VMware ESX 3 Server

Checks: C-27961r1_chk

Check if the system requires a password when booted into single user mode. If it does not, this is a finding.

Fix: F-24306r1_fix

Configure the system to require a password upon booting into single user mode.

Checks: C-27975r1_chk

Use the last command to check for multiple accesses to an account from different workstations/IP addresses. If users log directly onto accounts, rather than using the su command from their own named account to access them, this is a finding (such as logging directly on to Oracle). Also, ask the SA or the IAO if shared accounts are logged into directly or if users log on to an individual account and switch user to the shared account.

Fix: F-24339r1_fix

Use the switch user (su) command from a named account login to access shared accounts. Maintain audit trails that identify the actual user of the account name. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user (su) to the shared account.

Checks: C-27976r1_chk

Obtain a list of system accounts and check the list for any duplicate user names. If duplicates user names are found, this is a finding.

Fix: F-24342r1_fix

Change user account names, or delete accounts, so each account has a unique name.

Checks: C-27981r1_chk

List any duplicate UIDs in /etc/passwd: # cut -d':' -f3 /etc/passwd | uniq -d This will show one copy of each duplicate UID.

Fix: F-24344r1_fix

Edit user accounts to provide unique UIDs for each account.

Checks: C-28845r1_chk

Access the system console and make a logon attempt. Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. " OR "I've read & consent to terms in IS user agreem't."

Fix: F-25866r1_fix

Configure the system to display one of the DoD login banners (based on the character limitations imposed by the system) prior to any local login attempt. DoD Login Banners: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't.

Checks: C-27998r1_chk

Attempt to log on with a valid user id and incorrect password three times. If the system does not lock the account, requiring an SA to unlock it, this is a finding.

Fix: F-24355r1_fix

Configure the system to lock accounts after three unsuccessful login attempts.

Checks: C-28005r1_chk

Attempt to log on to the system with an invalid user account name and an incorrect password. If the system does not pause for at least 4 seconds before displaying another logon prompt, this is a finding.

Fix: F-24359r1_fix

Configure the system to delay at least 4 seconds between login prompts following a failed login attempt.

Checks: C-229r2_chk

If there is an application running on the system continuously in use (such as a network monitoring application), ask the SA what the name of the application is. Execute the following to determine which user owns the process(es) associated with the application. If the owner is root, this is a finding. # ps -ef | more

Fix: F-923r2_fix

Configure the system so the owner of a session requiring a continuous screen display, such as a network management display, is not root. Ensure the display is also located in a secure, controlled access area. Document and justify this requirement. Ensure the terminal and keyboard for the display (or workstation) are secure from all but authorized personnel by maintaining them in a secure area, in a locked cabinet where a swipe card, or other positive forms of identification, must be used to gain entry.

Checks: C-28053r1_chk

Check the system for duplicate UID 0 assignments by listing all accounts assigned UID 0. Procedure: # grep ":0:" /etc/passwd | awk -F":" '{print$1":"$3":"}' | grep ":0:" If any accounts other than root are assigned UID 0, this is a finding.

Fix: F-24403r1_fix

Remove or change the UID of accounts other than root that have UID 0.

Checks: C-28063r1_chk

Check the mode of the root home directory. Procedure: # grep "^root" /etc/passwd | awk -F":" '{print $6}' # ls -ld <root home directory> If the mode of the directory is not equal to 0700, this is a finding. If the home directory is /, this is not applicable.

Fix: F-929r2_fix

The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory. # chmod 0700 /rootdir.

Checks: C-236r5_chk

To view the root user's PATH, log in as the root user, and execute the following. # env | grep PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path and this is a finding. If directories beyond those in the vendor's default root path are present, this is a finding.

Fix: F-930r2_fix

Edit the root user's local initialization files. Change any found PATH variable settings to the vendor's default path for the root user. Remove any empty path entries or references to relative paths.

Checks: C-28064r1_chk

Check for world-writable permissions on all directories in the root user's executable search path. Procedure: # ls -ld `echo $PATH | sed "s/:/ /g"` If any of the directories in the PATH variable are world-writable, this is a finding.

Fix: F-24415r1_fix

For each world-writable path in root's executable search path, perform one of the following. 1. Remove the world-writable permission on the directory. Procedure: # chmod o-w <path> 2. Remove the world-writable directory from the executable search path. Procedure: Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.

Checks: C-28065r1_chk

Verify the system only allows root account logins from the system console.

Fix: F-24416r1_fix

Configure the system to only allow root logins from the system console.

Checks: C-280r2_chk

# more /etc/passwd Confirm all accounts with a GID of 99 and below (499 and below for Linux) are used by a system account. If a GID reserved for system accounts, 0 - 99 (0 - 499 for Linux), is used by a non-system account, this is a finding.

Fix: F-934r2_fix

Change the primary group GID numbers for non-system accounts with reserved primary group GIDs (those less or equal to 99 in general, or 499 for Linux).

Checks: C-285r3_chk

Ask the SA or IAO if a host-based intrusion detection application is loaded on the system. Determine if the application is loaded on the system. Procedure: # find / -name &lt;daemon name&gt; -print Determine if the application is active on the system. Procedure: # ps -ef | grep &lt;daemon name&gt; If no host-based intrusion detection system is installed on the system, this is a finding.

Fix: F-936r3_fix

Install a host-based intrusion detection tool.

Checks: C-289r2_chk

Check system directories for uneven file permissions. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin Uneven file permissions exist if the file owner has less permissions than the group or other user classes. If any of the files in the above listed directories contain uneven file permissions, this is a finding.

Fix: F-24427r1_fix

Change the mode of files with uneven permissions so owners do not have less permission than group or world users.

Checks: C-290r2_chk

Check the system for files with no assigned owner. Procedure: # find / -nouser -print If any files have no assigned owner, this is a finding.

Fix: F-939r2_fix

All directories and files (executable and data) will have an identifiable owner and group name. Either trace files to an authorized user, change the file's owner to root, or delete them. Determine the legitimate owner of the files and use the chown command to set the owner and group to the correct value. If the legitimate owner cannot be determined, change the owner to root (but make sure none of the changed files remain executable because they could be Trojan horses or other malicious code). Examine the files to determine their origin and the reason for their lack of an owner/group.

Checks: C-291r2_chk

Check the mode of network services daemon files. If any have modes more permissive than 0755, this is a finding.

Fix: F-940r2_fix

Change the mode of the network services daemon. # chmod 0755 <path>

Checks: C-292r2_chk

Check the mode of log files. Procedure: # ls -lL /var/log /var/log/syslog /var/adm If any of the log files have modes more permissive than 0640, this is a finding.

Fix: F-941r2_fix

Change the mode of the system log file(s) to 0640 or less permissive. Procedure: # chmod 0640 /path/to/system-log-file NOTE: Do not confuse system log files with audit logs. Any subsystems that require less stringent permissions must be documented.

Checks: C-293r2_chk

Check skeleton files permissions. # ls -alL /etc/skel If a skeleton file has a mode more permissive than 0644, this is a finding.

Fix: F-942r2_fix

Change the mode of skeleton files with incorrect mode. # chmod 0644 <skeleton file>

Checks: C-294r2_chk

Check the ownership of NIS/NIS+/yp files. Consult vendor documentation to determine the location of these files on the system. Procedure (example): # ls -lL /path/to/file If such a file is not owned by root, sys, bin, or system, this is a finding.

Fix: F-943r2_fix

Change the ownership of NIS/NIS+/yp files to root, sys, bin, or system. Consult vendor documentation to determine the location of the files. Procedure (example): # chown root <filename>

Checks: C-8012r2_chk

Check the group ownership of the NIS/NIS+/yp files. Procedure: # ls -lL &lt;NIS file&gt; If any such file is not group-owned by root, sys, bin, other, or system, this is a finding.

