STIGQter: STIG Summary: VMware ESX 3 Server

Version: 1

Release: 2

Benchmark Date: 22 Jul 2016

Name | Title
SV-756r2_rule | The system must require authentication upon booting into single-user and maintenance modes.
SV-760r2_rule | Direct logins must not be permitted to shared, default, application, or utility accounts.
SV-761r2_rule | All accounts on the system must have unique user or account names.
SV-762r2_rule | All accounts must be assigned unique User Identification Numbers (UIDs).
SV-763r2_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
SV-766r2_rule | The system must disable accounts after three consecutive unsuccessful login attempts.
SV-768r2_rule | The delay between login prompts following a failed login attempt must be at least 4 seconds.
SV-769r2_rule | The root user must not own the logon session for an application requiring a continuous display.
SV-770r2_rule | The system must not have accounts configured with blank or null passwords.
SV-773r2_rule | The root account must be the only account having a UID of 0.
SV-774r2_rule | The root user's home directory must not be the root directory (/).
SV-775r2_rule | The root account's home directory (other than /) must have mode 0700.
SV-776r3_rule | The root account's executable search path must be the vendor default and must contain only absolute paths.
SV-777r2_rule | The root account must not have world-writable directories in its executable search path.
SV-778r2_rule | The system must prevent the root account from directly logging in except from the system console.
SV-780r2_rule | Group Identifiers (GIDs) reserved for system accounts must not be assigned to non-system groups.
SV-781r2_rule | All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
SV-782r2_rule | The system must have a host-based intrusion detection tool installed.
SV-784r2_rule | System files and directories must not have uneven access permissions.
SV-785r2_rule | All files and directories must have a valid owner.
SV-786r2_rule | All network services daemon files must have mode 0755 or less permissive.
SV-787r2_rule | System log files must have mode 0640 or less permissive.
SV-788r2_rule | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
SV-789r2_rule | NIS/NIS+/yp files must be owned by root, sys, or bin.
SV-790r2_rule | NIS/NIS+/yp files must be group-owned by root, sys, bin, other, or system.
SV-791r2_rule | The NIS/NIS+/yp command files must have mode 0755 or less permissive.
SV-792r2_rule | Manual page files must have mode 0644 or less permissive.
SV-793r2_rule | Library files must have mode 0755 or less permissive.
SV-794r4_rule | All system command files must have mode 755 or less permissive.
SV-795r2_rule | All system files, programs, and directories must be owned by a system account.
SV-796r2_rule | System files, programs, and directories must be group-owned by a system group.
SV-797r2_rule | The /etc/shadow (or equivalent) file must be owned by root.
SV-798r2_rule | The /etc/passwd file must have mode 0644 or less permissive.
SV-800r2_rule | The /etc/shadow (or equivalent) file must have mode 0400.
SV-801r2_rule | The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
SV-802r2_rule | The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures.
SV-803r2_rule | The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files.
SV-804r2_rule | The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files.
SV-805r2_rule | Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
SV-806r2_rule | The sticky bit must be set on all public directories.
SV-807r2_rule | All public directories must be owned by root or an application account.
SV-808r2_rule | The system and user default umask must be 077.
SV-811r2_rule | Auditing must be implemented.
SV-812r2_rule | System audit logs must be owned by root.
SV-813r2_rule | System audit logs must have mode 0640 or less permissive.
SV-814r2_rule | The audit system must be configured to audit failed attempts to access files and programs.
SV-815r2_rule | The audit system must be configured to audit file deletions.
SV-816r2_rule | The audit system must be configured to audit all administrative, privileged, and security actions.
SV-818r2_rule | The audit system must be configured to audit login, logout, and session initiation.
SV-819r2_rule | The audit system must be configured to audit all discretionary access control permission modifications.
SV-821r2_rule | The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
SV-822r2_rule | The inetd.conf and xinetd.conf files must have mode 0440 or less permissive.
SV-823r2_rule | The services file must be owned by root or bin.
SV-824r2_rule | The services file must have mode 0444 or less permissive.
SV-825r2_rule | Global initialization files must contain the mesg -n or mesg n commands.
SV-827r2_rule | The hosts.lpd file (or equivalent) must not contain a "+" character.
SV-828r2_rule | The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
SV-829r2_rule | The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
SV-831r2_rule | The alias file must be owned by root.
SV-832r2_rule | The alias file must have mode 0644 or less permissive.
SV-833r2_rule | Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
SV-834r2_rule | Files executed through a mail aliases file must have mode 0755 or less permissive.
SV-835r2_rule | Sendmail logging must not be set to less than nine in the sendmail.cf file.
SV-836r2_rule | The system syslog service must log informational and more severe SMTP service messages.
SV-837r2_rule | The SMTP service log file must be owned by root.
SV-838r2_rule | The SMTP service log file must have mode 0644 or less permissive.
SV-840r2_rule | The ftpusers file must exist.
SV-841r2_rule | The ftpusers file must contain account names not allowed to use FTP.
SV-842r2_rule | The ftpusers file must be owned by root.
SV-843r2_rule | The ftpusers file must have mode 0640 or less permissive.
SV-845r2_rule | The FTP daemon must be configured for logging or verbose mode.
SV-846r2_rule | Anonymous FTP must not be active on the system unless authorized.
SV-847r2_rule | The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
SV-848r2_rule | The TFTP daemon must have mode 0755 or less permissive.
SV-849r2_rule | The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
SV-850r2_rule | Any X Windows host must write .Xauthority files.
SV-867r2_rule | The Network Information System (NIS) protocol must not be used.
SV-899r2_rule | All interactive users must be assigned a home directory in the /etc/passwd file.
SV-900r2_rule | All interactive user home directories defined in the /etc/passwd file must exist.
SV-901r2_rule | All users' home directories must have mode 0750 or less permissive.
