STIGQter: STIG Summary

Solaris 10 X86 Security Technical Implementation Guide

Version: 2
Release: 2
Benchmark Date: 22 Jan 2021

Name | Title
SV-220070r603266_rule | The ASET master files must be located in the /usr/aset/masters directory.
SV-220071r603266_rule | The asetenv file YPCHECK variable must be set to true when NIS+ is configured.
SV-220072r603266_rule | The system must require authentication upon booting into single-user and maintenance modes.
SV-220073r603266_rule | Direct logins must not be permitted to shared, default, application, or utility accounts.
SV-220074r603266_rule | The system must disable accounts after three consecutive unsuccessful login attempts.
SV-220075r603266_rule | The delay between login prompts following a failed login attempt must be at least 4 seconds.
SV-220076r603266_rule | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment.
SV-220077r603266_rule | Accounts must be locked upon 35 days of inactivity.
SV-220078r603266_rule | The root account must be the only account having an UID of 0.
SV-220079r603266_rule | The root account must not have world-writable directories in its executable search path.
SV-220081r603266_rule | Library files must have mode 0755 or less permissive.
SV-220082r603266_rule | All interactive user's home directories must be owned by their respective users.
SV-220083r603266_rule | All interactive user's home directories must be group-owned by the home directory owner's primary group.
SV-220084r603266_rule | All global initialization files must have mode 0644 or less permissive.
SV-220085r603266_rule | All global initialization files must be owned by root.
SV-220086r603266_rule | All global initialization files must be group-owned by root, sys, or bin.
SV-220087r603266_rule | Global initialization files must contain the mesg -n or mesg n commands.
SV-220088r603266_rule | Local initialization files must be group-owned by the user's primary group or root.
SV-220089r603266_rule | Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
SV-220090r603266_rule | The system must not be configured for network bridging.
SV-220091r603266_rule | The portmap or rpcbind service must not be running unless needed.
SV-220092r603266_rule | The rsh daemon must not be running.
SV-220093r603266_rule | The rlogind service must not be running.
SV-220094r603266_rule | Network analysis tools must not be installed.
SV-220096r603266_rule | The hosts.lpd (or equivalent) file must be group-owned by root, bin, or sys.
SV-220098r603266_rule | The aliases file must be group-owned by root, sys, smmsp, or bin.
SV-220099r603266_rule | The SMTP service HELP command must not be enabled.
SV-220100r603266_rule | The SMTP services SMTP greeting must not provide version information.
SV-220101r603266_rule | The system must not use .forward files.
SV-220102r603266_rule | The SMTP service must be an up-to-date version.
SV-220103r603266_rule | The Sendmail server must have the debug feature disabled.
SV-220104r603266_rule | The SMTP service must not have a uudecode alias active.
SV-220105r603266_rule | The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
SV-220106r603266_rule | The system must not be used as a syslog server (log host) for systems external to the enclave.
SV-220107r603266_rule | The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
SV-220108r603266_rule | The SSH daemon must be configured to only use the SSHv2 protocol.
SV-220109r603266_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router.
SV-220110r603266_rule | The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
SV-220111r603266_rule | The NFS server must be configured to restrict file system access to local hosts.
SV-220112r603266_rule | The system must not have a public Instant Messaging (IM) client installed.
SV-220113r603266_rule | The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
SV-220115r603266_rule | The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
SV-220116r603266_rule | The system package management tool must be used to verify system software periodically.
SV-220117r603266_rule | The system must use an access control program.
SV-220118r603266_rule | The system's access control program must be configured to grant or deny system access to specific hosts.
SV-220119r603266_rule | Wireless network adapters must be disabled.
SV-220121r603266_rule | If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
SV-220122r603266_rule | The system must not use removable media as the boot loader.
SV-220123r603266_rule | For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
SV-220124r603266_rule | The system boot loader must require authentication.
SV-220125r603266_rule | The system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
SV-220127r603266_rule | The system's boot loader configuration file(s) must not have extended ACLs.
SV-220128r603266_rule | The system's boot loader configuration files must be owned by root.
SV-220129r603266_rule | The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
SV-227532r603266_rule | The nosuid option must be configured in the /etc/rmmount.conf file.
SV-227533r603266_rule | The /etc/security/audit_user file must not define a different auditing level for specific users.
SV-227534r603266_rule | The /etc/security/audit_user file must be owned by root.
SV-227535r603266_rule | The /etc/security/audit_user file must be group-owned by root, sys, or bin.
SV-227536r603266_rule | The /etc/security/audit_user file must have mode 0640 or less permissive.
SV-227537r603266_rule | The /etc/security/audit_user file must not have an extended ACL.
SV-227538r603266_rule | The /usr/aset/masters/uid_aliases must be empty.
SV-227539r603266_rule | If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv.
SV-227540r603266_rule | The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct.
