HP-UX 11.23 Security Technical Implementation Guide

Checks: C-36228r2_chk

Check the /tcb/files/auth/system/default entry. # grep “:d_boot_authenticate” /tcb/files/auth/system/default If the returned entry looks like “:d_boot_authenticate@:”, single user boot authentication is disabled, and this is a finding. For SMSE: Check the setting for BOOT_AUTH is set to N=1. # grep BOOT_AUTH /etc/default/security /var/adm/userdb/* If BOOT_AUTH=0, then single user boot authentication is disabled, and this is a finding.

Fix: F-31487r2_fix

For Trusted Mode: If single user boot authentication is disabled, use the System Administration Manager (SAM) or the System Management Homepage (SMH) to enable single user boot (for root only) authentication. For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the attribute. See the below example: BOOT_AUTH=1 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor."

Generate Mitigation Statement:

Checks: C-36244r1_chk

Use the last command to check for multiple accesses to an account from different workstations/IP addresses. If users log directly onto accounts, rather than using the su command from their own named account to access them, this is a finding (such as logging directly on to Oracle). Also, ask the SA or the IAO if shared accounts are logged into directly or if users log on to an individual account and switch user to the shared account. # last <unix account>

Fix: F-31501r1_fix

Use the switch user (su) command from a named account login to access shared accounts. Maintain audit trails identifying the actual user of the account name. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user (su) to the account that must be shared.

Generate Mitigation Statement:

Checks: C-36245r4_chk

Verify the consistency of the assigned home directories in the authentication database. For Trusted Mode: # authck -av For SMSE: # pwck If any duplicate account names are found, this is a finding.

Fix: F-31502r2_fix

Determine if the duplicate accounts have the same or different UIDs. # cat /etc/passwd | cut -f 1,1 -d “:” | sort | uniq -d If the UIDs are different, the account name must be changed. If the UIDs are the same, disable/remove one of the two (or more) password file entries via the SAM/SMH interface.

Generate Mitigation Statement:

Checks: C-36246r2_chk

Verify the consistency of the assigned home directories in the authentication database. For Trusted Mode: # authck -av For SMSE: # pwck If a non-unique UID is found in the password file, this is a finding.

Fix: F-31503r2_fix

Determine if the duplicate UIDs are associated with the same or a different account name. # cat /etc/passwd | grep <non-uniqueUID> or, for multiple non-unique UIDs: # cat /etc/passwd | egrep “<non-uniqueUID1>|<non-uniqueUID2>|,non-uniqueUIDn>“ If the account names are unique, the UIDs must also be modified to be unique. If the account names are the same, disable/remove one of the two (or more) password file entries via the SAM/SMH interface. .

Generate Mitigation Statement:

Checks: C-36247r1_chk

NOTE: This will virtually always require a manual review. Access the system console and make a login attempt. Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR "I've read &amp; consent to terms in IS user agreem't."

Fix: F-31504r1_fix

Edit /etc/issue and add one of the DoD login banners (based on the character limitations imposed by the system). DoD Login Banners: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR "I've read & consent to terms in IS user agreem't."

Generate Mitigation Statement:

Checks: C-27995r1_chk

List the logged successful logons to determine if successful logons are being logged. # last -R | more List the logged unsuccessful logons to determine if unsuccessful logons are being logged. # lastb -R | more If logs do not contain successful and unsuccessful logins, this is a finding.

Fix: F-31505r1_fix

Verify that login logs are handled correctly in the /etc/syslog.conf file. Verify that service startup scripts for syslog and (w/b)tmp (if present) are enabled. NOTE: Also examine the syslog.conf file for any references to remote log hosts if last/lastb produce no results. # cat /etc/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | grep "\@"

Generate Mitigation Statement:

Checks: C-36249r2_chk

For Trusted Mode: The u_maxtries attribute in the /tcb/files/auth/system/default file controls whether an account is locked after too many consecutive authentication failures. An account is locked after “N” consecutive authentication failures. Check the global setting for u_maxtries is set to N=3. # grep u_maxtries /tcb/files/auth/system/default If the u_maxtries attribute is not set to 3, this is a finding. For SMSE: The AUTH_MAXTRIES attribute in the /etc/default/security configuration file controls whether an account is locked after too many consecutive authentication failures. An account is locked after N+1 consecutive authentication failures. Check the setting for AUTH_MAXTRIES is set to N=2. # grep AUTH_MAXTRIES /etc/default/security /var/adm/userdb/* If the attribute AUTH_MAXTRIES is not set to 2, this is a finding.

Fix: F-31506r2_fix

For Trusted Mode: Use the SAM/SMH interface or edit the /tcb/files/auth/system/default file and update the u_maxtries attribute. See the below example: :u_maxtries#3: If manually editing the file, save any change(s) before exiting the editor. For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the attribute. See the below example: AUTH_MAXTRIES=2 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Generate Mitigation Statement:

Checks: C-36250r2_chk

For Trusted Mode: Check the t_logdelay setting. # more /tcb/files/auth/system/default Verify the value of the t_logdelay variable. If the value is less than 4, this is a finding. For SMSE: By default, PAM executes a built-in, 3 second standard delay if user authentication fails. This delay cannot be extended. The “nodelay” parameter disables the built-in delay. Ensure that the “nodelay” parameter is not found in the /etc/pam.conf file. The HP-SMSE environment does not meet the failed authentication 4 second minimum delay requirement. This check will always result in a finding.

Fix: F-31507r2_fix

For Trusted Mode: Use the SAM/SMH interface to ensure that the t_logdelay setting is 4. For SMSE: There is no fix, however, there are attack mitigations to minimize risk (see mitigations).

Generate Mitigation Statement:

Checks: C-36251r1_chk

NOTE: This will virtually always require a manual review. If there is an application running on the system that is continuously in use (such as a network monitoring application), ask the SA what the name of the application is. Execute ps -ef | more to determine which user owns the process(es) associated with the application. If the owner is root, this is a finding.

Fix: F-31508r1_fix

Configure the system so the owner of a session requiring a continuous screen display, such as a network management display, is not root. Ensure the display is also located in a secure, controlled access area. Document and justify this requirement and ensure the terminal and keyboard for the display (or workstation) are secure from all but authorized personnel by maintaining them in a secure area, in a locked cabinet where a swipe card, or other positive forms of identification, must be used to gain entry.

Generate Mitigation Statement:

Checks: C-36271r1_chk

Check the system for duplicate UID 0 assignments by listing all accounts assigned UID 0. # cat /etc/passwd | cut -f 1,3 -d ":" | grep ":0" If any accounts other than root are assigned UID 0, this is a finding.

Fix: F-31528r1_fix

Remove or change the UID of accounts other than root that have UID 0.

Generate Mitigation Statement:

Checks: C-36273r1_chk

Check the mode of the root home directory. Procedure: # cat /etc/passwd | grep "^root" | cut -f 6,6 -d ":" # ls -lLd &lt;root home directory&gt; If the mode of the directory is not equal to 0700, this is a finding. If the home directory is /, this check will be marked Not Applicable.

Fix: F-31530r1_fix

The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory: # chmod 0700 /rootdir.

Generate Mitigation Statement:

Checks: C-36274r1_chk

To view the root user's PATH, log in as the root user, and execute: # env | grep PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry starts with a character other than a slash (/), this is a finding. If directories beyond those in the vendor's default root path are present, this is a finding.

Fix: F-31531r1_fix

Edit the root user's local initialization files. Change any found PATH variable settings to the vendor's default path for the root user. Remove any empty path entries or references to relative paths.