SV-902r2_rule | All interactive users' home directories must be owned by their respective users.
SV-903r2_rule | All interactive users' home directories must be group-owned by the home directory owner's primary group.
SV-904r3_rule | All local initialization files must be owned by the user or root.
SV-905r2_rule | All local initialization files must have mode 0740 or less permissive.
SV-906r2_rule | All run control scripts must have mode 0755 or less permissive.
SV-907r2_rule | Run control scripts' executable search paths must contain only absolute paths.
SV-910r2_rule | Run control scripts must not execute world-writable programs or scripts.
SV-913r2_rule | There must be no .netrc files on the system.
SV-914r2_rule | All files and directories contained in interactive users' home directories must be owned by the home directory's owner.
SV-915r2_rule | All files and directories contained in users' home directories must have mode 0750 or less permissive.
SV-916r2_rule | The /etc/shells (or equivalent) file must exist.
SV-917r2_rule | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SV-918r2_rule | Accounts must be locked upon 35 days of inactivity.
SV-921r2_rule | All shell files must be owned by root or bin.
SV-922r2_rule | All shell files must have mode 0755 or less permissive.
SV-923r2_rule | The system must be checked for extraneous device files at least weekly.
SV-924r2_rule | Device files and directories must only be writable by users with a system account or as configured by the vendor.
SV-925r2_rule | Device files used for backup must only be readable and/or writable by root or the backup user.
SV-926r2_rule | Any NIS+ server must be operating at security level 2.
SV-928r2_rule | The NFS export configuration file must be owned by root.
SV-929r2_rule | The NFS export configuration file must have mode 0644 or less permissive.
SV-931r2_rule | All NFS-exported system files and system directories must be owned by root.
SV-932r2_rule | The NFS anonymous UID and GID must be configured to values that have no permissions.
SV-933r2_rule | The NFS server must be configured to restrict file system access to local hosts.
SV-935r2_rule | The NFS server must not allow remote root access.
SV-936r2_rule | The nosuid option must be enabled on all NFS client mounts.
SV-939r2_rule | A system vulnerability tool must be run on the system monthly.
SV-941r2_rule | The system's access control program must log each system access attempt.
SV-974r2_rule | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
SV-975r2_rule | The cron.allow file must have mode 0600 or less permissive.
SV-976r2_rule | Cron must not execute group-writable or world-writable programs.
SV-977r2_rule | Cron must not execute programs in, or subordinate to, world-writable directories.
SV-978r2_rule | Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive.
SV-979r2_rule | Cron and crontab directories must have mode 0755 or less permissive.
SV-980r2_rule | Cron and crontab directories must be owned by root or bin.
SV-981r2_rule | Cron and crontab directories must be group-owned by root, sys, bin, or cron.
SV-983r2_rule | The cron log file must have mode 0600 or less permissive.
SV-984r2_rule | Access to the "at" utility must be controlled via the at.allow and/or at.deny file(s).
SV-985r2_rule | The at.deny file must not be empty if it exists.
SV-986r2_rule | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
SV-987r2_rule | The at.allow file must have mode 0600 or less permissive.
SV-988r2_rule | The at daemon must not execute group-writable or world-writable programs.
SV-989r2_rule | The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
SV-993r2_rule | SNMP communities, users, and passphrases must be changed from the default.
SV-994r2_rule | The snmpd.conf file must have mode 0600 or less permissive.
SV-995r2_rule | Management Information Base (MIB) files must have mode 0640 or less permissive.
SV-1010r3_rule | Public directories must be the only world-writable directories, and world-writable files must be located only in public directories.
SV-1013r2_rule | The system must be configured to only boot from the system boot device.
SV-1015r2_rule | The ext3 filesystem type must be used for the primary Linux file system partitions.
SV-1021r2_rule | The X server must have the correct options enabled.
SV-1022r2_rule | An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
SV-1023r2_rule | The system must not run an Internet Network News (INN) server.
SV-1025r2_rule | The /etc/access.conf file must be owned by root.
SV-1026r2_rule | The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
SV-1027r3_rule | The /etc/smb.conf file must be owned by root.
SV-1028r2_rule | The /etc/smb.conf file must have mode 0644 or less permissive.
SV-1029r2_rule | The /etc/smbpasswd file must be owned by root.
SV-1030r3_rule | The smb.conf file must use the hosts option to restrict access to Samba.
SV-1046r2_rule | Root passwords must never be passed over a network in clear text form.
SV-1047r2_rule | The system must not permit root logins using remote access programs, such as SSH.
SV-1048r2_rule | Audio devices must have mode 0660 or less permissive.
SV-1049r2_rule | Audio devices must be owned by root.
SV-1054r2_rule | The /etc/access.conf file must have a privileged group owner.
SV-1055r2_rule | The /etc/access.conf file must have mode 0640 or less permissive.
SV-1056r2_rule | The /etc/smb.conf file must be group-owned by root, bin, or sys.
SV-1058r2_rule | The /etc/smbpasswd file must be group-owned by root.
SV-1059r2_rule | The /etc/smbpasswd file must have mode 0600 or less permissive.
SV-1061r2_rule | Audio devices must be group-owned by root, sys, bin, or system.
SV-1062r2_rule | The root shell must be located in the / file system.
SV-4083r2_rule | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity, and the system must require users to re-authenticate to unlock the environment.
SV-4084r2_rule | The system must prohibit the reuse of passwords within five iterations.
SV-4087r2_rule | User start-up files must not execute world-writable programs.
SV-4088r2_rule | User start-up files must not contain the mesg -y or mesg y command.
SV-4089r2_rule | All system start-up files must be owned by root.
SV-4090r2_rule | All system start-up files must be group-owned by root, sys, bin, other, or system.
SV-4091r2_rule | System start-up files must only execute programs owned by a privileged UID or an application.
SV-4246r2_rule | System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
SV-4247r2_rule | The system must not use removable media as the boot loader.