Fix: F-944r2_fix

Change the group owner of the NIS files to root, sys, bin, other, or system. Procedure: # chgrp root <filename>

Checks: C-8013r2_chk

Check the mode of the NIS/NIS+/yp files. Consult vendor documentation to determine the location of these files. Procedure (example): # ls -lL /path/to/file If any such file has a mode more permissive than 0755, this is a finding.

Fix: F-945r2_fix

Change the mode of NIS/NIS+/yp files to 0755 or less permissive. Procedure (example): # chmod 0755 <filename>

Checks: C-296r2_chk

Check the mode of library files. Procedure: # ls -lLR /usr/lib /lib If any of the library files have a mode more permissive than 0755, this is a finding.

Fix: F-947r2_fix

Change the mode of library files to 0755 or less permissive. Procedure (example): # chmod 0755 /path/to/library-file NOTE: Library files should have an extension of .a or .so, possibly followed by a version number.

Checks: C-298r6_chk

Check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any command file is listed and has a mode more permissive than 755, this is a finding. Note: Elevate to Severity Code I if any command file listed is world-writable.

Fix: F-948r3_fix

Change the mode for system command files to 755 or less permissive. Procedure: # chmod 755 <filename>

Checks: C-8014r2_chk

Check the ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding.

Fix: F-949r2_fix

Change the owner of system files, programs, and directories to a system account. Procedure: # chown root /some/system/file (A different system user may be used in place of root.)

Checks: C-8015r2_chk

Check the group ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any system file, program, or directory is not group-owned by a system group, this is a finding.

Fix: F-950r2_fix

Change the group owner of system files to a system group. Procedure: # chgrp root /path/to/system/file (System groups other than root may be used.)

Checks: C-301r2_chk

Check the ownership of the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file is not owned by root, this is a finding.

Fix: F-951r2_fix

Change the ownership of the /etc/shadow (or equivalent) file. # chown root <file>

Checks: C-8016r2_chk

Check the mode of the /etc/passwd file. Procedure: # ls -lL /etc/passwd If /etc/passwd has a mode more permissive than 0644, this is a finding.

Fix: F-952r2_fix

Change the mode of the passwd file to 0644. Procedure: # chmod 0644 /etc/passwd Document all changes.

Checks: C-303r2_chk

Check the mode of the /etc/shadow file. # ls -lL /etc/shadow If the /etc/shadow file has a mode more permissive than 0400, this is a finding.

Fix: F-954r2_fix

Change the mode of the /etc/shadow (or equivalent) file. # chmod <mode> <file>

Checks: C-527r2_chk

Files with the setuid bit set will allow anyone running these files to be temporarily assigned the user or group ID of the file. If an executable with setuid allows shell escapes, the user can operate on the system with the effective permission rights of the user or group owner. List all setuid files on the system. Procedure: # find / -perm -4000 -exec ls -l {} \; | more NOTE: Executing these commands may result in large listings of files; the output may be redirected to a file for easier analysis. Ask the SA or IAO if files with the setuid bit set have been documented. If any undocumented file has its setuid bit set, this is a finding.

Fix: F-955r2_fix

Document the files with the setuid bit set or unset the setuid bit on the executable.

Checks: C-8026r2_chk

Locate all setgid files on the system. Procedure: # find / -perm -2000 If the ownership, permissions, location, and ACLs of all files with the setgid bit set are not documented, this is a finding.

Fix: F-956r2_fix

All files with the setgid bit set will be documented in the system baseline and authorized by the Information Systems Security Officer. Locate all setgid files with the following command. find / -perm -2000 -exec ls -lLd {} \; Ensure setgid files are part of the operating system software, documented application software, documented utility software, or documented locally developed software. Ensure none are text files or shell programs.

Checks: C-528r2_chk

Determine if a weekly automated or manual process is used to generate a list of setuid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-957r2_fix

Establish a weekly automated or manual process to generate a list of setuid files on the system and compare it with the prior list. To create a list of setuid files use the following command. # find / -perm -4000 > setuid-file-list

Checks: C-8027r2_chk

Determine if a weekly automated or manual process is used to generate a list of setgid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-958r2_fix

Establish a weekly automated or manual process to generate a list of setgid files on the system and compare it with the prior list. To create a list of setgid files use the following command. # find / -perm -2000 > setgid-file-list

Checks: C-529r2_chk

Check /etc/fstab and verify the "nosuid" mount option is used on file systems mounted from removable media, network shares, or any other file system that does not contain approved setuid or setgid files.

Fix: F-959r2_fix

Edit /etc/fstab and add the "nosuid" mount option to all file systems mounted from removable media or network shares, and any file system that does not contain approved setuid or setgid files.

Checks: C-8028r2_chk

Check the ownership of all public directories. Procedure: # find / -type d -perm -1002 -exec ls -ld {} \; If any public directory is not owned by root or an application user, this is a finding.

Fix: F-961r2_fix

Change the owner of public directories to root or an application account. Procedure: # chown root /tmp (Replace root with an application user and/or /tmp with another public directory as necessary.)

Checks: C-550r2_chk

Check global initialization files for the configured umask value. Procedure: # grep umask /etc/* Check local initialization files for the configured umask value. Procedure: # grep umask /userhomedirectory/.* If the system and user default umask is not 077, this is a finding. NOTE: If the default umask is 000 or allows for the creation of world-writable files, this becomes a Severity Code I (CAT I) finding.

Fix: F-962r2_fix

Edit local and global initialization files that contain "umask" and change them to use 077 instead of the current value.

Checks: C-553r2_chk

Determine if auditing is enabled. If auditing is not enabled, this is a finding.

Fix: F-965r2_fix

Configure the system to implement auditing.

Checks: C-554r2_chk

Check the ownership of the audit log file(s). # ls -l &lt;audit log file&gt; If any audit log file is not owned by root, this is a finding.

Fix: F-966r2_fix

Change the ownership of the audit log file(s). Procedure: # chown root <audit log file>

Checks: C-555r2_chk

Check the mode of the audit log file(s). # ls -l &lt;audit log file&gt; If any audit log file has a mode more permissive than 0640, this is a finding.

Fix: F-967r2_fix

Change the mode of the audit log directories/files. # chmod 0750 <audit directory> # chmod 0640 <audit file>

Checks: C-556r2_chk

Check the audit configuration to determine if failed attempts to access files and programs are audited. If they are not, this is a finding.

Fix: F-968r2_fix

Configure the system to audit failed attempts to access files and programs.

Checks: C-557r2_chk

Check the system audit configuration. If the system is not configured to audit file and program deletion, this is a finding.

Fix: F-969r2_fix

Configure the system to audit file and program deletion.

Checks: C-558r2_chk

Check the system configuration to determine if all administrative, privileged, and security actions are audited. If any of these categories of events is not audited, this is a finding.

Fix: F-970r2_fix

Configure the system to audit all administrative, privileged, and security actions.

Checks: C-561r2_chk

Verify the system is configured to audit login, logout, and session initiation. If the system does not audit any of these events, this is a finding.

Fix: F-973r2_fix

Configure the system to audit login, logout, and session initiation.

Checks: C-28433r1_chk

Verify the system is configured to audit all discretionary access control permission modifications. If the system does not audit any of these events, this is a finding.

Fix: F-24550r1_fix

Configure the system to audit all discretionary access control permission modifications.

Checks: C-567r2_chk

Check the ownership of inetd.conf file. Procedure: # ls -lL /etc/inetd.conf This is a finding if any of the above files or directories are not owned by root or bin.

Fix: F-975r2_fix

Change the ownership of the inetd.conf file to root or bin. Procedure: # chown root /etc/inetd.conf

Checks: C-8029r2_chk

Check the mode of inetd.conf file. # ls -lL /etc/inetd.conf If the mode of the file(s) is more permissive than 0440, this is a finding.

