STIGQter: STIG Summary: SOLARIS 9 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE

Version: 1

Release: 9

Benchmark Date: 23 Oct 2015

| Name | Title |
| --- | --- |
| SV-36754r1_rule | The system must require authentication upon booting into single-user and maintenance modes. |
| SV-41504r1_rule | Direct logins must not be permitted to shared, default, application, or utility accounts. |
| SV-27061r1_rule | All accounts on the system must have unique user or account names. |
| SV-27065r1_rule | All accounts must be assigned unique User Identification Numbers (UIDs). |
| SV-28596r1_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. |
| SV-27080r1_rule | Successful and unsuccessful logins and logouts must be logged. |
| SV-39816r1_rule | The system must disable accounts after three consecutive unsuccessful login attempts. |
| SV-27094r1_rule | The delay between login prompts following a failed login attempt must be at least 4 seconds. |
| SV-769r2_rule | The root user must not own the logon session for an application requiring a continuous display. |
| SV-27105r1_rule | The system must not have accounts configured with blank or null passwords. |
| SV-39820r1_rule | The root account must be the only account having a UID of 0. |
| SV-774r2_rule | The root user's home directory must not be the root directory (/). |
| SV-775r2_rule | The root account's home directory (other than /) must have mode 0700. |
| SV-776r2_rule | The root account's executable search path must be the vendor default and must contain only absolute paths. |
| SV-37075r1_rule | The root account must not have world-writable directories in its executable search path. |
| SV-27143r1_rule | The system must prevent the root account from directly logging in except from the system console. |
| SV-28658r1_rule | GIDs reserved for system accounts must not be assigned to non-system groups. |
| SV-27069r1_rule | All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file. |
| SV-41526r2_rule | The system must have a host-based intrusion detection tool installed. |
| SV-27054r2_rule | Security patches and updates must be installed and up-to-date. |
| SV-39833r1_rule | System files and directories must not have uneven access permissions. |
| SV-785r2_rule | All files and directories must have a valid owner. |
| SV-27161r1_rule | All network services daemon files must have mode 0755 or less permissive. |
| SV-787r2_rule | System log files must have mode 0640 or less permissive. |
| SV-788r2_rule | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive. |
| SV-27166r1_rule | NIS/NIS+/yp files must be owned by root, sys, or bin. |
| SV-27171r1_rule | NIS/NIS+/yp files must be group-owned by root, sys, or bin. |
| SV-27175r1_rule | The NIS/NIS+/yp command files must have mode 0755 or less permissive. |
| SV-39835r1_rule | Manual page files must have mode 0644 or less permissive. |
| SV-39821r1_rule | Library files must have mode 0755 or less permissive. |
| SV-794r3_rule | All system command files must have mode 0755 or less permissive. |
| SV-795r2_rule | All system files, programs, and directories must be owned by a system account. |
| SV-796r2_rule | System files, programs, and directories must be group-owned by a system group. |
| SV-39826r1_rule | The /etc/shadow (or equivalent) file must be owned by root. |
| SV-798r2_rule | The /etc/passwd file must have mode 0644 or less permissive. |
| SV-800r2_rule | The /etc/shadow (or equivalent) file must have mode 0400. |
| SV-801r2_rule | The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures. |
| SV-802r2_rule | The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures. |
| SV-803r2_rule | The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files. |
| SV-804r2_rule | The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files. |
| SV-27262r1_rule | Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option. |
| SV-806r2_rule | The sticky bit must be set on all public directories. |
| SV-807r2_rule | All public directories must be owned by root or an application account. |
| SV-28641r2_rule | The system and user default umask must be 077. |
| SV-39834r1_rule | Default system accounts must be disabled or removed. |
| SV-27266r1_rule | Auditing must be implemented. |
| SV-27271r1_rule | System audit logs must be owned by root. |
| SV-27282r1_rule | System audit logs must have mode 0640 or less permissive. |
| SV-27287r1_rule | The audit system must be configured to audit failed attempts to access files and programs. |
| SV-27292r1_rule | The audit system must be configured to audit file deletions. |
| SV-27297r1_rule | The audit system must be configured to audit all administrative, privileged, and security actions. |
| SV-27303r1_rule | The audit system must be configured to audit login, logout, and session initiation. |
| SV-27309r1_rule | The audit system must be configured to audit all discretionary access control permission modifications. |
| SV-39883r1_rule | The inetd.conf file must be owned by root or bin. |
| SV-39885r1_rule | The inetd.conf file must have mode 0440 or less permissive. |
