UNIX SRG

Checks: C-27961r1_chk

Check if the system requires a password when booted into single user mode. If it does not, this is a finding.

Fix: F-24306r1_fix

Configure the system to require a password upon booting into single user mode.

Generate Mitigation Statement:

Checks: C-27975r1_chk

Use the last command to check for multiple accesses to an account from different workstations/IP addresses. If users log directly onto accounts, rather than using the su command from their own named account to access them, this is a finding (such as logging directly on to Oracle). Also, ask the SA or the IAO if shared accounts are logged into directly or if users log on to an individual account and switch user to the shared account.

Fix: F-24339r1_fix

Use the switch user (su) command from a named account login to access shared accounts. Maintain audit trails that identify the actual user of the account name. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user (su) to the shared account.

Generate Mitigation Statement:

Checks: C-27976r1_chk

Obtain a list of system accounts and check the list for any duplicate user names. If duplicates user names are found, this is a finding.

Fix: F-24342r1_fix

Change user account names, or delete accounts, so each account has a unique name.

Generate Mitigation Statement:

Checks: C-27981r1_chk

List any duplicate UIDs in /etc/passwd: # cut -d':' -f3 /etc/passwd | uniq -d This will show one copy of each duplicate UID.

Fix: F-24344r1_fix

Edit user accounts to provide unique UIDs for each account.

Generate Mitigation Statement:

Checks: C-28845r1_chk

Access the system console and make a logon attempt. Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. " OR "I've read & consent to terms in IS user agreem't."

Fix: F-25866r1_fix

Configure the system to display one of the DoD login banners (based on the character limitations imposed by the system) prior to any local login attempt. DoD Login Banners: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't.

Generate Mitigation Statement:

Checks: C-27998r1_chk

Attempt to log on with a valid user id and incorrect password three times. If the system does not lock the account, requiring an SA to unlock it, this is a finding.

Fix: F-24355r1_fix

Configure the system to lock accounts after three unsuccessful login attempts.

Generate Mitigation Statement:

Checks: C-28005r1_chk

Attempt to log on to the system with an invalid user account name and an incorrect password. If the system does not pause for at least 4 seconds before displaying another logon prompt, this is a finding.

Fix: F-24359r1_fix

Configure the system to delay at least 4 seconds between login prompts following a failed login attempt.

Generate Mitigation Statement:

Checks: C-229r2_chk

If there is an application running on the system continuously in use (such as a network monitoring application), ask the SA what the name of the application is. Execute the following to determine which user owns the process(es) associated with the application. If the owner is root, this is a finding. # ps -ef | more

Fix: F-923r2_fix

Configure the system so the owner of a session requiring a continuous screen display, such as a network management display, is not root. Ensure the display is also located in a secure, controlled access area. Document and justify this requirement. Ensure the terminal and keyboard for the display (or workstation) are secure from all but authorized personnel by maintaining them in a secure area, in a locked cabinet where a swipe card, or other positive forms of identification, must be used to gain entry.

Generate Mitigation Statement:

Checks: C-28053r1_chk

Check the system for duplicate UID 0 assignments by listing all accounts assigned UID 0. Procedure: # grep ":0:" /etc/passwd | awk -F":" '{print$1":"$3":"}' | grep ":0:" If any accounts other than root are assigned UID 0, this is a finding.

Fix: F-24403r1_fix

Remove or change the UID of accounts other than root that have UID 0.

Generate Mitigation Statement:

Checks: C-28063r1_chk

Check the mode of the root home directory. Procedure: # grep "^root" /etc/passwd | awk -F":" '{print $6}' # ls -ld <root home directory> If the mode of the directory is not equal to 0700, this is a finding. If the home directory is /, this is not applicable.

Fix: F-929r2_fix

The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory. # chmod 0700 /rootdir.

Generate Mitigation Statement:

Checks: C-236r2_chk

To view the root user's PATH, log in as the root user, and execute the following. # env | grep PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is a finding. If an entry starts with a character other than a slash (/), this is a finding. If directories beyond those in the vendor's default root path are present, this is a finding.

Fix: F-930r2_fix

Edit the root user's local initialization files. Change any found PATH variable settings to the vendor's default path for the root user. Remove any empty path entries or references to relative paths.

Generate Mitigation Statement:

Checks: C-28064r1_chk

Check for world-writable permissions on all directories in the root user's executable search path. Procedure: # ls -ld `echo $PATH | sed "s/:/ /g"` If any of the directories in the PATH variable are world-writable, this is a finding.

Fix: F-24415r1_fix

For each world-writable path in root's executable search path, perform one of the following. 1. Remove the world-writable permission on the directory. Procedure: # chmod o-w <path> 2. Remove the world-writable directory from the executable search path. Procedure: Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.

Generate Mitigation Statement:

Checks: C-28065r1_chk

Verify the system only allows root account logins from the system console.

Fix: F-24416r1_fix

Configure the system to only allow root logins from the system console.

Generate Mitigation Statement:

Checks: C-280r2_chk

# more /etc/passwd Confirm all accounts with a GID of 99 and below (499 and below for Linux) are used by a system account. If a GID reserved for system accounts, 0 - 99 (0 - 499 for Linux), is used by a non-system account, this is a finding.

Fix: F-934r2_fix

Change the primary group GID numbers for non-system accounts with reserved primary group GIDs (those less or equal to 99 in general, or 499 for Linux).

Generate Mitigation Statement:

Checks: C-285r2_chk

A few applications providing host-based network intrusion protection are: - Dragon Squire by Enterasys Networks, - ITA by Symantec, - Hostsentry by Psionic Software, - Logcheck by Psionic Software, - RealSecure agent by ISS, and - Swatch by Stanford University. Ask the SA or IAO if a host-based intrusion detection application is loaded on the system. Determine if the application is loaded on the system. Procedure: # find / -name &lt;daemon name&gt; -print Determine if the application is active on the system. Procedure: # ps -ef | grep &lt;daemon name&gt; If no host-based intrusion detection system is installed on the system, this is a finding.

Fix: F-936r3_fix

Install a host-based intrusion detection tool.

Generate Mitigation Statement:

Checks: C-289r2_chk

Check system directories for uneven file permissions. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin Uneven file permissions exist if the file owner has less permissions than the group or other user classes. If any of the files in the above listed directories contain uneven file permissions, this is a finding.

Fix: F-24427r1_fix

Change the mode of files with uneven permissions so owners do not have less permission than group or world users.

Generate Mitigation Statement:

Checks: C-290r2_chk

Check the system for files with no assigned owner. Procedure: # find / -nouser -print If any files have no assigned owner, this is a finding.

Fix: F-939r2_fix

All directories and files (executable and data) will have an identifiable owner and group name. Either trace files to an authorized user, change the file's owner to root, or delete them. Determine the legitimate owner of the files and use the chown command to set the owner and group to the correct value. If the legitimate owner cannot be determined, change the owner to root (but make sure none of the changed files remain executable because they could be Trojan horses or other malicious code). Examine the files to determine their origin and the reason for their lack of an owner/group.

Generate Mitigation Statement:

Checks: C-291r2_chk

Check the mode of network services daemon files. If any have modes more permissive than 0755, this is a finding.

Fix: F-940r2_fix

Change the mode of the network services daemon. # chmod 0755 <path>

Generate Mitigation Statement:

Checks: C-293r2_chk

Check skeleton files permissions. # ls -alL /etc/skel If a skeleton file has a mode more permissive than 0644, this is a finding.