Fix: F-976r2_fix

Change the mode of the inetd.conf file. # chmod 0440 /etc/inetd.conf

Checks: C-28612r1_chk

Check the ownership of the services file. Procedure: # ls -lL /etc/services If the services file is not owned by root or bin, this is a finding.

Fix: F-977r2_fix

Change the ownership of the services file to root or bin. Procedure: # chown root /etc/services

Checks: C-8030r2_chk

Check the mode of the services file. Procedure: # ls -lL /etc/services If the services file has a mode more permissive than 0444, this is a finding.

Fix: F-978r2_fix

Change the mode of the services file to 0444 or less permissive. Procedure: # chmod 0444 /etc/services

Checks: C-611r2_chk

Look for the presence of a print service configuration file. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print # find /etc -name printers.conf If none of the files are found, this check is not applicable. Otherwise, examine the configuration file. Procedure: # more &lt;print service file&gt; Check for entries that contain a "+" or "_" character. If any are found, this is a finding.

Fix: F-981r2_fix

Remove the "+" entries from the hosts.lpd (or equivalent) file.

Checks: C-612r2_chk

Locate any print service configuration file on the system. Consult vendor documentation to verify the names and locations of print service configuration files on the system. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print If no print service configuration file is found, this is not applicable. Check the ownership of the print service configuration file(s). Procedure: # ls -lL &lt;print service file&gt; If the owner of the file is not root, sys, bin, or lp, this is a finding.

Fix: F-982r2_fix

Change the owner of the /etc/hosts.lpd file (or equivalent, such as /etc/lp/Systems) to root, lp, or another privileged UID. Consult vendor documentation to determine the name and location of print service configuration files. Procedure: # chown root /etc/hosts.lpd

Checks: C-8031r2_chk

Locate any print service configuration file on the system. Consult vendor documentation for the name and location of print service configuration files. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print If no print service configuration file is found, this is not applicable. Check the mode of the print service configuration file. Procedure: # ls -lL &lt;print service file&gt; If the mode of the print service configuration file is more permissive than 0644, this is a finding.

Fix: F-983r2_fix

Change the mode of the /etc/hosts.lpd file (or equivalent, such as /etc/lp/Systems) to 0644 or less permissive. Consult vendor documentation for the name and location of print service configuration files. Procedure: # chmod 0644 /etc/hosts.lpd

Checks: C-614r2_chk

Find the aliases file on the system. Procedure: # find / -name aliases -depth -print Check the ownership of the alias file. Procedure: # ls -lL &lt;alias location&gt; If the file is not owned by root, this is a finding.

Fix: F-985r2_fix

Change the owner of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to root. Procedure: # chown root /etc/mail/aliases

Checks: C-8032r2_chk

Find the aliases file on the system. Procedure: # find / -name aliases -depth -print Check the mode of the alias file. Procedure: # ls -lL &lt;alias location&gt; If the alias file has a mode more permissive than 0644, this is a finding.

Fix: F-986r2_fix

Change the mode of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to 0644. Procedure: # chmod 0644 /etc/aliases

Checks: C-8033r2_chk

Find the aliases file on the system. Procedure: # find / -name aliases -depth -print Examine the aliases file for any directories or paths that may be utilized. Procedure: # more &lt;aliases file location&gt; Check the permissions for any paths referenced. Procedure: # ls -lL &lt;path&gt; If any file referenced from the aliases file has a mode more permissive than 0755, this is a finding.

Fix: F-988r2_fix

Use the chmod command to change the access permissions for files executed from the alias file. For example: # chmod 0755 < filename >

Checks: C-617r2_chk

Check the syslog configuration file for mail.crit logging configuration. Procedure: # more /etc/syslog.conf Verify a line similar to one of the following lines is present in syslog.conf is configured so that critical mail log data is logged. (Critical log data may also be captured by a remote log host in accordance with GEN005460.) mail.crit /var/adm/messages *.crit /var/log/messages If syslog is not configured to log critical Sendmail messages, this is a finding.

Fix: F-990r2_fix

Edit the syslog.conf file and add a configuration line specifying an appropriate destination for mail.crit syslogs.

Checks: C-8034r2_chk

Locate any mail log files by checking the syslog configuration file. Procedure: # more /etc/syslog.conf Identify any log files configured for the mail service at any severity level, or those configured for all services. Check the ownership of these log files. Procedure: # ls -lL &lt;file location&gt; If any mail log file is not owned by root, this is a finding.

Fix: F-991r2_fix

Change the ownership of the Sendmail log file. # chown root <sendmail log file>

Checks: C-8035r2_chk

Check the mode of the SMTP service log file. Procedure: # more /etc/syslog.conf Check the configuration to determine which log files contain logs for mail.crit, mail.debug, or *.crit. Procedure: # ls -lL &lt;file location&gt; If the log file permissions are greater than 0644, this is a finding.

Fix: F-992r2_fix

Change the mode of the SMTP service log file. Procedure: # chmod 0644 <sendmail log file>

Checks: C-707r2_chk

Check the system for an ftpusers file. If no ftpusers file appropriate for the system's FTP service exists, this is a finding.

Fix: F-994r2_fix

Create an ftpusers file appropriate for the system's FTP service.

Checks: C-8063r2_chk

Check the contents of the ftpusers file. If the system has accounts not allowed to use FTP that are not listed in the ftpusers file, this is a finding.

Fix: F-995r2_fix

Add accounts not allowed to use FTP to the ftpusers file.

Checks: C-708r2_chk

Check the ownership of the ftpusers file. If the ftpusers file is not owned by root, this is a finding.

Fix: F-996r2_fix

Change the owner of the ftpusers file to root.

Checks: C-8064r2_chk

Check the permissions of the ftpusers file. If the ftpusers file has a mode more permissive than 0640, this is a finding.

Fix: F-997r2_fix

Change the mode of the ftpusers file to 0640.

Checks: C-711r2_chk

Attempt to log into this host with a user name of anonymous and a password of guest (also try the password of guest@mail.com). If the logon is successful, this is a finding. Procedure: # ftp localhost Name: anonymous 530 Guest login not allowed on this machine.

Fix: F-1000r2_fix

Configure the FTP service to not permit anonymous logins.

Checks: C-715r2_chk

Check the /etc/passwd file to determine if TFTP is configured properly. Procedure: # grep tftp /etc/passwd If a TFTP user account does not exist and TFTP is active, this is a finding. Check the user shell for the TFTP user. If it is not /bin/false or equivalent, this is a finding. Check the home directory assigned to the TFTP user. If no home directory is set, or the directory specified is not dedicated to the use of the TFTP service, this is a finding.

Fix: F-1003r2_fix

Create a TFTP user account if none exists. Assign a non-login shell to the TFTP user account, such as /bin/false. Assign a home directory to the TFTP user account.

Checks: C-718r2_chk

Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X. Procedure: # cd ~someuser # ls -la .Xauthority If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

Fix: F-1004r2_fix

Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.

Checks: C-851r2_chk

Perform the following to determine if NIS is active on the system. # ps -ef | egrep '(ypbind|ypserv)' If NIS is found active on the system, this is a finding.

Fix: F-1021r2_fix

Disable the use of NIS. Possible replacements are NIS+ and LDAP.

Checks: C-8017r3_chk

Check the home directory mode of each user in /etc/passwd. Procedure: # cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld | more If a user's home directory's mode is more permissive than 0750, this is a finding. NOTE: Application directories are allowed and may need 0755 permissions (or greater) for correct operation.

Fix: F-1055r2_fix

Change the mode of users' home directories to 0750 or less permissive. Procedure (example): # chmod 0750 <home directory>

Checks: C-8018r2_chk

Check the ownership of each user's home directory listed in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; If any user's home directory is not owned by the assigned user, this is a finding.

Fix: F-1056r2_fix

Change the owner of a user's home directory to its assigned user. Procedure: # chown <user> <home directory>

Checks: C-8019r3_chk

Check the group ownership for each user in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; If any user's home directory is not group-owned by the assigned user's primary group, this is a finding. Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.