| SV-823r2_rule | The services file must be owned by root or bin. |
| SV-824r2_rule | The services file must have mode 0444 or less permissive. |
| SV-39828r1_rule | Global initialization files must contain the mesg -n or mesg n commands. |
| SV-827r2_rule | The hosts.lpd file (or equivalent) must not contain a "+" character. |
| SV-37455r3_rule | The hosts.lpd (or equivalent) file must be owned by root. |
| SV-37457r2_rule | The hosts.lpd (or equivalent) must have mode 0644 or less permissive. |
| SV-831r2_rule | The alias file must be owned by root. |
| SV-40651r1_rule | The alias file must have mode 0644 or less permissive. |
| SV-41546r1_rule | The system syslog service must log informational and more severe SMTP service messages. |
| SV-837r2_rule | The SMTP service log file must be owned by root. |
| SV-838r2_rule | The SMTP service log file must have mode 0644 or less permissive. |
| SV-28404r1_rule | The ftpusers file must exist. |
| SV-28407r1_rule | The ftpusers file must contain account names not allowed to use FTP. |
| SV-28410r1_rule | The ftpusers file must be owned by root. |
| SV-28413r1_rule | The ftpusers file must have mode 0640 or less permissive. |
| SV-845r2_rule | The FTP daemon must be configured for logging or verbose mode. |
| SV-846r2_rule | Anonymous FTP must not be active on the system unless authorized. |
| SV-28418r1_rule | The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system. |
| SV-848r2_rule | The TFTP daemon must have mode 0755 or less permissive. |
| SV-39825r1_rule | The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user. |
| SV-850r2_rule | Any X Windows host must write .Xauthority files. |
| SV-867r2_rule | The Network Information System (NIS) protocol must not be used. |
| SV-27184r1_rule | All interactive users must be assigned a home directory in the /etc/passwd file. |
| SV-27192r1_rule | All interactive user home directories defined in the /etc/passwd file must exist. |
| SV-901r2_rule | All users' home directories must have mode 0750 or less permissive. |
| SV-39822r1_rule | All interactive users' home directories must be owned by their respective users. |
| SV-39823r1_rule | All interactive users' home directories must be group-owned by the home directory owner's primary group. |
| SV-904r3_rule | All local initialization files must be owned by the user or root. |
| SV-905r2_rule | All local initialization files must have mode 0740 or less permissive. |
| SV-27199r2_rule | All run control scripts must have mode 0755 or less permissive. |
| SV-39837r2_rule | Run control scripts' executable search paths must contain only absolute paths. |
| SV-910r2_rule | Run control scripts must not execute world-writable programs or scripts. |
| SV-913r2_rule | There must be no .netrc files on the system. |
| SV-39836r1_rule | All files and directories contained in interactive users' home directories must be owned by the home directory's owner. |
| SV-39840r1_rule | All files and directories contained in users' home directories must have mode 0750 or less permissive. |
| SV-40806r1_rule | The /etc/shells (or equivalent) file must exist. |
| SV-917r2_rule | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins. |
| SV-39824r1_rule | Accounts must be locked upon 35 days of inactivity. |
| SV-921r2_rule | All shell files must be owned by root or bin. |
| SV-922r2_rule | All shell files must have mode 0755 or less permissive. |
| SV-923r2_rule | The system must be checked for extraneous device files at least weekly. |
| SV-924r2_rule | Device files and directories must only be writable by users with a system account or as configured by the vendor. |
| SV-925r2_rule | Device files used for backup must only be readable and/or writable by root or the backup user. |
| SV-28453r1_rule | Any NIS+ server must be operating at security level 2. |
| SV-28444r1_rule | The NFS export configuration file must be owned by root. |
| SV-28446r1_rule | The NFS export configuration file must have mode 0644 or less permissive. |
| SV-931r2_rule | All NFS-exported system files and system directories must be owned by root. |
| SV-28448r1_rule | The NFS anonymous UID and GID must be configured to values without permissions. |
| SV-28450r1_rule | The NFS server must be configured to restrict filesystem access to local hosts. |
| SV-934r2_rule | The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not be set to none. |
| SV-28451r1_rule | The NFS server must not allow remote root access. |
| SV-28452r1_rule | The nosuid option must be enabled on all NFS client mounts. |
| SV-28458r1_rule | The system must use an access control program. |
| SV-941r2_rule | The system's access control program must log each system access attempt. |
| SV-953r2_rule | The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct. |
| SV-954r2_rule | If NIS+ is configured on the Solaris system, YPCHECK must be set to true. |
| SV-955r2_rule | The /usr/aset/userlist file must exist. |
| SV-956r2_rule | The /usr/aset/userlist file must be owned by root. |
| SV-957r2_rule | The /usr/aset/userlist file must have mode 0600 or less permissive. |