Fix: F-942r2_fix

Change the mode of skeleton files with incorrect mode. # chmod 0644 <skeleton file>

Generate Mitigation Statement:

Checks: C-294r2_chk

Check the ownership of NIS/NIS+/yp files. Consult vendor documentation to determine the location of these files on the system. Procedure (example): # ls -lL /path/to/file If such a file is not owned by root, sys, bin, or system, this is a finding.

Fix: F-943r2_fix

Change the ownership of NIS/NIS+/yp files to root, sys, bin, or system. Consult vendor documentation to determine the location of the files. Procedure (example): # chown root <filename>

Generate Mitigation Statement:

Checks: C-8012r2_chk

Check the group ownership of the NIS/NIS+/yp files. Procedure: # ls -lL &lt;NIS file&gt; If any such file is not group-owned by root, sys, bin, other, or system, this is a finding.

Fix: F-944r2_fix

Change the group owner of the NIS files to root, sys, bin, other, or system. Procedure: # chgrp root <filename>

Generate Mitigation Statement:

Checks: C-8013r2_chk

Check the mode of the NIS/NIS+/yp files. Consult vendor documentation to determine the location of these files. Procedure (example): # ls -lL /path/to/file If any such file has a mode more permissive than 0755, this is a finding.

Fix: F-945r2_fix

Change the mode of NIS/NIS+/yp files to 0755 or less permissive. Procedure (example): # chmod 0755 <filename>

Generate Mitigation Statement:

Checks: C-296r2_chk

Check the mode of library files. Procedure: # ls -lLR /usr/lib /lib If any of the library files have a mode more permissive than 0755, this is a finding.

Fix: F-947r2_fix

Change the mode of library files to 0755 or less permissive. Procedure (example): # chmod 0755 /path/to/library-file NOTE: Library files should have an extension of .a or .so, possibly followed by a version number.

Generate Mitigation Statement:

Checks: C-298r2_chk

Check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any file listed has a mode more permissive than 0755, this is a finding. NOTE: Elevate to Severity Code I if any file listed is world-writable.

Fix: F-948r2_fix

Change the mode for system command files to 0755 or less permissive. Procedure: # chmod 0755 <filename>

Generate Mitigation Statement:

Checks: C-8014r2_chk

Check the ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding.

Fix: F-949r2_fix

Change the owner of system files, programs, and directories to a system account. Procedure: # chown root /some/system/file (A different system user may be used in place of root.)

Generate Mitigation Statement:

Checks: C-8015r2_chk

Check the group ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any system file, program, or directory is not group-owned by a system group, this is a finding.

Fix: F-950r2_fix

Change the group owner of system files to a system group. Procedure: # chgrp root /path/to/system/file (System groups other than root may be used.)

Generate Mitigation Statement:

Checks: C-301r2_chk

Check the ownership of the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file is not owned by root, this is a finding.

Fix: F-951r2_fix

Change the ownership of the /etc/shadow (or equivalent) file. # chown root <file>

Generate Mitigation Statement:

Checks: C-8016r2_chk

Check the mode of the /etc/passwd file. Procedure: # ls -lL /etc/passwd If /etc/passwd has a mode more permissive than 0644, this is a finding.

Fix: F-952r2_fix

Change the mode of the passwd file to 0644. Procedure: # chmod 0644 /etc/passwd Document all changes.

Generate Mitigation Statement:

Checks: C-303r2_chk

Check the mode of the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file has a mode more permissive than 0400, this is a finding.

Fix: F-954r2_fix

Change the mode of the /etc/shadow (or equivalent) file. # chmod <mode> <file>

Generate Mitigation Statement:

Checks: C-527r2_chk

Files with the setuid bit set will allow anyone running these files to be temporarily assigned the user or group ID of the file. If an executable with setuid allows shell escapes, the user can operate on the system with the effective permission rights of the user or group owner. List all setuid files on the system. Procedure: # find / -perm -4000 -exec ls -l {} \; | more NOTE: Executing these commands may result in large listings of files; the output may be redirected to a file for easier analysis. Ask the SA or IAO if files with the setuid bit set have been documented. If any undocumented file has its setuid bit set, this is a finding.

Fix: F-955r2_fix

Document the files with the setuid bit set or unset the setuid bit on the executable.

Generate Mitigation Statement:

Checks: C-8026r2_chk

Locate all setgid files on the system. Procedure: # find / -perm -2000 If the ownership, permissions, location, and ACLs of all files with the setgid bit set are not documented, this is a finding.

Fix: F-956r2_fix

All files with the setgid bit set will be documented in the system baseline and authorized by the Information Systems Security Officer. Locate all setgid files with the following command. find / -perm -2000 -exec ls -lLd {} \; Ensure setgid files are part of the operating system software, documented application software, documented utility software, or documented locally developed software. Ensure none are text files or shell programs.

Generate Mitigation Statement:

Checks: C-528r2_chk

Determine if a weekly automated or manual process is used to generate a list of setuid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-957r2_fix

Establish a weekly automated or manual process to generate a list of setuid files on the system and compare it with the prior list. To create a list of setuid files use the following command. # find / -perm -4000 > setuid-file-list

Generate Mitigation Statement:

Checks: C-8027r2_chk

Determine if a weekly automated or manual process is used to generate a list of setgid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-958r2_fix

Establish a weekly automated or manual process to generate a list of setgid files on the system and compare it with the prior list. To create a list of setgid files use the following command. # find / -perm -2000 > setgid-file-list

Generate Mitigation Statement:

Checks: C-529r2_chk

Check /etc/fstab and verify the "nosuid" mount option is used on file systems mounted from removable media, network shares, or any other file system that does not contain approved setuid or setgid files.

Fix: F-959r2_fix

Edit /etc/fstab and add the "nosuid" mount option to all file systems mounted from removable media or network shares, and any file system that does not contain approved setuid or setgid files.

Generate Mitigation Statement:

Checks: C-8028r2_chk

Check the ownership of all public directories. Procedure: # find / -type d -perm -1002 -exec ls -ld {} \; If any public directory is not owned by root or an application user, this is a finding.

Fix: F-961r2_fix

Change the owner of public directories to root or an application account. Procedure: # chown root /tmp (Replace root with an application user and/or /tmp with another public directory as necessary.)

Generate Mitigation Statement:

Checks: C-550r2_chk

Check global initialization files for the configured umask value. Procedure: # grep umask /etc/* Check local initialization files for the configured umask value. Procedure: # grep umask /userhomedirectory/.* If the system and user default umask is not 077, this is a finding. NOTE: If the default umask is 000 or allows for the creation of world-writable files, this becomes a Severity Code I (CAT I) finding.

Fix: F-962r2_fix

Edit local and global initialization files that contain "umask" and change them to use 077 instead of the current value.

Generate Mitigation Statement:

Checks: C-553r2_chk

Determine if auditing is enabled. If auditing is not enabled, this is a finding.

Fix: F-965r2_fix

Configure the system to implement auditing.

Generate Mitigation Statement:

Checks: C-554r2_chk

Check the ownership of the audit log file(s). # ls -l &lt;audit log file&gt; If any audit log file is not owned by root, this is a finding.