Fix: F-1057r3_fix

Change the group owner for user's home directories to the primary group of the assigned user. Procedure: # chgrp groupname directoryname (Replace examples with appropriate group and home directory.) Document all changes.

Checks: C-395r4_chk

NOTE: The following commands must be run in the BASH shell. Check the ownership of local initialization files. Procedure (using a shell that supports ~USER as USER's home directory): # cut -d : -f 1 /etc/passwd | xargs -n1 -IUSER sh -c "ls -l ~USER/.[a-z]*" # cut -d : -f 1 /etc/passwd | xargs -n1 -IUSER find ~USER/.dt ! -fstype nfs ! -user USER -exec ls -ld {} \; If local initialization files are not owned by the home directory's user, this is a finding.

Fix: F-1058r3_fix

Change the ownership of the startup and login files in the user's directory to the user or root, as appropriate. Examine each user's home directory and verify all file names beginning with "." are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required. Procedure: # chown username .filename Document all changes.

Checks: C-8020r2_chk

Check the modes of local initialization files. Procedure: # ls -al /&lt;usershomedirectory&gt;/.login # ls -al /&lt;usershomedirectory&gt;/.cshrc # ls -al /&lt;usershomedirectory&gt;/.logout # ls -al /&lt;usershomedirectory&gt;/.profile # ls -al /&lt;usershomedirectory&gt;/.bash_profile # ls -al /&lt;usershomedirectory&gt;/.bashrc # ls -al /&lt;usershomedirectory&gt;/.bash_logout # ls -al /&lt;usershomedirectory&gt;/.env # ls -al /&lt;usershomedirectory&gt;/.dtprofile (permissions should be 0755) # ls -al /&lt;usershomedirectory&gt;/.dispatch # ls -al /&lt;usershomedirectory&gt;/.emacs # ls -al /&lt;usershomedirectory&gt;/.exrc # find /&lt;usershomedirectory&gt;/.dt ! -fstype nfs \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} \; (permissions not to be more permissive than 0755) If local initialization files are more permissive than 0740, the .dt directory or the .dtprofile file is more permissive than 0755, this is a finding.

Fix: F-1059r3_fix

Ensure user startup files have permissions of 0740 or more restrictive. Examine each user's home directory and verify all file names beginning with "." have access permissions of 0740 or more restrictive. If they do not, use the chmod command to correct the vulnerability. Procedure: # chmod 0740 .filename NOTE: The period is part of the file name and is required.

Checks: C-8021r2_chk

Check the mode for all run control scripts. If any run control script has a mode more permissive than 0755, this is a finding.

Fix: F-1060r2_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, and all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d directory to ensure they are not world-writable. If they are world-writable, use the chmod command to correct the vulnerability and to research why. Procedure: # chmod 755 startupfile

Checks: C-39526r2_chk

Verify run control scripts' library search paths. Procedure: # grep -r PATH /etc/rc* This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path and this is a finding.

Fix: F-1061r2_fix

Edit the run control script and remove the relative path entry from the executable search path variable.

Checks: C-404r2_chk

Check the system for the existence of any .netrc files. Procedure: # find / -name .netrc If any .netrc file exists, this is a finding.

Fix: F-1067r3_fix

Remove the .netrc file(s). Procedure: # rm .netrc

Checks: C-432r2_chk

Verify /etc/shells exists. # ls -l /etc/shells If the file does not exist, this is a finding.

Fix: F-1070r2_fix

Create a /etc/shells file containing a list of valid system shells. Consult vendor documentation for an appropriate list of system shells. Procedure: # echo "/bin/bash" >> /etc/shells # echo "/bin/csh" >> /etc/shells (Repeat as necessary for other shells.)

Checks: C-433r2_chk

Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells file. Procedure: # more /etc/passwd # more /etc/shells The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, (and equivalents), and sdshell will be considered valid shells for use in the /etc/passwd file, but will not be listed in the /etc/shells file. If a shell referenced in /etc/passwd is not listed in the shells file, excluding the above mentioned shells, this is a finding.

Fix: F-1071r2_fix

Use the chsh utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file.

Checks: C-462r2_chk

Indications of inactive accounts are those without entries in the last log. Check the date in the last log to verify it is within the last 35 days. If an inactive account is not disabled via an entry in the password field in the /etc/passwd or /etc/shadow (or equivalent), check the /etc/passwd file to check if the account has a valid shell. If an inactive account is found that is not disabled, this is a finding.

Fix: F-1072r2_fix

All inactive accounts will have /bin/false, /usr/bin/false, or /dev/null as the default shell in the /etc/passwd file and have the password disabled. Disable the inactive accounts. Examine the inactive accounts using the last command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, then disable them by placing a shell of /bin/false or /dev/null in the shell field of the passwd file entry for that account. An alternative, and preferable method, is to disable the account using SAM, SMIT, or ADMINTOOL.

Checks: C-8024r2_chk

Check the ownership of the system shells. # cat /etc/shells | xargs -n1 ls -lL If any shell is not owned by root or bin, this is a finding.

Fix: F-1075r2_fix

Change the ownership of the shell with incorrect ownership. # chown root <shell>

Checks: C-465r2_chk

Find all device files existing anywhere on the system. Procedure: # find / -type b -print &gt; devicelist # find / -type c -print &gt;&gt; devicelist Check the permissions on the directories above subdirectories containing device files. If any of the device files or their parent directories is world-writable, excepting device files specifically intended to be world-writable, such as /dev/null, this is a finding.

Fix: F-1078r3_fix

Remove the world-writable permission from the device file(s). Procedure: # chmod o-w <device file> Document all changes.

Checks: C-466r2_chk

Check the system for world-writable device files. Procedure: # find / -perm -2 -a \( -type b -o -type c \) -exec ls -ld {} \; If any device file(s) used for backup are writable by users other than root, this is a finding.

Fix: F-1079r2_fix

Use the chmod command to remove the world-writable bit from the backup device files. Procedure: # chmod o-w backdevicefilename Document all changes.

Checks: C-852r2_chk

If the system is not using NIS+, this is not applicable. Check the system to determine if NIS+ security level 2 is implemented. Procedure: # niscat cred.org_dir If the second column does not contain DES, the system is not using NIS+ security level 2, and this is a finding.

Fix: F-25778r1_fix

Configure the NIS+ server to use security level 2.

Checks: C-855r2_chk

Check the ownership of the NFS export configuration file. If the file is not owned by root, this is a finding.

Fix: F-1082r2_fix

Change the ownership of the NFS export configuration file to root. # chown root <NFS export file>

Checks: C-862r2_chk

Check for NFS exported file systems. Procedure: # exportfs -v This will display all of the exported file systems. For each file system displayed, check the ownership. Procedure: # ls -lLa &lt;exported file system path&gt; If the files and directories are not owned by root, this is a finding.

Fix: F-1085r2_fix

Change the ownership of exported file systems not owned by root. Procedure: # chown root <path>

Checks: C-863r2_chk

Check if the anon option is set correctly for exported file systems. List exported file systems. # exportfs -v Each of the exported file systems should include an entry for the 'anon=' option set to -1 or an equivalent (60001, 60002, 65534, or 65535). If an appropriate 'anon=' setting is not present for an exported file system, this is a finding.

Fix: F-1086r2_fix

Edit /etc/exports and set the anon=-1 option for exports without it. Re-export the file systems.

Checks: C-864r2_chk

Check the permissions on exported NFS file systems. Procedure: # exportfs -v If the exported file systems do not contain the rw or ro options specifying a list of hosts or networks, this is a finding.

Fix: F-1087r2_fix

Edit /etc/exports and add ro and/or rw options (as appropriate) specifying a list of hosts or networks which are permitted access. Re-export the file systems.