Generate Mitigation Statement:

Checks: C-36275r1_chk

Check for world-writable permissions on all directories in the root user's executable search path. Procedure: # ls -ld `echo $PATH | sed "s/:/ /g"` If any of the directories in the PATH variable are world-writable, this is a finding.

Fix: F-31532r1_fix

For each world-writable path in root's executable search path, do one of the following: 1. Remove the world-writable permission on the directory. Procedure: # chmod o-w <path> 2. Remove the world-writable directory from the executable search path. Procedure: Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.

Generate Mitigation Statement:

Checks: C-36276r2_chk

Check the /etc/securetty file contents. # more /etc/securetty If /etc/securetty does not exist, or has contents other than console or /dev/null, this is a finding.

Fix: F-31533r3_fix

If the /etc/securetty file does not exist, create the file containing only the word console and ensure correct file properties. # echo “console” > /etc/securetty

Generate Mitigation Statement:

Checks: C-36253r3_chk

Confirm all accounts with a GID of 99 and below are used by a system account. If a GID reserved for system accounts (0 - 99) is used by a non-system account, this is a finding. The vendor-supplied system default group "users" (gid=20) is considered an exception to this check. # cat /etc/passwd | cut -f 1,4 -d ":"

Fix: F-31510r1_fix

Change the primary group GID numbers for non-system accounts with reserved primary group GIDs (those less or equal to 99). # usermod -g <new_group> <user>

Generate Mitigation Statement:

Checks: C-34998r1_chk

A few applications providing host-based network intrusion protection are: - Dragon Squire by Enterasys Networks - ITA by Symantec - Hostsentry by Psionic Software - Logcheck by Psionic Software - RealSecure agent by ISS - Swatch by Stanford University Ask the SA or IAO if a host-based intrusion detection application is loaded on the system (where &lt;daemon name&gt; is the name of the primary application daemon) to determine if the application is loaded on the system. # find / -name &lt;daemon&gt; | xargs -n1 ls -lL Determine if the application is active on the system. # ps -ef | grep &lt;daemon name&gt; If no host-based intrusion detection system is installed on the system, this is a finding.

Fix: F-32105r1_fix

Install a host-based intrusion detection tool.

Generate Mitigation Statement:

Checks: C-288r3_chk

Obtain the list of available security patches from HP. Ensure the available patches have been installed on the system. To list patches installed on the system, use the swlist utility. Example: # swlist -l fileset If there are security patches available and applicable for the system that have not been installed, this is a finding.

Fix: F-937r5_fix

Use a web browser to access the vendor's support website. Follow the instructions to set up an account with a login and a password. Once this is done it is possible to download the needed patches. # swinstall

Generate Mitigation Statement:

Checks: C-36277r1_chk

Check system directories for uneven file permissions. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin Uneven file permissions exist if the file owner has less permissions than the group or other user classes. If any of the files in the above listed directories contain uneven file permissions, this is a finding.

Fix: F-31534r1_fix

Change the mode of files with uneven permissions so owners do not have less permissions than group or world users.

Generate Mitigation Statement:

Checks: C-290r2_chk

Check the system for files with no assigned owner. Procedure: # find / -nouser -print If any files have no assigned owner, this is a finding.

Fix: F-939r2_fix

All directories and files (executable and data) will have an identifiable owner and group name. Either trace files to an authorized user, change the file's owner to root, or delete them. Determine the legitimate owner of the files and use the chown command to set the owner and group to the correct value. If the legitimate owner cannot be determined, change the owner to root (but make sure none of the changed files remain executable because they could be Trojan horses or other malicious code). Examine the files to determine their origin and the reason for their lack of an owner/group.

Generate Mitigation Statement:

Checks: C-36301r1_chk

Check the mode of network services daemons. # ls -lLa /usr/lbin If the mode of a network services daemon is more permissive than 0755, this is a finding. NOTE: Network daemons that may not reside in these directories (such as httpd or sshd) must also be checked for the correct permissions.

Fix: F-31556r1_fix

Change the mode of the network services daemon. # chmod 0755 <path>/<daemon>

Generate Mitigation Statement:

Checks: C-36302r1_chk

Check the mode of log files. # ls -lLR /var/log /var/log/syslog /var/adm /var/opt Note that some of the above directories will contain more than just system log files. For example: /var/adm/sa, /var/adm/sw, etc. Any non-system log files contained within the above directories should be excluded from this requirement. If any of the system log files have modes more permissive than 0640, this is a finding.

Fix: F-31557r1_fix

Change the mode of the system log files to 0640 or less permissive. # chmod 0640 <path>/<system-log-file> NOTE: Do not confuse system log files with audit logs.

Generate Mitigation Statement:

Checks: C-36364r1_chk

Check skeleton files permissions. # ls -alL /etc/skel If a skeleton file has a mode more permissive than 0444, this is a finding.

Fix: F-31701r1_fix

Change the mode of skeleton files with incorrect mode. # chmod 0444 <skeleton file>

Generate Mitigation Statement:

Checks: C-36303r1_chk

Check NIS file ownership. Procedure: # ls -lLa /var/yp/&lt;nis domainname&gt; If the file ownership is not root, sys, or bin, this is a finding.

Fix: F-31558r1_fix

Change the ownership of NIS/NIS+/yp files to root, sys, or bin. Consult vendor documentation to determine the location of the files. Procedure (example): # chown root <filename>

Generate Mitigation Statement:

Checks: C-36304r3_chk

Check NIS file ownership. # ls -alLR /var/yp/`domainname` If the file group owner is not root, sys, bin (the default), or other, this is a finding.

Fix: F-31559r2_fix

Change the group owner of the NIS files to root, sys, bin, or other. # chgrp root <filename>

Generate Mitigation Statement:

Checks: C-36305r1_chk

Check NIS file mode. Procedure: # grep -i NIS_DOMAIN /etc/rc.config.d/namesvrs # ls -lLa /var/yp/&lt;NIS_DOMAIN&gt; If the file's mode is more permissive than 0755, this is a finding.

Fix: F-31560r1_fix

Change the mode of NIS/NIS+/yp command files to 0755 or less permissive. Procedure (example): # chmod 0755 <filename>

Generate Mitigation Statement:

Checks: C-36307r2_chk

Check the mode of library files. Procedure: # ls -lLR /usr/lib /lib If any of the library files have a mode more permissive than 755, this is a finding.

Fix: F-31562r1_fix

Change the mode of library files to 0755 or less permissive. Procedure (example): # chmod 0755 <path>/<library-file> NOTE: Library files should have an extension of ".a" or ".so" (a=archive, so=shared object) extension, possibly followed by a version number.

Generate Mitigation Statement:

Checks: C-36308r1_chk

Check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /sbin, and /usr/sbin. # ls -lL /etc /bin /usr/bin /usr/lbin /sbin /usr/sbin If any file listed has a mode more permissive than 755, this is a finding. Note: Elevate to Severity Code I if any file is listed as world-writable.

Fix: F-31563r1_fix

Change the mode for system command files to 755 or less permissive. # chmod 755 <filename>

Generate Mitigation Statement:

Checks: C-36309r1_chk

Check the ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding.

Fix: F-31564r1_fix

Change the owner of system files, programs, and directories to a system account. Procedure: # chown root <path>/<system file> (A different system user may be used in place of root.)

Generate Mitigation Statement:

Checks: C-36310r1_chk

Check the group ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin If any system file, program, or directory is not owned by a system group, this is a finding.

Fix: F-31565r1_fix

Change the group owner of system files to a system group. Procedure: # chgrp root <path>/<system file> (System groups other than root may be used.)