SV-4248r3_rule | For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
SV-4249r3_rule | The system boot loader must require authentication.
SV-4250r3_rule | The system's boot loader configuration file(s) must have mode 0600 or less permissive.
SV-4252r2_rule | If LILO is the authorized boot loader for the system, a global password must be defined in /etc/lilo.conf.
SV-4253r2_rule | The /etc/lilo.conf file must have mode 0600 or less permissive.
SV-4255r2_rule | If the system boots from removable media, it must be stored in a safe or similarly secured container.
SV-4262r2_rule | The system must not have the rpc.ugidd daemon enabled.
SV-4268r2_rule | The system must not have special privilege accounts, such as shutdown and halt.
SV-4269r2_rule | The system must not have unnecessary accounts.
SV-4273r2_rule | The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
SV-4274r2_rule | The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
SV-4275r2_rule | The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
SV-4276r2_rule | The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
SV-4277r2_rule | Files in /etc/news must be owned by root or news.
SV-4278r2_rule | The files in /etc/news must be group-owned by root or news.
SV-4295r2_rule | The SSH daemon must be configured to only use the SSHv2 protocol.
SV-4298r2_rule | Remote consoles must be disabled or protected from unauthorized access.
SV-4301r2_rule | The system clock must be synchronized to an authoritative DoD time source.
SV-4304r2_rule | The root file system must employ journaling or another mechanism ensuring file system consistency.
SV-4321r2_rule | The system must not run Samba unless needed.
SV-4334r2_rule | The /etc/sysctl.conf file must be owned by root.
SV-4335r2_rule | The /etc/sysctl.conf file must be group-owned by root.
SV-4336r2_rule | The /etc/sysctl.conf file must have mode 0600 or less permissive.
SV-4339r2_rule | The Linux NFS Server must not have the insecure file locking option.
SV-4342r2_rule | The x86 CTRL-ALT-DELETE key sequence must be disabled.
SV-4346r2_rule | The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.
SV-4357r2_rule | Audit logs must be rotated daily.
SV-4358r2_rule | The cron.deny file must have mode 0600 or less permissive.
SV-4360r2_rule | Cron programs must not set the umask to a value less restrictive than 077.
SV-4364r2_rule | The "at" directory must have mode 0755 or less permissive.
SV-4365r2_rule | The "at" directory must be owned by root, bin, or sys.
SV-4366r2_rule | "At" jobs must not set the umask to a value less restrictive than 077.
SV-4367r2_rule | The at.allow file must be owned by root, bin, or sys.
SV-4368r2_rule | The at.deny file must be owned by root, bin, or sys.
SV-4369r2_rule | The traceroute command owner must be root.
SV-4370r2_rule | The traceroute command must be group-owned by sys, bin, root, or system.
SV-4371r2_rule | The traceroute file must have mode 0700 or less permissive.
SV-4382r2_rule | Administrative accounts must not run a web browser, except as needed for local service administration.
SV-4384r2_rule | The SMTP service's SMTP greeting must not provide version information.
SV-4385r2_rule | The system must not use .forward files.
SV-4387r2_rule | Anonymous FTP accounts must not have a functional shell.
SV-4388r2_rule | The anonymous FTP account must be configured to use chroot or a similarly isolated environment.
SV-4392r2_rule | If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
SV-4393r2_rule | The /etc/syslog.conf file must be owned by root.
SV-4394r2_rule | The /etc/syslog.conf file must be group-owned by root, bin, sys, or system.
SV-4395r2_rule | The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
SV-4397r2_rule | The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
SV-4398r2_rule | A system used for routing must not run other network services or applications.
SV-4399r2_rule | The system must not use UDP for NIS/NIS+.
SV-4427r2_rule | All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
SV-4687r2_rule | The rsh daemon must not be running.
SV-4688r2_rule | The rexec daemon must not be running.
SV-4689r2_rule | The SMTP service must be an up-to-date version.
SV-4690r2_rule | The Sendmail server must have the debug feature disabled.
SV-4691r2_rule | The SMTP service must not have a uudecode alias active.
SV-4692r2_rule | The SMTP service must not have the EXPN feature active.
SV-4693r2_rule | The SMTP service must not have the VRFY feature active.
SV-4694r2_rule | The Sendmail service must not have the wizard backdoor active.
SV-4695r2_rule | Any active TFTP daemon must be authorized and approved in the system accreditation package.
SV-4696r2_rule | The system must not have the UUCP service active.
SV-4697r2_rule | X displays must not be exported to the world.
SV-4701r2_rule | The system must not have the finger service active.
SV-4702r2_rule | If the system is an anonymous FTP server, it must be isolated to the DMZ network.
SV-6986r1_rule | There is no document instructing users that USB devices be powered off for at least 60 seconds prior to being connected to an IS.
SV-6987r1_rule | MP3 players, camcorders, or digital cameras are being attached to ISs without prior DAA approval.
SV-6988r1_rule | USB devices are attached to a DoD IS without prior IAO approval.
SV-6990r1_rule | Disguised jump drives are not banned from locations containing DOD ISs.
SV-6991r1_rule | Notices are not prominently displayed informing everyone of the ban of disguised jump drives.
SV-6992r1_rule | Persistent memory USB devices are not treated as removable media and, contrary to DODD 5200.1-R, the devices are not secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain.
SV-6993r1_rule | Persistent memory USB devices are not labeled in accordance with the classification level of the data they contain.
SV-6994r1_rule | Sensitive data stored on a USB device with persistent memory, for which the data owner requires encryption, is not encrypted using NIST-certified cryptography.
SV-6995r1_rule | USB devices with persistent memory are not formatted in a manner to allow the application of Access Controls to files or data stored on the device.
SV-6996r1_rule | There is no section within the SFUG, or equivalent documentation, describing the correct usage and handling of USB technologies.
