Solaris 10 X86 Security Technical Implementation Guide
V002.002R2 2020-12-04       U_SOL_10_X86_V2R2_STIG_SCAP_1-2_Benchmark.xml
This Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-220074r603266_rule GEN000460 CCI-000044 MEDIUM The system must disable accounts after three consecutive unsuccessful login attempts. Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.
SV-220075r603266_rule GEN000480 CCI-002238 MEDIUM The delay between login prompts following a failed login attempt must be at least 4 seconds. Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.
SV-220078r603266_rule GEN000880 CCI-000366 MEDIUM The root account must be the only account having an UID of 0. If an account has an UID of 0, it has root authority. Multiple accounts with an UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account.
SV-220081r603266_rule GEN001300 CCI-001499 MEDIUM Library files must have mode 0755 or less permissive. Unauthorized access could destroy the integrity of the library files.
SV-220087r603266_rule GEN001780 CCI-000366 LOW Global initialization files must contain the mesg -n or mesg n commands. If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial of Service attack.
SV-220091r603266_rule GEN003810 CCI-000366 MEDIUM The portmap or rpcbind service must not be running unless needed. The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using remote procedure calls (RPCs).
SV-220092r603266_rule GEN003820 CCI-000068 HIGH The rsh daemon must not be running. The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Satisfies: SRG-OS-000505, SRG-OS-000555, SRG-OS-000033
SV-220093r603266_rule GEN003830 CCI-000068 MEDIUM The rlogind service must not be running. The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Satisfies: SRG-OS-000505, SRG-OS-000555, SRG-OS-000033
SV-220108r603266_rule GEN005500 CCI-001941 HIGH The SSH daemon must be configured to only use the SSHv2 protocol. SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
SV-220118r603266_rule GEN006620 CCI-000366 MEDIUM The system's access control program must be configured to grant or deny system access to specific hosts. If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.
SV-220123r603266_rule GEN008660 CCI-000366 HIGH For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures. GRUB is a versatile boot loader used by several platforms providing authentication for access to the system or boot loader.
SV-220124r603266_rule GEN008700 CCI-000213 HIGH The system boot loader must require authentication. If the system's boot loader does not require authentication, users with console access to the system may be able to alter the system boot configuration or boot the system into single user or maintenance mode, which could result in Denial-of-Service or unauthorized privileged access to the system.
SV-227532r603266_rule GEN000000-SOL00020 CCI-000366 MEDIUM The nosuid option must be configured in the /etc/rmmount.conf file. The rmmount.conf file controls the mounting of removable media on a Solaris system. Removable media is not to be trusted with privileged access, and therefore the filesystems must be mounted with the nosuid option, which prevents any executables with the setuid bit set on this filesystem from running with owner privileges.
SV-227534r603266_rule GEN000000-SOL00060 CCI-000366 MEDIUM The /etc/security/audit_user file must be owned by root. The /etc/security/audit_user is a sensitive file and must be owned by root to prevent possible system compromise.
SV-227535r603266_rule GEN000000-SOL00080 CCI-000366 MEDIUM The /etc/security/audit_user file must be group-owned by root, sys, or bin. The Solaris audit_user file allows for selective auditing or non-auditing of features for certain users. If it is not protected, it could be compromised and used to mask audit events. This could cause the loss of valuable forensics data in the case of a system compromise.
SV-227536r603266_rule GEN000000-SOL00100 CCI-000162 MEDIUM The /etc/security/audit_user file must have mode 0640 or less permissive. Audit_user is a sensitive file that, if compromised, would allow a malicious user to select auditing parameters to ignore his sessions. This would allow malicious operations the auditing subsystem would not log for that user.
SV-227541r603266_rule GEN000000-SOL00220 CCI-000032 MEDIUM The /usr/aset/userlist file must exist. If the userlist file does not exist, then an unauthorized user may exist in the /etc/passwd file.
SV-227542r603266_rule GEN000000-SOL00240 CCI-000366 MEDIUM The /usr/aset/userlist file must be owned by root. If the userlist file is not owned by root, then an unauthorized user can modify the file and enter an unauthorized user.
SV-227543r603266_rule GEN000000-SOL00250 CCI-000366 MEDIUM The /usr/aset/userlist file must be group-owned by root. The /usr/aset/userlist file is critical to system security and must be protected from unauthorized access.