Generate Mitigation Statement:

Checks: C-36330r4_chk

For Trusted Mode: Check the ownership of the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file exists and is not owned by root, this is a finding. NOTE: /etc/shadow should not exist if the system is in Trusted Mode. Check the ownership of the TCB auth files and directories. # ls -lLd /tcb /tcb/files /tcb/files/auth # ls -lL /tcb/files/auth/[a-z,A-Z]/* If the owner of any of the /tcb files and directories is not root, this is a finding. For SMSE: Check the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file exists and is not owned by root, this is a finding.

Fix: F-31585r2_fix

For Trusted Mode: # chown root /tcb # chown root /tcb/files /tcb/files/auth # chown root /tcb/files/auth/[a-z]/* For SMSE: # chown root /etc/shadow

Generate Mitigation Statement:

Checks: C-36331r1_chk

Check the mode of the /etc/passwd file. Procedure: # ls -lL /etc/passwd If /etc/passwd has a mode more permissive than 0444, this is a finding.

Fix: F-31586r1_fix

Change the mode of the passwd file to 0444. # chmod 0444 /etc/passwd Document all changes.

Generate Mitigation Statement:

Checks: C-36332r2_chk

For Trusted Mode: Check the TCB auth files and directories. # ls -lLd /tcb /tcb/files /tcp/files/auth # ls -lL /tcb/files/auth/[a-z,A-Z]/* If the mode of /tcb directory is more permissive than 0555, this is a finding. If the mode of /tcb/files or /tcb/files/auth directories is more permissive than 0771, this is a finding. If the mode of any of the /tcb/files/auth/[a-z]/* is more permissive than 0664, this is a finding. For SMSE: Check the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file has a mode more permissive than 0400, this is a finding. NOTE: The /etc/shadow file will not exist if the system is in Trusted Mode.

Fix: F-31587r3_fix

For Trusted Mode: # chmod 0555 /tcb # chmod 0771 /tcb/files /tcb/files/auth # chmod 0664 /tcb/files/auth/[a-z]/* For SMSE: # chmod 0400 /etc/shadow

Generate Mitigation Statement:

Checks: C-36399r1_chk

Files with the setuid bit set will allow anyone running these files to be temporarily assigned the user or group ID of the file. If an executable with setuid allows shell escapes, the user can operate on the system with the effective permission rights of the user or group owner. List all setuid files on the system. Procedure: # find / -perm -4000 -exec ls -l {} \; | more NOTE: Executing these commands may result in large listings of files; the output may be redirected to a file for easier analysis. Ask the SA or IAO if files with the suid bit set have been documented. If any undocumented file has its suid bit set, this is a finding.

Fix: F-31738r1_fix

Document the files with the suid bit set or unset the suid bit on the executable.

Generate Mitigation Statement:

Checks: C-36401r1_chk

Locate all setgid files on the system. Procedure: # find / -perm -2000 If the ownership, permissions, location, and ACLs of all files with the setgid bit set are not documented, this is a finding.

Fix: F-31740r1_fix

All files with the sgid bit set will be documented in the system baseline and authorized by the Information Systems Security Officer (ISSO). Locate all sgid files with the following command: find / -perm -2000 -exec ls -lL {} \; Ensure sgid files are part of the operating system software, documented application software, documented utility software, or documented locally developed software. Ensure none are text files or shell programs.

Generate Mitigation Statement:

Checks: C-36400r1_chk

NOTE: This will virtually always require a manual review. Determine if a weekly automated or manual process is used to generate a list of suid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-31739r1_fix

Establish a weekly automated or manual process to generate a list of suid files on the system and compare it with the prior list. To create a list of suid files: # find / -perm -4000 > suid-file-list

Generate Mitigation Statement:

Checks: C-36402r1_chk

NOTE: This will virtually always require a manual review. Determine if a weekly automated or manual process is used to generate a list of sgid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-31741r1_fix

Establish a weekly automated or manual process to generate a list of sgid files on the system and compare it with the prior list. To create a list of sgid files: # find / -type f -perm -2000 -exec ls -lL {} \; >> sgid-file-list

Generate Mitigation Statement:

Checks: C-36403r1_chk

Check /etc/fstab and verify the nosuid mount option is used on file systems mounted from removable media, network shares, or any other file system not containing approved setuid or setgid files. Each file system line entry must contain a device specific file and may additionally contain all of the following fields, in the following order: mount directory, type, options, backup frequency, pass number (on parallel fsck) and comment. # cat /etc/fstab | grep -v "^#" If the "nosuid" mount option is not used on file systems mounted from removable media, network shares, or any other file system that does not contain approved setuid or setgid files, this is a finding.

Fix: F-31742r1_fix

Edit /etc/fstab and add the nosuid mount option to all file systems mounted from removable media or network shares, and any file system not containing approved setuid or setgid files.

Generate Mitigation Statement:

Checks: C-36406r1_chk

Check the ownership of all public directories. Procedure: # find / -type d -perm -1002 -exec ls -ld {} \; If any public directory is not owned by root or an application user, this is a finding.

Fix: F-31744r1_fix

Change the owner of public directories to root or an application account. Procedure: # chown root <public directory>

Generate Mitigation Statement:

Checks: C-36407r1_chk

Check global initialization files for the configured umask value. # grep umask /etc/* | grep -v ":#" | grep "umask [0-9]" Check local initialization files for the configured umask value. Procedure: # grep umask /userhomedirectory/.* If the system and user default umask is not 077, this is a finding. NOTE: If the default umask is 000 or allows for the creation of world-writable files this becomes a Severity Code I (CAT I) finding.

Fix: F-31745r1_fix

Edit local and global initialization files containing umask and change them to use 077 instead of the current value.

Generate Mitigation Statement:

Checks: C-36408r2_chk

Account/password locking is typically accomplished with the asterisk (*). System logins that never had a password use a double exclamation mark (!!) and accounts that have been locked have the valid password entry invalidated by a single exclamation mark (!) prefix. For Trusted Mode: Protected password database files are maintained in the /tcb/files/auth hierarchy. This directory contains other directories each named with a single letter from the alphabet. User authentication profiles are stored in these directories based on the first letter of the user account name. Next check if default system accounts (such as those for sys, bin, uucp, nuucp, daemon, smtp) have been disabled. # grep “u_pwd=“ /tcb/files/auth/[a-z,A-Z]/* If any default system accounts (such as those for sys, bin, uucp, nuucp, daemon, smtp) have not been disabled, this is a finding. For SMSE: Check if default system accounts (such as those for sys, bin, uucp, nuucp, daemon, smtp) have been disabled. # cat /etc/shadow If any default system accounts (such as those for sys, bin, uucp, nuucp, daemon, smtp) have not been disabled, this is a finding.

Fix: F-31746r2_fix

For Trusted Mode and SMSE: Use the System Administration Manager (SAM) or the System Management Homepage (SMH) to lock/disable or remove any enabled default system accounts.

Generate Mitigation Statement:

Checks: C-35101r1_chk

Determine if auditing is enabled. # audsys If the audit service is not running, this is a finding.

Fix: F-30370r1_fix

In order to turn auditing on, the system must first be in Trusted Mode. Next, turn on the auditing system. The system will use existing current and next audit trails (if configured). # sam Then: Auditing and Security -> Audited Events -> Actions -> Turn Auditing On.

Generate Mitigation Statement:

Checks: C-36424r2_chk

Inspect the auditing configuration file, /etc/rc.config.d/auditing, to determine the filename and path of the audit logs. The entries should appear similar to the following: PRI_AUDFILE=/var/.audit/file1 SEC_AUDFILE=/var/.audit/file2 # egrep “PRI_AUDFILE|SEC_AUDFILE” /etc/rc.config.d/auditing For each audit log directory/file, check the ownership. # ls -lLd &lt;audit directory&gt; # ls -lLa &lt;audit file&gt; If any audit log directory/file is not owned by root, this is a finding.