SV-6997r1_rule | The USB usage section of the SFUG, or equivalent document, does not contain a discussion of the devices that contain persistent non-removable memory.
SV-6998r1_rule | An IS has its BIOS set to allow a boot from a USB device.
SV-12441r2_rule | The operating system must be a supported release.
SV-12442r2_rule | A file integrity baseline must be created and maintained.
SV-28610r2_rule | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
SV-12447r2_rule | UIDs reserved for system accounts must not be assigned to non-system accounts.
SV-12448r2_rule | The system must require that passwords contain a minimum of 14 characters.
SV-12449r2_rule | The system must require that passwords contain at least one uppercase alphabetic character.
SV-12473r2_rule | The system must require that passwords contain at least one numeric character.
SV-12474r2_rule | The system must require that passwords contain at least one special character.
SV-12476r2_rule | The system must require passwords to contain no more than three consecutive repeating characters.
SV-12477r2_rule | User passwords must be changed at least every 60 days.
SV-12478r2_rule | All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
SV-12480r2_rule | The root account must not be used for direct logins.
SV-12481r2_rule | The system must log successful and unsuccessful access to the root account.
SV-12482r2_rule | All global initialization files must have mode 0444 or less permissive.
SV-12483r2_rule | All global initialization files must be owned by bin.
SV-12484r2_rule | All global initialization files must be group-owned by root, sys, bin, other, system, or the system default.
SV-12485r2_rule | All skeleton files and directories (typically in /etc/skel) must be owned by bin.
SV-12486r2_rule | All global initialization files' executable search paths must contain only absolute paths.
SV-12487r4_rule | All local initialization files' executable search paths must contain only absolute paths.
SV-12488r2_rule | The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
SV-12489r2_rule | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
SV-12490r2_rule | The .rhosts file must not be supported in PAM.
SV-12491r2_rule | All public directories must be group-owned by root or an application group.
SV-12495r2_rule | Crontabs must be owned by root or the crontab creator.
SV-12496r2_rule | Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
SV-12497r2_rule | Process core dumps must be disabled unless needed.
SV-12498r2_rule | The kernel core dump data directory must be owned by root.
SV-12500r2_rule | The system must implement non-executable program stacks.
SV-12502r2_rule | The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
SV-12503r2_rule | The system must not forward IPv4 source-routed packets.
SV-12504r2_rule | A separate file system must be used for user home directories (such as /home or equivalent).
SV-12505r2_rule | The system must log authentication informational data.
SV-12506r2_rule | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
SV-12507r2_rule | The SMTP service HELP command must not be enabled.
SV-12511r2_rule | Unencrypted FTP must not be used on the system.
SV-28634r1_rule | Unencrypted FTP must not be used on the system.
SV-12512r2_rule | All FTP users must have a default umask of 077.
SV-12515r2_rule | All .Xauthority files must have mode 0600 or less permissive.
SV-12517r2_rule | .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
SV-12518r2_rule | The .Xauthority utility must only permit access to authorized hosts.
SV-12519r2_rule | X Window System connections that are not required must be disabled.
SV-12520r3_rule | The snmpd.conf file must be owned by bin.
SV-12521r2_rule | The system must not be used as a syslog server (log host) for systems external to the enclave.
SV-12522r2_rule | The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
SV-12523r2_rule | The SSH daemon must be configured for IP filtering.
SV-12524r2_rule | IP forwarding for IPv4 must not be enabled, unless the system is a router.
SV-12525r2_rule | The system must not have a public Instant Messaging (IM) client installed.
SV-12526r2_rule | The system must not have any peer-to-peer file-sharing application installed.
SV-12527r2_rule | NIS maps must be protected through hard-to-guess domain names.
SV-12529r2_rule | The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
SV-12531r2_rule | The system's access control program must be configured to grant or deny system access to specific hosts.
SV-12537r2_rule | The LILO Boot Loader password is not encrypted.
SV-12539r2_rule | The /etc/securetty file must be group-owned by root, sys, or bin.
SV-12540r2_rule | The /etc/securetty file must be owned by root.
SV-12541r2_rule | The /etc/securetty file must have mode 0640 or less permissive.
SV-12550r2_rule | Network analysis tools must not be installed.
SV-13328r2_rule | The system must use and update a DoD-approved virus scan program.
SV-16722r1_rule | ESX Server is not configured in accordance with the UNIX STIG.
SV-16723r1_rule | An NFS Server is running on the ESX Server host.
SV-16726r1_rule | Permissions on the configuration and virtual disk files are incorrect.
SV-16729r1_rule | iSCSI storage equipment is not configured with the latest patches and updates.
SV-16730r1_rule | iSCSI passwords are not compliant with DoD policy.
SV-16732r1_rule | USB drives automatically load when inserted into the ESX Server host.
SV-16740r1_rule | The ESX Server does not meet the minimum requirement of two network adapters.
SV-16743r1_rule | The ESX Server external physical switch ports are configured to VLAN 1.
SV-16744r1_rule | Permissions have been changed on the /usr/sbin/esx* utilities.
SV-16750r1_rule | Unused port groups have not been removed.
SV-16758r1_rule | Promiscuous mode is enabled for virtual switches during the ESX Server boot process.
SV-16759r1_rule | External physical switch ports configured for EST mode are configured with spanning-tree enabled.
SV-16760r1_rule | The non-negotiate option is not configured for trunk links between external physical switches and virtual switches in VST mode.
SV-16761r1_rule | Undocumented VLANs are configured on ESX Server in VST mode.
SV-16763r1_rule | ESX Server firewall is not configured to High Security.
SV-16765r1_rule | IP tables or internal router/firewall is not configured to restrict IP addresses to services.
SV-16766r1_rule | ESX Server required services are not documented.
SV-16767r1_rule | ESX Server service console administrators are not documented.
SV-16768r1_rule | Hash signatures for the /etc files are not stored offline.