SV-227544r603266_rule GEN000000-SOL00260 CCI-000366 MEDIUM The /usr/aset/userlist file must have mode 0600 or less permissive. A permission mask not set to the required level could allow unauthorized access to sensitive system files and resources.
SV-227546r603266_rule GEN000000-SOL00400 CCI-000172 MEDIUM The NFS server must have logging implemented. Filesystem logging, especially for NFS exported file systems, can be critical to detecting data misuse and possible hardware/system errors that may, otherwise, go unnoticed.
SV-227548r603266_rule GEN000000-SOL00440 CCI-000366 HIGH The root account must be the only account with GID of 0. Accounts with a GID of 0 have root group privileges.
SV-227549r603266_rule GEN000000-SOL00540 CCI-000366 MEDIUM The /etc/zones directory, and its contents, must be owned by root. Solaris zones configuration files must be protected against illicit creation, modification, and deletion.
SV-227550r603266_rule GEN000000-SOL00560 CCI-000366 MEDIUM The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin. Solaris zones configuration files must be protected against illicit creation, modification, and deletion.
SV-227551r603266_rule GEN000000-SOL00580 CCI-000366 MEDIUM The /etc/zones directory, and its contents, must not be group- or world-writable. Solaris zones configuration files must be protected against illicit creation, modification, and deletion.
SV-227561r603266_rule GEN000241 CCI-000366 MEDIUM The system clock must be synchronized continuously. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. Internal system clocks tend to drift and require periodic resynchronization to ensure their accuracy. Software, such as NTPD, can be used to continuously synchronize the system clock with authoritative sources. Alternatively, the system may be synchronized periodically, with a maximum of one day between synchronizations. If the system is completely isolated (no connections to networks or other systems), time synchronization is not required as no correlation of events or operation of time-dependent protocols between systems will be necessary. If the system is completely isolated, this requirement is not applicable.
SV-227564r603266_rule GEN000250 CCI-000366 MEDIUM The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.
SV-227565r603266_rule GEN000251 CCI-000366 MEDIUM The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.
SV-227566r603266_rule GEN000252 CCI-002165 MEDIUM The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.
SV-227573r603266_rule GEN000380 CCI-000366 LOW All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file. If a user is assigned the GID of a group not existing on the system, and a group with the same GID is subsequently created, the user may have unintended rights to the group.
SV-227582r603266_rule GEN000560 CCI-000366 HIGH The system must not have accounts configured with blank or null passwords. If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value.
SV-227583r603266_rule GEN000580 CCI-000205 MEDIUM The system must require passwords contain a minimum of 15 characters. The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.
SV-227586r603266_rule GEN000595 CCI-000196 MEDIUM The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
SV-227593r603266_rule GEN000750 CCI-000195 MEDIUM The system must require at least eight characters be changed between the old and new passwords during a password change. To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.
SV-227595r603266_rule GEN000800 CCI-000200 MEDIUM The system must prohibit the reuse of passwords within five iterations. If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
SV-227597r603266_rule GEN000900 CCI-000366 LOW The root user's home directory must not be the root directory (/). Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.
SV-227598r603266_rule GEN000920 CCI-002233 MEDIUM The root account's home directory (other than /) must have mode 0700. Permissions greater than 0700 could allow unauthorized users access to the root home directory.
SV-227600r603266_rule GEN000940 CCI-000366 MEDIUM The root accounts executable search path must contain only authorized paths. The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.
SV-227601r603266_rule GEN000945 CCI-000366 MEDIUM The root account's library search path must be the system default and must contain only absolute paths. The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.
SV-227602r603266_rule GEN000950 CCI-000366 MEDIUM The root account's list of preloaded libraries must be empty. The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with (/) are absolute paths.
SV-227603r603266_rule GEN000980 CCI-000770 MEDIUM The system must prevent the root account from directly logging in except from the system console. Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.
SV-227609r603266_rule GEN001120 CCI-000770 MEDIUM The system must not permit root logins using remote access programs such as SSH. Even though communications are encrypted, an additional layer of security may be gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account preserves the audit trail.
SV-227618r603266_rule GEN001240 CCI-001499 MEDIUM System files, programs, and directories must be group-owned by a system group. Restricting permissions will protect the files from unauthorized modification.
SV-227619r603266_rule GEN001260 CCI-001314 MEDIUM System log files must have mode 0640 or less permissive. If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value.