Fix: F-31763r2_fix

As root, change the ownership. # chown root <audit directory> # chown root <audit file>

Generate Mitigation Statement:

Checks: C-36425r2_chk

Inspect the auditing configuration file, /etc/rc.config.d/auditing, to determine the filename and path of the audit logs. The entries should appear similar to the following: PRI_AUDFILE=/var/.audit/file1 SEC_AUDFILE=/var/.audit/file2 # egrep “PRI_AUDFILE|SEC_AUDFILE” /etc/rc.config.d/auditing For each audit log directory/file, check the permissions. # ls -lLd &lt;audit directory&gt; # ls -lLa &lt;audit file&gt; If any audit log file has permissions greater than 0640 (0750 for directories), this is a finding.

Fix: F-31764r2_fix

As root, change the permissions. # chmod 0750 <audit directory> # chmod 0640 <audit file>

Generate Mitigation Statement:

Checks: C-36426r1_chk

Check the system audit configuration to determine if failed attempts to access files and programs are audited. # grep -i audevent_args1 /etc/rc.config.d/auditing | grep open If no results are returned, this is a finding.

Fix: F-31765r1_fix

Edit /etc/rc.config.d/auditing and add -e open to the end of the AUDEVENT_ARGS1 parameter.

Generate Mitigation Statement:

Checks: C-36427r1_chk

Check the system audit configuration to determine if failed attempts to access files and programs are audited. # grep -i audevent_args1 /etc/rc.config.d/auditing | grep delete If no results are returned, this is a finding.

Fix: F-31766r1_fix

Edit /etc/rc.config.d/auditing and add -e delete to the end of the AUDEVENT_ARGS1 parameter.

Generate Mitigation Statement:

Checks: C-36428r1_chk

Check the auditing configuration of the system. # grep -i audevent_args1 /etc/rc.config.d/auditing | grep admin # grep -i audevent_args1 /etc/rc.config.d/auditing | grep removable If no results are returned for either of these commands, this is a finding.

Fix: F-31767r1_fix

Edit /etc/rc.config.d/auditing and add -e admin and -e removable to the end of the AUDEVENT_ARGS1 parameter.

Generate Mitigation Statement:

Checks: C-36429r1_chk

Check the system's audit configuration. # grep -i audevent_args1 /etc/rc.config.d/auditing | grep login If no results are returned, this is a finding.

Fix: F-31768r1_fix

Edit /etc/rc.config.d/auditing and add -e login to the end of the AUDEVENT_ARGS1 parameter.

Generate Mitigation Statement:

Checks: C-36430r1_chk

Check the system's audit configuration. The term moddac is code for MODify Dicscretionary Access Control (i.e., chown, chmod, etc.). # grep -i audevent_args1 /etc/rc.config.d/auditing | grep moddac If no results are returned, this is a finding.

Fix: F-31769r1_fix

Edit /etc/rc.config.d/auditing and add -e moddac to the end of the AUDEVENT_ARGS1 parameter.

Generate Mitigation Statement:

Checks: C-34933r1_chk

Check the ownership of the xinetd.d directory, the (x)inetd.conf file and any files identified by the configuration file includedir stanza. # find / -type d -name xinetd.d | xargs -n1 ls -lLd # find / -type f -name inetd.conf -o -name xinetd.conf | xargs -n1 ls -lL # grep includedir &lt;PATH&gt;/xinetd.conf If any of the above named files, included files or directories are not owned by root or bin, this is a finding.

Fix: F-30239r1_fix

Change the ownership of the inetd.conf file to root or bin. # chown root <file or directory>

Generate Mitigation Statement:

Checks: C-34936r1_chk

Check the mode of the (x)inetd.conf file and any files identified by the configuration file includedir stanza: # find / -type f -name inetd.conf -o -name xinetd.conf | xargs -n1 ls -lL # grep includedir &lt;PATH&gt;/xinetd.conf # ls -lL &lt;includedir files from previous command&gt; If any of the above file mode are more permissive than 0440, this is a finding.

Fix: F-30242r1_fix

Change the mode of the (x)inetd.conf file. # chmod 0440 <file>

Generate Mitigation Statement:

Checks: C-34941r1_chk

Check the ownership of the services file. NOTE: The typical ownership of the services file is bin. # ls -lL /etc/services If the services file is not owned by root or bin, this is a finding.

Fix: F-30246r1_fix

Change the ownership of the services file to root or bin. # chown root /etc/services

Generate Mitigation Statement:

Checks: C-34942r1_chk

Check the mode of the services file. NOTE: The typical default mode of the services file is 0444. # ls -lL /etc/services If the services file has a mode more permissive than 0444, this is a finding.

Fix: F-30247r1_fix

Change the mode of the services file to 0444 or less permissive. # chmod 0444 /etc/services

Generate Mitigation Statement:

Checks: C-34997r1_chk

Look for the presence of a print service configuration file. The hosts.lpd file is not used on HP, only inetd.sec, hosts.equiv, and/or the system (lp) .rhosts will apply. When rlpdaemon is started via inetd, access control is provided via the fileinetd.sec to allow or prevent a host from making print requests. When rlpdaemon is started at boot via a run command file, all requests must come from one of the machines listed in the file /etc/hosts.equiv or /var/spool/lp/.rhosts. Procedure: First, determine the rlpdaemon startup method: 1) Print services started via inetd? # cat /etc/inetd.conf | grep -v "^#" | grep -c rlpdaemon If the above command return value is 1, check the services file. # cat /etc/services | grep -v "^#" | grep printer | grep -c spooler If the above command return value is 1, check the inetd.sec file. # cat /var/adm/inetd.sec | grep -v "^#" | tr '\011' ' ' | tr -s ' ' | grep printer | grep allow | grep -c "\+" If the above command return value is 1, this is a finding. 2) The rlpdaemon is started as a service, and not via inetd. Verify neither the /etc/hosts.equiv nor /var/spool/lp/.rhosts contains a "+": # cat /etc/hosts.equiv | grep -v "^#" | grep -c "\+" # cat /var/spool/lp/.rhosts | grep -v "^#" | grep -c "\+" If the return value of either of the above two command(s) is 1, this is a finding. If none of the files are found, this check should be marked not a finding. Otherwise, examine the configuration file. # more &lt;print service file&gt; Check for entries containing a "+" or "_" character. If any are found, this is a finding.

Fix: F-30292r1_fix

Remove the "+" entries from the hosts.lpd (or equivalent) file.

Generate Mitigation Statement:

Checks: C-35001r1_chk

Locate any print service configuration file(s) on the system. HP vendor documentation identifies the following names and locations of print service configuration files on the system that can be checked via the following commands: # ls -lL /var/spool/lp/.rhosts # ls -lL /var/adm/inetd.sec # ls -lL /etc/hosts.equiv If no print service configuration file is found, this is not a finding. Check the ownership of the print service configuration file(s). # ls -lL &lt;print service configuration file&gt; If the owner of the file is not root, sys, bin, or lp, this is a finding.

Fix: F-30294r1_fix

Change the owner of the /etc/hosts.lpd file (or equivalent) to root, lp, or another privileged UID. # chown root <print service configuration file>

Generate Mitigation Statement:

Checks: C-35005r1_chk

Locate any print service configuration file(s) on the system. HP vendor documentation identifies the following names and locations of print service configuration files on the system that can be checked via the following commands: # ls -lL /var/spool/lp/.rhosts # ls -lL /var/adm/inetd.sec # ls -lL /etc/hosts.equiv If no print service configuration file is found, this is not a finding. Check the mode of the print service configuration file. # ls -lL &lt;print service configuration file&gt; If the mode of the print service configuration file is more permissive than 0644, this is a finding.