SV-16774r1_rule | The setuid and setgid flags have been disabled.
SV-16775r1_rule | ESX Server is not authenticating the time source with a hashing algorithm.
SV-16781r1_rule | ESX Server does not record log files.
SV-16783r1_rule | Log file permissions have not been configured to restrict unauthorized users.
SV-16784r1_rule | ESX Server does not send logs to a syslog server.
SV-16785r1_rule | Auditing is not configured on the ESX Server.
SV-16787r1_rule | The ESX Server software version is not at the latest release.
SV-16788r1_rule | ESX Server updates are not tested.
SV-16789r1_rule | VMware tools are not used to update the ESX Server.
SV-16790r1_rule | ESX Server software version is not supported.
SV-16791r1_rule | VMware and third party applications are not supported.
SV-16793r1_rule | The ESX Servers and management servers are not backed up in accordance with the MAC level of the servers.
SV-16795r1_rule | Backups are not located in separate logical partitions from production data.
SV-16796r1_rule | VI client sessions to the ESX Server are unencrypted.
SV-16797r1_rule | VI Web Access sessions to the ESX Server are unencrypted.
SV-16798r1_rule | VirtualCenter communications to the ESX Server are unencrypted.
SV-16799r1_rule | SNMP write mode is enabled on ESX Server.
SV-16815r1_rule | VirtualCenter vpxuser has been modified.
SV-16825r1_rule | ISO images are not restricted to authorized users.
SV-16826r1_rule | ISO images do not have hash checksums.
SV-16827r1_rule | ISO images are not verified for integrity when moved across the network.
SV-16828r1_rule | Master templates are not stored on a separate partition.
SV-16829r1_rule | Master templates are not restricted to authorized users only.
SV-16843r1_rule | Virtual machine moves are not logged from one physical server to another.
SV-16846r1_rule | Production virtual machines are not located in a controlled access area.
SV-16848r1_rule | Virtual machine OS log files are not saved before rollback.
SV-16849r1_rule | Virtual machine log files do not have a size limit.
SV-16850r1_rule | ESX Server is not configured to maintain a specific number of log files via log rotation.
SV-16851r1_rule | Virtual machine log files are not maintained for 1 year.
SV-16855r1_rule | Virtual machines are not backed up in accordance with the MAC level.
SV-16914r1_rule | Virtual machines are not registered in VMS.
SV-16915r1_rule | ESX Server is not properly registered in VMS.
SV-16916r1_rule | ESX Server assets are not configured with the correct posture in VMS.
SV-17881r1_rule | Permissions on the virtual disk files are incorrect.
SV-32521r1_rule | The system clock must be synchronized continuously, or at least daily.
SV-28717r1_rule | The system must use at least two time sources for clock synchronization.
SV-28718r1_rule | The system must use time sources local to the enclave.
SV-28719r1_rule | The system time synchronization method must use cryptographic algorithms to verify the authenticity and integrity of the time data.
SV-28720r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
SV-28721r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
SV-28722r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
SV-28723r1_rule | The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
SV-25945r1_rule | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
SV-25946r1_rule | The system must display the date and time of the last successful account login upon login.
SV-25947r1_rule | The system must display the number of unsuccessful login attempts since the last successful login for a user account upon logging in.
SV-25948r1_rule | The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
SV-25949r1_rule | The system must enforce the entire password during authentication.
SV-25950r1_rule | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
SV-25951r1_rule | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-25952r1_rule | The system must require that passwords contain at least one lowercase alphabetic character.
SV-25953r1_rule | The system must require that at least four characters be changed between the old and new passwords during a password change.
SV-25954r1_rule | The system must prevent the use of dictionary words for passwords.
SV-26348r1_rule | The system must restrict the ability to switch to the root user to members of a defined group.
SV-25956r1_rule | The root account's home directory must not have an extended ACL.
SV-25957r1_rule | The root account's library search path must be the system default and must contain only absolute paths.
SV-25958r1_rule | The root account's list of preloaded libraries must be empty.
SV-25959r1_rule | All files and directories must have a valid group owner.
SV-25960r1_rule | All network services daemon files must not have extended ACLs.
SV-25961r1_rule | All system command files must not have extended ACLs.
SV-25962r1_rule | System log files must not have extended ACLs, except as needed to support authorized software.
SV-25963r1_rule | All manual page files must not have extended ACLs.
SV-25964r1_rule | All library files must not have extended ACLs.
SV-25965r1_rule | NIS/NIS+/yp command files must not have extended ACLs.
SV-26395r1_rule | The /etc/resolv.conf file must be owned by root.
SV-26396r1_rule | The /etc/resolv.conf file must be group-owned by root, bin, sys, or system.
SV-26397r1_rule | The /etc/resolv.conf file must have mode 0644 or less permissive.
SV-25969r1_rule | The /etc/resolv.conf file must not have an extended ACL.
SV-26410r2_ruleThe /etc/hosts file must be owned by root.
SV-26411r1_ruleThe /etc/hosts file must be group-owned by root, bin, sys, or system.
SV-26412r1_ruleThe /etc/hosts file must have mode 0644 or less permissive.
SV-25973r1_ruleThe /etc/hosts file must not have an extended ACL.
SV-26417r1_ruleThe /etc/nsswitch.conf file must be owned by root.
SV-26418r1_ruleThe /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system.
SV-26419r1_ruleThe /etc/nsswitch.conf file must have mode 0644 or less permissive.
SV-25977r1_ruleThe /etc/nsswitch.conf file must not have an extended ACL.
SV-26424r1_ruleFor systems using DNS resolution, at least two name servers must be configured.
SV-26425r1_ruleThe /etc/passwd file must be owned by root.
SV-26426r1_ruleThe /etc/passwd file must be group-owned by root, bin, sys, or system.
SV-25981r1_ruleThe /etc/passwd file must not have an extended ACL.