Fix: F-966r2_fix

Change the ownership of the audit log file(s). Procedure: # chown root <audit log file>

Generate Mitigation Statement:

Checks: C-555r2_chk

Check the mode of the audit log file(s). # ls -l &lt;audit log file&gt; If any audit log file has a mode more permissive than 0640, this is a finding.

Fix: F-967r2_fix

Change the mode of the audit log directories/files. # chmod 0750 <audit directory> # chmod 0640 <audit file>

Generate Mitigation Statement:

Checks: C-556r2_chk

Check the audit configuration to determine if failed attempts to access files and programs are audited. If they are not, this is a finding.

Fix: F-968r2_fix

Configure the system to audit failed attempts to access files and programs.

Generate Mitigation Statement:

Checks: C-557r2_chk

Check the system audit configuration. If the system is not configured to audit file and program deletion, this is a finding.

Fix: F-969r2_fix

Configure the system to audit file and program deletion.

Generate Mitigation Statement:

Checks: C-558r2_chk

Check the system configuration to determine if all administrative, privileged, and security actions are audited. If any of these categories of events is not audited, this is a finding.

Fix: F-970r2_fix

Configure the system to audit all administrative, privileged, and security actions.

Generate Mitigation Statement:

Checks: C-561r2_chk

Verify the system is configured to audit login, logout, and session initiation. If the system does not audit any of these events, this is a finding.

Fix: F-973r2_fix

Configure the system to audit login, logout, and session initiation.

Generate Mitigation Statement:

Checks: C-28433r1_chk

Verify the system is configured to audit all discretionary access control permission modifications. If the system does not audit any of these events, this is a finding.

Fix: F-24550r1_fix

Configure the system to audit all discretionary access control permission modifications.

Generate Mitigation Statement:

Checks: C-567r2_chk

Check the ownership of inetd.conf file. Procedure: # ls -lL /etc/inetd.conf This is a finding if any of the above files or directories are not owned by root or bin.

Fix: F-975r2_fix

Change the ownership of the inetd.conf file to root or bin. Procedure: # chown root /etc/inetd.conf

Generate Mitigation Statement:

Checks: C-8029r2_chk

Check the mode of inetd.conf file. # ls -lL /etc/inetd.conf If the mode of the file(s) is more permissive than 0440, this is a finding.

Fix: F-976r2_fix

Change the mode of the inetd.conf file. # chmod 0440 /etc/inetd.conf

Generate Mitigation Statement:

Checks: C-28612r1_chk

Check the ownership of the services file. Procedure: # ls -lL /etc/services If the services file is not owned by root or bin, this is a finding.

Fix: F-977r2_fix

Change the ownership of the services file to root or bin. Procedure: # chown root /etc/services

Generate Mitigation Statement:

Checks: C-8030r2_chk

Check the mode of the services file. Procedure: # ls -lL /etc/services If the services file has a mode more permissive than 0444, this is a finding.

Fix: F-978r2_fix

Change the mode of the services file to 0444 or less permissive. Procedure: # chmod 0444 /etc/services

Generate Mitigation Statement:

Checks: C-611r2_chk

Look for the presence of a print service configuration file. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print # find /etc -name printers.conf If none of the files are found, this check is not applicable. Otherwise, examine the configuration file. Procedure: # more &lt;print service file&gt; Check for entries that contain a "+" or "_" character. If any are found, this is a finding.

Fix: F-981r2_fix

Remove the "+" entries from the hosts.lpd (or equivalent) file.

Generate Mitigation Statement:

Checks: C-612r2_chk

Locate any print service configuration file on the system. Consult vendor documentation to verify the names and locations of print service configuration files on the system. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print If no print service configuration file is found, this is not applicable. Check the ownership of the print service configuration file(s). Procedure: # ls -lL &lt;print service file&gt; If the owner of the file is not root, sys, bin, or lp, this is a finding.

Fix: F-982r2_fix

Change the owner of the /etc/hosts.lpd file (or equivalent, such as /etc/lp/Systems) to root, lp, or another privileged UID. Consult vendor documentation to determine the name and location of print service configuration files. Procedure: # chown root /etc/hosts.lpd

Generate Mitigation Statement:

Checks: C-8031r2_chk

Locate any print service configuration file on the system. Consult vendor documentation for the name and location of print service configuration files. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print If no print service configuration file is found, this is not applicable. Check the mode of the print service configuration file. Procedure: # ls -lL &lt;print service file&gt; If the mode of the print service configuration file is more permissive than 0644, this is a finding.

Fix: F-983r2_fix

Change the mode of the /etc/hosts.lpd file (or equivalent, such as /etc/lp/Systems) to 0644 or less permissive. Consult vendor documentation for the name and location of print service configuration files. Procedure: # chmod 0644 /etc/hosts.lpd

Generate Mitigation Statement:

Checks: C-614r2_chk

Find the aliases file on the system. Procedure: # find / -name aliases -depth -print Check the ownership of the alias file. Procedure: # ls -lL &lt;alias location&gt; If the file is not owned by root, this is a finding.

Fix: F-985r2_fix

Change the owner of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to root. Procedure: # chown root /etc/mail/aliases

Generate Mitigation Statement:

Checks: C-8032r2_chk

Find the aliases file on the system. Procedure: # find / -name aliases -depth -print Check the mode of the alias file. Procedure: # ls -lL &lt;alias location&gt; If the alias file has a mode more permissive than 0644, this is a finding.

Fix: F-986r2_fix

Change the mode of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to 0644. Procedure: # chmod 0644 /etc/aliases

Generate Mitigation Statement:

Checks: C-8033r2_chk

Find the aliases file on the system. Procedure: # find / -name aliases -depth -print Examine the aliases file for any directories or paths that may be utilized. Procedure: # more &lt;aliases file location&gt; Check the permissions for any paths referenced. Procedure: # ls -lL &lt;path&gt; If any file referenced from the aliases file has a mode more permissive than 0755, this is a finding.

Fix: F-988r2_fix

Use the chmod command to change the access permissions for files executed from the alias file. For example: # chmod 0755 < filename >

Generate Mitigation Statement:

Checks: C-617r2_chk

Check the syslog configuration file for mail.crit logging configuration. Procedure: # more /etc/syslog.conf Verify a line similar to one of the following lines is present in syslog.conf is configured so that critical mail log data is logged. (Critical log data may also be captured by a remote log host in accordance with GEN005460.) mail.crit /var/adm/messages *.crit /var/log/messages If syslog is not configured to log critical Sendmail messages, this is a finding.

Fix: F-990r2_fix

Edit the syslog.conf file and add a configuration line specifying an appropriate destination for mail.crit syslogs.

Generate Mitigation Statement:

Checks: C-8034r2_chk

Locate any mail log files by checking the syslog configuration file. Procedure: # more /etc/syslog.conf Identify any log files configured for the mail service at any severity level, or those configured for all services. Check the ownership of these log files. Procedure: # ls -lL &lt;file location&gt; If any mail log file is not owned by root, this is a finding.

Fix: F-991r2_fix

Change the ownership of the Sendmail log file. # chown root <sendmail log file>

Generate Mitigation Statement:

Checks: C-8035r2_chk

Check the mode of the SMTP service log file. Procedure: # more /etc/syslog.conf Check the configuration to determine which log files contain logs for mail.crit, mail.debug, or *.crit. Procedure: # ls -lL &lt;file location&gt; If the log file permissions are greater than 0644, this is a finding.