Checks: C-867r2_chk

Determine if the NFS server is exporting with the root access option. Procedure: # exportfs -v | grep "root=" If an export with the root option is found, this is a finding.

Fix: F-1089r2_fix

Edit /etc/exports and remove the root= option for all exports. Re-export the file systems.

Checks: C-868r2_chk

Check the system for NFS mounts not using the nosuid option. Procedure: # mount -v | grep " type nfs " | grep -v nosuid If the mounted file systems do not have the nosuid option, this is a finding.

Fix: F-1090r2_fix

Edit /etc/fstab and add the "nosuid" option for all NFS file systems. Remount the NFS file systems to make the change take effect.

Checks: C-886r2_chk

Perform the following to check for a security tool executing monthly: # crontab –l Check for the existence of a vulnerability assessment tool being scheduled and run monthly. If no entries exist in the crontab, ask the SA if a vulnerability tool is run monthly. In addition, if the tool is run monthly, ask to see any reports that may have been generated from the tool. If a tool is not run monthly then this a finding.

Fix: F-1093r2_fix

Add a monthly cronjob to run the system vulnerability tool.

Checks: C-888r2_chk

Normally, TCPD logs to the mail facility in /etc/syslog.conf. Determine if syslog is configured to log events by TCPD. Procedure: # more /etc/syslog.conf Look for entries similar to the following: mail.debug /var/adm/maillog mail.none /var/adm/maillog mail.* /var/log/mail auth.info /var/log/messages The above entries would indicate mail alerts are being logged. If no entries for mail exist, then TCPD is not logging and this is a finding.

Fix: F-1095r2_fix

Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed, so system access attempts are logged into the system log files. If an alternate application is used, it must support this function.

Checks: C-786r2_chk

Check for the existence of the cron.allow and cron.deny files. If neither file exists, this is a finding.

Fix: F-1128r2_fix

Create a cron.allow and/or cron.deny file(s) with appropriate content in the appropriate directory for the system.

Checks: C-787r2_chk

Check the mode of the cron.allow file. If the file has a mode more permissive than 0600, this is a finding.

Fix: F-1129r2_fix

Change the mode of the cron.allow file to 0600.

Checks: C-788r2_chk

List all cron jobs on the system. If any cron job executes a program with group-writable or world-writable permissions, this is a finding.

Fix: F-1130r2_fix

Remove the world-writable and group-writable permissions from the cron program file(s) identified. # chmod go-w <cron program file>

Checks: C-789r2_chk

List all cron jobs on the system. If any cron job executes a program located in a world-writable directory, this is a finding.

Fix: F-1131r2_fix

Remove the world-writable permission from the cron program directories identified. Procedure: # chmod o-w <cron program directory>

Checks: C-790r2_chk

Check the modes of the crontab and cron job script files. If the mode is more permissive than 0600 for crontab files or 0700 for cron job script files, this is a finding.

Fix: F-1132r2_fix

Change the modes of crontab files to 0600 and cron job script files to 0700.

Checks: C-8072r2_chk

Check the mode of crontab directories. If any have a mode more permissive than 0755, this is a finding.

Fix: F-1133r2_fix

Change the mode of crontab directories to 0755.

Checks: C-8073r2_chk

Check the owner of the cron and crontab directories. If any cron or crontab directory is not owned by root or bin, this is a finding.

Fix: F-1134r2_fix

Change the owner of the cron and crontab directories to root or bin.

Checks: C-8074r2_chk

Check the group owner of cron and crontab directories. If a cron or crontab directory is not group-owned by root, sys, bin, or cron, this is a finding.

Fix: F-1135r2_fix

Change the group owner of the cron and crontab directories to root, sys, bin, or cron.

Checks: C-792r2_chk

Check the mode of the system cron log. If the mode is more permissive than 0600, this is a finding.

Fix: F-1137r2_fix

Change the mode of the system cron log to 0600.

Checks: C-797r2_chk

Check for the existence of at.allow and at.deny files. If neither file exists, this is a finding.

Fix: F-11346r2_fix

Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.

Checks: C-798r2_chk

Check the at.deny file. If the at.deny file exists and is empty, this is a finding.

Fix: F-1139r2_fix

Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.

Checks: C-28539r1_chk

Check the contents of the at.allow file. If default accounts (such as bin, sys, adm, and others) are listed in the at.allow file, this is a finding.

Fix: F-1140r2_fix

Remove the default accounts (such as bin, sys, adm, and others) from the at.allow file.

Checks: C-800r2_chk

Check the mode of the at.allow file. If the at.allow file has a mode more permissive than 0600, this is a finding.

Fix: F-1141r2_fix

Change the mode of the at.allow file to 0600.

Checks: C-801r2_chk

List the "at" jobs on the system. Procedure: # ls -la /var/spool/cron/atjobs /var/spool/atjobs For each "at" job file, determine which programs are executed. Procedure: # more &lt;at job file&gt; Check each program executed by "at" for group- or world-writable permissions. Procedure: # ls -la &lt;at program file&gt; If "at" executes group- or world-writable programs, this is a finding.

Fix: F-1142r2_fix

Remove group-write and world-write permissions from files executed by "at" jobs. Procedure: # chmod go-w <file>

Checks: C-802r2_chk

List any "at" jobs on the system. Procedure: # ls /var/spool/cron/atjobs /var/spool/atjobs For each "at" job, determine which programs are executed. Procedure: # more &lt;at job file&gt; Check the directory containing each program executed by "at" for world-writable permissions. Procedure: # ls -la &lt;at program file directory&gt; If "at" executes programs in world-writable directories, this is a finding.

Fix: F-1143r2_fix

Remove the world-writable permission from directories containing programs executed by "at". Procedure: # chmod o-w <at program directory>

Checks: C-817r2_chk

Check the mode of the SNMP daemon configuration file. Locate the SNMP daemon configuration file. Consult vendor documentation to verify the name and location of the file. Procedure: # find / -name snmpd.conf Check the mode of the SNMP daemon configuration file. Procedure: # ls -lL &lt;snmpd.conf&gt; If the snmpd.conf file has a mode more permissive than 0600, this is a finding.

Fix: F-1148r2_fix

Change the mode of the SNMP daemon configuration file to 0600. Procedure: # chmod 0600 <snmpd.conf>

Checks: C-818r2_chk

Check the modes for all Management Information Base (MIB) files on the system. Procedure: # find / -name *.mib -print # ls -lL &lt;mib file&gt; If any file is returned that does not have mode 0640 or less permissive, this is a finding.

Fix: F-1149r2_fix

Change the mode of MIB files to 0640. Procedure: # chmod 0640 <mib file>

Checks: C-467r3_chk

Check the system for world-writable files and directories. Procedure: # find / -perm -2 -a \( -type d -o -type f \) -exec ls -ld {} \; If any world-writable files or directories are located, except those required for proper system or application operation, such as /tmp and /dev/null, this is a finding.

Fix: F-1164r2_fix

Remove or change the mode for any world-writable file or directory on the system that is not required to be world-writable. Procedure: # chmod o-w <file/directory> Document all changes.

Checks: C-8300r2_chk

Perform the following to check for ext3 filesystems: # more /etc/fstab If a local filesystem on a Linux platform is not using ext3, this is a finding. Note: the CD, floppy drives, proc, and, swap entries do not support ext3.

Fix: F-1169r2_fix

Use the ext3 filesystem type for Linux partitions.

Checks: C-2042r2_chk

X servers get started several ways, such as xdm, gdm or xinit. Perform: # ps –ef |grep X Output for example: /usr/X11R6/bin/X –nolisten –ctp –br vt7 –auth /var/lib/xdm/authdir/authfiles/A:0 Check the Xservers file to ensure the following options are enabled: -audit, -auth, and –s 15. Xserver files can found in: /etc/X11/xdm/Xservers /etc/opt/kde3/share/config/kdm/Xservers /etc/X11/gdm/Xservers

Fix: F-1175r2_fix

Enable the following options: -audit (at level 4), -auth and -s with 15 minutes as the timeout value.