SV-26431r1_ruleThe /etc/group file must be owned by root.
SV-26432r1_ruleThe /etc/group file must be group-owned by root, bin, sys, or system.
SV-26433r1_ruleThe /etc/group file must have mode 0644 or less permissive.
SV-25985r1_ruleThe /etc/group file must not have an extended ACL.
SV-26437r1_ruleThe /etc/shadow file (or equivalent) must be group-owned by root, bin, sys, or system.
SV-25987r1_ruleThe /etc/shadow file must not have an extended ACL.
SV-26442r1_ruleThe /etc/gshadow file must be owned by root.
SV-26444r1_ruleThe /etc/gshadow file must have mode 0400.
SV-26467r1_ruleThe /etc/passwd file must not contain password hashes.
SV-26447r1_ruleThe /etc/group file must not contain any group password hashes.
SV-26448r1_ruleThe /etc/gshadow file must not contain any group password hashes.
SV-25997r1_ruleUser home directories must not have extended ACLs.
SV-26453r1_rule  All files and directories contained in users' home directories must be group-owned by a group of which the home directory's owner is a member.
SV-25999r1_rule  All files and directories contained in user home directories must not have extended ACLs.
SV-26000r1_rule  All run control scripts must have no extended ACLs.
SV-26001r1_rule  Run control scripts' library search paths must contain only absolute paths.
SV-26002r1_rule  Run control scripts' lists of preloaded libraries must contain only absolute paths.
SV-26003r1_rule  All global initialization files must not have extended ACLs.
SV-26004r1_rule  Skeleton files must not have extended ACLs.
SV-26477r1_rule  All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
SV-26006r1_rule  Global initialization files' library search paths must contain only absolute paths.
SV-26007r1_rule  Global initialization files' lists of preloaded libraries must contain only absolute paths.
SV-26481r1_rule  Local initialization files must be group-owned by the user's primary group or root.
SV-26009r1_rule  Local initialization files must not have extended ACLs.
SV-26010r1_rule  Local initialization files' library search paths must contain only absolute paths.
SV-26011r1_rule  Local initialization files' lists of preloaded libraries must contain only absolute paths.
SV-26489r1_rule  All shell files must be group-owned by root, bin, sys, or system.
SV-26013r1_rule  All shell files must not have extended ACLs.
SV-26014r1_rule  Audio devices must not have extended ACLs.
SV-26015r1_rule  Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the "nodev" option.
SV-26016r1_rule  All system audit files must not have extended ACLs.
SV-26017r1_rule  System audit tool executables must be owned by root.
SV-26018r1_rule  System audit tool executables must be group-owned by root, bin, sys, or system.
SV-26019r1_rule  System audit tool executables must have mode 0750 or less permissive.
SV-26020r1_rule  System audit tool executables must not have extended ACLs.
SV-26021r1_rule  The audit system must alert the SA in the event of an audit processing failure.
SV-26022r1_rule  The audit system must alert the SA when the audit storage volume approaches its capacity.
SV-26023r1_rule  The audit system must be configured to audit account creation.
SV-26024r1_rule  The audit system must be configured to audit account modification.
SV-26025r1_rule  The audit system must be configured to audit account disabling.
SV-26029r1_rule  The audit system must be configured to audit account termination.
SV-26030r1_rule  The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SV-26034r1_rule  The cron.allow file must not have an extended ACL.
SV-26531r1_rule  Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
SV-26036r1_rule  Crontab files must not have extended ACLs.
SV-26037r1_rule  Cron and crontab directories must not have extended ACLs.
SV-26038r1_rule  The cron log files must not have extended ACLs.
SV-26039r1_rule  The cron.deny file must not have an extended ACL.
SV-26041r1_rule  The at.allow file must not have an extended ACL.
SV-26042r1_rule  The cron.allow file must be group-owned by root, bin, sys, or cron.
SV-26043r1_rule  The at.deny file must have mode 0600 or less permissive.
SV-26044r1_rule  The at.deny file must not have an extended ACL.
SV-26046r1_rule  The cron.deny file must be group-owned by root, bin, sys, or cron.
SV-26047r1_rule  The "at" directory must not have an extended ACL.
SV-26568r1_rule  The "at" directory must be group-owned by root, bin, sys, or cron.
SV-26050r1_rule  The at.allow file must be group-owned by root, bin, sys, or cron.
SV-26051r1_rule  The at.deny file must be group-owned by root, bin, sys, or cron.
SV-26052r1_rule  The system must be configured to store any process core dumps in a specific, centralized directory.
SV-26054r1_rule  The centralized process core dump data directory must be owned by root.
SV-26055r1_rule  The centralized process core dump data directory must be group-owned by root, bin, sys, or system.
SV-26056r1_rule  The centralized process core dump data directory must have mode 0700 or less permissive.
SV-26058r1_rule  The centralized process core dump data directory must not have an extended ACL.
SV-26059r1_rule  Kernel core dumps must be disabled unless needed.
SV-26066r1_rule  The kernel core dump data directory must be group-owned by root, bin, sys, or system.
SV-26067r1_rule  The kernel core dump data directory must have mode 0700 or less permissive.
SV-26068r1_rule  The kernel core dump data directory must not have an extended ACL.
SV-26069r1_rule  Network interfaces must not be configured to allow user control.
SV-26071r1_rule  The system must not process ICMP timestamp requests.
SV-26073r1_rule  The system must not respond to ICMPv4 echoes sent to a broadcast address.
SV-26074r1_rule  The system must not respond to ICMP timestamp requests sent to a broadcast address.
SV-26075r1_rule  The system must not apply reversed source routing to TCP responses.
SV-26076r1_rule  The system must prevent local applications from generating source-routed packets.
SV-26077r1_rule  The system must not accept source-routed IPv4 packets.
SV-26079r1_rule  Proxy ARP must not be enabled on the system.