SV-227624r603266_rule GEN001320 CCI-002165 MEDIUM NIS/NIS+/yp files must be owned by root, sys, or bin. NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-227625r603266_rule GEN001340 CCI-002165 MEDIUM NIS/NIS+/yp files must be group-owned by root, sys, or bin. NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-227626r603266_rule GEN001360 CCI-002165 MEDIUM The NIS/NIS+/yp command files must have mode 0755 or less permissive. NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and the system.
SV-227628r603266_rule GEN001362 CCI-000366 MEDIUM The /etc/resolv.conf file must be owned by root. The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.
SV-227629r603266_rule GEN001363 CCI-000366 MEDIUM The /etc/resolv.conf file must be group-owned by root, bin, or sys. The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions such as time synchronization, centralized authentication, and remote system logging.
SV-227630r603266_rule GEN001364 CCI-000366 MEDIUM The /etc/resolv.conf file must have mode 0644 or less permissive. The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.
SV-227632r603266_rule GEN001366 CCI-000366 MEDIUM The /etc/hosts file must be owned by root. The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
SV-227633r603266_rule GEN001367 CCI-000366 MEDIUM The /etc/hosts file must be group-owned by root, bin, or sys. The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
SV-227634r603266_rule GEN001368 CCI-000366 MEDIUM The /etc/hosts file must have mode 0644 or less permissive. The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
SV-227636r603266_rule GEN001371 CCI-000366 MEDIUM The /etc/nsswitch.conf file must be owned by root. The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.
SV-227637r603266_rule GEN001372 CCI-000366 MEDIUM The /etc/nsswitch.conf file must be group-owned by root, bin, or sys. The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.
SV-227638r603266_rule GEN001373 CCI-000366 MEDIUM The /etc/nsswitch.conf file must have mode 0644 or less permissive. The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from functioning or compromise system security.
SV-227640r603266_rule GEN001378 CCI-000366 MEDIUM The /etc/passwd file must be owned by root. The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.
SV-227641r603266_rule GEN001379 CCI-000366 MEDIUM The /etc/passwd file must be group-owned by root, bin, or sys. The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.
SV-227642r603266_rule GEN001380 CCI-002165 MEDIUM The /etc/passwd file must have mode 0644 or less permissive. If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information.
SV-227644r603266_rule GEN001391 CCI-000366 MEDIUM The /etc/group file must be owned by root. The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information.
SV-227645r603266_rule GEN001392 CCI-000366 MEDIUM The /etc/group file must be group-owned by root, bin, or sys. The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.
SV-227646r603266_rule GEN001393 CCI-000366 MEDIUM The /etc/group file must have mode 0644 or less permissive. The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.
SV-227648r603266_rule GEN001400 CCI-002165 MEDIUM The /etc/shadow (or equivalent) file must be owned by root. The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-227649r603266_rule GEN001410 CCI-000366 MEDIUM The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys. The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.
SV-227650r603266_rule GEN001420 CCI-002165 MEDIUM The /etc/shadow (or equivalent) file must have mode 0400. The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.
SV-227652r603266_rule GEN001440 CCI-000366 LOW All interactive users must be assigned a home directory in the /etc/passwd file. If users do not have a valid home directory, there is no place for the storage and control of files they own.
SV-227654r603266_rule GEN001470 CCI-000196 MEDIUM The /etc/passwd file must not contain password hashes. If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.
SV-227655r603266_rule GEN001475 CCI-000366 MEDIUM The /etc/group file must not contain any group password hashes. Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.
SV-227664r603266_rule GEN001600 CCI-000366 MEDIUM Run control scripts executable search paths must contain only authorized paths. The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
SV-227668r603266_rule GEN001660 CCI-000366 MEDIUM All system start-up files must be owned by root. System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.
SV-227669r603266_rule GEN001680 CCI-000366 MEDIUM All system start-up files must be group-owned by root, sys, or bin. If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.
SV-227672r603266_rule GEN001800 CCI-002165 MEDIUM All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive. If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
SV-227674r603266_rule GEN001820 CCI-000366 MEDIUM All skeleton files and directories (typically in /etc/skel) must be owned by root. If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-227675r603266_rule GEN001830 CCI-000366 MEDIUM All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys. If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
SV-227676r603266_rule GEN001840 CCI-000366 MEDIUM All global initialization files executable search paths must contain only authorized paths. The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
SV-227689r603266_rule GEN002040 CCI-000366 HIGH There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system. The .rhosts, .shosts, hosts.equiv, and shosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for preventing unauthorized access to the system.