SV-227541r603266_rule | The /usr/aset/userlist file must exist.
SV-227542r603266_rule | The /usr/aset/userlist file must be owned by root.
SV-227543r603266_rule | The /usr/aset/userlist file must be group-owned by root.
SV-227544r603266_rule | The /usr/aset/userlist file must have mode 0600 or less permissive.
SV-227545r603266_rule | The /usr/aset/userlist file must not have an extended ACL.
SV-227546r603266_rule | The NFS server must have logging implemented.
SV-227547r603266_rule | Hidden extended file attributes must not exist on the system.
SV-227548r603266_rule | The root account must be the only account with GID of 0.
SV-227549r603266_rule | The /etc/zones directory, and its contents, must be owned by root.
SV-227550r603266_rule | The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
SV-227551r603266_rule | The /etc/zones directory, and its contents, must not be group- or world-writable.
SV-227552r603266_rule | The /etc/zones directory, and its contents, must not have an extended ACL.
SV-227553r603266_rule | The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.
SV-227554r603266_rule | The limitpriv zone option must be set to the vendor default or less permissive.
SV-227555r603266_rule | The physical devices must not be assigned to non-global zones.
SV-227556r603266_rule | The operating system must be a supported release.
SV-227557r603266_rule | System security patches and updates must be installed and up-to-date.
SV-227558r603266_rule | A file integrity baseline must be created and maintained.
SV-227559r603266_rule | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
SV-227560r603266_rule | The system clock must be synchronized to an authoritative DoD time source.
SV-227561r603266_rule | The system clock must be synchronized continuously.
SV-227562r603266_rule | The system must use at least two time sources for clock synchronization.
SV-227563r603266_rule | The system must use time sources local to the enclave.
SV-227564r603266_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
SV-227565r603266_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
SV-227566r603266_rule | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
SV-227567r603266_rule | The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
SV-227568r603266_rule | The system must not have unnecessary accounts.
SV-227569r603266_rule | All accounts on the system must have unique user or account names.
SV-227570r603266_rule | All accounts must be assigned unique User Identification Numbers (UIDs).
SV-227571r603266_rule | UIDs reserved for system accounts must not be assigned to non-system accounts.
SV-227572r603266_rule | GIDs reserved for system accounts must not be assigned to non-system groups.
SV-227573r603266_rule | All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
SV-227574r603266_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
SV-227575r603266_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-227576r603266_rule | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-227577r603266_rule | Successful and unsuccessful logins and logouts must be logged.
SV-227578r603266_rule | The system must display the date and time of the last successful account login upon login.
SV-227579r603266_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
SV-227580r603266_rule | The root user must not own the logon session for an application requiring a continuous display.
SV-227581r603266_rule | Users must not be able to change passwords more than once every 24 hours.
SV-227582r603266_rule | The system must not have accounts configured with blank or null passwords.
SV-227583r603266_rule | The system must require passwords contain a minimum of 15 characters.
SV-227584r603266_rule | The system must enforce compliance of the entire password during authentication.
SV-227585r603266_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
SV-227586r603266_rule | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-227587r603266_rule | The system must require passwords to contain at least one uppercase alphabetic character.
SV-227588r603266_rule | The system must require passwords to contain at least one numeric character.
SV-227589r603266_rule | The system must require passwords to contain at least one special character.
SV-227590r603266_rule | The system must require passwords to contain no more than three consecutive repeating characters.
SV-227591r603266_rule | User passwords must be changed at least every 60 days.
SV-227592r603266_rule | All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
SV-227593r603266_rule | The system must require at least eight characters be changed between the old and new passwords during a password change.
SV-227594r603266_rule | The system must prevent the use of dictionary words for passwords.
SV-227595r603266_rule | The system must prohibit the reuse of passwords within five iterations.
SV-227596r603266_rule | The system must restrict the ability to switch to the root user to members of a defined group.
SV-227597r603266_rule | The root user's home directory must not be the root directory (/).
SV-227598r603266_rule | The root account's home directory (other than /) must have mode 0700.
SV-227599r603266_rule | The root account's home directory must not have an extended ACL.
SV-227600r603266_rule | The root accounts executable search path must contain only authorized paths.
SV-227601r603266_rule | The root account's library search path must be the system default and must contain only absolute paths.
SV-227602r603266_rule | The root account's list of preloaded libraries must be empty.
SV-227603r603266_rule | The system must prevent the root account from directly logging in except from the system console.
SV-227604r603266_rule | Remote consoles must be disabled or protected from unauthorized access.
SV-227605r603266_rule | The root account must not be used for direct logins.
SV-227606r603266_rule | The system must log successful and unsuccessful access to the root account.
SV-227607r603266_rule | The root shell must be located in the / file system.
SV-227608r603266_rule | Root passwords must never be passed over a network in clear text form.
SV-227609r603266_rule | The system must not permit root logins using remote access programs such as SSH.