SV-26080r1_rule  The system must ignore IPv4 ICMP redirect messages.
SV-26081r1_rule  The system must not send IPv4 ICMP redirects.
SV-26082r1_rule  The system must log martian packets.
SV-26084r1_rule  The system must use a reverse-path filter for IPv4 network traffic when possible.
SV-26086r1_rule  All local file systems must employ journaling or another mechanism ensuring file system consistency.
SV-26650r1_rule  The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
SV-26088r1_rule  The inetd.conf and xinetd.conf files must not have extended ACLs.
SV-26089r1_rule  The xinetd.d directory must have mode 0755 or less permissive.
SV-26090r1_rule  The xinetd.d directory must not have an extended ACL.
SV-26657r1_rule  The services file must be group-owned by root, bin, sys, or system.
SV-26092r1_rule  The services file must not have an extended ACL.
SV-26093r1_rule  The portmap or rpcbind service must not be running unless needed.
SV-26094r1_rule  The portmap or rpcbind service must not be installed unless needed.
SV-26096r1_rule  The rshd service must not be installed.
SV-26098r1_rule  The rlogind service must not be running.
SV-26100r1_rule  The rlogind service must not be installed.
SV-26101r1_rule  The rexecd service must not be installed.
SV-26675r1_rule  The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
SV-26103r1_rule  The hosts.lpd (or equivalent) file must not have an extended ACL.
SV-26105r1_rule  The traceroute file must not have an extended ACL.
SV-26684r1_rule  The aliases file must be group-owned by root, sys, bin, or system.
SV-26108r1_rule  The alias file must not have an extended ACL.
SV-26110r1_rule  Files executed through a mail aliases file must not have extended ACLs.
SV-26111r1_rule  The SMTP service log file must not have an extended ACL.
SV-26704r1_rule  The ftpusers file must be group-owned by root, bin, sys, or system.
SV-26114r1_rule  The ftpusers file must not have an extended ACL.
SV-26115r1_rule  The .Xauthority files must not have extended ACLs.
SV-26116r1_rule  The SNMP service must use only SNMPv3 or its successors.
SV-26117r1_rule  The SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.
SV-26118r1_rule  The SNMP service must require the use of a FIPS 140-2 approved encryption algorithm for protecting the privacy of SNMP messages.
SV-26119r1_rule  Management Information Base (MIB) files must not have extended ACLs.
SV-26120r1_rule  The snmpd.conf file must be group-owned by root, bin, sys, or system.
SV-26121r1_rule  The snmpd.conf file must not have an extended ACL.
SV-26740r1_rule  The /etc/syslog.conf file must have mode 0640 or less permissive.
SV-26123r1_rule  The /etc/syslog.conf file must not have an extended ACL.
SV-26745r1_rule  The system must use a remote syslog server (log host).
SV-26749r1_rule  The SSH client must be configured to only use the SSHv2 protocol.
SV-26750r1_rule  The SSH daemon must only listen on management network addresses unless authorized for uses other than management.
SV-26751r1_rule  The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
SV-26752r2_rule  The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
SV-26753r2_rule  The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-26754r1_rule  The SSH client must be configured to only use FIPS 140-2 approved ciphers.
SV-26755r1_rule  The SSH client must be configured to not use CBC-based ciphers.
SV-26756r2_rule  The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-26757r1_rule  The SSH daemon must be configured to not allow TCP connection forwarding.
SV-26758r1_rule  The SSH client must be configured to not allow TCP forwarding.
SV-26759r1_rule  The SSH daemon must be configured to not allow gateway ports.
SV-26760r1_rule  The SSH client must be configured to not allow gateway ports.
SV-26761r1_rule  The SSH daemon must be configured to not allow X11 forwarding.
SV-26762r1_rule  The SSH client must be configured to not allow X11 forwarding.
SV-26763r1_rule  The SSH daemon must restrict login ability to specific users and/or groups.
SV-26764r1_rule  The SSH public host key files must have mode 0644 or less permissive.
SV-26765r1_rule  The SSH private host key files must have mode 0600 or less permissive.
SV-26766r1_rule  The SSH daemon must not permit GSSAPI authentication unless needed.
SV-26767r1_rule  The SSH client must not permit GSSAPI authentication unless needed.
SV-26768r1_rule  The SSH daemon must not permit Kerberos authentication unless needed.
SV-26771r1_rule  The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale.
SV-26772r1_rule  The SSH client must not send environment variables to the server or must only send those pertaining to locale.
SV-26773r1_rule  The SSH daemon must not permit user environment settings.
SV-26774r1_rule  The SSH daemon must not permit tunnels.
SV-26775r1_rule  The SSH client must not permit tunnels.
SV-26776r1_rule  The SSH daemon must limit connections to a single session.
SV-26781r1_rule  The SSH daemon must perform strict mode checking of home directory configuration files.
SV-26782r1_rule  The SSH daemon must use privilege separation.
SV-26786r1_rule  The SSH daemon must not allow rhosts RSA authentication.
SV-26787r1_rule  The SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-26802r1_rule  The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
SV-26165r1_rule  The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-26166r1_rule  The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
SV-26167r1_rule  The NFS export configuration file must be group-owned by root, bin, sys, or system.
SV-26168r1_rule  The NFS exports configuration file must not have an extended ACL.
SV-26171r1_rule  All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system.
SV-26172r1_rule  The /etc/smb.conf file must not have an extended ACL.
SV-26173r1_rule  The /etc/smbpasswd file must not have an extended ACL.
SV-26830r2_rule  Samba must be configured to use an authentication mechanism other than share.
SV-26831r2_rule  Samba must be configured to use encrypted passwords.
SV-26832r2_rule  Samba must be configured to not allow guest access to shares.
SV-26177r1_rule  The /etc/news/hosts.nntp file must not have an extended ACL.