| SV-27317r1_rule | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s). |
| SV-27323r1_rule | The cron.allow file must have mode 0600 or less permissive. |
| SV-27329r1_rule | Cron must not execute group-writable or world-writable programs. |
| SV-27331r1_rule | Cron must not execute programs in, or subordinate to, world-writable directories. |
| SV-27340r1_rule | Crontab files must have mode 0600 or less permissive. |
| SV-27342r1_rule | Cron and crontab directories must have mode 0755 or less permissive. |
| SV-27345r1_rule | Cron and crontab directories must be owned by root or bin. |
| SV-27347r1_rule | Cron and crontab directories must be group-owned by root, sys, or bin. |
| SV-27349r1_rule | Cron logging must be implemented. |
| SV-27354r1_rule | The cronlog file must have mode 0600 or less permissive. |
| SV-27376r1_rule | Access to the at utility must be controlled via the at.allow and/or at.deny file(s). |
| SV-27380r1_rule | The at.deny file must not be empty if it exists. |
| SV-27384r1_rule | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist. |
| SV-27388r1_rule | The at.allow file must have mode 0600 or less permissive. |
| SV-40411r1_rule | The "at" daemon must not execute group-writable or world-writable programs. |
| SV-40412r1_rule | The "at" daemon must not execute programs in, or subordinate to, world-writable directories. |
| SV-993r2_rule | SNMP communities, users, and passphrases must be changed from the default. |
| SV-994r2_rule | The snmpd.conf file must have mode 0600 or less permissive. |
| SV-995r2_rule | Management Information Base (MIB) files must have mode 0640 or less permissive. |
| SV-1010r3_rule | Public directories must be the only world-writable directories and world-writable files must be located only in public directories. |
| SV-27429r1_rule | Inetd or xinetd logging/tracing must be enabled. |
| SV-1013r2_rule | The system must be configured to only boot from the system boot device. |
| SV-1023r2_rule | The system must not run an Internet Network News (INN) server. |
| SV-42313r1_rule | The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL. |
| SV-1027r3_rule | The /etc/smb.conf file must be owned by root. |
| SV-1028r2_rule | The /etc/smb.conf file must have mode 0644 or less permissive. |
| SV-1029r2_rule | The /etc/smbpasswd file must be owned by root. |
| SV-1030r3_rule | The smb.conf file must use the hosts option to restrict access to Samba. |
| SV-39809r1_rule | Users must not be able to change passwords more than once every 24 hours. |
| SV-1046r2_rule | Root passwords must never be passed over a network in clear text form. |
| SV-39811r1_rule | The system must not permit root logins using remote access programs such as SSH. |
| SV-27241r1_rule | Audio devices must have mode 0660 or less permissive. |
| SV-27246r1_rule | Audio devices must be owned by root. |
| SV-39890r3_rule | The smb.conf file must be group-owned by root, bin, or sys. |
| SV-1058r2_rule | The /etc/smbpasswd file must be group-owned by root. |
| SV-1059r2_rule | The /etc/smbpasswd file must have mode 0600 or less permissive. |
| SV-27251r1_rule | Audio devices must be group-owned by root, sys, or bin. |
| SV-27157r1_rule | The root shell must be located in the / file system. |
| SV-39814r1_rule | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment. |
| SV-4087r2_rule | User start-up files must not execute world-writable programs. |
| SV-27207r1_rule | All system start-up files must be owned by root. |
| SV-27213r1_rule | All system start-up files must be group-owned by root, sys, or bin. |
| SV-27219r1_rule | System start-up files must only execute programs owned by a privileged UID or an application. |
| SV-4245r2_rule | The /etc/security/audit_user file must have mode 0640 or less permissive. |
| SV-4246r2_rule | System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. |
| SV-41534r1_rule | The system must not use removable media as the boot loader. |
| SV-4255r2_rule | If the system boots from removable media, it must be stored in a safe or similarly secured container. |
| SV-4269r2_rule | The system must not have unnecessary accounts. |
| SV-4273r2_rule | The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive. |
| SV-4274r2_rule | The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive. |
| SV-4275r2_rule | The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive. |
| SV-4276r2_rule | The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive. |
| SV-4277r2_rule | Files in /etc/news must be owned by root or news. |
| SV-4278r2_rule | The files in /etc/news must be group-owned by root or news. |
| SV-39817r1_rule | The SSH daemon must be configured to only use the SSHv2 protocol. |
| SV-27147r1_rule | Remote consoles must be disabled or protected from unauthorized access. |
| SV-4300r2_rule | The NFS server must have logging implemented. |
| SV-36867r1_rule | The system clock must be synchronized to an authoritative DoD time source. |
| SV-4304r2_rule | The root file system must employ journaling or another mechanism ensuring file system consistency. |