SV-227610r603266_rule | System files and directories must not have uneven access permissions.
SV-227611r603266_rule | All files and directories must have a valid owner.
SV-227612r603266_rule | All files and directories must have a valid group-owner.
SV-227613r603266_rule | All network services daemon files must have mode 0755 or less permissive.
SV-227614r603266_rule | All network services daemon files must not have extended ACLs.
SV-227615r603266_rule | All system command files must have mode 755 or less permissive.
SV-227616r603266_rule | All system command files must not have extended ACLs.
SV-227617r603266_rule | All system files, programs, and directories must be owned by a system account.
SV-227618r603266_rule | System files, programs, and directories must be group-owned by a system group.
SV-227619r603266_rule | System log files must have mode 0640 or less permissive.
SV-227620r603266_rule | System log files must not have extended ACLs, except as needed to support authorized software.
SV-227621r603266_rule | Manual page files must have mode 0655 or less permissive.
SV-227622r603266_rule | All manual page files must not have extended ACLs.
SV-227623r603266_rule | All library files must not have extended ACLs.
SV-227624r603266_rule | NIS/NIS+/yp files must be owned by root, sys, or bin.
SV-227625r603266_rule | NIS/NIS+/yp files must be group-owned by root, sys, or bin.
SV-227626r603266_rule | The NIS/NIS+/yp command files must have mode 0755 or less permissive.
SV-227627r603266_rule | NIS/NIS+/yp command files must not have extended ACLs.
SV-227628r603266_rule | The /etc/resolv.conf file must be owned by root.
SV-227629r603266_rule | The /etc/resolv.conf file must be group-owned by root, bin, or sys.
SV-227630r603266_rule | The /etc/resolv.conf file must have mode 0644 or less permissive.
SV-227631r603266_rule | The /etc/resolv.conf file must not have an extended ACL.
SV-227632r603266_rule | The /etc/hosts file must be owned by root.
SV-227633r603266_rule | The /etc/hosts file must be group-owned by root, bin, or sys.
SV-227634r603266_rule | The /etc/hosts file must have mode 0644 or less permissive.
SV-227635r603266_rule | The /etc/hosts file must not have an extended ACL.
SV-227636r603266_rule | The /etc/nsswitch.conf file must be owned by root.
SV-227637r603266_rule | The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
SV-227638r603266_rule | The /etc/nsswitch.conf file must have mode 0644 or less permissive.
SV-227639r603266_rule | The /etc/nsswitch.conf file must not have an extended ACL.
SV-227640r603266_rule | The /etc/passwd file must be owned by root.
SV-227641r603266_rule | The /etc/passwd file must be group-owned by root, bin, or sys.
SV-227642r603266_rule | The /etc/passwd file must have mode 0644 or less permissive.
SV-227643r603266_rule | The /etc/passwd file must not have an extended ACL.
SV-227644r603266_rule | The /etc/group file must be owned by root.
SV-227645r603266_rule | The /etc/group file must be group-owned by root, bin, or sys.
SV-227646r603266_rule | The /etc/group file must have mode 0644 or less permissive.
SV-227647r603266_rule | The /etc/group file must not have an extended ACL.
SV-227648r603266_rule | The /etc/shadow (or equivalent) file must be owned by root.
SV-227649r603266_rule | The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
SV-227650r603266_rule | The /etc/shadow (or equivalent) file must have mode 0400.
SV-227651r603266_rule | The /etc/shadow file must not have an extended ACL.
SV-227652r603266_rule | All interactive users must be assigned a home directory in the /etc/passwd file.
SV-227653r603266_rule | All interactive user home directories defined in the /etc/passwd file must exist.
SV-227654r603266_rule | The /etc/passwd file must not contain password hashes.
SV-227655r603266_rule | The /etc/group file must not contain any group password hashes.
SV-227656r603266_rule | All users' home directories must have mode 0750 or less permissive.
SV-227657r603266_rule | User's home directories must not have extended ACLs.
SV-227658r603266_rule | All files and directories contained in interactive user's home directories must be owned by the home directory's owner.
SV-227659r603266_rule | All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
SV-227660r603266_rule | All files and directories contained in user's home directories must have mode 0750 or less permissive.
SV-227661r603266_rule | All files and directories contained in user home directories must not have extended ACLs.
SV-227662r603266_rule | All run control scripts must have mode 0755 or less permissive.
SV-227663r603266_rule | All run control scripts must have no extended ACLs.
SV-227664r603266_rule | Run control scripts executable search paths must contain only authorized paths.
SV-227665r603266_rule | Run control scripts lists of preloaded libraries must contain only authorized paths.
SV-227666r603266_rule | Run control scripts lists of preloaded libraries must contain only authorized paths.
SV-227667r603266_rule | Run control scripts must not execute world-writable programs or scripts.
SV-227668r603266_rule | All system start-up files must be owned by root.