Fix: F-992r2_fix

Change the mode of the SMTP service log file. Procedure: # chmod 0644 <sendmail log file>

Generate Mitigation Statement:

Checks: C-707r2_chk

Check the system for an ftpusers file. If no ftpusers file appropriate for the system's FTP service exists, this is a finding.

Fix: F-994r2_fix

Create an ftpusers file appropriate for the system's FTP service.

Generate Mitigation Statement:

Checks: C-8063r2_chk

Check the contents of the ftpusers file. If the system has accounts not allowed to use FTP that are not listed in the ftpusers file, this is a finding.

Fix: F-995r2_fix

Add accounts not allowed to use FTP to the ftpusers file.

Generate Mitigation Statement:

Checks: C-708r2_chk

Check the ownership of the ftpusers file. If the ftpusers file is not owned by root, this is a finding.

Fix: F-996r2_fix

Change the owner of the ftpusers file to root.

Generate Mitigation Statement:

Checks: C-8064r2_chk

Check the permissions of the ftpusers file. If the ftpusers file has a mode more permissive than 0640, this is a finding.

Fix: F-997r2_fix

Change the mode of the ftpusers file to 0640.

Generate Mitigation Statement:

Checks: C-40599r1_chk

Determine if the FTP daemon is configured for verbose logging. If it is not, this is a finding.

Fix: F-35834r1_fix

Configure the FTP daemon to use verbose logging.

Generate Mitigation Statement:

Checks: C-711r2_chk

Attempt to log into this host with a user name of anonymous and a password of guest (also try the password of guest@mail.com). If the logon is successful, this is a finding. Procedure: # ftp localhost Name: anonymous 530 Guest login not allowed on this machine.

Fix: F-1000r2_fix

Configure the FTP service to not permit anonymous logins.

Generate Mitigation Statement:

Checks: C-715r2_chk

Check the /etc/passwd file to determine if TFTP is configured properly. Procedure: # grep tftp /etc/passwd If a TFTP user account does not exist and TFTP is active, this is a finding. Check the user shell for the TFTP user. If it is not /bin/false or equivalent, this is a finding. Check the home directory assigned to the TFTP user. If no home directory is set, or the directory specified is not dedicated to the use of the TFTP service, this is a finding.

Fix: F-1003r2_fix

Create a TFTP user account if none exists. Assign a non-login shell to the TFTP user account, such as /bin/false. Assign a home directory to the TFTP user account.

Generate Mitigation Statement:

Checks: C-718r2_chk

Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X. Procedure: # cd ~someuser # ls -la .Xauthority If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

Fix: F-1004r2_fix

Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.

Generate Mitigation Statement:

Checks: C-851r2_chk

Perform the following to determine if NIS is active on the system. # ps -ef | egrep '(ypbind|ypserv)' If NIS is found active on the system, this is a finding.

Fix: F-1021r2_fix

Disable the use of NIS. Possible replacements are NIS+ and LDAP.

Generate Mitigation Statement:

Checks: C-8017r3_chk

Check the home directory mode of each user in /etc/passwd. Procedure: # cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld | more If a user's home directory's mode is more permissive than 0750, this is a finding. NOTE: Application directories are allowed and may need 0755 permissions (or greater) for correct operation.

Fix: F-1055r2_fix

Change the mode of users' home directories to 0750 or less permissive. Procedure (example): # chmod 0750 <home directory>

Generate Mitigation Statement:

Checks: C-8018r2_chk

Check the ownership of each user's home directory listed in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; If any user's home directory is not owned by the assigned user, this is a finding.

Fix: F-1056r2_fix

Change the owner of a user's home directory to its assigned user. Procedure: # chown <user> <home directory>

Generate Mitigation Statement:

Checks: C-8019r3_chk

Check the group ownership for each user in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; If any user's home directory is not group-owned by the assigned user's primary group, this is a finding. Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.

Fix: F-1057r3_fix

Change the group owner for user's home directories to the primary group of the assigned user. Procedure: # chgrp groupname directoryname (Replace examples with appropriate group and home directory.) Document all changes.

Generate Mitigation Statement:

Checks: C-395r3_chk

Check the ownership of local initialization files. Procedure (using a shell that supports ~USER as USER's home directory): # cut -d : -f 1 /etc/passwd | xargs -n1 -IUSER sh -c "ls -l ~USER/.[a-z]*" # cut -d : -f 1 /etc/passwd | xargs -n1 -IUSER find ~USER/.dt ! -fstype nfs ! -user USER -exec ls -ld {} \; If local initialization files are not owned by the home directory's user, this is a finding.

Fix: F-1058r3_fix

Change the ownership of the startup and login files in the user's directory to the user or root, as appropriate. Examine each user's home directory and verify all file names beginning with "." are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required. Procedure: # chown username .filename Document all changes.

Generate Mitigation Statement:

Checks: C-8020r2_chk

Check the modes of local initialization files. Procedure: # ls -al /&lt;usershomedirectory&gt;/.login # ls -al /&lt;usershomedirectory&gt;/.cshrc # ls -al /&lt;usershomedirectory&gt;/.logout # ls -al /&lt;usershomedirectory&gt;/.profile # ls -al /&lt;usershomedirectory&gt;/.bash_profile # ls -al /&lt;usershomedirectory&gt;/.bashrc # ls -al /&lt;usershomedirectory&gt;/.bash_logout # ls -al /&lt;usershomedirectory&gt;/.env # ls -al /&lt;usershomedirectory&gt;/.dtprofile (permissions should be 0755) # ls -al /&lt;usershomedirectory&gt;/.dispatch # ls -al /&lt;usershomedirectory&gt;/.emacs # ls -al /&lt;usershomedirectory&gt;/.exrc # find /&lt;usershomedirectory&gt;/.dt ! -fstype nfs \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} \; (permissions not to be more permissive than 0755) If local initialization files are more permissive than 0740, the .dt directory or the .dtprofile file is more permissive than 0755, this is a finding.

Fix: F-1059r3_fix

Ensure user startup files have permissions of 0740 or more restrictive. Examine each user's home directory and verify all file names beginning with "." have access permissions of 0740 or more restrictive. If they do not, use the chmod command to correct the vulnerability. Procedure: # chmod 0740 .filename NOTE: The period is part of the file name and is required.

Generate Mitigation Statement:

Checks: C-8021r2_chk

Check the mode for all run control scripts. If any run control script has a mode more permissive than 0755, this is a finding.

Fix: F-1060r2_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d directory to ensure they are not world-writable. If they are world-writable, use the chmod command to correct the vulnerability and to research why. Procedure: # chmod 755 startupfile

Generate Mitigation Statement:

Checks: C-39526r1_chk

Verify run control scripts' library search paths. Procedure: # grep -r PATH /etc/rc* This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), this is a relative path, and this is a finding.

Fix: F-1061r2_fix

Edit the run control script and remove the relative path entry from the executable search path variable.

Generate Mitigation Statement:

Checks: C-404r2_chk

Check the system for the existence of any .netrc files. Procedure: # find / -name .netrc If any .netrc file exists, this is a finding.

Fix: F-1067r3_fix

Remove the .netrc file(s). Procedure: # rm .netrc

Generate Mitigation Statement:

Checks: C-432r2_chk

Verify /etc/shells exists. # ls -l /etc/shells If the file does not exist, this is a finding.

Fix: F-1070r2_fix

Create a /etc/shells file containing a list of valid system shells. Consult vendor documentation for an appropriate list of system shells. Procedure: # echo "/bin/bash" >> /etc/shells # echo "/bin/csh" >> /etc/shells (Repeat as necessary for other shells.)