Checks: C-8302r2_chk

X servers get started several ways, such as xdm, gdm or xinit. Perform: # ps –ef |grep X Output for example: /usr/X11R6/bin/X –nolisten –ctp –br vt7 –auth /var/lib/xdm/authdir/authfiles/A:0 The above example show xdm is controlling the Xserver. Check the Xservers file to ensure the following options are not enabled: -ac, -core, and -nolock . Xserver files can found in: /etc/X11/xdm/Xservers /etc/opt/kde3/share/config/kdm/Xservers /etc/X11/gdm/Xservers

Fix: F-1176r2_fix

Disable the following options: -ac, -core and -nolock.

Checks: C-2043r2_chk

# ps -ef | egrep "innd|nntpd" If an INN server is running, this is a finding.

Fix: F-1177r2_fix

Disable the INN server.

Checks: C-28798r1_chk

Check access configuration ownership: # ls –lL /etc/login.access /etc/security/access.conf /etc/access.conf If any of these files exist and are not owned by root, this is a finding.

Fix: F-1179r2_fix

Follow the correct configuration parameters for access configuration file. Use the chown command to configure it properly. For example: # chown root /etc/login.access /etc/security/access.conf /etc/access.conf

Checks: C-2047r3_chk

Check the system for an enabled SWAT service. # grep -i swat /etc/inetd.conf If SWAT is found enabled, it must be utilized with SSL to ensure a secure connection between the client and the server. Ask the SA to identify the method used to provide SSL protection for the SWAT service. Verify (or ask the SA to demonstrate) this configuration is effective by accessing SWAT using an HTTPS connection from a web browser. If SWAT is found enabled and has no SSL protection, this is a finding.

Fix: F-1180r3_fix

Disable SWAT (e.g., remove the "swat" line from inetd.conf or equivalent, and restart the service) or configure SSL protection for the SWAT service.

Checks: C-28771r4_chk

Check the ownership of the smb.conf file. Default locations for this file include /etc, /etc/sfw, /etc/samba, and /etc/sfw/samba. If the system has Samba installed in non-standard locations, also check the smb.conf in those locations. Procedure: # ls -lL /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf # ls -l /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf If an smb.conf file is not owned by root, this is a finding.

Fix: F-1181r4_fix

Change the ownership of the smb.conf file. Procedure: # chown root /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf

Checks: C-2048r2_chk

Check the mode of the smb.conf file. Procedure: # find / -name smb.conf # ls -lL &lt;smb.conf file&gt; If the smb.conf has a mode more permissive than 0644, this is a finding.

Fix: F-1182r2_fix

Change the mode of the smb.conf file to 0644 or less permissive. Procedure: # chmod 0644 smb.conf

Checks: C-28774r1_chk

Check the ownership of the smbpasswd file. # find / -name smbpasswd # ls -l &lt;smbpasswd file&gt; If an smbpasswd file is not owned by root, this is a finding.

Fix: F-1183r2_fix

Use the chown command to configure the smbpasswd file. # chown root /etc/smbpasswd

Checks: C-2052r4_chk

Examine the smb.conf file. Default locations for this file include /etc, /etc/sfw, /etc/samba, and /etc/sfw/samba. If the system has Samba installed in non-standard locations, also check the smb.conf in those locations. # more /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf If the hosts option is not present to restrict access to a list of authorized hosts and networks, this is a finding.

Fix: F-1184r4_fix

Edit the smb.conf file and set the hosts option to permit only authorized hosts to access Samba.

Checks: C-892r2_chk

Determine if the SSH daemon is configured to permit root logins. Procedure: # find / -name sshd_config -print # grep -v "^#" &lt;sshd_config path&gt; | grep -i permitrootlogin If the PermitRootLogin entry is not found or is not set to no, this is a finding.

Fix: F-24426r1_fix

Edit the configuration file and set the PermitRootLogin option to no.

Checks: C-893r2_chk

Check the mode of audio devices. If the mode of audio devices are more permissive than 0660, this is a finding.

Fix: F-24491r1_fix

Change the mode of audio devices. # chmod o-w <audio device>

Checks: C-28270r1_chk

Check the owner of audio devices. If the owner of an audio device is not root, this is a finding.

Fix: F-1203r2_fix

Change the owner of the audio device. # chown root <audio device>

Checks: C-28799r1_chk

Check access configuration group ownership: # ls -lL /etc/login.access /etc/security/access.conf /etc/access.conf If any of these files exist and are have a group-owner that is not a privileged user, this is a finding.

Fix: F-1208r2_fix

Use the chgrp command to ensure the group owner is root, sys, or bin. For example: # chgrp root /etc/login.access /etc/security/access.conf /etc/access.conf

Checks: C-2045r2_chk

Check access configuration mode: # ls -lL /etc/login.access /etc/security/access.conf /etc/access.conf If any of these files exist and have a mode more permissive than 0640, this is a finding.

Fix: F-1209r2_fix

Use the chmod command to set the permissions to 0640. For example: # chmod 0640 /etc/login.access /etc/security/access.conf /etc/access.conf

Checks: C-28772r1_chk

Check the group ownership of the smb.conf file. Procedure: # find / -name /etc/samba/smb.conf # ls -l &lt;smb.conf file&gt; If an smb.conf file is not group-owned by root, bin, or sys, this is a finding

Fix: F-1210r2_fix

Change the group owner of the smb.conf file. Procedure: # chgrp root smb.conf

Checks: C-2051r2_chk

Check smbpasswd ownership. # find / -name smbpasswd # ls -lL &lt;smbpasswd file&gt; If smbpasswd is not group-owned by root, this is a finding.

Fix: F-1212r2_fix

Use the chgrp command to ensure the group owner of the smbpasswd file is root. # chgrp root /etc/smbpasswd.

Checks: C-2053r2_chk

Check smbpasswd mode. Procedure: # find / -name smbpasswd # ls -lL &lt;smbpasswd file&gt; If smbpasswd has a mode more permissive than 0600, this is a finding.

Fix: F-1213r2_fix

Change the mode of the smbpasswd file to 0600. Procedure: # chmod 0600 smbpasswd

Checks: C-28282r1_chk

Check the group owner of audio devices. Procedure: # ls -lL &lt;audio device file&gt; If the group owner of an audio device is not root, sys, bin, or system, this is a finding.

Fix: F-1215r2_fix

Change the group owner of the audio device. Procedure: # chgrp system <audio device>

Checks: C-8205r2_chk

Log into a graphical desktop environment provided by the system. Allow the session to remain idle for 15 minutes. If the desktop session is not automatically locked after 15 minutes, or does not require re-authentication to resume operations, this is a finding.

Fix: F-4016r2_fix

Consult vendor documentation to determine the settings required for the system to lock graphical desktop environments. Configure the system to lock graphical desktop environments after 15 minutes of inactivity and require re-authentication to resume operations.

Checks: C-1670r2_chk

Verify the system is configured to prohibit the reuse of passwords within five iterations.

Fix: F-4017r2_fix

Configure the system to prohibit the reuse of passwords within five iterations.

Checks: C-8206r2_chk

Check local initialization files for any executed world-writable programs or scripts. Procedure: # more /&lt;usershomedirectory&gt;/.* # ls -al &lt;program or script&gt; If any local initialization file executes a world-writable program or script, this is a finding.

Fix: F-4020r2_fix

Remove the world-writable permission of files referenced by local initialization scripts, or remove the references to these files in the local initialization scripts.

Checks: C-1674r2_chk

Check the ownership of system run control scripts. If any are owned by a user other than root or bin, this is a finding.