SV-227669r603266_rule | All system start-up files must be group-owned by root, sys, or bin.
SV-227670r603266_rule | System start-up files must only execute programs owned by a privileged UID or an application.
SV-227671r603266_rule | All global initialization files must not have extended ACLs.
SV-227672r603266_rule | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
SV-227673r603266_rule | Skeleton files must not have extended ACLs.
SV-227674r603266_rule | All skeleton files and directories (typically in /etc/skel) must be owned by root.
SV-227675r603266_rule | All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
SV-227676r603266_rule | All global initialization files executable search paths must contain only authorized paths.
SV-227677r603266_rule | Global initialization files library search paths must contain only authorized paths.
SV-227678r603266_rule | Global initialization files lists of preloaded libraries must contain only authorized paths.
SV-227679r603266_rule | All local initialization files must be owned by the user or root.
SV-227680r603266_rule | All local initialization files must have mode 0740 or less permissive.
SV-227681r603266_rule | Local initialization files must not have extended ACLs.
SV-227682r603266_rule | All local initialization files executable search paths must contain only authorized paths.
SV-227683r603266_rule | Local initialization files library search paths must contain only authorized paths.
SV-227684r603266_rule | Local initialization files lists of preloaded libraries must contain only authorized paths.
SV-227685r603266_rule | User start-up files must not execute world-writable programs.
SV-227686r603266_rule | The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
SV-227687r603266_rule | There must be no .netrc files on the system.
SV-227688r603266_rule | All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
SV-227689r603266_rule | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
SV-227690r603266_rule | All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
SV-227691r603266_rule | The .rhosts file must not be supported in PAM.
SV-227692r603266_rule | The /etc/shells (or equivalent) file must exist.
SV-227693r603266_rule | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SV-227694r603266_rule | All shell files must be owned by root or bin.
SV-227695r603266_rule | All shell files must be group-owned by root, bin, or sys.
SV-227696r603266_rule | All shell files must have mode 0755 or less permissive.
SV-227697r603266_rule | All shell files must not have extended ACLs.
SV-227698r603266_rule | The system must be checked for extraneous device files at least weekly.
SV-227699r603266_rule | Device files and directories must only be writable by users with a system account or as configured by the vendor.
SV-227700r603266_rule | Device files used for backup must only be readable and/or writable by root or the backup user.
SV-227701r603266_rule | Audio devices must have mode 0660 or less permissive.
SV-227702r603266_rule | Audio devices must not have extended ACLs.
SV-227703r603266_rule | Audio devices must be owned by root.
SV-227704r603266_rule | Audio devices must be group-owned by root, sys, or bin.
SV-227705r603266_rule | The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
SV-227706r603266_rule | The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files.
SV-227707r603266_rule | The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures.
SV-227708r603266_rule | The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files.
SV-227709r603266_rule | Public directories must be the only world-writable directories and world-writable files must be located only in public directories.
SV-227710r603266_rule | The sticky bit must be set on all public directories.
SV-227711r603266_rule | All public directories must be owned by root or an application account.
SV-227712r603266_rule | All public directories must be group-owned by root or an application group.
SV-227713r603266_rule | The system and user default umask must be 077.
SV-227714r603266_rule | Default system accounts must be disabled or removed.
SV-227715r603266_rule | Auditing must be implemented.
SV-227716r603266_rule | System audit logs must be owned by root.
SV-227717r603266_rule | System audit logs must be group-owned by root, bin, or sys.
SV-227718r603266_rule | System audit logs must have mode 0640 or less permissive.
SV-227719r603266_rule | All system audit files must not have extended ACLs.
SV-227720r603266_rule | System audit tool executables must be owned by root.
SV-227721r603266_rule | System audit tool executables must be group-owned by root, bin, or sys.
SV-227722r603266_rule | System audit tool executables must have mode 0750 or less permissive.
SV-227723r603266_rule | System audit tool executables must not have extended ACLs.
SV-227724r603266_rule | The audit system must alert the SA in the event of an audit processing failure.
SV-227725r603266_rule | The audit system must be configured to audit failed attempts to access files and programs.
SV-227726r603266_rule | The audit system must alert the SA when the audit storage volume approaches its capacity.
SV-227727r603266_rule | The audit system must be configured to audit file deletions.
SV-227728r603266_rule | The audit system must be configured to audit account creation.
SV-227729r603266_rule | The audit system must be configured to audit account modification.
SV-227730r603266_rule | The audit system must be configured to audit account disabling.
SV-227731r603266_rule | The audit system must be configured to audit account termination.
SV-227732r603266_rule | The audit system must be configured to audit all administrative, privileged, and security actions.
SV-227733r603266_rule | The audit system must be configured to audit login, logout, and session initiation.
SV-227734r603266_rule | The audit system must be configured to audit all discretionary access control permission modifications.