Generate Mitigation Statement:

Checks: C-433r2_chk

Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells file. Procedure: # more /etc/passwd # more /etc/shells The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, (and equivalents), and sdshell will be considered valid shells for use in the /etc/passwd file, but will not be listed in the /etc/shells file. If a shell referenced in /etc/passwd is not listed in the shells file, excluding the above mentioned shells, this is a finding.

Fix: F-1071r2_fix

Use the chsh utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file.

Generate Mitigation Statement:

Checks: C-462r2_chk

Indications of inactive accounts are those without entries in the last log. Check the date in the last log to verify it is within the last 35 days. If an inactive account is not disabled via an entry in the password field in the /etc/passwd or /etc/shadow (or equivalent), check the /etc/passwd file to check if the account has a valid shell. If an inactive account is found that is not disabled, this is a finding.

Fix: F-1072r2_fix

All inactive accounts will have /bin/false, /usr/bin/false, or /dev/null as the default shell in the /etc/passwd file and have the password disabled. Disable the inactive accounts. Examine the inactive accounts using the last command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, then disable them by placing a shell of /bin/false or /dev/null in the shell field of the passwd file entry for that account. An alternative, and preferable method, is to disable the account using SAM, SMIT, or ADMINTOOL.

Generate Mitigation Statement:

Checks: C-8024r2_chk

Check the ownership of the system shells. # cat /etc/shells | xargs -n1 ls -lL If any shell is not owned by root or bin, this is a finding.

Fix: F-1075r2_fix

Change the ownership of the shell with incorrect ownership. # chown root <shell>

Generate Mitigation Statement:

Checks: C-465r2_chk

Find all device files existing anywhere on the system. Procedure: # find / -type b -print &gt; devicelist # find / -type c -print &gt;&gt; devicelist Check the permissions on the directories above subdirectories containing device files. If any of the device files or their parent directories is world-writable, excepting device files specifically intended to be world-writable, such as /dev/null, this is a finding.

Fix: F-1078r3_fix

Remove the world-writable permission from the device file(s). Procedure: # chmod o-w <device file> Document all changes.

Generate Mitigation Statement:

Checks: C-466r2_chk

Check the system for world-writable device files. Procedure: # find / -perm -2 -a \( -type b -o -type c \) -exec ls -ld {} \; If any device file(s) used for backup are writable by users other than root, this is a finding.

Fix: F-1079r2_fix

Use the chmod command to remove the world-writable bit from the backup device files. Procedure: # chmod o-w backdevicefilename Document all changes.

Generate Mitigation Statement:

Checks: C-852r2_chk

If the system is not using NIS+, this is not applicable. Check the system to determine if NIS+ security level 2 is implemented. Procedure: # niscat cred.org_dir If the second column does not contain DES, the system is not using NIS+ security level 2, and this is a finding.

Fix: F-25778r1_fix

Configure the NIS+ server to use security level 2.

Generate Mitigation Statement:

Checks: C-855r2_chk

Check the ownership of the NFS export configuration file. If the file is not owned by root, this is a finding.

Fix: F-1082r2_fix

Change the ownership of the NFS export configuration file to root. # chown root <NFS export file>

Generate Mitigation Statement:

Checks: C-862r2_chk

Check for NFS exported file systems. Procedure: # exportfs -v This will display all of the exported file systems. For each file system displayed, check the ownership. Procedure: # ls -lLa &lt;exported file system path&gt; If the files and directories are not owned by root, this is a finding.

Fix: F-1085r2_fix

Change the ownership of exported file systems not owned by root. Procedure: # chown root <path>

Generate Mitigation Statement:

Checks: C-863r2_chk

Check if the anon option is set correctly for exported file systems. List exported file systems. # exportfs -v Each of the exported file systems should include an entry for the 'anon=' option set to -1 or an equivalent (60001, 60002, 65534, or 65535). If an appropriate 'anon=' setting is not present for an exported file system, this is a finding.

Fix: F-1086r2_fix

Edit /etc/exports and set the anon=-1 option for exports without it. Re-export the file systems.

Generate Mitigation Statement:

Checks: C-864r2_chk

Check the permissions on exported NFS file systems. Procedure: # exportfs -v If the exported file systems do not contain the rw or ro options specifying a list of hosts or networks, this is a finding.

Fix: F-1087r2_fix

Edit /etc/exports and add ro and/or rw options (as appropriate) specifying a list of hosts or networks which are permitted access. Re-export the file systems.

Generate Mitigation Statement:

Checks: C-867r2_chk

Determine if the NFS server is exporting with the root access option. Procedure: # exportfs -v | grep "root=" If an export with the root option is found, this is a finding.

Fix: F-1089r2_fix

Edit /etc/exports and remove the root= option for all exports. Re-export the file systems.

Generate Mitigation Statement:

Checks: C-868r2_chk

Check the system for NFS mounts not using the nosuid option. Procedure: # mount -v | grep " type nfs " | grep -v nosuid If the mounted file systems do not have the nosuid option, this is a finding.

Fix: F-1090r2_fix

Edit /etc/fstab and add the "nosuid" option for all NFS file systems. Remount the NFS file systems to make the change take effect.

Generate Mitigation Statement:

Checks: C-888r2_chk

Normally, TCPD logs to the mail facility in /etc/syslog.conf. Determine if syslog is configured to log events by TCPD. Procedure: # more /etc/syslog.conf Look for entries similar to the following: mail.debug /var/adm/maillog mail.none /var/adm/maillog mail.* /var/log/mail auth.info /var/log/messages The above entries would indicate mail alerts are being logged. If no entries for mail exist, then TCPD is not logging and this is a finding.

Fix: F-1095r2_fix

Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed, so system access attempts are logged into the system log files. If an alternate application is used, it must support this function.

Generate Mitigation Statement:

Checks: C-786r2_chk

Check for the existence of the cron.allow and cron.deny files. If neither file exists, this is a finding.

Fix: F-1128r2_fix

Create a cron.allow and/or cron.deny file(s) with appropriate content in the appropriate directory for the system.

Generate Mitigation Statement:

Checks: C-787r2_chk

Check the mode of the cron.allow file. If the file has a mode more permissive than 0600, this is a finding.

Fix: F-1129r2_fix

Change the mode of the cron.allow file to 0600.

Generate Mitigation Statement:

Checks: C-788r2_chk

List all cron jobs on the system. If any cron job executes a program with group-writable or world-writable permissions, this is a finding.

Fix: F-1130r2_fix

Remove the world-writable and group-writable permissions from the cron program file(s) identified. # chmod go-w <cron program file>

Generate Mitigation Statement:

Checks: C-789r2_chk

List all cron jobs on the system. If any cron job executes a program located in a world-writable directory, this is a finding.

Fix: F-1131r2_fix

Remove the world-writable permission from the cron program directories identified. Procedure: # chmod o-w <cron program directory>

Generate Mitigation Statement:

Checks: C-790r2_chk

Check the modes of the crontab and cron job script files. If the mode is more permissive than 0600 for crontab files or 0700 for cron job script files, this is a finding.

Fix: F-1132r2_fix

Change the modes of crontab files to 0600 and cron job script files to 0700.

Generate Mitigation Statement:

Checks: C-8072r2_chk

Check the mode of crontab directories. If any have a mode more permissive than 0755, this is a finding.

