| V-24386 | High | The telnet daemon must not be running. | The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user... |
| V-12035 | High | The SYSTEM attribute must not be set to NONE for any account. | The SYSTEM attribute in /etc/security/user defines the mechanisms used to authenticate specific user accounts. If the value is set to NONE, other attributes will be used to determine the... |
| V-11940 | High | The operating system must be a supported release. | An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security... |
| V-770 | High | The system must not have accounts configured with blank or null passwords. | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured... |
| V-4688 | High | The rexec daemon must not be running. | The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. |
| V-11988 | High | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system. | The .rhosts, .shosts, hosts.equiv, and shosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for... |
| V-4371 | Medium | The traceroute file must have mode 0700 or less permissive. | If the mode of the traceroute executable is more permissive than 0700, malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized... |
| V-4370 | Medium | The traceroute command must be group-owned by sys, bin, or system. | If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology... |
| V-22561 | Medium | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by security, bin, sys, or system. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. |
| V-22560 | Medium | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. |
| V-4367 | Medium | The at.allow file must be owned by root, bin, or sys. | If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. |
| V-831 | Medium | The alias file must be owned by root. | If the alias file is not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email. |
| V-22488 | Medium | The SSH daemon must not allow compression or must only allow compression after successful authentication. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection,... |
| V-22486 | Medium | The SSH daemon must use privilege separation. | SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section. |
| V-22487 | Medium | The SSH daemon must not allow rhosts RSA authentication. | If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication. |
| V-11975 | Medium | The system must require passwords to contain no more than three consecutive repeating characters. | To enforce the use of complex passwords, the number of consecutive repeating characters is limited. Passwords with excessive repeated characters may be more vulnerable to password-guessing attacks. |
| V-22485 | Medium | The SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
| V-768 | Medium | The delay between login prompts following a failed login attempt must be at least 4 seconds. | Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks. |
| V-1032 | Medium | Users must not be able to change passwords more than once every 24 hours. | The ability to change passwords frequently facilitates users reusing the same password. This can result in users effectively never changing their passwords. This would be accomplished by users... |
| V-766 | Medium | The system must disable accounts after three consecutive unsuccessful login attempts. | Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. |
| V-763 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. |
| V-22472 | Medium | The SSH private host key files must have mode 0600 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated. |
| V-22471 | Medium | The SSH public host key files must have mode 0644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised. |
| V-22470 | Medium | The SSH daemon must restrict login ability to specific users and/or groups. | Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized... |
| V-29491 | Medium | The /etc/netsvc.conf file must be root owned. | The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious... |
| V-29492 | Medium | The /etc/netsvc.conf file must be group-owned by bin, sys, or system. | The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious... |
| V-12030 | Medium | The system's access control program must be configured to grant or deny system access to specific hosts. | If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts. |
| V-29498 | Medium | The system must provide protection against IP fragmentation attacks. | The parameter ip_nfrag provides an additional layer of protection against IP fragmentation attacks. The value the ip_nfrag specifies is the maximum number of fragments of an IP packet that can be... |
| V-22332 | Medium | The /etc/passwd file must be owned by root. | The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. |
| V-4385 | Medium | The system must not use .forward files. | The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which... |
| V-29515 | Medium | The system must not have the rusersd service active. | The rusersd daemon gives out a list of current uses on the system. The rusersd daemon is unnecessary and it increases the attack vector of the system by providing information on the current... |
| V-788 | Medium | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
|
| V-11947 | Medium | The system must require passwords to contain a minimum of 14 characters. | The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space. |
| V-778 | Medium | The system must prevent the root account from directly logging in except from the system console. | Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device. |
| V-800 | Medium | The /etc/security/passwd file must have mode 0400. | The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password... |
| V-777 | Medium | The root account must not have world-writable directories in its executable search path. | If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges.
|
| V-775 | Medium | The root account's home directory (other than /) must have mode 0700. | Permissions greater than 0700 could allow unauthorized users access to the root home directory. |
| V-773 | Medium | The root account must be the only account having an UID of 0. | If an account has an UID of 0, it has root authority. Multiple accounts with an UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. |
| V-22462 | Medium | The SSH client must be configured to not use CBC-based ciphers. | The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
|
| V-22463 | Medium | The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. |
| V-4084 | Medium | The system must prohibit the reuse of passwords within five iterations. | If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the... |
| V-22553 | Medium | The system must not forward IPv6 source-routed packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
| V-981 | Medium | Cron and crontab directories must be group-owned by system, sys, bin, or cron. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group ownership of cron or crontab... |
| V-980 | Medium | Cron and crontab directories must be owned by root or bin. | Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron... |
| V-22290 | Medium | The system clock must be synchronized continuously, or at least daily. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. Internal system clocks tend to drift and... |
| V-985 | Medium | The at.deny file must not be empty if it exists. | On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes everyone has permission to use the at facility. This could create an insecure setting in... |
| V-22296 | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
| V-987 | Medium | The at.allow file must have mode 0600 or less permissive. | Permissions more permissive than 0600 (read, write and execute for the owner) may allow unauthorized or malicious access to the at.allow and/or at.deny files.