| SV-4309r2_rule | If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv. |
| SV-4312r2_rule | The /usr/aset/masters/uid_aliases must be empty. |
| SV-36751r1_rule | The ASET master files must be located in the /usr/aset/masters directory. |
| SV-4321r2_rule | The system must not run Samba unless needed. |
| SV-4351r2_rule | The /etc/security/audit_user file must be group-owned by root, sys, or bin. |
| SV-4352r2_rule | The /etc/security/audit_user file must be owned by root. |
| SV-4353r2_rule | The /etc/security/audit_user file must not define a different auditing level for specific users. |
| SV-4357r2_rule | Audit logs must be rotated daily. |
| SV-27359r1_rule | The cron.deny file must have mode 0600 or less permissive. |
| SV-27364r1_rule | Cron programs must not set the umask to a value less restrictive than 077. |
| SV-27366r1_rule | The cron.allow file must be owned by root, bin, or sys. |
| SV-40391r1_rule | The "at" directory must have mode 0755 or less permissive. |
| SV-39886r1_rule | The "at" directory must be owned by root, bin, or sys. |
| SV-40416r1_rule | "At" jobs must not set the umask to a value less restrictive than 077. |
| SV-27392r1_rule | The at.allow file must be owned by root, bin, or sys. |
| SV-27396r1_rule | The at.deny file must be owned by root, bin, or sys. |
| SV-28392r1_rule | The traceroute command owner must be root. |
| SV-28395r1_rule | The traceroute command must be group-owned by sys, bin, or root. |
| SV-28399r1_rule | The traceroute file must have mode 0700 or less permissive. |
| SV-4382r2_rule | Administrative accounts must not run a web browser, except as needed for local service administration. |
| SV-42310r1_rule | The SMTP service's SMTP greeting must not provide version information. |
| SV-39827r1_rule | The system must not use .forward files. |
| SV-4387r2_rule | Anonymous FTP accounts must not have a functional shell. |
| SV-39838r1_rule | The anonymous FTP account must be configured to use chroot or a similarly isolated environment. |
| SV-4392r2_rule | If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS. |
| SV-4393r2_rule | The /etc/syslog.conf file must be owned by root. |
| SV-39892r1_rule | The /etc/syslog.conf file must be group-owned by root, bin, or sys. |
| SV-4395r2_rule | The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures. |
| SV-30079r1_rule | The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. |
| SV-4398r2_rule | A system used for routing must not run other network services or applications. |
| SV-4399r2_rule | The system must not use UDP for NIS/NIS+. |
| SV-4427r2_rule | All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs. |
| SV-40341r1_rule | All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. |
| SV-27371r1_rule | The cron.deny file must be owned by root, bin, or sys. |
| SV-27434r1_rule | The rsh daemon must not be running. |
| SV-27437r1_rule | The rexec daemon must not be running. |
| SV-39819r1_rule | The SMTP service must be an up-to-date version. |
| SV-42311r1_rule | The Sendmail server must have the debug feature disabled. |
| SV-42312r1_rule | The SMTP service must not have a uudecode alias active. |
| SV-4692r2_rule | The SMTP service must not have the EXPN feature active. |
| SV-4693r2_rule | The SMTP service must not have the VRFY feature active. |
| SV-4694r2_rule | The Sendmail service must not have the wizard backdoor active. |
| SV-28422r1_rule | Any active TFTP daemon must be authorized and approved in the system accreditation package. |
| SV-28427r1_rule | The system must not have the UUCP service active. |
| SV-4697r2_rule | X displays must not be exported to the world. |
| SV-27440r1_rule | The system must not have the finger service active. |
| SV-4702r2_rule | If the system is an anonymous FTP server, it must be isolated to the DMZ network. |
| SV-27051r1_rule | The operating system must be a supported release. |
| SV-12442r2_rule | A file integrity baseline must be created and maintained. |
| SV-28610r2_rule | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. |
| SV-12447r2_rule | UIDs reserved for system accounts must not be assigned to non-system accounts. |
| SV-27110r2_rule | The system must require passwords contain a minimum of 15 characters. |
| SV-39845r3_rule | User passwords must be changed at least every 60 days. |
| SV-12478r2_rule | All non-interactive/automated processing account passwords must be changed at least once per year or be locked. |
| SV-39848r1_rule | The root account must not be used for direct logins. |
| SV-39850r1_rule | The system must log successful and unsuccessful access to the root account. |
| SV-39829r1_rule | All global initialization files must have mode 0644 or less permissive. |
| SV-39830r1_rule | All global initialization files must be owned by root. |
| SV-39831r1_rule | All global initialization files must be group-owned by root, sys, or bin. |
| SV-12485r2_rule | All skeleton files and directories (typically in /etc/skel) must be owned by bin. |
| SV-12486r2_rule | All global initialization files' executable search paths must contain only absolute paths. |