SV-26178r1_rule  The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
SV-26179r1_rule  The /etc/news/nnrp.access file must not have an extended ACL.
SV-26180r1_rule  The /etc/news/passwd.nntp file must not have an extended ACL.
SV-26181r1_rule  The system package management tool must be used to verify system software periodically.
SV-26858r1_rule  The file integrity tool must be configured to verify ACLs.
SV-26860r1_rule  The file integrity tool must be configured to verify extended attributes.
SV-26861r1_rule  The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
SV-26186r1_rule  The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
SV-26189r1_rule  The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
SV-26192r1_rule  The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
SV-26195r1_rule  The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
SV-26199r1_rule  The AppleTalk protocol must be disabled or not installed.
SV-26202r1_rule  The DECnet protocol must be disabled or not installed.
SV-26205r1_rule  The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
SV-26208r1_rule  The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
SV-26210r1_rule  The PF_LLC protocol handler must not be bound to the network stack.
SV-26212r1_rule  The PF_LLC protocol handler must not be installed.
SV-26214r1_rule  The Bluetooth protocol handler must be disabled or not installed.
SV-26216r1_rule  The IPv6 protocol handler must not be bound to the network stack unless needed.
SV-26217r1_rule  The IPv6 protocol handler must be prevented from dynamic loading unless needed.
SV-26218r2_rule  The IPv6 protocol handler must not be installed unless needed.
SV-26219r1_rule  Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system.
SV-26220r1_rule  The system must not have 6to4 enabled.
SV-26221r1_rule  The system must not have Teredo enabled.
SV-26222r1_rule  The system must not have IP tunnels configured.
SV-26223r1_rule  The DHCP client must be disabled if not needed.
SV-26224r1_rule  The DHCP client must not send dynamic DNS updates.
SV-26225r1_rule  The system must ignore IPv6 ICMP redirect messages.
SV-26226r1_rule  The system must not send IPv6 ICMP redirects.
SV-26227r1_rule  The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
SV-26228r1_rule  The system must not forward IPv6 source-routed packets.
SV-26942r1_rule  If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI.
SV-26943r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS connection must require that the server provide a certificate and that this certificate have a valid trust path to a trusted CA.
SV-26945r1_rule  If the system is using LDAP for authentication or account information, the system must check that the LDAP server's certificate has not been revoked.
SV-26946r1_rule  If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
SV-26947r1_rule  If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
SV-26948r1_rule  If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.
SV-26237r1_rule  If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
SV-26950r1_rule  If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
SV-26239r1_rule  If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system.
SV-26952r1_rule  If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
SV-26953r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
SV-26954r1_rule  For systems using NSS LDAP, the TLS certificate file must be owned by root.
SV-26243r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system.
SV-26956r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.
SV-26957r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL.
SV-26958r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.
SV-26247r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, sys, or system.
SV-26961r1_rule  If the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL.
SV-26250r1_rule  A root kit check tool must be run on the system at least weekly.
SV-26252r1_rule  Automated file system mounting tools must not be enabled unless needed.
SV-26253r1_rule  The system must have USB disabled unless needed.
SV-26254r1_rule  The system must have USB Mass Storage disabled unless needed.
SV-26255r1_rule  The system must have IEEE 1394 (Firewire) disabled unless needed.
SV-26257r1_rule  The system must employ a local firewall.
SV-26258r1_rule  The system's local firewall must implement a deny-all, allow-by-exception policy.
SV-26260r1_rule  The system's boot loader configuration file(s) must not have extended ACLs.
SV-26261r1_rule  The system's boot loader configuration files must be owned by root.
SV-26262r1_rule  The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
SV-26263r1_rule  The system package management tool must cryptographically verify the authenticity of software packages during installation.
SV-26264r1_rule  The system package management tool must not automatically obtain updates.
SV-26808r1_rule  The system must not be running any routing protocol daemons, unless the system is a router.
SV-27276r1_rule  System audit logs must be group-owned by root, bin, sys, or system.
SV-28604r1_rule  The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
SV-28620r1_rule  The system must use a separate file system for /var.
SV-28627r1_rule  The system must use a separate file system for the system audit data path.
SV-28631r1_rule  The system must use a separate file system for /tmp (or equivalent).
SV-28638r1_rule  TCP backlog queue sizes must be set appropriately.
SV-28761r1_rule  The system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for generating system password hashes.
SV-28762r1_rule  The SSH daemon must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode).
SV-28763r1_rule  The SSH client must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode).
SV-28764r1_rule  If the system is using LDAP for authentication or account information, the system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for protecting the LDAP connection.
SV-28908r1_rule  Mail relaying must be restricted.
SV-28909r1_rule  The ldd command must be disabled unless it protects against the execution of untrusted files.
SV-28928r1_rule  The system must not respond to ICMPv6 echo requests sent to a broadcast address.
SV-29977r1_rule  The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
SV-30004r2_rule  The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
SV-30025r1_rule  The system must be configured to send audit records to a remote audit server.
SV-30059r1_rule  If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
SV-30063r1_rule  The telnet daemon must not be running.
SV-30313r1_rule  The system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
SV-783r3_rule  System security patches and updates must be installed and up-to-date.
SV-765r2_rule  Successful and unsuccessful logins and logouts must be logged.
SV-1032r2_rule  Users must not be able to change passwords more than once every 24 hours.
SV-810r2_rule  Default system accounts must be disabled or removed.
SV-982r2_rule  Cron logging must be implemented.
SV-4361r2_rule  The cron.allow file must be owned by root, bin, or sys.
SV-4430r2_rule  The cron.deny file must be owned by root, bin, or sys.
SV-927r2_rule  NFS servers must only accept NFS requests from privileged ports on client systems.
SV-940r2_rule  The system must use an access control program.
SV-83301r1_rule  VMware ESX operating systems that are no longer supported by the vendor for security updates must not be installed on a system.