SV-227735r603266_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-227736r603266_rule | Audit logs must be rotated daily.
SV-227737r603266_rule | The system must be configured to send audit records to a remote audit server.
SV-227738r603266_rule | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
SV-227739r603266_rule | The cron.allow file must have mode 0600 or less permissive.
SV-227740r603266_rule | The cron.allow file must not have an extended ACL.
SV-227741r603266_rule | Cron must not execute group-writable or world-writable programs.
SV-227742r603266_rule | Cron must not execute programs in, or subordinate to, world-writable directories.
SV-227743r603266_rule | Crontabs must be owned by root or the crontab creator.
SV-227744r603266_rule | Crontab files must be group-owned by root, sys, or the crontab creator's primary group.
SV-227745r603266_rule | Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
SV-227746r603266_rule | Crontab files must have mode 0600 or less permissive.
SV-227747r603266_rule | Crontab files must not have extended ACLs.
SV-227748r603266_rule | Cron and crontab directories must have mode 0755 or less permissive.
SV-227749r603266_rule | Cron and crontab directories must not have extended ACLs.
SV-227750r603266_rule | Cron and crontab directories must be owned by root or bin.
SV-227751r603266_rule | Cron and crontab directories must be group-owned by root, sys, or bin.
SV-227752r603266_rule | Cron logging must be implemented.
SV-227753r603266_rule | The cronlog file must have mode 0600 or less permissive.
SV-227754r603266_rule | The cron log files must not have extended ACLs.
SV-227755r603266_rule | The cron.deny file must have mode 0600 or less permissive.
SV-227756r603266_rule | The cron.deny file must not have an extended ACL.
SV-227757r603266_rule | Cron programs must not set the umask to a value less restrictive than 077.
SV-227758r603266_rule | The cron.allow file must be owned by root, bin, or sys.
SV-227759r603266_rule | The at.allow file must not have an extended ACL.
SV-227760r603266_rule | The cron.allow file must be group-owned by root, bin, or sys.
SV-227761r603266_rule | The at.deny file must have mode 0600 or less permissive.
SV-227762r603266_rule | The at.deny file must not have an extended ACL.
SV-227763r603266_rule | The cron.deny file must be owned by root, bin, or sys.
SV-227764r603266_rule | The cron.deny file must be group-owned by root, bin, or sys.
SV-227765r603266_rule | Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
SV-227766r603266_rule | The at.deny file must not be empty if it exists.
SV-227767r603266_rule | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
SV-227768r603266_rule | The at.allow file must have mode 0600 or less permissive.
SV-227769r603266_rule | The "at" daemon must not execute group-writable or world-writable programs.
SV-227770r603266_rule | The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
SV-227771r603266_rule | The "at" directory must have mode 0755 or less permissive.
SV-227772r603266_rule | The "at" directory must not have an extended ACL.
SV-227773r603266_rule | The "at" directory must be owned by root, bin, or sys.
SV-227774r603266_rule | The "at" directory must be group-owned by root, bin, or sys.
SV-227775r603266_rule | "At" jobs must not set the umask to a value less restrictive than 077.
SV-227776r603266_rule | The at.allow file must be owned by root, bin, or sys.
SV-227777r603266_rule | The at.allow file must be group-owned by root, bin, or sys.
SV-227778r603266_rule | The at.deny file must be owned by root, bin, or sys.
SV-227779r603266_rule | The at.deny file must be group-owned by root, bin, or sys.
SV-227780r603266_rule | Process core dumps must be disabled unless needed.
SV-227781r603266_rule | The system must be configured to store any process core dumps in a specific, centralized directory.
SV-227782r603266_rule | The centralized process core dump data directory must be owned by root.
SV-227783r603266_rule | The centralized process core dump data directory must be group-owned by root, bin, or sys.
SV-227784r603266_rule | The centralized process core dump data directory must have mode 0700 or less permissive.
SV-227785r603266_rule | The centralized process core dump data directory must not have an extended ACL.
SV-227786r603266_rule | Kernel core dumps must be disabled unless needed.
SV-227787r603266_rule | The kernel core dump data directory must be owned by root.
SV-227788r603266_rule | The kernel core dump data directory must be group-owned by root.
SV-227789r603266_rule | The kernel core dump data directory must have mode 0700 or less permissive.
SV-227790r603266_rule | The kernel core dump data directory must not have an extended ACL.
SV-227791r603266_rule | The system must implement non-executable program stacks.
SV-227792r603266_rule | The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
SV-227793r603266_rule | The system must not forward IPv4 source-routed packets.
SV-227794r603266_rule | TCP backlog queue sizes must be set appropriately.
SV-227795r603266_rule | The system must not process ICMP timestamp requests.
SV-227796r603266_rule | The system must not respond to ICMPv4 echoes sent to a broadcast address.
SV-227797r603266_rule | The system must not respond to ICMP timestamp requests sent to a broadcast address.