Fix: F-30299r1_fix

Change the mode of the /etc/hosts.lpd file (or equivalent) to 0644 or less permissive. Procedure: # chmod 0644 <print service configuration file>

Generate Mitigation Statement:

Checks: C-35014r1_chk

Find the aliases file on the system and check the ownership. # ls -lL /etc/mail/aliases If the file is not owned by root, this is a finding.

Fix: F-30308r1_fix

Change the owner of the /etc/mail/aliases file (or equivalent) to root. # chown root /etc/mail/aliases

Generate Mitigation Statement:

Checks: C-35017r1_chk

Find the aliases file on the system. Procedure: # ls -lL /etc/mail/aliases If the aliases file exists with a mode more permissive than 0644, this is a finding.

Fix: F-30311r1_fix

Change the mode of the aliases file (or equivalent) to 0644. # chmod 0644 /etc/mail/aliases

Generate Mitigation Statement:

Checks: C-36562r1_chk

Examine the aliases file on the system for any utilized directories or paths. # cat /etc/mail/aliases | cut -f 2,2 -d ":" | grep "|" Check the permissions for any file paths referenced. # ls -lL &lt;path/file&gt; If any file referenced from the aliases file has a mode more permissive than 0755, this is a finding.

Fix: F-31930r1_fix

Use the chmod command to change the access permissions for files executed from the aliases file. For example: # chmod 0755 <path/file>

Generate Mitigation Statement:

Checks: C-36565r1_chk

The syslog.conf file critical mail logging option line will typically appear as one of the following examples: mail.crit /var/adm/messages mail.* /var/adm/messages *.* /var/adm/messages *.crit /var/adm/messages Check the syslog configuration file for mail.crit logging configuration. # cat /etc/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | egrep -i "mail.crit|mail.\*|\*.crit|\*.\*" If syslog is not configured to log critical sendmail messages, this is a finding.

Fix: F-31933r1_fix

Edit the syslog.conf file and add a configuration line specifying an appropriate destination for critical "mail" syslogs, for example: mail.crit /var/adm/messages mail.* /var/adm/messages *.* /var/adm/messages *.crit /var/adm/messages

Generate Mitigation Statement:

Checks: C-36566r1_chk

Locate any Sendmail log files by checking the syslog configuration file. # cat /etc/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | \ egrep -i "mail.info|mail.debug|mail.\*|\*.info|\*.debug|\*.\*" | cut -f 2,2 -d " " | uniq | xargs -n1 ls -lL Identify any log files configured for the "mail" service at any severity level, or those configured for all services. Check the ownership of these log files. If any mail log file is not owned by root, this is a finding.

Fix: F-31934r1_fix

Change the ownership of the sendmail log file. # chown root <sendmail log file>

Generate Mitigation Statement:

Checks: C-36567r1_chk

Check the mode of the SMTP service log file. # cat /etc/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | egrep -i "mail.info|mail.debug|mail.\*|\*.info|\*.debug|\*.\*" | cut -f 2,2 -d " " | uniq | xargs -n1 ls -lL Check the configuration to determine which log files contain logs for mail. # ls -lL &lt;sendmail log file&gt; If any Sendmail log file permissions are greater than 0644, this is a finding.

Fix: F-31935r1_fix

Change the mode of the SMTP service log file. # chmod 0644 <sendmail log file>

Generate Mitigation Statement:

Checks: C-36582r1_chk

Check for the existence of the ftpusers file. This file is normally located in the /etc/ftpd directory. # ls -lL /etc/ftpd/ftpusers OR alternatively # find / -type f -name ftpusers -exec ls -lL {} \; If the ftpusers file does not exist, this is a finding.

Fix: F-31950r1_fix

Create a /etc/ftpd/ftpusers (or equivalent) file containing a list of /etc/passwd accounts not authorized for FTP.

Generate Mitigation Statement:

Checks: C-36583r1_chk

Check the contents of the ftpusers file. # more /etc/ftpd/ftpusers OR alternatively # find / -type f -name ftpusers -exec ls -lL {} \; If the system has accounts not allowed to use FTP and not listed in the ftpusers file, this is a finding.

Fix: F-31951r1_fix

Add accounts not allowed to use FTP to the /etc/ftpd/ftpusers (or equivalent) file.

Generate Mitigation Statement:

Checks: C-36584r1_chk

Check the ownership of the ftpusers file. # ls -lL /etc/ftpd/ftpusers If the ftpusers file is not owned by root, this is a finding.

Fix: F-31952r1_fix

Change the owner of the ftpusers file to root. # chown root /etc/ftpd/ftpusers

Generate Mitigation Statement:

Checks: C-36586r1_chk

Check the permissions of the ftpusers file. # ls -lL /etc/ftpd/ftpusers If the ftpusers file has a mode more permissive than 0640, this is a finding.

Fix: F-31954r1_fix

Change the mode of the ftpusers file to 0640. # chmod 0640 /etc/ftpd/ftpusers

Generate Mitigation Statement:

Checks: C-36580r2_chk

Attempt to log in with anonymous or ftp. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host or the user's email address.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp. If the login is successful, this is a finding.

Fix: F-31948r2_fix

Configure the FTP service to not permit anonymous logins. Remove the user(s) ftp and/or anonymous from the /etc/passwd file.

Generate Mitigation Statement:

Checks: C-715r2_chk

Check the /etc/passwd file to determine if TFTP is configured properly. Procedure: # grep tftp /etc/passwd If a TFTP user account does not exist and TFTP is active, this is a finding. Check the user shell for the TFTP user. If it is not /bin/false or equivalent, this is a finding. Check the home directory assigned to the TFTP user. If no home directory is set, or the directory specified is not dedicated to the use of the TFTP service, this is a finding.

Fix: F-31962r1_fix

Create a tftp user account if none exists. Assign a non-login shell to the tftp user account, such as /usr/bin/false. Assign/create the tftp user account home directory where/as necessary. Ensure the home directory is owned by the tftp user.

Generate Mitigation Statement:

Checks: C-36598r1_chk

Check for .Xauthority files being utilized by looking for such files in the home directory of a user using X. Get a list of (non-system account) users and the associated home directories. # cat /etc/passwd | cut -f 1,6 -d ":" Inspect individual user home directories for the .Xauthority file. # find &lt;f6 from the above command&gt; -type f -name "\.Xauthority" -exec ls -lLa {} \; If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

Fix: F-31964r1_fix

Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the file. Ensure the line writing the .Xauthority file is uncommented.

Generate Mitigation Statement:

Checks: C-36720r1_chk

Perform the following to determine if NIS is active on the system. # ps -ef | grep -v grep | egrep "ypbind|ypserv" If NIS is found active on the system, this is a finding.

Fix: F-32102r1_fix

Disable the use of NIS. Possible replacements are NIS+ and LDAP-UX.

Generate Mitigation Statement:

Checks: C-36335r1_chk

Check the home directory mode of each user in /etc/passwd. Procedure: # ls -lLd `cat /etc/passwd | cut -f 6,6 -d ":"` | more If a user's home directory mode is more permissive than 0750, this is a finding. NOTE: Application directories are allowed to and may need 0755 permissions (or greater) for correct operation.

Fix: F-31590r1_fix

Change the mode of user's home directory to 0750 or less permissive. Procedure (example): # chmod 0750 <home directory> NOTE: Application directories are allowed to and may need 0755 permissions (or greater) for correct operation.