Fix: F-4022r2_fix

Change the ownership of the run control script(s) with incorrect ownership. # chown root <run control script>

Checks: C-1675r2_chk

Check the group ownership of system run control scripts. If any are group-owned by a user other than root, sys, bin, other, or the system default, this is a finding.

Fix: F-24459r1_fix

Change the group ownership of the run control script(s) with incorrect group ownership. Procedure: # chgrp root <run control script>

Checks: C-28190r1_chk

Check the ownership of any files executed from system startup scripts. If any of these files are not owned by root, bin, sys, or other, this is a finding.

Fix: F-24458r1_fix

Change the ownership of the file executed from system startup scripts to root, bin, sys, or other. # chown root <executed file>

Checks: C-2056r3_chk

On systems with a BIOS or system controller, verify a supervisor or administrator password is set. If a password is not set, this is a finding. If the BIOS or system controller supports user-level access in addition to supervisor/administrator access, determine if this access is enabled. If so, this is a finding. The exact procedure will be hardware-dependent, and the SA should be consulted to identify the specific configuration. In the event the BIOS or system controller is not accessible without adversely impacting (e.g., restarting) the system, the SA may be interviewed to determine compliance with the requirement.

Fix: F-4157r2_fix

Access the system's BIOS or system controller. Set a supervisor/administrator password if one has not been set. Disable a user-level password if one has been set.

Checks: C-2060r3_chk

This check applies to the global zone only. Determine the type of zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the permission of the menu.lst file. On systems that have a ZFS root, the menu.lst file is typically located at /pool-name/boot/grub/menu.lst where "pool-name" is the mount point for the top-level dataset. On systems that have a UFS root, the menu.lst file is typically located at /boot/grub/menu.lst . Procedure: # ls -lL /pool-name/boot/grub/menu.lst or # ls -lL /boot/grub/menu.lst If menu.lst has a mode more permissive than 0600, this is a finding.

Fix: F-25796r2_fix

Change the mode of the menu.lst file to 0600. # chmod 0600 /pool-name/boot/grub/menu.lst or # chmod 0600 /boot/grub/menu.lst

Checks: C-2086r2_chk

To check for the rpc.ugidd daemon perform: # chkconfig –list rpc.ugidd Or # ps –ef | grep –i ugidd If the daemon is running or installed this is a finding.

Fix: F-4173r2_fix

If the rpc.ugidd daemon is installed, disable it using the chkconfig utility.

Checks: C-2090r2_chk

Check the system for unnecessary user accounts. Procedure: # more /etc/passwd Some examples of unnecessary accounts include games, news, gopher, ftp, and lp. If any unnecessary accounts are found, this is a finding.

Fix: F-4180r2_fix

 Remove all unnecessary accounts, such as games, from the /etc/passwd file before connecting a system to the network. Other accounts, such as news and gopher, associated with a service not in use should also be removed.

Checks: C-2092r2_chk

Check /etc/news/hosts.nntp permissions. # ls -lL /etc/news/hosts.nntp If /etc/news/hosts.nntp has a mode more permissive than 0600, this is a finding.

Fix: F-4184r2_fix

Change the mode of the /etc/news/hosts.nntp file to 0600. # chmod 0600 /etc/news/hosts.nntp

Checks: C-2093r2_chk

Check /etc/news/hosts.nntp.nolimit permissions. # ls -lL /etc/news/hosts.nntp.nolimit If /etc/news/hosts.nntp.nolimit has a mode more permissive than 0600, this is a finding.

Fix: F-4185r2_fix

Change the mode of /etc/news/hosts.nntp.nolimit to 0600. # chmod 0600 /etc/news/hosts.nntp.nolimit

Checks: C-2094r2_chk

Check /etc/news/nnrp.access permissions. # ls -lL /etc/news/nnrp.access If /etc/news/nnrp.access has a mode more permissive than 0600, this is a finding.

Fix: F-4186r2_fix

Change the mode of the /etc/news/nnrp.access file to 0600. # chmod 0600 /etc/news/nnrp.access

Checks: C-2095r2_chk

Check /etc/news/passwd.nntp permissions. # ls -lL /etc/news/passwd.nntp If /etc/news/passwd.nntp has a mode more permissive than 0600, this is a finding.

Fix: F-4187r2_fix

Change the mode of the /etc/news/passwd.nntp file. # chmod 0600 /etc/news/passwd.nntp

Checks: C-28776r1_chk

Check the ownership of the files in /etc/news. Procedure: # ls -al /etc/news If any files are not owned by root or news, this is a finding.

Fix: F-4188r2_fix

Change the ownership of the files in /etc/news to root or news. Procedure: # chown root /etc/news/*

Checks: C-2101r2_chk

Check /etc/news files group ownership. Procedure: # ls -al /etc/news If /etc/news files are not group-owned by root or news, this is a finding.

Fix: F-4189r2_fix

Change the group owner of the files in /etc/news to root or news. Procedure: # chgrp root /etc/news/*

Checks: C-8298r2_chk

Check the system for configured remote consoles. If any console port is connected to a terminal outside of a secured environment or to any aggregation device (KVM, serial concentrator), or virtualization system that does not protect the console at the level of a privileged resource in accordance with the appropriate STIGs for these devices, this is a finding.

Fix: F-4209r2_fix

Remove the configuration for remote consoles.

Checks: C-8293r2_chk

Check if NTP running: # ps -ef | egrep "xntpd|ntpd" Check if ntpdate scheduled to run: # grep ntpdate /var/spool/cron/crontabs/* If NTP is running or ntpdate is found: # more /etc/ntp/ntp.conf Confirm the servers and peers or multicast client (as applicable) are local or an authoritative U.S. DoD source. If a non-local/non-authoritative (U.S. DoD source) time-server is used, this is a finding.

Fix: F-4212r4_fix

Use a local authoritative time server synchronizing to an authorized DoD time source. Ensure all systems in the facility feed from one or more local time servers that feed from the authoritative time server.

Checks: C-8291r2_chk

Logging should be enabled for those types of files systems that do not turn on logging by default. Procedure: # mount JFS, VXFS, HFS, XFS, reiserfs, EXT3, and EXT4 all turn logging on by default and will not be a finding. The ZFS file system uses other mechanisms to provide for file system consistency, and will not be a finding. For other file systems types, if the root file system does not have the logging option, this is a finding. If the nolog option is set on the root file system, this is a finding.

Fix: F-4215r2_fix

Implement file system journaling for the root file system, or use a file system using other mechanisms to ensure consistency. If the root file system supports journaling, enable it. If the file system does not support journaling or another mechanism to ensure consistency, a migration to a different file system will be necessary.

Checks: C-2132r2_chk

Check the system for a running Samba server. Procedure: # ps -ef |grep smbd If the Samba server is running, ask the SA if the Samba server is operationally required. If it is not, this is a finding.

Fix: F-4232r2_fix

If there is no functional need for Samba and the daemon is running, disable the daemon by killing the process ID as noted from the output of ps -ef |grep smbd. The utility should also be removed or not installed if there is no functional requirement.

Checks: C-28800r1_chk

Check /etc/sysctl.conf permissions: # ls -lL /etc/sysctl.conf If /etc/sysctl.conf is not owned by root, this is a finding.

Fix: F-4245r2_fix

Use the chown command to change the owner of /etc/sysctl.conf to root: # chown root /etc/sysctl.conf

Checks: C-28801r1_chk

Check /etc/sysctl.conf group ownership: # ls -lL /etc/sysctl.conf If /etc/sysctl.conf is not group-owned by root, this is a finding.

Fix: F-4246r2_fix

Use the chgrp command to change the group owner of /etc/sysctl.conf to root: # chgrp root /etc/sysctl.conf

Checks: C-2141r2_chk

Check /etc/sysctl.conf permissions: # ls –lL /etc/sysctl.conf If /etc/sysctl.conf has a mode more permissive than 0600, this is a finding.