Fix: F-1133r2_fix

Change the mode of crontab directories to 0755.

Generate Mitigation Statement:

Checks: C-8073r2_chk

Check the owner of the cron and crontab directories. If any cron or crontab directory is not owned by root or bin, this is a finding.

Fix: F-1134r2_fix

Change the owner of the cron and crontab directories to root or bin.

Generate Mitigation Statement:

Checks: C-8074r2_chk

Check the group owner of cron and crontab directories. If a cron or crontab directory is not group-owned by root, sys, bin, or cron, this is a finding.

Fix: F-1135r2_fix

Change the group owner of the cron and crontab directories to root, sys, bin, or cron.

Generate Mitigation Statement:

Checks: C-792r2_chk

Check the mode of the system cron log. If the mode is more permissive than 0600, this is a finding.

Fix: F-1137r2_fix

Change the mode of the system cron log to 0600.

Generate Mitigation Statement:

Checks: C-797r2_chk

Check for the existence of at.allow and at.deny files. If neither file exists, this is a finding.

Fix: F-11346r2_fix

Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.

Generate Mitigation Statement:

Checks: C-798r2_chk

Check the at.deny file. If the at.deny file exists and is empty, this is a finding.

Fix: F-1139r2_fix

Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.

Generate Mitigation Statement:

Checks: C-28539r1_chk

Check the contents of the at.allow file. If default accounts (such as bin, sys, adm, and others) are listed in the at.allow file, this is a finding.

Fix: F-1140r2_fix

Remove the default accounts (such as bin, sys, adm, and others) from the at.allow file.

Generate Mitigation Statement:

Checks: C-800r2_chk

Check the mode of the at.allow file. If the at.allow file has a mode more permissive than 0600, this is a finding.

Fix: F-1141r2_fix

Change the mode of the at.allow file to 0600.

Generate Mitigation Statement:

Checks: C-801r2_chk

List the "at" jobs on the system. Procedure: # ls -la /var/spool/cron/atjobs /var/spool/atjobs For each "at" job file, determine which programs are executed. Procedure: # more &lt;at job file&gt; Check each program executed by "at" for group- or world-writable permissions. Procedure: # ls -la &lt;at program file&gt; If "at" executes group- or world-writable programs, this is a finding.

Fix: F-1142r2_fix

Remove group-write and world-write permissions from files executed by "at" jobs. Procedure: # chmod go-w <file>

Generate Mitigation Statement:

Checks: C-802r2_chk

List any "at" jobs on the system. Procedure: # ls /var/spool/cron/atjobs /var/spool/atjobs For each "at" job, determine which programs are executed. Procedure: # more &lt;at job file&gt; Check the directory containing each program executed by "at" for world-writable permissions. Procedure: # ls -la &lt;at program file directory&gt; If "at" executes programs in world-writable directories, this is a finding.

Fix: F-1143r2_fix

Remove the world-writable permission from directories containing programs executed by "at". Procedure: # chmod o-w <at program directory>

Generate Mitigation Statement:

Checks: C-817r2_chk

Check the mode of the SNMP daemon configuration file. Locate the SNMP daemon configuration file. Consult vendor documentation to verify the name and location of the file. Procedure: # find / -name snmpd.conf Check the mode of the SNMP daemon configuration file. Procedure: # ls -lL &lt;snmpd.conf&gt; If the snmpd.conf file has a mode more permissive than 0600, this is a finding.

Fix: F-1148r2_fix

Change the mode of the SNMP daemon configuration file to 0600. Procedure: # chmod 0600 <snmpd.conf>

Generate Mitigation Statement:

Checks: C-818r2_chk

Check the modes for all Management Information Base (MIB) files on the system. Procedure: # find / -name *.mib -print # ls -lL &lt;mib file&gt; If any file is returned that does not have mode 0640 or less permissive, this is a finding.

Fix: F-1149r2_fix

Change the mode of MIB files to 0640. Procedure: # chmod 0640 <mib file>

Generate Mitigation Statement:

Checks: C-467r2_chk

Check the system for world-writable files and directories. Procedure: # find / -perm -2 -a \( -type d -o -type f \) -exec ls -ld {} \; If any world-writable files or directories are located, except those required for system operation, such as /tmp and /dev/null, this is a finding.

Fix: F-1164r2_fix

Remove or change the mode for any world-writable file or directory on the system that is not required to be world-writable. Procedure: # chmod o-w <file/directory> Document all changes.

Generate Mitigation Statement:

Checks: C-2043r2_chk

# ps -ef | egrep "innd|nntpd" If an INN server is running, this is a finding.

Fix: F-1177r2_fix

Disable the INN server.

Generate Mitigation Statement:

Checks: C-2047r3_chk

Check the system for an enabled SWAT service. # grep -i swat /etc/inetd.conf If SWAT is found enabled, it must be utilized with SSL to ensure a secure connection between the client and the server. Ask the SA to identify the method used to provide SSL protection for the SWAT service. Verify (or ask the SA to demonstrate) this configuration is effective by accessing SWAT using an HTTPS connection from a web browser. If SWAT is found enabled and has no SSL protection, this is a finding.

Fix: F-1180r3_fix

Disable SWAT (e.g., remove the "swat" line from inetd.conf or equivalent, and restart the service) or configure SSL protection for the SWAT service.

Generate Mitigation Statement:

Checks: C-28771r2_chk

Check the ownership of the smb.conf file. Procedure: # ls -lL /etc/opt/samba/smb.conf # ls -l &lt;smb.conf file&gt; If an smb.conf file is not owned by root, this is a finding.

Fix: F-1181r2_fix

Change the ownership of the smb.conf file. Procedure: # chown root smb.conf

Generate Mitigation Statement:

Checks: C-2048r2_chk

Check the mode of the smb.conf file. Procedure: # find / -name smb.conf # ls -lL &lt;smb.conf file&gt; If the smb.conf has a mode more permissive than 0644, this is a finding.

Fix: F-1182r2_fix

Change the mode of the smb.conf file to 0644 or less permissive. Procedure: # chmod 0644 smb.conf

Generate Mitigation Statement:

Checks: C-28774r1_chk

Check the ownership of the smbpasswd file. # find / -name smbpasswd # ls -l &lt;smbpasswd file&gt; If an smbpasswd file is not owned by root, this is a finding.

Fix: F-1183r2_fix

Use the chown command to configure the smbpasswd file. # chown root /etc/smbpasswd

Generate Mitigation Statement:

Checks: C-2052r2_chk

Examine the smb.conf file. # more smb.conf If the hosts option is not present to restrict access to a list of authorized hosts and networks, this is a finding.

Fix: F-1184r2_fix

Edit the smb.conf file and set the hosts option to permit only authorized hosts to access Samba.

Generate Mitigation Statement:

Checks: C-892r2_chk

Determine if the SSH daemon is configured to permit root logins. Procedure: # find / -name sshd_config -print # grep -v "^#" &lt;sshd_config path&gt; | grep -i permitrootlogin If the PermitRootLogin entry is not found or is not set to no, this is a finding.

Fix: F-24426r1_fix

Edit the configuration file and set the PermitRootLogin option to no.

Generate Mitigation Statement:

Checks: C-893r2_chk

Check the mode of audio devices. If the mode of audio devices are more permissive than 0660, this is a finding.