| SV-12487r3_rule | All local initialization files' executable search paths must contain only absolute paths. |
| SV-12488r2_rule | The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups. |
| SV-12489r2_rule | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system. |
| SV-12490r2_rule | The .rhosts file must not be supported in PAM. |
| SV-12491r2_rule | All public directories must be group-owned by root or an application group. |
| SV-27333r1_rule | Crontabs must be owned by root or the crontab creator. |
| SV-27335r1_rule | Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. |
| SV-27400r1_rule | Process core dumps must be disabled unless needed. |
| SV-27407r1_rule | The kernel core dump data directory must be owned by root. |
| SV-27412r1_rule | The system must implement non-executable program stacks. |
| SV-27416r1_rule | The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks. |
| SV-27420r1_rule | The system must not forward IPv4 source-routed packets. |
| SV-28618r3_rule | A separate file system must be used for user home directories (such as /home or equivalent). |
| SV-12505r2_rule | The system must log authentication informational data. |
| SV-12506r2_rule | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled. |
| SV-42309r1_rule | The SMTP service HELP command must not be enabled. |
| SV-28634r1_rule | Unencrypted FTP must not be used on the system. |
| SV-12512r2_rule | All FTP users must have a default umask of 077. |
| SV-12515r2_rule | All .Xauthority files must have mode 0600 or less permissive. |
| SV-12517r2_rule | .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server. |
| SV-12518r2_rule | The .Xauthority utility must only permit access to authorized hosts. |
| SV-12519r2_rule | X Window System connections that are not required must be disabled. |
| SV-41515r1_rule | The system must not be used as a syslog server (log host) for systems external to the enclave. |
| SV-28430r1_rule | The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. |
| SV-12523r2_rule | The SSH daemon must be configured for IP filtering. |
| SV-28435r1_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router. |
| SV-41525r1_rule | The system must not have a public Instant Messaging (IM) client installed. |
| SV-12526r2_rule | The system must not have any peer-to-peer file-sharing application installed. |
| SV-12527r2_rule | NIS maps must be protected through hard-to-guess domain names. |
| SV-41530r1_rule | The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach. |
| SV-41532r1_rule | The system's access control program must be configured to grant or deny system access to specific hosts. |
| SV-12532r2_rule | The nosuid option must be configured in the /etc/rmmount.conf file. |
| SV-12533r2_rule | Hidden extended file attributes must not exist on the system. |
| SV-12534r2_rule | The root account must be the only account with GID of 0. |
| SV-40811r1_rule | Network analysis tools must not be installed. |
| SV-28461r3_rule | The system must use and update a DoD-approved virus scan program. |
| SV-26290r1_rule | The system clock must be synchronized continuously, or at least daily. |
| SV-26303r1_rule | The system must use at least two time sources for clock synchronization. |
| SV-26305r1_rule | The system must use time sources local to the enclave. |
| SV-26293r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. |
| SV-26296r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys. |
| SV-26298r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. |
| SV-26300r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL. |
| SV-26310r1_rule | The system must display the date and time of the last successful account login upon login. |
| SV-39865r1_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock. |
| SV-25952r1_rule | The system must require passwords contain at least one lowercase alphabetic character. |
| SV-39876r1_rule | The system must restrict the ability to switch to the root user to members of a defined group. |
| SV-26352r1_rule | The root account's home directory must not have an extended ACL. |
| SV-26355r1_rule | The root account's library search path must be the system default and must contain only absolute paths. |
| SV-26357r1_rule | The root account's list of preloaded libraries must be empty. |
| SV-26358r1_rule | All files and directories must have a valid group-owner. |
| SV-26360r1_rule | All network services daemon files must not have extended ACLs. |
| SV-26364r1_rule | All system command files must not have extended ACLs. |
| SV-26368r1_rule | System log files must not have extended ACLs, except as needed to support authorized software. |
| SV-26372r1_rule | All manual page files must not have extended ACLs. |
| SV-26376r1_rule | All library files must not have extended ACLs. |
| SV-26385r1_rule | NIS/NIS+/yp command files must not have extended ACLs. |
| SV-26395r1_rule | The /etc/resolv.conf file must be owned by root. |
| SV-39894r1_rule | The /etc/resolv.conf file must be group-owned by root, bin, or sys. |
| SV-26397r1_rule | The /etc/resolv.conf file must have mode 0644 or less permissive. |