Generate Mitigation Statement:

Checks: C-36336r1_chk

Check the ownership of each user home directory listed in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; OR # ls -lLd `cat /etc/passwd | cut -f 6,6 -d ":"` | more If any user home directory is not owned by the assigned user, this is a finding.

Fix: F-31591r1_fix

Change the owner of a user's home directory to its assigned user. Procedure: # chown <user> <home directory>

Generate Mitigation Statement:

Checks: C-36337r1_chk

Check the group ownership for each user in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; OR # ls -lLd `cat /etc/passwd | cut -f 6,6 -d ":"` | more If any user home directory is not group-owned by the assigned user's primary group, this is a finding. Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.

Fix: F-31592r1_fix

Change the group-owner for user home directories to the primary group of the assigned user. Procedure: # chgrp groupname directoryname (Replace examples with appropriate group and home directory.) Document all changes.

Generate Mitigation Statement:

Checks: C-36366r2_chk

Check the ownership of local initialization files. Procedure: # ls -alL /&lt;usershomedirectory&gt;/.login # ls -alL /&lt;usershomedirectory&gt;/.cshrc # ls -alL /&lt;usershomedirectory&gt;/.logout # ls -alL /&lt;usershomedirectory&gt;/.profile # ls -alL /&lt;usershomedirectory&gt;/.bash_profile # ls -alL /&lt;usershomedirectory&gt;/.bashrc # ls -alL /&lt;usershomedirectory&gt;/.bash_logout # ls -alL /&lt;usershomedirectory&gt;/.env # ls -alL /&lt;usershomedirectory&gt;/.dtprofile # ls -alL /&lt;usershomedirectory&gt;/.dispatch # ls -alL /&lt;usershomedirectory&gt;/.emacs # ls -alL /&lt;usershomedirectory&gt;/.exrc # find /&lt;usershomedirectory&gt;/.dt ! -fstype nfs ! -user &lt;username&gt; -exec ls -ld {} \; If local initialization files are not owned by the home directory's user or root, this is a finding.

Fix: F-31703r1_fix

Change the ownership of the startup and login files in the user's directory to the user or root, as appropriate. Examine each user's home directory and verify all filenames beginning with "." are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required.

Generate Mitigation Statement:

Checks: C-36367r1_chk

Check the modes of local initialization files. Procedure: # ls -alL /&lt;usershomedirectory&gt;/.login # ls -alL /&lt;usershomedirectory&gt;/.cschrc # ls -alL /&lt;usershomedirectory&gt;/.logout # ls -alL /&lt;usershomedirectory&gt;/.profile # ls -alL /&lt;usershomedirectory&gt;/.bash_profile # ls -alL /&lt;usershomedirectory&gt;/.bashrc # ls -alL /&lt;usershomedirectory&gt;/.bash_logout # ls -alL /&lt;usershomedirectory&gt;/.env # ls -alL /&lt;usershomedirectory&gt;/.dtprofile (permissions should be 0755) # ls -alL /&lt;usershomedirectory&gt;/.dispatch # ls -alL /&lt;usershomedirectory&gt;/.emacs # ls -alL /&lt;usershomedirectory&gt;/.exrc # find /&lt;usershomedirecotory&gt;/.dt ! -fstype nfs \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} \; (permissions not to be more permissive than 0755) If local initialization files are more permissive than 0740, the .dt directory is more permissive than 0755, or the .dtprofile file is more permissive than 0755, this is a finding.

Fix: F-31704r1_fix

Ensure user startup files have permissions of 0740 or more restrictive. Examine each user's home directory and verify all file names beginning with "." have access permissions of 0740 or more restrictive. If they do not, use the chmod command to correct the vulnerability. Procedure: # chmod 0740 .filename NOTE: The period is part of the file name and is required.

Generate Mitigation Statement:

Checks: C-36338r1_chk

Verify run control scripts have no extended ACLs. # ls -lLa /sbin/init.d/[a-z,A-Z,0-9]* If the permissions include a "+" the file has an extended ACL, this is a finding.

Fix: F-31593r1_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d directory to ensure they are not world-writable. If they are world-writable, use the chmod command to correct the vulnerability, and research why they are world-writable. # chmod 755 startupfile

Generate Mitigation Statement:

Checks: C-36339r1_chk

Verify the run control scripts search paths do not contain references to the current working directory or other relative paths in any script where the "PATH" variable occurs. # grep "PATH" /sbin/init.d/[a-z,A-Z,0-9]* | grep -v "_PATH" This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), this is a relative path, and this is a finding.

Fix: F-31594r1_fix

Edit the run control script and remove the relative path entry from the executable search path variable.

Generate Mitigation Statement:

Checks: C-36369r1_chk

Check the system for the existence of any .netrc files. Procedure: # find / -name .netrc If any .netrc file exists, this is a finding.

Fix: F-31706r1_fix

Remove the .netrc file(s). Procedure: # rm .netrc

Generate Mitigation Statement:

Checks: C-36410r1_chk

Verify /etc/shells exists. # ls -l /etc/shells If the file does not exist, this is a finding.

Fix: F-31748r1_fix

Create /etc/shells file containing a list of valid system shells. Consult vendor documentation for an appropriate list of system shells. Procedure: Typical installed shells include: /sbin/sh /usr/bin/sh /usr/bin/rsh /usr/bin/ksh /usr/bin/rksh /usr/bin/csh /usr/bin/keysh # echo "/sbin/sh" >> /etc/shells (Repeat as necessary for all existing shell programs.)

Generate Mitigation Statement:

Checks: C-35098r1_chk

Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells file. Procedure: # more /etc/passwd # more /etc/shells The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, (and equivalents), and sdshell will be considered valid shells for use in the /etc/passwd file, but will not be listed in the /etc/shells file. If a shell referenced in /etc/passwd is not listed in the shells file, excluding the above mentioned shells, this is a finding.

Fix: F-30367r1_fix

Use the chsh utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file.

Generate Mitigation Statement:

Checks: C-36270r3_chk

For Trusted Mode: Verify that user accounts are locked after 35 days of inactivity. Note: The “u_llogin” attribute is stored in seconds: 86400 seconds/day * 35 days = 3024000 seconds. # cd /tcb/files/auth &amp;&amp; cat */* | egrep “:u_name=|:u_llogin=“ If user account is not set to lock after 35 days of inactivity, this is a finding. For SMSE: Check the INACTIVITY_MAXDAYS setting. # grep INACTIVITY_MAXDAYS /etc/default/security /var/adm/userdb/* If INACTIVITY_MAXDAYS is set to 0 or greater than 35 for any user, this is a finding.

Fix: F-31527r3_fix

For Trusted Mode: Use the SAM/SMH interface to update the “u_llogin” (user last login) /tcb database attribute. See the /tcb database entry example below: :u_llogin#3024000: For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the INACTIVITY_MAXDAYS attribute. See the below example: INACTIVITY_MAXDAYS=35 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Generate Mitigation Statement:

Checks: C-36412r1_chk

Check the ownership of the system shells. # cat /etc/shells | xargs -n1 ls -lL If any shell is not owned by root or bin, this is a finding.