Fix: F-24491r1_fix

Change the mode of audio devices. # chmod o-w <audio device>

Generate Mitigation Statement:

Checks: C-28270r1_chk

Check the owner of audio devices. If the owner of an audio device is not root, this is a finding.

Fix: F-1203r2_fix

Change the owner of the audio device. # chown root <audio device>

Generate Mitigation Statement:

Checks: C-28772r1_chk

Check the group ownership of the smb.conf file. Procedure: # find / -name /etc/samba/smb.conf # ls -l &lt;smb.conf file&gt; If an smb.conf file is not group-owned by root, bin, or sys, this is a finding

Fix: F-1210r2_fix

Change the group owner of the smb.conf file. Procedure: # chgrp root smb.conf

Generate Mitigation Statement:

Checks: C-2051r2_chk

Check smbpasswd ownership. # find / -name smbpasswd # ls -lL &lt;smbpasswd file&gt; If smbpasswd is not group-owned by root, this is a finding.

Fix: F-1212r2_fix

Use the chgrp command to ensure the group owner of the smbpasswd file is root. # chgrp root /etc/smbpasswd.

Generate Mitigation Statement:

Checks: C-2053r2_chk

Check smbpasswd mode. Procedure: # find / -name smbpasswd # ls -lL &lt;smbpasswd file&gt; If smbpasswd has a mode more permissive than 0600, this is a finding.

Fix: F-1213r2_fix

Change the mode of the smbpasswd file to 0600. Procedure: # chmod 0600 smbpasswd

Generate Mitigation Statement:

Checks: C-28282r1_chk

Check the group owner of audio devices. Procedure: # ls -lL &lt;audio device file&gt; If the group owner of an audio device is not root, sys, bin, or system, this is a finding.

Fix: F-1215r2_fix

Change the group owner of the audio device. Procedure: # chgrp system <audio device>

Generate Mitigation Statement:

Checks: C-8205r2_chk

Log into a graphical desktop environment provided by the system. Allow the session to remain idle for 15 minutes. If the desktop session is not automatically locked after 15 minutes, or does not require re-authentication to resume operations, this is a finding.

Fix: F-4016r2_fix

Consult vendor documentation to determine the settings required for the system to lock graphical desktop environments. Configure the system to lock graphical desktop environments after 15 minutes of inactivity and require re-authentication to resume operations.

Generate Mitigation Statement:

Checks: C-1670r2_chk

Verify the system is configured to prohibit the reuse of passwords within five iterations.

Fix: F-4017r2_fix

Configure the system to prohibit the reuse of passwords within five iterations.

Generate Mitigation Statement:

Checks: C-8206r2_chk

Check local initialization files for any executed world-writable programs or scripts. Procedure: # more /&lt;usershomedirectory&gt;/.* # ls -al &lt;program or script&gt; If any local initialization file executes a world-writable program or script, this is a finding.

Fix: F-4020r2_fix

Remove the world-writable permission of files referenced by local initialization scripts, or remove the references to these files in the local initialization scripts.

Generate Mitigation Statement:

Checks: C-1674r2_chk

Check the ownership of system run control scripts. If any are owned by a user other than root or bin, this is a finding.

Fix: F-4022r2_fix

Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>

Generate Mitigation Statement:

Checks: C-1675r2_chk

Check the group ownership of system run control scripts. If any are group-owned by a user other than root, sys, bin, other, or the system default, this is a finding.

Fix: F-24459r1_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>

Generate Mitigation Statement:

Checks: C-28190r1_chk

Check the ownership of any files executed from system startup scripts. If any of these files are not owned by root, bin, sys, or other, this is a finding.

Fix: F-24458r1_fix

Change the ownership of the file executed from system startup scripts to root, bin, sys, or other. # chown root <executed file>

Generate Mitigation Statement:

Checks: C-2056r3_chk

On systems with a BIOS or system controller, verify a supervisor or administrator password is set. If a password is not set, this is a finding. If the BIOS or system controller supports user-level access in addition to supervisor/administrator access, determine if this access is enabled. If so, this is a finding. The exact procedure will be hardware-dependent, and the SA should be consulted to identify the specific configuration. In the event the BIOS or system controller is not accessible without adversely impacting (e.g., restarting) the system, the SA may be interviewed to determine compliance with the requirement.

Fix: F-4157r2_fix

Access the system's BIOS or system controller. Set a supervisor/administrator password if one has not been set. Disable a user-level password if one has been set.

Generate Mitigation Statement:

Checks: C-2060r2_chk

Check /etc/grub.conf permissions. # ls -lL /etc/grub.conf If /etc/grub.conf has a mode more permissive than 0600, this is a finding.

Fix: F-25796r1_fix

Change the mode of the grub.conf file to 0600. # chmod 0600 /etc/grub.conf

Generate Mitigation Statement:

Checks: C-2090r2_chk

Check the system for unnecessary user accounts. Procedure: # more /etc/passwd Some examples of unnecessary accounts include games, news, gopher, ftp, and lp. If any unnecessary accounts are found, this is a finding.

Fix: F-4180r2_fix

 Remove all unnecessary accounts, such as games, from the /etc/passwd file before connecting a system to the network. Other accounts, such as news and gopher, associated with a service not in use should also be removed.

Generate Mitigation Statement:

Checks: C-2092r2_chk

Check /etc/news/hosts.nntp permissions. # ls -lL /etc/news/hosts.nntp If /etc/news/hosts.nntp has a mode more permissive than 0600, this is a finding.

Fix: F-4184r2_fix

Change the mode of the /etc/news/hosts.nntp file to 0600. # chmod 0600 /etc/news/hosts.nntp

Generate Mitigation Statement:

Checks: C-2093r2_chk

Check /etc/news/hosts.nntp.nolimit permissions. # ls -lL /etc/news/hosts.nntp.nolimit If /etc/news/hosts.nntp.nolimit has a mode more permissive than 0600, this is a finding.

Fix: F-4185r2_fix

Change the mode of /etc/news/hosts.nntp.nolimit to 0600. # chmod 0600 /etc/news/hosts.nntp.nolimit

Generate Mitigation Statement:

Checks: C-2094r2_chk

Check /etc/news/nnrp.access permissions. # ls -lL /etc/news/nnrp.access If /etc/news/nnrp.access has a mode more permissive than 0600, this is a finding.

Fix: F-4186r2_fix

Change the mode of the /etc/news/nnrp.access file to 0600. # chmod 0600 /etc/news/nnrp.access

Generate Mitigation Statement:

Checks: C-2095r2_chk

Check /etc/news/passwd.nntp permissions. # ls -lL /etc/news/passwd.nntp If /etc/news/passwd.nntp has a mode more permissive than 0600, this is a finding.

Fix: F-4187r2_fix

Change the mode of the /etc/news/passwd.nntp file. # chmod 0600 /etc/news/passwd.nntp

Generate Mitigation Statement:

Checks: C-28776r1_chk

Check the ownership of the files in /etc/news. Procedure: # ls -al /etc/news If any files are not owned by root or news, this is a finding.

Fix: F-4188r2_fix

Change the ownership of the files in /etc/news to root or news. Procedure: # chown root /etc/news/*

Generate Mitigation Statement:

Checks: C-2101r2_chk

Check /etc/news files group ownership. Procedure: # ls -al /etc/news If /etc/news files are not group-owned by root or news, this is a finding.

