHCP client must be disabled if not needed.
SV-227055r603265_rule	The system must ignore IPv6 ICMP redirect messages.
SV-227056r603265_rule	The system must not send IPv6 ICMP redirects.
SV-227057r603265_rule	The system must not forward IPv6 source-routed packets.
SV-227058r603265_rule	The system must not respond to ICMPv6 echo requests sent to a broadcast address.
SV-227059r603265_rule	If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SV-227060r603265_rule	If the system is using LDAP for authentication or account information, the LDAP client configuration file must have mode 0600 or less permissive.
SV-227061r603265_rule	If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
SV-227062r603265_rule	If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
SV-227063r603265_rule	If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
SV-227064r603265_rule	If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
SV-227065r603265_rule	If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, or sys.
SV-227066r603265_rule	If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
SV-227067r603265_rule	Automated file system mounting tools must not be enabled unless needed.
SV-227068r603265_rule	The system must have USB disabled unless needed.
SV-227069r603265_rule	The system must have USB Mass Storage disabled unless needed.
SV-227070r603265_rule	The system must have IEEE 1394 (Firewire) disabled unless needed.
SV-227071r603265_rule	The system must employ a local firewall.
SV-227072r603265_rule	The system's local firewall must implement a deny-all, allow-by-exception policy.
SV-227073r603265_rule	The system must be configured to only boot from the system boot device.
SV-227074r603265_rule	System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
SV-227075r603265_rule	If the system boots from removable media, it must be stored in a safe or similarly secured container.
SV-227076r603265_rule	The system package management tool must cryptographically verify the authenticity of software packages during installation.
SV-227077r603265_rule	The system package management tool must not automatically obtain updates.
SV-227078r603265_rule	The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-227079r603265_rule	The hosts.lpd (or equivalent) file must be owned by root.
SV-227080r603265_rule	The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
SV-233302r603286_rule	X11 forwarding for SSH must be disabled.
SV-233304r603292_rule	The sshd server must bind the X11 forwarding server to the loopback address.