Fix: F-31750r1_fix

Change the ownership of any system shell not owned by root or bin: # chown root <path/shell>

Generate Mitigation Statement:

Checks: C-36415r1_chk

Find all device special files existing anywhere on the system. Types include: b=block, c=character, p=fifo. Example: # find / -type b -print &gt;&gt; devicelist # find / -type c -print &gt;&gt; devicelist # find / -type p -print &gt;&gt; devicelist Check the permissions on the directories above subdirectories that contain device files. If any device file, or directory containing device files, is world-writable, except device files specifically intended to be world-writable such as /dev/null, this is a finding. Note the following exception/exclusion list: /dev/pts/*, /dev/pty/*, /dev/ptym/*, the following in dev: full, zero, null, tty, ptmx, pty*, tcp, udp, ip, arp, udp6, tcp6, rawip6, ip6, rawip, rtsock, ipsecpol, ipseckey, sad, dlpi*, sasd*, ttyp*, ttyq*, ttyr*, strlog, telnetm, tlclts, asyncdsk, async, tlcots, tlcotsod, echo, beep, gvid0, gvid, poll, log, log.um, stcpmap, nuls, usctp6, sctp6, usctp and sctp.

Fix: F-31753r1_fix

Remove the world-writable permission from the device file(s). # chmod o-w <device file> Document all changes.

Generate Mitigation Statement:

Checks: C-36416r1_chk

Check the system for device files read/write enabled for users other than root or the backup user. Example: # find / \( -perm -0020 -o -perm -0040 -o -perm -0002 -o -perm -0004 \) -a \( -type b -o -type c -o -type n \) -exec ls -ld {} \; If any device files used for backup are read/write enabled for users other than root, this is a finding.

Fix: F-31754r1_fix

Use the chmod command to remove the read/write bit(s) from the backup device files. # chmod o-r <b/u device file name> # chmod o-w <b/u device file name> # chmod g-r <b/u device file name> # chmod g-w <b/u device file name> Document all changes.

Generate Mitigation Statement:

Checks: C-36723r1_chk

If the system is not using NIS+, this is not applicable. Check the system to determine if NIS+ security level two is implemented. Execute this command: # niscat cred.org_dir If the second column does not contain DES, the system is not using NIS+ security level two, and this is a finding.

Fix: F-32104r1_fix

Configure the NIS+ server to use security level 2.

Generate Mitigation Statement:

Checks: C-35023r1_chk

# echo `ls -lL /etc/exports` | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | cut -f 3,3 -d " " If the export configuration file is not owned by root, this is a finding.

Fix: F-30316r1_fix

Change the owner of the exports file to root. Example: # chown root /etc/exports

Generate Mitigation Statement:

Checks: C-35036r1_chk

Check for NFS exported file systems. # cat /etc/exports This will display all of the exported file systems. For each file system displayed, check the ownership. Check the owner of the NFS export configuration file. # echo ` ls -lLad &lt;export file system path&gt;` | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' If the files and directories are not owned by root, this is a finding.

Fix: F-30327r1_fix

Change the ownership of exported file systems not owned by root. # chown root <path>

Generate Mitigation Statement:

Checks: C-35042r1_chk

Check if the anon option is set correctly for exported file systems. List exported file systems: # exportfs -v Each of the exported file systems should include an entry for the anon= option set to -1 or an equivalent (60001, 65534, or 65535). If an appropriate anon= setting is not present for an exported file system, this is a finding.

Fix: F-1086r2_fix

Edit /etc/exports and set the anon=-1 option for exports without it. Re-export the file systems.

Generate Mitigation Statement:

Checks: C-36686r1_chk

Check the permissions on exported NFS file systems. Procedure: # exportfs -v If the exported file systems do not contain the 'rw' or 'ro' options specifying a list of hosts or networks, this is a finding.

Fix: F-32060r1_fix

Edit /etc/exports and add ro and/or rw options (as appropriate) specifying a list of hosts or networks which are permitted access. Re-export the file systems via the following commands: # exportfs -u <the file system entry that was modified> # exportfs -v <the file system entry that was modified>

Generate Mitigation Statement:

Checks: C-36687r1_chk

Determine if the NFS server is exporting with the root access option. Procedure: # exportfs -v | grep "root=" If an export with the root option is found, this is a finding.

Fix: F-32062r1_fix

Edit /etc/exports and remove the root= option for all exports. Re-export the file systems.

Generate Mitigation Statement:

Checks: C-35048r1_chk

Check the system for NFS mounts that do not use the nosuid option. # mount -v | grep " type nfs " | grep -v "nosuid" If the mounted file systems do not have the nosuid option, this is a finding.

Fix: F-30338r1_fix

Edit /etc/fstab and add the nosuid option for all NFS file systems. Remount the NFS file systems to make the change take effect.

Generate Mitigation Statement:

Checks: C-35044r1_chk

Locate the inetd.conf file (normally located within the /etc directory). # find /etc -type f -name inetd.conf Determine if TCP_WRAPPERS is used. The following example demonstrates one possible single inetd.conf line first without and then with the service tcp wrapped. telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd telnet stream tcp6 nowait root /usr/sbin/tcpd telnetd # cat &lt;path&gt;/inetd.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' |grep -v "^#" | grep tcpd If there are unwrapped active services listed, this is a finding.

Fix: F-30334r1_fix

Edit /etc/inetd.conf and use tcpd to wrap active services.

Generate Mitigation Statement:

Checks: C-35049r2_chk

Normally, tcpd logs to the mail facility in the syslog.conf file (normally located within the /etc directory). Determine if syslog is configured to log events by tcpd. # find /etc -type f -name syslog.conf # cat &lt;path&gt;/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' |grep -v “^#” | egrep “mail.debug|mail.info|mail.\*” Look for an entry similar to the following, indicating that mail alerts are being logged: mail.* /var/log/maillog If no entries for mail exist, then tcpd is not logging and this is a finding.

Fix: F-32112r1_fix

Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed so logging of system access attempts is logged into the system log files. If an alternate application is used, it must support this function.

Generate Mitigation Statement:

Checks: C-2278r4_chk

For Trusted Mode: Determine if the /tcb directory tree exists. # ls -lLd /tcb If the /tcb directory tree does not exist, this is a finding. For SMSE: Determine if the userdb directory tree and the /etc/shadow file exists. # ls -lL /var/adm/userdb # ls -lL /etc/shadow If both the /var/adm/userdb directory tree and the /etc/shadow file do not exist, this is a finding.

Fix: F-33047r2_fix

SAM/SMH must be used to convert standard mode HP-UX to Trusted Mode (optional for SMSE). For Trusted Mode only: The following command may be used to “manually” convert from Standard Mode to Trusted Mode (note that its use is not vendor supported): # tsconvert -c For SMSE only: The following command may be used to “manually” create the /etc/shadow file with information from the /etc/passwd file (use of this commend is vendor supported). # pwconv Note that additional software bundles and/or patches may be required in order to completely convert a standard mode system to SMSE.

Generate Mitigation Statement:

Checks: C-2289r2_chk

ls -lL /etc/securetty

Fix: F-1119r2_fix

Change the group-owner of the /etc/securetty to root, bin, or sys. Example: # chgrp root /etc/securetty

Generate Mitigation Statement:

Checks: C-37789r1_chk

Check the ownership of the /etc/securetty file. ls -lL /etc/securetty If /etc/securetty is not owned by root, sys, or bin, this is a finding.

Fix: F-1120r2_fix

Change the owner of the /etc/securetty file to root. # chown root /etc/securetty

Generate Mitigation Statement:

Checks: C-2290r2_chk

Check the mode of the securetty file. Example: # ls -lL /etc/securetty If /etc/securetty has a mode more permissive than 0640, this is a finding.

Fix: F-1121r2_fix

Change the mode of the /etc/securetty file to 0640. Example: # chmod 0640 /etc/securetty

Generate Mitigation Statement:

Checks: C-36431r1_chk

Check for the existence of the cron.allow and cron.deny files. # ls -lL /var/adm/cron/cron.allow # ls -lL /var/adm/cron/cron.deny If neither file exists, this is a finding.