SV-227798r603266_rule | The system must not apply reversed source routing to TCP responses.
SV-227799r603266_rule | The system must prevent local applications from generating source-routed packets.
SV-227800r603266_rule | The system must not accept source-routed IPv4 packets.
SV-227801r603266_rule | Proxy ARP must not be enabled on the system.
SV-227802r603266_rule | The system must ignore IPv4 ICMP redirect messages.
SV-227803r603266_rule | The system must not send IPv4 ICMP redirects.
SV-227804r603266_rule | The system must log martian packets.
SV-227805r603266_rule | A separate file system must be used for user home directories (such as /home or equivalent).
SV-227806r603266_rule | The system must use a separate file system for the system audit data path.
SV-227807r603266_rule | The system must use a separate filesystem for /tmp (or equivalent).
SV-227808r603266_rule | The root file system must employ journaling or another mechanism ensuring file system consistency.
SV-227809r603266_rule | All local file systems must employ journaling or another mechanism ensuring file system consistency.
SV-227810r603266_rule | The system must log authentication informational data.
SV-227811r603266_rule | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
SV-227812r603266_rule | The inetd.conf file must be owned by root or bin.
SV-227813r603266_rule | The inetd.conf file must be group-owned by root, bin, or sys.
SV-227814r603266_rule | The inetd.conf file must have mode 0440 or less permissive.
SV-227815r603266_rule | The inetd.conf file must not have extended ACLs.
SV-227816r603266_rule | The services file must be owned by root or bin.
SV-227817r603266_rule | The services file must be group-owned by root, bin, or sys.
SV-227818r603266_rule | The services file must have mode 0444 or less permissive.
SV-227819r603266_rule | The services file must not have an extended ACL.
SV-227820r603266_rule | Inetd or xinetd logging/tracing must be enabled.
SV-227821r603266_rule | The portmap or rpcbind service must not be installed unless needed.
SV-227822r603266_rule | The rshd service must not be installed.
SV-227823r603266_rule | The rlogind service must not be installed.
SV-227824r603266_rule | The rexec daemon must not be running.
SV-227825r603266_rule | The rexecd service must not be installed.
SV-227826r603266_rule | The telnet daemon must not be running.
SV-227827r603266_rule | The system must not have the finger service active.
SV-227828r603266_rule | The hosts.lpd file (or equivalent) must not contain a "+" character.
SV-227829r603266_rule | The hosts.lpd (or equivalent) file must be owned by root.
SV-227830r603266_rule | The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
SV-227831r603266_rule | The hosts.lpd (or equivalent) file must not have an extended ACL.
SV-227832r603266_rule | The traceroute command owner must be root.
SV-227833r603266_rule | The traceroute command must be group-owned by sys, bin, or root.
SV-227834r603266_rule | The traceroute file must have mode 0700 or less permissive.
SV-227835r603266_rule | The traceroute file must not have an extended ACL.
SV-227836r603266_rule | Administrative accounts must not run a web browser, except as needed for local service administration.
SV-227837r603266_ruleThe alias file must be owned by root.
SV-227838r603266_ruleThe alias file must have mode 0644 or less permissive.
SV-227839r603266_ruleThe alias file must not have an extended ACL.
SV-227840r603266_ruleFiles executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
SV-227841r603266_ruleFiles executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys.
SV-227842r603266_ruleFiles executed through a mail aliases file must not have extended ACLs.
SV-227843r603266_ruleSendmail logging must not be set to less than nine in the sendmail.cf file.
SV-227844r603266_ruleThe system syslog service must log informational and more severe SMTP service messages.
SV-227845r603266_ruleThe SMTP service log file must be owned by root.
SV-227846r603266_ruleThe SMTP service log file must have mode 0644 or less permissive.
SV-227847r603266_ruleThe SMTP service log file must not have an extended ACL.
SV-227848r603266_ruleThe SMTP service must not have the EXPN feature active.
SV-227849r603266_ruleThe SMTP service must not have the VRFY feature active.
SV-227850r603266_ruleThe Sendmail service must not have the wizard backdoor active.
SV-227851r603266_ruleMail relaying must be restricted.
SV-227852r603266_ruleUnencrypted FTP must not be used on the system.
SV-227853r603266_ruleAnonymous FTP must not be active on the system unless authorized.
SV-227854r603266_ruleIf the system is an anonymous FTP server, it must be isolated to the DMZ network.
SV-227855r603266_ruleThe ftpusers file must exist.
SV-227856r603266_ruleThe ftpusers file must contain account names not allowed to use FTP.
SV-227857r603266_ruleThe ftpusers file must be owned by root.
SV-227858r603266_ruleThe ftpusers file must be group-owned by root, bin, or sys.
SV-227859r603266_ruleThe ftpusers file must have mode 0640 or less permissive.