| SV-26399r1_rule | The /etc/resolv.conf file must not have an extended ACL. |
| SV-26410r1_rule | The /etc/hosts file must be owned by root. |
| SV-39896r1_rule | The /etc/hosts file must be group-owned by root, bin, or sys. |
| SV-26412r1_rule | The /etc/hosts file must have mode 0644 or less permissive. |
| SV-26414r1_rule | The /etc/hosts file must not have an extended ACL. |
| SV-26417r1_rule | The /etc/nsswitch.conf file must be owned by root. |
| SV-39897r1_rule | The /etc/nsswitch.conf file must be group-owned by root, bin, or sys. |
| SV-26419r1_rule | The /etc/nsswitch.conf file must have mode 0644 or less permissive. |
| SV-26421r1_rule | The /etc/nsswitch.conf file must not have an extended ACL. |
| SV-26425r1_rule | The /etc/passwd file must be owned by root. |
| SV-39898r1_rule | The /etc/passwd file must be group-owned by root, bin, or sys. |
| SV-26428r1_rule | The /etc/passwd file must not have an extended ACL. |
| SV-26431r1_rule | The /etc/group file must be owned by root. |
| SV-39899r1_rule | The /etc/group file must be group-owned by root, bin, or sys. |
| SV-26433r1_rule | The /etc/group file must have mode 0644 or less permissive. |
| SV-26435r1_rule | The /etc/group file must not have an extended ACL. |
| SV-39900r1_rule | The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys. |
| SV-26439r1_rule | The /etc/shadow file must not have an extended ACL. |
| SV-26467r1_rule | The /etc/passwd file must not contain password hashes. |
| SV-26447r1_rule | The /etc/group file must not contain any group password hashes. |
| SV-26450r1_rule | User home directories must not have extended ACLs. |
| SV-39877r1_rule | All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. |
| SV-26455r1_rule | All files and directories contained in user home directories must not have extended ACLs. |
| SV-26459r1_rule | All run control scripts must have no extended ACLs. |
| SV-26462r1_rule | Run control scripts' library search paths must contain only absolute paths. |
| SV-26464r1_rule | Run control scripts' lists of preloaded libraries must contain only absolute paths. |
| SV-26470r1_rule | All global initialization files must not have extended ACLs. |
| SV-26474r1_rule | Skeleton files must not have extended ACLs. |
| SV-39901r2_rule | All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys. |
| SV-26478r1_rule | Global initialization files' library search paths must contain only absolute paths. |
| SV-39839r1_rule | Global initialization files' lists of preloaded libraries must contain only absolute paths. |
| SV-37101r1_rule | Local initialization files must be group-owned by the user's primary group or root. |
| SV-26483r1_rule | Local initialization files must not have extended ACLs. |
| SV-26486r2_rule | Local initialization files' library search paths must contain only absolute paths. |
| SV-26488r2_rule | Local initialization files' lists of preloaded libraries must contain only absolute paths. |
| SV-39902r1_rule | All shell files must be group-owned by root, bin, or sys. |
| SV-26491r1_rule | All shell files must not have extended ACLs. |
| SV-26495r1_rule | Audio devices must not have extended ACLs. |
| SV-26501r1_rule | All system audit files must not have extended ACLs. |
| SV-26505r1_rule | System audit tool executables must be owned by root. |
| SV-26508r1_rule | System audit tool executables must be group-owned by root, bin, or sys. |
| SV-26511r1_rule | System audit tool executables must have mode 0750 or less permissive. |
| SV-26514r1_rule | System audit tool executables must not have extended ACLs. |
| SV-40562r1_rule | The audit system must alert the SA in the event of an audit processing failure. |
| SV-40564r1_rule | The audit system must alert the SA when the audit storage volume approaches its capacity. |
| SV-26524r1_rule | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. |
| SV-26527r1_rule | The cron.allow file must not have an extended ACL. |
| SV-41044r1_rule | Crontab files must be group-owned by root, sys, or the crontab creator's primary group. |
| SV-26533r1_rule | Crontab files must not have extended ACLs. |
| SV-26537r1_rule | Cron and crontab directories must not have extended ACLs. |
| SV-26541r1_rule | The cron log files must not have extended ACLs. |
| SV-26545r1_rule | The cron.deny file must not have an extended ACL. |
| SV-26549r1_rule | The at.allow file must not have an extended ACL. |
| SV-26553r1_rule | The cron.allow file must be group-owned by root, bin, or sys. |
| SV-26556r1_rule | The at.deny file must have mode 0600 or less permissive. |
| SV-26559r1_rule | The at.deny file must not have an extended ACL. |
| SV-26563r1_rule | The cron.deny file must be group-owned by root, bin, or sys. |
| SV-26565r1_rule | The at directory must not have an extended ACL. |
| SV-40414r1_rule | The "at" directory must be group-owned by root, bin, or sys. |
| SV-26570r1_rule | The at.allow file must be group-owned by root, bin, or sys. |
| SV-26573r1_rule | The at.deny file must be group-owned by root, bin, or sys. |