Fix: F-31770r1_fix

Create /var/adm/cron/cron.allow and/or /var/adm/cron/cron.deny with appropriate local content.

Generate Mitigation Statement:

Checks: C-36432r1_chk

Check mode of the cron.allow file. Procedure: # ls -lL /var/adm/cron/cron.allow If the file has a mode more permissive than 0600, this is a finding.

Fix: F-31771r1_fix

Change the mode of the cron.allow file to 0600. Procedure: # chmod 0600 /var/adm/cron/cron.allow

Generate Mitigation Statement:

Checks: C-36434r1_chk

List all cronjobs on the system. Procedure: # ls -lL /var/spool/cron/crontabs If cron jobs exist under any of the above directories, search for programs executed by cron. Procedure: # more &lt;cron job file&gt; Determine if the file is group-writable or world-writable. Procedure: # ls -lLa &lt;cron program file&gt; If cron executes group-writable or world-writable files, this is a finding.

Fix: F-31773r1_fix

Remove the world-writable and group-writable permissions from the cron program file(s) identified. # chmod go-w <cron program file>

Generate Mitigation Statement:

Checks: C-36433r1_chk

List all cronjobs on the system. Procedure: # ls -lL /var/spool/cron/crontabs If cron jobs exist under any of the above directories, search for programs executed by cron: Procedure: # more &lt;cron job file&gt; Determine if the directory containing programs executed from cron is world-writable. Procedure: # ls -lLd &lt;cron program directory&gt; If cron executes programs in world-writable directories, this is a finding.

Fix: F-31772r1_fix

Remove the world-writable permission from the cron program directories identified. Procedure: # chmod o-w <cron program directory>

Generate Mitigation Statement:

Checks: C-36451r1_chk

Check the mode of the crontab files. # ls -lL /var/spool/cron/crontabs If any crontab file has a mode more permissive than 0600, this is a finding.

Fix: F-31790r1_fix

Change the mode of the crontab files. # chmod 0600 /var/spool/cron/crontabs/*

Generate Mitigation Statement:

Checks: C-36452r1_chk

Check the mode of the crontab directory. # ls -lLd /var/spool/cron/crontabs If the mode of the crontab directory is more permissive than 0755, this is a finding.

Fix: F-1133r2_fix

Change the mode of crontab directories to 0755.

Generate Mitigation Statement:

Checks: C-36453r1_chk

Check the owner of the crontab directory. # ls -ld /var/spool/cron/crontabs If the owner of the crontab directory is not root or bin, this is a finding.

Fix: F-31792r1_fix

Change the mode of the crontab directory. # chown root /var/spool/cron/crontabs

Generate Mitigation Statement:

Checks: C-36454r1_chk

Check the group owner of the crontab directories. # ls -lLd /var/spool/cron/crontabs If the directory is not group-owned by root, sys, bin or other, this is a finding.

Fix: F-31793r1_fix

Change the group owner of the crontab directories to root, sys, bin or other. # chown root /var/spool/cron/crontabs

Generate Mitigation Statement:

Checks: C-36455r1_chk

# ls -lL /var/adm/cron/log If this file does not exist, or has a timestamp older than the last cron job, this is a finding.

Fix: F-31794r1_fix

Enable cron/logging on the system via: # /sbin/init.d/cron stop # mv <current cron log> <to a new location and new name> # /sbin/init.d/cron start # more /var/adm/cron/log Cron automatically handles its own logging function and (at least) the Start Time should be visible at the beginning of the new log file /var/adm/cron/log.

Generate Mitigation Statement:

Checks: C-36456r1_chk

Check the mode of the cron log file. # ls -lL /var/adm/cron/log If the mode is more permissive than 0600, this is a finding.

Fix: F-31795r1_fix

Change the mode of the cron log file. # chmod 0600 /var/adm/cron/log

Generate Mitigation Statement:

Checks: C-36457r1_chk

Check for the existence of at.allow and at.deny files. # ls -lL /var/adm/cron/at.allow # ls -lL /var/adm/cron/at.deny If neither file exists, this is a finding.

Fix: F-31796r1_fix

Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the at facility supported by the cron daemon.

Generate Mitigation Statement:

Checks: C-36458r1_chk

# more /var/adm/cron/at.deny If the at.deny file exists and is empty, this is a finding.

Fix: F-31797r1_fix

Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.

Generate Mitigation Statement:

Checks: C-36459r1_chk

# more /var/adm/cron/at.allow If default accounts (such as bin, sys, adm, and others) are listed in the at.allow file, this is a finding.

Fix: F-31799r1_fix

Remove the default accounts (such as bin, sys, adm, and others) from the at.allow file.

Generate Mitigation Statement:

Checks: C-36460r1_chk

Check the mode of the at.allow file. # ls -lL /var/adm/cron/at.allow If the at.allow file has a mode more permissive than 0600, this is a finding.

Fix: F-31800r1_fix

Change the mode of the at.allow file. # chmod 0600 /var/adm/cron/at.allow

Generate Mitigation Statement:

Checks: C-36461r1_chk

List the at jobs on the system. Procedure: # ls -lLa /var/spool/cron/atjobs For each at job file, determine which programs are executed. # more &lt;at job file&gt; Check each program executed by at for group- or world-writable permissions. # ls -lLa &lt;at program file&gt; If at executes programs that are group- or world-writable, this is a finding.

Fix: F-31801r1_fix

Remove group-write and world-write permissions from files executed by at jobs. # chmod go-w <file>

Generate Mitigation Statement:

Checks: C-36462r1_chk

List any at jobs on the system. # ls -lLa /var/spool/cron/atjobs For each at job, determine which programs are executed by at. # more &lt;at job file&gt; Check the directory containing each program executed by at for world-writable permissions. # ls -lL &lt;at program file directory&gt; If at executes programs in world-writable directories, this is a finding.

Fix: F-31802r1_fix

Remove the world-writable permission from directories containing programs executed by at. # chmod o-w <at program directory>

Generate Mitigation Statement:

Checks: C-36612r1_chk

Check the mode of the SNMP daemon configuration file. # ls -lL /etc/SnmpAgent.d/snmpd.conf If the /etc/SnmpAgent.d/snmpd.conf file has a mode more permissive than 0600, this is a finding.

Fix: F-31978r1_fix

Change the mode of the SNMP daemon configuration file to 0600. # chmod 0600 /etc/SnmpAgent.d/snmpd.conf

Generate Mitigation Statement:

Checks: C-36613r1_chk

Check the modes for all MIB files on the system. # find / -type f -name *.mib -exec ls -lL {} \; If any file is returned without a mode 0640 or less permissive, this is a finding.

Fix: F-31979r1_fix

Change the mode of MIB files to 0640. # chmod 0640 <mib file>

Generate Mitigation Statement:

Checks: C-36722r2_chk

Check the domain name for NIS maps. Procedure: # domainname If the name returned is simple to guess, such as the organization name, building, or room name, etc., this is a finding.

Fix: F-32085r1_fix

Disable the INN server.

Generate Mitigation Statement:

Checks: C-36693r3_chk

Determine if the CIFS (HP SAMBA) bundle is installed (SWAT is included). # swlist -l bundle | egrep -i "CIFS-CLIENT|CIFS-SERVER" If the HP bundle is not installed, this is not applicable. If the HP bundle is installed, ask the SA if the Samba Web Administration Tool (SWAT) has been configured to use SSL. If SWAT is not configured to use SSL, this is a finding.

Fix: F-32068r2_fix

Disable SWAT. # chmod 0000 <path>/swat OR # rm -i <path>/swat

Generate Mitigation Statement:

Checks: C-36694r1_chk