SV-227691r603266_rule GEN002100 CCI-000366 MEDIUM The .rhosts file must not be supported in PAM. The .rhosts files are used to specify a list of hosts that are permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and authentication requirements.
SV-227692r603266_rule GEN002120 CCI-000366 MEDIUM The /etc/shells (or equivalent) file must exist. The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not be secure.
SV-227703r603266_rule GEN002340 CCI-000366 MEDIUM Audio devices must be owned by root. Globally Accessible audio and video devices have proven to be security hazards. There is software that can activate system microphones and video devices connected to user workstations and/or X terminals. Once the microphone has been activated, it is possible to eavesdrop on otherwise private conversations without the victim being aware of it. This action effectively changes the user's microphone to a bugging device.
SV-227704r603266_rule GEN002360 CCI-000366 MEDIUM Audio devices must be group-owned by root, sys, or bin. Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive information.
SV-227716r603266_rule GEN002680 CCI-000162 MEDIUM System audit logs must be owned by root. Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information.
SV-227717r603266_rule GEN002690 CCI-000162 MEDIUM System audit logs must be group-owned by root, bin, or sys. Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system.
SV-227718r603266_rule GEN002700 CCI-000163 MEDIUM System audit logs must have mode 0640 or less permissive. If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do not include activity, error, or other log files created by application software.
SV-227720r603266_rule GEN002715 CCI-001493 LOW System audit tool executables must be owned by root. To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
SV-227721r603266_rule GEN002716 CCI-001493 LOW System audit tool executables must be group-owned by root, bin, or sys. To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
SV-227722r603266_rule GEN002717 CCI-001493 LOW System audit tool executables must have mode 0750 or less permissive. To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
SV-227725r603266_rule GEN002720 CCI-000172 MEDIUM The audit system must be configured to audit failed attempts to access files and programs. If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
SV-227727r603266_rule GEN002740 CCI-000169 MEDIUM The audit system must be configured to audit file deletions. If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
SV-227732r603266_rule GEN002760 CCI-000169 MEDIUM The audit system must be configured to audit all administrative, privileged, and security actions. If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
SV-227733r603266_rule GEN002800 CCI-000172 MEDIUM The audit system must be configured to audit login, logout, and session initiation. If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
SV-227734r603266_rule GEN002820 CCI-000172 MEDIUM The audit system must be configured to audit all discretionary access control permission modifications. If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
SV-227735r603266_rule GEN002825 CCI-000169 MEDIUM The audit system must be configured to audit the loading and unloading of dynamic kernel modules. Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used to substantially alter the functioning of a system, often with the purpose of hiding a compromise from the SA.
SV-227738r603266_rule GEN002960 CCI-000366 MEDIUM Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s). The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility. If neither cron.allow nor cron.deny exists, then any account may use the cron facility. This may open the facility up for abuse by system intruders and malicious users.
SV-227739r603266_rule GEN002980 CCI-000366 MEDIUM The cron.allow file must have mode 0600 or less permissive. A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is allowed to execute cron programs, which could be harmful to overall system and network security.
SV-227746r603266_rule GEN003080 CCI-000366 MEDIUM Crontab files must have mode 0600 or less permissive. To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured.
SV-227748r603266_rule GEN003100 CCI-000366 MEDIUM Cron and crontab directories must have mode 0755 or less permissive. To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured.
SV-227750r603266_rule GEN003120 CCI-000366 MEDIUM Cron and crontab directories must be owned by root or bin. Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-227751r603266_rule GEN003140 CCI-000366 MEDIUM Cron and crontab directories must be group-owned by root, sys, or bin. To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group-ownership of cron or crontab directories to a system group provides the designated group and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-227753r603266_rule GEN003180 CCI-000162 MEDIUM The cronlog file must have mode 0600 or less permissive. Cron logs contain reports of scheduled system activities and must be protected from unauthorized access or manipulation.
SV-227755r603266_rule GEN003200 CCI-002165 MEDIUM The cron.deny file must have mode 0600 or less permissive. If file permissions for cron.deny are more permissive than 0600, sensitive information could be viewed or edited by unauthorized users.
SV-227758r603266_rule GEN003240 CCI-000366 MEDIUM The cron.allow file must be owned by root, bin, or sys. If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information.
SV-227760r603266_rule GEN003250 CCI-000366 MEDIUM The cron.allow file must be group-owned by root, bin, or sys. If the group of the cron.allow is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification of this file could cause Denial of Service to authorized cron users or provide unauthorized users with the ability to run cron jobs.