| SV-26576r2_rule | The system must be configured to store any process core dumps in a specific, centralized directory. |
| SV-26579r1_rule | The centralized process core dump data directory must be owned by root. |
| SV-26582r2_rule | The centralized process core dump data directory must be group-owned by root, bin, or sys. |
| SV-26596r1_rule | The centralized process core dump data directory must have mode 0700 or less permissive. |
| SV-26601r1_rule | The centralized process core dump data directory must not have an extended ACL. |
| SV-26605r1_rule | Kernel core dumps must be disabled unless needed. |
| SV-26610r1_rule | The kernel core dump data directory must be group-owned by root. |
| SV-26614r1_rule | The kernel core dump data directory must have mode 0700 or less permissive. |
| SV-26617r1_rule | The kernel core dump data directory must not have an extended ACL. |
| SV-26621r1_rule | The system must not process ICMP timestamp requests. |
| SV-26622r1_rule | The system must not respond to ICMPv4 echoes sent to a broadcast address. |
| SV-26624r1_rule | The system must not respond to ICMP timestamp requests sent to a broadcast address. |
| SV-26626r1_rule | The system must not apply reversed source routing to TCP responses. |
| SV-26076r1_rule | The system must prevent local applications from generating source-routed packets. |
| SV-26077r1_rule | The system must not accept source-routed IPv4 packets. |
| SV-29603r1_rule | Proxy ARP must not be enabled on the system. |
| SV-26630r1_rule | The system must ignore IPv4 ICMP redirect messages. |
| SV-26632r1_rule | The system must not send IPv4 ICMP redirects. |
| SV-26082r1_rule | The system must log martian packets. |
| SV-42308r1_rule | The system must not be configured for network bridging. |
| SV-26638r2_rule | All local file systems must employ journaling or another mechanism ensuring file system consistency. |
| SV-39884r1_rule | The inetd.conf file must be group-owned by root, bin, or sys. |
| SV-26652r1_rule | The inetd.conf and xinetd.conf files must not have extended ACLs. |
| SV-39903r1_rule | The services file must be group-owned by root, bin, or sys. |
| SV-26659r1_rule | The services file must not have an extended ACL. |
| SV-26663r1_rule | The portmap or rpcbind service must not be running unless needed. |
| SV-40810r1_rule | The portmap or rpcbind service must not be installed unless needed. |
| SV-26668r1_rule | The rshd service must not be installed. |
| SV-26672r1_rule | The rlogind service must not be running. |
| SV-26670r1_rule | The rlogind service must not be installed. |
| SV-26674r1_rule | The rexecd service must not be installed. |
| SV-37456r2_rule | The hosts.lpd (or equivalent) file must be group-owned by root, bin, or sys. |
| SV-26677r1_rule | The hosts.lpd (or equivalent) file must not have an extended ACL. |
| SV-26681r1_rule | The traceroute file must not have an extended ACL. |
| SV-37458r1_rule | The aliases file must be group-owned by root, sys, smmsp, or bin. |
| SV-26686r1_rule | The alias file must not have an extended ACL. |
| SV-39904r1_rule | Files executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys. |
SV-26691r1_ruleFiles executed through a mail aliases file must not have extended ACLs.
SV-26699r1_ruleThe SMTP service log file must not have an extended ACL.
SV-39905r1_ruleThe ftpusers file must be group-owned by root, bin, or sys.
SV-26706r1_ruleThe ftpusers file must not have an extended ACL.
SV-26710r1_ruleThe .Xauthority files must not have extended ACLs.
SV-26714r1_ruleThe SNMP service must use only SNMPv3 or its successors.
SV-26728r1_ruleManagement Information Base (MIB) files must not have extended ACLs.
SV-26732r1_ruleThe snmpd.conf file must be group-owned by root, sys, or bin.
SV-26736r1_ruleThe snmpd.conf file must not have an extended ACL.
SV-26740r1_ruleThe /etc/syslog.conf file must have mode 0640 or less permissive.
SV-26742r1_ruleThe /etc/syslog.conf file must not have an extended ACL.
SV-26745r1_ruleThe system must use a remote syslog server (log host).
SV-26749r1_ruleThe SSH client must be configured to only use the SSHv2 protocol.
SV-26750r1_ruleThe SSH daemon must only listen on management network addresses unless authorized for uses other than management.
SV-41035r1_ruleThe SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
SV-26752r2_ruleThe SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
SV-26753r1_ruleThe SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-26754r1_ruleThe SSH client must be configured to only use FIPS 140-2 approved ciphers.
SV-26755r1_ruleThe SSH client must be configured to not use CBC-based ciphers.
SV-26756r1_ruleThe SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-26763r1_ruleThe SSH daemon must restrict login ability to specific users and/or groups.
SV-26764r1_ruleThe SSH public host key files must have mode 0644 or less permissive.
SV-26765r1_ruleThe SSH private host key files must have mode 0600 or less permissive.
SV-26766r1_ruleThe SSH daemon must not permit GSSAPI authentication unless needed.
SV-26767r1_ruleThe SSH client must not permit GSSAPI authentication unless needed.