SV-227860r603266_ruleThe ftpusers file must not have an extended ACL.
SV-227861r603266_ruleThe FTP daemon must be configured for logging or verbose mode.
SV-227862r603266_ruleAnonymous FTP accounts must not have a functional shell.
SV-227863r603266_ruleThe anonymous FTP account must be configured to use chroot or a similarly isolated environment.
SV-227864r603266_ruleAll FTP users must have a default umask of 077.
SV-227865r603266_ruleThe TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
SV-227866r603266_ruleThe TFTP daemon must have mode 0755 or less permissive.
SV-227867r603266_ruleAny active TFTP daemon must be authorized and approved in the system accreditation package.
SV-227868r603266_ruleAny X Windows host must write .Xauthority files.
SV-227869r603266_ruleAll .Xauthority files must have mode 0600 or less permissive.
SV-227870r603266_ruleThe .Xauthority files must not have extended ACLs.
SV-227871r603266_ruleX displays must not be exported to the world.
SV-227872r603266_rule.Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
SV-227873r603266_ruleThe .Xauthority utility must only permit access to authorized hosts.
SV-227874r603266_ruleX Window System connections that are not required must be disabled.
SV-227875r603266_ruleThe system must not have the UUCP service active.
SV-227876r603266_ruleSNMP communities, users, and passphrases must be changed from the default.
SV-227877r603266_ruleThe SNMP service must use only SNMPv3 or its successors.
SV-227878r603266_ruleThe snmpd.conf file must have mode 0600 or less permissive.
SV-227879r603266_ruleManagement Information Base (MIB) files must have mode 0640 or less permissive.
SV-227880r603266_ruleManagement Information Base (MIB) files must not have extended ACLs.
SV-227881r603266_ruleThe snmpd.conf files must be owned by root.
SV-227882r603266_ruleThe snmpd.conf file must be group-owned by root, sys, or bin.
SV-227883r603266_ruleThe snmpd.conf file must not have an extended ACL.
SV-227884r603266_ruleIf the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
SV-227885r603266_ruleThe /etc/syslog.conf file must have mode 0640 or less permissive.
SV-227886r603266_ruleThe /etc/syslog.conf file must not have an extended ACL.
SV-227887r603266_ruleThe /etc/syslog.conf file must be owned by root.
SV-227888r603266_ruleThe /etc/syslog.conf file must be group-owned by root, bin, or sys.
SV-227889r603266_ruleThe system must use a remote syslog server (log host).
SV-227890r603266_ruleThe system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
SV-227891r603266_ruleThe SSH client must be configured to only use the SSHv2 protocol.
SV-227892r603266_ruleThe SSH daemon must only listen on management network addresses unless authorized for uses other than management.
SV-227893r603855_ruleThe operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
SV-227894r603266_ruleThe SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
SV-227895r603266_ruleThe SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-227896r603266_ruleThe SSH client must be configured to only use FIPS 140-2 approved ciphers.
SV-227897r603266_ruleThe SSH client must be configured to not use CBC-based ciphers.
SV-227898r603266_ruleThe SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-227899r603266_ruleThe SSH daemon must restrict login ability to specific users and/or groups.
SV-227900r603266_ruleThe SSH public host key files must have mode 0644 or less permissive.
SV-227901r603266_ruleThe SSH private host key files must have mode 0600 or less permissive.
SV-227902r603266_ruleThe SSH daemon must not permit GSSAPI authentication unless needed.
SV-227903r603266_ruleThe SSH client must not permit GSSAPI authentication unless needed.
SV-227904r603266_ruleThe SSH daemon must perform strict mode checking of home directory configuration files.
SV-227905r603266_ruleThe SSH daemon must not allow rhosts RSA authentication.
SV-227906r603266_ruleThe SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-227907r603266_ruleThe SSH daemon must be configured for IP filtering.
SV-227908r603266_ruleThe SSH daemon must be configured with the Department of Defense (DoD) login banner.
SV-227909r603266_ruleThe system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
SV-227910r603266_ruleThe system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-227911r603266_ruleA system used for routing must not run other network services or applications.
SV-227912r603266_ruleThe system must not be running any routing protocol daemons, unless the system is a router.
SV-227913r603266_ruleThe NFS export configuration file must be owned by root.
SV-227914r603266_ruleThe NFS export configuration file must be group-owned by root, bin, or sys.
SV-227915r603266_ruleThe NFS export configuration file must have mode 0644 or less permissive.
SV-227916r603266_ruleThe NFS exports configuration file must not have an extended ACL.
SV-227917r603266_ruleAll NFS-exported system files and system directories must be owned by root.
SV-227918r603266_ruleAll NFS exported system files and system directories must be group-owned by root, bin, or sys.
SV-227919r603266_ruleThe NFS anonymous UID and GID must be configured to values that have no permissions.
SV-227920r603266_rule The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not be set to none.