SV-227761r603266_rule GEN003252 CCI-000366 MEDIUM The at.deny file must have mode 0600 or less permissive. The at daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.
SV-227763r603266_rule GEN003260 CCI-000366 MEDIUM The cron.deny file must be owned by root, bin, or sys. Cron daemon control files restrict the scheduling of automated tasks and must be protected.
SV-227764r603266_rule GEN003270 CCI-000366 MEDIUM The cron.deny file must be group-owned by root, bin, or sys. Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron users or could provide unauthorized users with the ability to run cron jobs.
SV-227765r603266_rule GEN003280 CCI-002165 MEDIUM Access to the at utility must be controlled via the at.allow and/or at.deny file(s). The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no at.allow file, there is no ready documentation of who is allowed to submit at jobs.
SV-227766r603266_rule GEN003300 CCI-000366 MEDIUM The at.deny file must not be empty if it exists. On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes everyone has permission to use the at facility. This could create an insecure setting in the case of malicious users or system intruders.
SV-227768r603266_rule GEN003340 CCI-002165 MEDIUM The at.allow file must have mode 0600 or less permissive. Permissions more permissive than 0600 (read and write for the owner) may allow unauthorized or malicious access to the at.allow and/or at.deny files.
SV-227776r603266_rule GEN003460 CCI-000366 MEDIUM The at.allow file must be owned by root, bin, or sys. If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.
SV-227777r603266_rule GEN003470 CCI-000366 MEDIUM The at.allow file must be group-owned by root, bin, or sys. If the group owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.
SV-227778r603266_rule GEN003480 CCI-000366 MEDIUM The at.deny file must be owned by root, bin, or sys. If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.
SV-227779r603266_rule GEN003490 CCI-000366 MEDIUM The at.deny file must be group-owned by root, bin, or sys. If the group owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized modification could result in Denial of Service to authorized "at" users or provide unauthorized users with the ability to run "at" jobs.
SV-227787r603266_rule GEN003520 CCI-000366 LOW The kernel core dump data directory must be owned by root. Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel core dump data directory is not owned by root, the core dumps contained in the directory may be subject to unauthorized access.
SV-227791r603266_rule GEN003540 CCI-000366 MEDIUM The system must implement non-executable program stacks. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack.
SV-227792r603266_rule GEN003580 CCI-000366 MEDIUM The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks. One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection originator. If the initial TCP sequence numbers for a host can be determined by an attacker, it may be possible to establish a TCP connection from a spoofed source address without bidirectional communication.
SV-227799r603266_rule GEN003606 CCI-000366 MEDIUM The system must prevent local applications from generating source-routed packets. Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
SV-227800r603266_rule GEN003607 CCI-000366 MEDIUM The system must not accept source-routed IPv4 packets. Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.
SV-227807r603266_rule GEN003624 CCI-000366 LOW The system must use a separate filesystem for /tmp (or equivalent). The use of separate filesystems for different paths can protect the system from failures resulting from a filesystem becoming full or failing.
SV-227808r603266_rule GEN003640 CCI-000366 MEDIUM The root file system must employ journaling or another mechanism ensuring file system consistency. File system journaling, or logging, can allow reconstruction of file system data after a system crash, thus, preserving the integrity of data that may have otherwise been lost. Journaling file systems typically do not require consistent checks upon booting after a crash, which can improve system availability. Some file systems employ other mechanisms to ensure consistency which also satisfy this requirement.
SV-227814r603266_rule GEN003740 CCI-002165 MEDIUM The inetd.conf file must have mode 0440 or less permissive. The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system.
SV-227816r603266_rule GEN003760 CCI-002165 MEDIUM The services file must be owned by root or bin. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-227817r603266_rule GEN003770 CCI-000366 MEDIUM The services file must be group-owned by root, bin, or sys. Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which could weaken the system's security posture.
SV-227818r603266_rule GEN003780 CCI-002165 MEDIUM The services file must have mode 0444 or less permissive. The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.