Fix: F-4189r2_fix

Change the group owner of the files in /etc/news to root or news. Procedure: # chgrp root /etc/news/*

Generate Mitigation Statement:

Checks: C-8298r2_chk

Check the system for configured remote consoles. If any console port is connected to a terminal outside of a secured environment or to any aggregation device (KVM, serial concentrator), or virtualization system that does not protect the console at the level of a privileged resource in accordance with the appropriate STIGs for these devices, this is a finding.

Fix: F-4209r2_fix

Remove the configuration for remote consoles.

Generate Mitigation Statement:

Checks: C-8293r2_chk

Check if NTP running: # ps -ef | egrep "xntpd|ntpd" Check if ntpdate scheduled to run: # grep ntpdate /var/spool/cron/crontabs/* If NTP is running or ntpdate is found: # more /etc/ntp/ntp.conf Confirm the servers and peers or multicast client (as applicable) are local or an authoritative U.S. DoD source. If a non-local/non-authoritative (U.S. DoD source) time-server is used, this is a finding.

Fix: F-4212r4_fix

Use a local authoritative time server synchronizing to an authorized DoD time source. Ensure all systems in the facility feed from one or more local time servers that feed from the authoritative time server.

Generate Mitigation Statement:

Checks: C-8291r2_chk

Logging should be enabled for those types of files systems that do not turn on logging by default. Procedure: # mount JFS, VXFS, HFS, XFS, reiserfs, EXT3, and EXT4 all turn logging on by default and will not be a finding. The ZFS file system uses other mechanisms to provide for file system consistency, and will not be a finding. For other file systems types, if the root file system does not have the logging option, this is a finding. If the nolog option is set on the root file system, this is a finding.

Fix: F-4215r2_fix

Implement file system journaling for the root file system, or use a file system using other mechanisms to ensure consistency. If the root file system supports journaling, enable it. If the file system does not support journaling or another mechanism to ensure consistency, a migration to a different file system will be necessary.

Generate Mitigation Statement:

Checks: C-2132r2_chk

Check the system for a running Samba server. Procedure: # ps -ef |grep smbd If the Samba server is running, ask the SA if the Samba server is operationally required. If it is not, this is a finding.

Fix: F-4232r2_fix

If there is no functional need for Samba and the daemon is running, disable the daemon by killing the process ID as noted from the output of ps -ef |grep smbd. The utility should also be removed or not installed if there is no functional requirement.

Generate Mitigation Statement:

Checks: C-8278r2_chk

Check for any crontab entries that rotate audit logs. Procedure: # crontab -l If such a cron job is found, this is not a finding. Otherwise, query the SA. If there is a process automatically rotating audit logs, this is not a finding. If the SA manually rotates audit logs, this is still a finding, because if the SA is not there, it will not be accomplished. If the audit output is not archived daily, to tape or disk, this is a finding. This can be ascertained by looking at the audit log directory and, if more than one file is there, or if the file does not have today's date, this is a finding.

Fix: F-4268r2_fix

Configure a cron job or other automated process to rotate the audit logs on a daily basis.

Generate Mitigation Statement:

Checks: C-8221r2_chk

Check the mode of the cron.deny file. If the cron.deny file is more permissive than 0600, this is a finding.

Fix: F-11473r2_fix

Change the mode of the cron.deny file to 0600.

Generate Mitigation Statement:

Checks: C-8245r2_chk

Check the mode of the "at" directory. Procedure: # ls -ld /var/spool/cron/atjobs /var/spool/atjobs /var/spool/at If the directory mode is more permissive than 0755, this is a finding.

Fix: F-4275r2_fix

Change the mode of the "at" directory to 0755. Procedure: # chmod 0755 < at directory >

Generate Mitigation Statement:

Checks: C-8246r2_chk

Check the ownership of the "at" directory. Procedure: # ls -ld /var/spool/cron/atjobs /var/spool/atjobs /var/spool/at If the directory is not owned by root, sys, bin, daemon, or cron, this is a finding.

Fix: F-4276r2_fix

Change the owner of the "at" directory to root, bin, sys, or system. Procedure: # chown root /var/spool/at (Replace root with another system group and/or /var/spool/at with a different "at" directory as necessary.)

Generate Mitigation Statement:

Checks: C-8247r2_chk

Determine what "at" jobs exist on the system. Procedure: # ls /var/spool/cron/atjobs /var/spool/atjobs If there are no "at" jobs present, this is not applicable. Determine if any of the "at" jobs or any scripts referenced execute the umask command. Check for any umask setting more permissive than 077. # grep umask &lt;at job or referenced script&gt; If any "at" job or referenced script sets umask to a value more permissive than 077, this is a finding.

Fix: F-4277r2_fix

Edit "at" jobs or referenced scripts to remove umask commands setting umask to a value less restrictive than 077.

Generate Mitigation Statement:

Checks: C-8248r2_chk

Check the owner of the at.allow file. If the owner is not root, bin, or sys, this is a finding.

Fix: F-4278r2_fix

Change the owner of the at.allow file to root, bin, or sys.

Generate Mitigation Statement:

Checks: C-8249r2_chk

Check the ownership of the at.deny file. If the owner is not root, bin, or sys, this is a finding.

Fix: F-4279r2_fix

Change the owner of the at.deny file to root, bin, or sys.

Generate Mitigation Statement:

Checks: C-8250r2_chk

Determine traceroute command locations and ownership. Procedure: # find / -name traceroute -exec ls -lL {} \; If the traceroute command is not owned by root, this is a finding.

Fix: F-4280r2_fix

Change the owner of the traceroute command to root, bin, or sys. Example: # chown root <traceroute command>

Generate Mitigation Statement:

Checks: C-8251r2_chk

Determine traceroute command locations and group ownership. Procedure: # find / -name traceroute -exec ls -lL {} \; If the traceroute command is not group-owned by root, sys, bin, or system, this is a finding.

Fix: F-4281r2_fix

Change the group owner of the traceroute command to root, bin, sys, or system. Procedure: # chgrp root <traceroute command>

Generate Mitigation Statement:

Checks: C-8252r2_chk

Determine traceroute command locations and mode. # find / -name traceroute -exec ls -lL {} \; If the traceroute command has a mode more permissive than 0700, this is a finding.

Fix: F-4282r2_fix

Change the mode of the traceroute command. # chmod 0700 <traceroute command>

Generate Mitigation Statement:

Checks: C-8268r2_chk

Search for any .forward files on the system. # find / -name .forward -print This is considered a finding if any .forward files are found on the system.

Fix: F-4296r2_fix

Remove .forward files from the system.

Generate Mitigation Statement:

Checks: C-8270r2_chk

Consult vendor documentation for the anonymous FTP service to determine the necessary configuration for operating the service in a chroot environment. If the system is not configured to operate the anonymous FTP service in a chroot environment, this is a finding.

Fix: F-4299r2_fix

Configure the anonymous FTP service to operate in a chroot environment. Consult vendor documentation for the necessary configuration procedures.

Generate Mitigation Statement:

Checks: C-8271r2_chk

Ask the SA if this is an NMS server. If it is an NMS server, then ask what other applications run on it. If there is anything other than network management software and DBMS software used only for the storage and inquiry of NMS data, this is a finding.

Fix: F-4303r2_fix

Ensure only authorized software is loaded on a designated NMS server. Authorized software is limited to the NMS software itself, a database management system for the NMS server if necessary, and network management software.

Generate Mitigation Statement:

Checks: C-8272r2_chk