SV-227921r603266_rule The NFS server must not allow remote root access.
SV-227922r603266_rule The nosuid option must be enabled on all NFS client mounts.
SV-227923r603266_rule The system must not have any peer-to-peer file-sharing application installed.
SV-227924r603266_rule The system must not run Samba unless needed.
SV-227925r603266_rule The smb.conf file must be owned by root.
SV-227926r603266_rule The smb.conf file must be group-owned by root, bin, or sys.
SV-227927r603266_rule The smb.conf file must have mode 0644 or less permissive.
SV-227928r603266_rule The smb.conf file must not have an extended ACL.
SV-227929r603266_rule The smbpasswd file must be owned by root.
SV-227930r603266_rule The smbpasswd file must be group-owned by root.
SV-227931r603266_rule The smbpasswd file must have mode 0600 or less permissive.
SV-227932r603266_rule The smbpasswd file must not have an extended ACL.
SV-227933r603266_rule The smb.conf file must use the hosts option to restrict access to Samba.
SV-227934r603266_rule Samba must be configured to use an authentication mechanism other than "share."
SV-227935r603266_rule Samba must be configured to use encrypted passwords.
SV-227936r603266_rule Samba must be configured to not allow guest access to shares.
SV-227937r603266_rule The system must not run an Internet Network News (INN) server.
SV-227938r603266_rule The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
SV-227939r603266_rule The /etc/news/hosts.nntp file must not have an extended ACL.
SV-227940r603266_rule The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
SV-227941r603266_rule The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
SV-227942r603266_rule The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
SV-227943r603266_rule The /etc/news/nnrp.access file must not have an extended ACL.
SV-227944r603266_rule The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
SV-227945r603266_rule The /etc/news/passwd.nntp file must not have an extended ACL.
SV-227946r603266_rule Files in /etc/news must be owned by root.
SV-227947r603266_rule The files in /etc/news must be group-owned by root.
SV-227948r603266_rule The system must not use UDP for NIS/NIS+.
SV-227949r603266_rule The Network Information System (NIS) protocol must not be used.
SV-227950r603266_rule NIS maps must be protected through hard-to-guess domain names.
SV-227951r603266_rule Any NIS+ server must be operating at security level 2.
SV-227952r603266_rule The system must have a host-based intrusion detection tool installed.
SV-227953r603266_rule The file integrity tool must be configured to verify ACLs.
SV-227954r603266_rule The file integrity tool must be configured to verify extended attributes.
SV-227955r603266_rule The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
SV-227956r603266_rule The system's access control program must log each system access attempt.
SV-227957r603266_rule The system must use a virus scan program.
SV-227958r603266_rule The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
SV-227959r603266_rule The Transparent Inter-Process Communication (TIPC) protocol must be disabled or not installed.
SV-227960r603266_rule The system must not have 6to4 enabled.
SV-227961r603266_rule The system must not have IP tunnels configured.
SV-227962r603266_rule The DHCP client must be disabled if not needed.
SV-227963r603266_rule The system must ignore IPv6 ICMP redirect messages.
SV-227964r603266_rule The system must not send IPv6 ICMP redirects.
SV-227965r603266_rule The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
SV-227966r603266_rule The system must not forward IPv6 source-routed packets.
SV-227967r603266_rule The system must not respond to ICMPv6 echo requests sent to a broadcast address.
SV-227968r603266_rule If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SV-227969r603266_rule If the system is using LDAP for authentication or account information, the LDAP client configuration file must have mode 0600 or less permissive.
SV-227970r603266_rule If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
SV-227971r603266_rule If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
SV-227972r603266_rule If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
SV-227973r603266_rule If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
SV-227974r603266_rule If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, or sys.
SV-227975r603266_rule If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
SV-227976r603266_rule Automated file system mounting tools must not be enabled unless needed.
SV-227977r603266_rule The system must have USB disabled unless needed.
SV-227978r603266_rule The system must have USB Mass Storage disabled unless needed.
SV-227979r603266_rule The system must have IEEE 1394 (Firewire) disabled unless needed.
SV-227980r603266_rule The system must employ a local firewall.
SV-227981r603266_rule The system's local firewall must implement a deny-all, allow-by-exception policy.
SV-227982r603266_rule The system must be configured to only boot from the system boot device.
SV-227983r603266_rule System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
SV-227984r603266_rule If the system boots from removable media, it must be stored in a safe or similarly secured container.
SV-227985r603266_rule The system's boot loader configuration file(s) must have mode 0600 or less permissive.
SV-227986r603266_rule The system package management tool must cryptographically verify the authenticity of software packages during installation.
SV-227987r603266_rule The system package management tool must not automatically obtain updates.
SV-227988r603266_rule The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-233303r603289_rule X11 forwarding for SSH must be disabled.
SV-233305r603295_rule The sshd server must bind the X11 forwarding server to the loopback address.