SV-227822r603266_rule GEN003825 CCI-000381 MEDIUM The rshd service must not be installed. The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
SV-227823r603266_rule GEN003835 CCI-000381 MEDIUM The rlogind service must not be installed. The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
SV-227824r603266_rule GEN003840 CCI-000381 HIGH The rexec daemon must not be running. The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
SV-227825r603266_rule GEN003845 CCI-000381 MEDIUM The rexecd service must not be installed. The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
SV-227826r603266_rule GEN003850 CCI-000197 HIGH The telnet daemon must not be running. The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. Satisfies: SRG-OS-000074, SRG-OS-000520
SV-227827r603266_rule GEN003860 CCI-000366 LOW The system must not have the finger service active. The finger service provides information about the system's users to network clients. This information could expose information that could be used in subsequent attacks.
SV-227832r603266_rule GEN003960 CCI-000366 MEDIUM The traceroute command owner must be root. If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.
SV-227833r603266_rule GEN003980 CCI-000366 MEDIUM The traceroute command must be group-owned by sys, bin, or root. If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology inside of the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.
SV-227837r603266_rule GEN004360 CCI-002165 MEDIUM The alias file must be owned by root. If the alias file is not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.
SV-227843r603266_rule GEN004440 CCI-000366 LOW Sendmail logging must not be set to less than nine in the sendmail.cf file. If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the Sendmail service.
SV-227844r603266_rule GEN004460 CCI-000169 MEDIUM The system syslog service must log informational and more severe SMTP service messages. If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed.
SV-227855r603266_rule GEN004880 CCI-002165 MEDIUM The ftpusers file must exist. The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP.
SV-227857r603266_rule GEN004920 CCI-002165 MEDIUM The ftpusers file must be owned by root. If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
SV-227858r603266_rule GEN004930 CCI-000366 MEDIUM The ftpusers file must be group-owned by root, bin, or sys. If the ftpusers file is not group-owned by root or a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
SV-227859r603266_rule GEN004940 CCI-002165 MEDIUM The ftpusers file must have mode 0640 or less permissive. Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized users to access the FTP service.
SV-227862r603266_rule GEN005000 CCI-000366 HIGH Anonymous FTP accounts must not have a functional shell. If an anonymous FTP account has been configured to use a functional shell, attackers could gain access to the shell if the account is compromised.
SV-227865r603266_rule GEN005080 CCI-000366 HIGH The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. Secure mode limits TFTP requests to a specific directory. If TFTP is not running in secure mode, it may be able to write to any file or directory and may seriously impair system integrity, confidentiality, and availability.
SV-227866r603266_rule GEN005100 CCI-002165 HIGH The TFTP daemon must have mode 0755 or less permissive. If TFTP runs with the setuid or setgid bit set, it may be able to write to any file or directory and may seriously impair system integrity, confidentiality, and availability.
SV-227869r603266_rule GEN005180 CCI-000366 MEDIUM All .Xauthority files must have mode 0600 or less permissive. .Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of Service to authorized access or allow unauthorized access to be obtained.
SV-227885r603266_rule GEN005390 CCI-000366 MEDIUM The /etc/syslog.conf file must have mode 0640 or less permissive. Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file.
SV-227887r603266_rule GEN005400 CCI-000366 MEDIUM The /etc/syslog.conf file must be owned by root. If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility.
SV-227888r603266_rule GEN005420 CCI-000366 MEDIUM The /etc/syslog.conf file must be group-owned by root, bin, or sys. If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.
SV-227891r603266_rule GEN005501 CCI-000197 MEDIUM The SSH client must be configured to only use the SSHv2 protocol. SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client.
SV-227894r603266_rule GEN005506 CCI-000366 MEDIUM The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers. The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
SV-227897r603266_rule GEN005511 CCI-000366 MEDIUM The SSH client must be configured to not use CBC-based ciphers. The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
SV-227900r603266_rule GEN005522 CCI-000366 MEDIUM The SSH public host key files must have mode 0644 or less permissive. If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
SV-227901r603266_rule GEN005523 CCI-000366 MEDIUM The SSH private host key files must have mode 0600 or less permissive. If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
SV-227902r603266_rule GEN005524 CCI-000366 LOW The SSH daemon must not permit GSSAPI authentication unless needed. GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
SV-227903r603266_rule GEN005525 CCI-000366 LOW The SSH client must not permit GSSAPI authentication unless needed. GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
SV-227906r603266_rule GEN005539 CCI-000366 MEDIUM The SSH daemon must not allow compression or must only allow compression after successful authentication. If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
SV-227907r603266_rule GEN005540 CCI-000366 MEDIUM The SSH daemon must be configured for IP filtering. The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses.
SV-227913r603266_rule GEN005740 CCI-000366 MEDIUM The NFS export configuration file must be owned by root. Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.