Fix: F-4247r2_fix

Use the chmod command to change the mode of the /etc/sysctl.conf file. # chmod 0600 /etc/sysctl.conf

Checks: C-2225r2_chk

Ensure the pam_console.so module is not configured in any files in /etc/pam.d by: # cd /etc/pam.d # grep pam_console.so * Or # ls -la /etc/security/console.perms If either the pam_console.so entry or the file /etc/security/console.perms is found then this is a finding.

Fix: F-4257r3_fix

Configure PAM to not grant sole access of administrative privileges to the first user logged in at the console. Identify any instances of pam_console. # cd /etc/pam.d # grep pam_console.so * For any files containing an un-commented reference to pam_console.so, edit the file and remove or comment out the reference. Remove the console.perms file if it exists: # rm /etc/security/console.perms

Checks: C-8278r2_chk

Check for any crontab entries that rotate audit logs. Procedure: # crontab -l If such a cron job is found, this is not a finding. Otherwise, query the SA. If there is a process automatically rotating audit logs, this is not a finding. If the SA manually rotates audit logs, this is still a finding, because if the SA is not there, it will not be accomplished. If the audit output is not archived daily, to tape or disk, this is a finding. This can be ascertained by looking at the audit log directory and, if more than one file is there, or if the file does not have today's date, this is a finding.

Fix: F-4268r2_fix

Configure a cron job or other automated process to rotate the audit logs on a daily basis.

Checks: C-8221r2_chk

Check the mode of the cron.deny file. If the cron.deny file is more permissive than 0600, this is a finding.

Fix: F-11473r2_fix

Change the mode of the cron.deny file to 0600.

Checks: C-8245r2_chk

Check the mode of the "at" directory. Procedure: # ls -ld /var/spool/cron/atjobs /var/spool/atjobs /var/spool/at If the directory mode is more permissive than 0755, this is a finding.

Fix: F-4275r2_fix

Change the mode of the "at" directory to 0755. Procedure: # chmod 0755 < at directory >

Checks: C-8246r2_chk

Check the ownership of the "at" directory. Procedure: # ls -ld /var/spool/cron/atjobs /var/spool/atjobs /var/spool/at If the directory is not owned by root, sys, bin, daemon, or cron, this is a finding.

Fix: F-4276r2_fix

Change the owner of the "at" directory to root, bin, sys, or system. Procedure: # chown root /var/spool/at (Replace root with another system group and/or /var/spool/at with a different "at" directory as necessary.)

Checks: C-8247r2_chk

Determine what "at" jobs exist on the system. Procedure: # ls /var/spool/cron/atjobs /var/spool/atjobs If there are no "at" jobs present, this is not applicable. Determine if any of the "at" jobs or any scripts referenced execute the umask command. Check for any umask setting more permissive than 077. # grep umask &lt;at job or referenced script&gt; If any "at" job or referenced script sets umask to a value more permissive than 077, this is a finding.

Fix: F-4277r2_fix

Edit "at" jobs or referenced scripts to remove umask commands setting umask to a value less restrictive than 077.

Checks: C-8248r2_chk

Check the owner of the at.allow file. If the owner is not root, bin, or sys, this is a finding.

Fix: F-4278r2_fix

Change the owner of the at.allow file to root, bin, or sys.

Checks: C-8249r2_chk

Check the ownership of the at.deny file. If the owner is not root, bin, or sys, this is a finding.

Fix: F-4279r2_fix

Change the owner of the at.deny file to root, bin, or sys.

Checks: C-8250r2_chk

Determine traceroute command locations and ownership. Procedure: # find / -name traceroute -exec ls -lL {} \; If the traceroute command is not owned by root, this is a finding.

Fix: F-4280r2_fix

Change the owner of the traceroute command to root, bin, or sys. Example: # chown root <traceroute command>

Checks: C-8251r2_chk

Determine traceroute command locations and group ownership. Procedure: # find / -name traceroute -exec ls -lL {} \; If the traceroute command is not group-owned by root, sys, bin, or system, this is a finding.

Fix: F-4281r2_fix

Change the group owner of the traceroute command to root, bin, sys, or system. Procedure: # chgrp root <traceroute command>

Checks: C-8252r2_chk

Determine traceroute command locations and mode. # find / -name traceroute -exec ls -lL {} \; If the traceroute command has a mode more permissive than 0700, this is a finding.

Fix: F-4282r2_fix

Change the mode of the traceroute command. # chmod 0700 <traceroute command>

Checks: C-8268r2_chk

Search for any .forward files on the system. # find / -name .forward -print This is considered a finding if any .forward files are found on the system.

Fix: F-4296r2_fix

Remove .forward files from the system.

Checks: C-8270r2_chk

Consult vendor documentation for the anonymous FTP service to determine the necessary configuration for operating the service in a chroot environment. If the system is not configured to operate the anonymous FTP service in a chroot environment, this is a finding.

Fix: F-4299r2_fix

Configure the anonymous FTP service to operate in a chroot environment. Consult vendor documentation for the necessary configuration procedures.

Checks: C-8271r2_chk

Ask the SA if this is an NMS server. If it is an NMS server, then ask what other applications run on it. If there is anything other than network management software and DBMS software used only for the storage and inquiry of NMS data, this is a finding.

Fix: F-4303r2_fix

Ensure only authorized software is loaded on a designated NMS server. Authorized software is limited to the NMS software itself, a database management system for the NMS server if necessary, and network management software.

Checks: C-8272r2_chk

Check /etc/syslog.conf ownership. # ls -lL /etc/syslog.conf If /etc/syslog.conf is not owned by root, this is a finding.

Fix: F-4304r2_fix

Use the chown command to set the owner to root. # chown root /etc/syslog.conf

Checks: C-8273r2_chk

Check /etc/syslog.conf group ownership. Procedure: # ls -lL /etc/syslog.conf If /etc/syslog.conf is not group-owned by root, sys, bin, or system, this is a finding.

Fix: F-4305r2_fix

Change the group owner of the /etc/syslog.conf file to root, bin, sys, or system. Procedure: # chgrp root /etc/syslog.conf

Checks: C-8274r2_chk

Examine the syslog.conf file for any references to remote log hosts. # grep -v "^#" /etc/syslog.conf | grep '@' Destination locations beginning with an @ represent log hosts. If the log host name is a local alias, such as log host, consult the /etc/hosts or other name databases as necessary to obtain the canonical name or address for the log host. Determine if the host referenced is a log host documented using site-defined procedures. If an undocumented log host is referenced, this is a finding.

Fix: F-4306r3_fix

Remove, replace, or document the referenced undocumented log host.

Checks: C-8275r2_chk

Check the system for an IPv4 default route. Procedure: # netstat -r |grep default If a default route is not defined, this is a finding.

Fix: F-4308r2_fix

Set a default gateway for IPv4.

Checks: C-8276r2_chk

Ask the SA if the system is a designated router. If it is not, this is not applicable. Check the system for non-routing network services. Procedure: # netstat -a | grep -i listen # ps -ef If non-routing services, including Web servers, file servers, DNS servers, or applications servers, but excluding management services, such as SSH and SNMP, are running on the system, this is a finding.

Fix: F-4309r2_fix

Ensure only authorized software is loaded on a designated router. Authorized software will be limited to the most current version of routing protocols and SSH for system administration purposes.

Checks: C-8219r2_chk

Locate and examine all .rhosts, .shosts, hosts.equiv, and shosts.equiv files. Procedure: # find / -name .rhosts # more /&lt;directorylocation&gt;/.rhosts # find / -name .shosts # more /&lt;directorylocation&gt;/.shosts # find / -name hosts.equiv # more /&lt;directorylocation&gt;/hosts.equiv # find / -name shosts.equiv # more /&lt;directorylocation&gt;/shosts.equiv If any .rhosts, .shosts, hosts.equiv, or shosts.equiv file contains other than host-user pairs, this is a finding.

Fix: F-4326r2_fix