SV-26781r1_ruleThe SSH daemon must perform strict mode checking of home directory configuration files.
SV-26786r1_ruleThe SSH daemon must not allow rhosts RSA authentication.
SV-26787r1_ruleThe SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-26802r1_ruleThe SSH daemon must be configured with the Department of Defense (DoD) logon banner.
SV-26804r1_ruleThe system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-26810r1_ruleThe system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
SV-26813r1_ruleThe NFS export configuration file must be group-owned by root, bin, or sys.
SV-26815r1_ruleThe NFS exports configuration file must not have an extended ACL.
SV-26821r2_ruleAll NFS exported system files and system directories must be group-owned by root, bin, or sys.
SV-26823r2_ruleThe /etc/smb.conf file must not have an extended ACL.
SV-26827r1_ruleThe /etc/smbpasswd file must not have an extended ACL.
SV-26830r2_ruleSamba must be configured to use an authentication mechanism other than share.
SV-26831r2_ruleSamba must be configured to use encrypted passwords.
SV-26832r2_ruleSamba must be configured to not allow guest access to shares.
SV-26834r1_ruleThe /etc/news/hosts.nntp file must not have an extended ACL.
SV-26838r1_ruleThe /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
SV-26845r1_ruleThe /etc/news/nnrp.access file must not have an extended ACL.
SV-26849r1_ruleThe /etc/news/passwd.nntp file must not have an extended ACL.
SV-26857r1_ruleThe system package management tool must be used to verify system software periodically.
SV-26858r1_ruleThe file integrity tool must be configured to verify ACLs.
SV-26860r1_ruleThe file integrity tool must be configured to verify extended attributes.
SV-26861r1_ruleThe file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
SV-29987r1_ruleThe Stream Control Transmission Protocol (SCTP) must be disabled unless required.
SV-26205r1_ruleThe Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
SV-26208r1_ruleThe Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
SV-42321r1_ruleThe IPv6 protocol handler must not be bound to the network stack unless needed.
SV-26921r1_ruleThe system must not have 6to4 enabled.
SV-26927r1_ruleThe system must not have IP tunnels configured.
SV-26931r1_ruleThe DHCP client must be disabled if not needed.
SV-26937r1_ruleThe system must ignore IPv6 ICMP redirect messages.
SV-26938r1_ruleThe system must not send IPv6 ICMP redirects.
SV-26227r1_ruleThe system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
SV-26940r1_ruleThe system must not forward IPv6 source-routed packets.
SV-42323r1_ruleThe system must not accept source-routed IPv6 packets.
SV-41038r1_ruleIf the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
SV-40726r1_ruleIf the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive.
SV-40727r1_ruleIf the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
SV-39906r1_ruleIf the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
SV-40728r1_ruleIf the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
SV-40755r1_ruleIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
SV-39907r1_ruleIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, or sys.
SV-40760r1_ruleIf the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
SV-40623r1_ruleIf the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
SV-26250r1_ruleA root kit check tool must be run on the system at least weekly.
SV-26964r1_ruleAutomated file system mounting tools must not be enabled unless needed.
SV-26968r1_ruleThe system must have USB disabled unless needed.
SV-26970r4_ruleThe system must have USB Mass Storage disabled unless needed.
SV-26972r1_ruleThe system must have IEEE 1394 (Firewire) disabled unless needed.
SV-41533r1_ruleThe system must employ a local firewall.
SV-26258r1_ruleThe system's local firewall must implement a deny-all, allow-by-exception policy.
SV-26991r1_ruleThe system package management tool must cryptographically verify the authenticity of software packages during installation.
SV-26264r1_ruleThe system package management tool must not automatically obtain updates.
SV-27003r1_ruleThe /etc/security/audit_user file must not have an extended ACL.
SV-27013r1_ruleThe /usr/aset/userlist file must be group-owned by root.
SV-27014r1_ruleThe /usr/aset/userlist file must not have an extended ACL.
SV-26808r1_ruleThe system must not be running any routing protocol daemons, unless the system is a router.
SV-27277r1_ruleSystem audit logs must be group-owned by root, bin, or sys.
SV-39879r1_ruleThe FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-28628r1_ruleThe system must use a separate file system for the system audit data path.
SV-28632r1_ruleThe system must use a separate filesystem for /tmp (or equivalent).
SV-28639r1_ruleTCP backlog queue sizes must be set appropriately.
SV-28908r1_ruleMail relaying must be restricted.
SV-29785r1_ruleThe system must not respond to ICMPv6 echo requests sent to a broadcast address.
SV-39880r1_ruleThe Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-30004r1_ruleThe system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-40015r1_ruleThe system must be configured to send audit records to a remote audit server.
SV-30063r1_ruleThe telnet daemon must not be running.