SV-227914r603266_rule GEN005750 CCI-000366 MEDIUM The NFS export configuration file must be group-owned by root, bin, or sys. Failure to give group ownership of the NFS export configuration file to root or system groups provides the designated group owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.
SV-227915r603266_rule GEN005760 CCI-000366 LOW The NFS export configuration file must have mode 0644 or less permissive. Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of additional unauthorized exports.
SV-227924r603266_rule GEN006060 CCI-000381 MEDIUM The system must not run Samba unless needed. Samba is a tool used for the sharing of files and printers between Windows and UNIX operating systems. It provides access to sensitive files and, therefore, poses a security risk if compromised.
SV-227925r603266_rule GEN006100 CCI-000366 MEDIUM The smb.conf file must be owned by root. The smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba configuration could be compromised.
SV-227926r603266_rule GEN006120 CCI-000366 MEDIUM The smb.conf file must be group-owned by root, bin, or sys. If the group owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised.
SV-227927r603266_rule GEN006140 CCI-002165 MEDIUM The smb.conf file must have mode 0644 or less permissive. If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised.
SV-227929r603266_rule GEN006160 CCI-000366 MEDIUM The smbpasswd file must be owned by root. If the smbpasswd file is not owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.
SV-227930r603266_rule GEN006180 CCI-000366 MEDIUM The smbpasswd file must be group-owned by root. If the smbpasswd file is not group-owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.
SV-227931r603266_rule GEN006200 CCI-002165 MEDIUM The smbpasswd file must have mode 0600 or less permissive. If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.
SV-227934r603266_rule GEN006225 CCI-000366 MEDIUM Samba must be configured to use an authentication mechanism other than "share." Samba share authentication does not provide for individual user identification and must not be used.
SV-227936r603266_rule GEN006235 CCI-000366 MEDIUM Samba must be configured to not allow guest access to shares. Guest access to shares permits anonymous access and is not permitted.
SV-227937r603266_rule GEN006240 CCI-000381 MEDIUM The system must not run an Internet Network News (INN) server. Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the server and from the server to authorized remote hosts. If this function is necessary to support a valid mission requirement, its use must be authorized and approved in the system accreditation package.
SV-227938r603266_rule GEN006260 CCI-002165 MEDIUM The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive. Excessive permissions on the hosts.nntp file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.
SV-227940r603266_rule GEN006280 CCI-002165 MEDIUM The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive. Excessive permissions on the hosts.nntp.nolimit file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.
SV-227942r603266_rule GEN006300 CCI-002165 MEDIUM The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive. Excessive permissions on the nnrp.access file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.
SV-227944r603266_rule GEN006320 CCI-002165 MEDIUM The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive. File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users.
SV-227946r603266_rule GEN006340 CCI-000366 MEDIUM Files in /etc/news must be owned by root. If critical system files are not owned by a privileged user, system integrity could be compromised.
SV-227947r603266_rule GEN006360 CCI-000366 MEDIUM The files in /etc/news must be group-owned by root. If critical system files do not have a privileged group owner, system integrity could be compromised.
SV-227949r603266_rule GEN006400 CCI-000381 MEDIUM The Network Information System (NIS) protocol must not be used. Due to numerous security vulnerabilities existing within NIS, it must not be used. Possible alternative directory services are NIS+ and LDAP.
SV-227962r603266_rule GEN007840 CCI-000366 MEDIUM The DHCP client must be disabled if not needed. DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server.
SV-227969r603266_rule GEN008060 CCI-000366 MEDIUM If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive. LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.
SV-227970r603266_rule GEN008080 CCI-000366 MEDIUM If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root. LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.
SV-227971r603266_rule GEN008100 CCI-000366 MEDIUM If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys. LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.
SV-227976r603266_rule GEN008440 CCI-000366 LOW Automated file system mounting tools must not be enabled unless needed. Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system’s operation, it must be disabled to reduce the risk of unauthorized access to these resources.
SV-227977r603266_rule GEN008460 CCI-000366 LOW The system must have USB disabled unless needed. USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
SV-227980r603266_rule GEN008520 CCI-000366 MEDIUM The system must employ a local firewall. A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
SV-227986r603266_rule GEN008800 CCI-001749 LOW The system package management tool must cryptographically verify the authenticity of software packages during installation. To prevent the installation of software from unauthorized sources, the system package management tool must use cryptographic algorithms to verify the packages are authentic.