|
| V-23741 | Medium | TCP backlog queue sizes must be set appropriately. | To provide some mitigation to TCP DoS attacks, the clear_partial_conns parameter must be enabled. |
| V-4394 | Medium | The /etc/syslog.conf file must be group-owned by bin, sys, or system. | If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility. |
| V-4393 | Medium | The /etc/syslog.conf file must be owned by root. | If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility. |
| V-789 | Medium | NIS/NIS+/yp files must be owned by root, sys, or bin. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities... |
| V-974 | Medium | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s). | The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility. If... |
| V-975 | Medium | The cron.allow file must have mode 0600 or less permissive. | A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is... |
| V-22391 | Medium | The cron.allow file must be group-owned by system, bin, sys, or cron. | If the group of the cron.allow is not set to system, bin, sys, or cron, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized... |
| V-22348 | Medium | The /etc/group file must not contain any group password hashes. | Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or... |
| V-978 | Medium | Crontab files must have mode 0600 or less permissive. | To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured.
|
| V-979 | Medium | Cron and crontab directories must have mode 0755 or less permissive. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured.
|
| V-22324 | Medium | The /etc/hosts file must be group-owned by bin, sys, or system. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
| V-1028 | Medium | The /usr/lib/smb.conf file must have mode 0644 or less permissive. | If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised. |
| V-1029 | Medium | The /var/private/smbpasswd file must be owned by root. | If the smbpasswd file is not owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. |
| V-22325 | Medium | The /etc/hosts file must have mode 0644 or less permissive. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
| V-1027 | Medium | The /usr/lib/smb.conf file must be owned by root. | The /usr/lib/smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the... |
| V-22323 | Medium | The /etc/hosts file must be owned by root. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
| V-22453 | Medium | The /etc/syslog.conf file must have mode 0640 or less permissive. | Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file. |
| V-22320 | Medium | The /etc/resolv.conf file must be group-owned by bin, sys, or system. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution... |
| V-776 | Medium | The root account's executable search path must be the vendor default and must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
| V-22321 | Medium | The /etc/resolv.conf file must have mode 0644 or less permissive. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution... |
| V-23732 | Medium | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. | Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
NOTE: SFTP and FTPS are encrypted alternatives... |
| V-29520 | Medium | The /etc/ftpaccess.ctl file must be owned by root. | If the ftpaccess.ctl file is not owned by root, an unauthorized user may modify the file to allow unauthorized access to change the file. Unauthorized modification could result in Denial of... |
| V-29521 | Medium | The /etc/ftpaccess.ctl file must be group-owned by bin, sys, or system. | If the ftpaccess.ctl file is not group-owned by a system group, an unauthorized user may modify the file to allow unauthorized access to modify the file. Unauthorized modification could result in... |
| V-901 | Medium | All users' home directories must have mode 0750 or less permissive. | Excessive permissions on home directories allow unauthorized access to user's files. |
| V-22358 | Medium | All skeleton files (typically in /etc/skel) must be group-owned by security. | If the skeleton files are not protected, unauthorized personnel could change user start-up parameters and possibly jeopardize user files. |
| V-12002 | Medium | The system must not forward IPv4 source-routed packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
| V-4368 | Medium | The at.deny file must be owned by root, bin, or sys. | If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. |
| V-22339 | Medium | The /etc/security/passwd file must be group-owned by security, bin, sys, or system. | The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password... |
| V-22335 | Medium | The /etc/group file must be owned by root. | The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information. |
| V-22336 | Medium | The /etc/group file must be group-owned by security, bin, sys, or system. | The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information. |
| V-22337 | Medium | The /etc/group file must have mode 0644 or less permissive. | The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information. |
| V-22444 | Medium | The ftpusers file must be group-owned by bin, sys, or system. | If the ftpusers file is not group-owned by a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP. |
| V-22333 | Medium | The /etc/passwd file must be group-owned by bin, security, sys, or system. | The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. |
| V-4430 | Medium | The cron.deny file must be owned by root, bin, or sys. | Cron daemon control files restrict the scheduling of automated tasks and must be protected.
|
| V-11973 | Medium | The system must require that passwords contain at least one special character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
| V-824 | Medium | The services file must have mode 0444 or less permissive. | The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services. |
| V-22302 | Medium | The system must enforce the entire password during authentication. | Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password.
|
| V-22304 | Medium | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes... |
| V-22307 | Medium | The system must prevent the use of dictionary words for passwords. | An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is... |
| V-22306 | Medium | The system must require at least four characters be changed between the old and new passwords during a password change. | To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed... |
| V-22438 | Medium | The aliases file must be group-owned by sys, bin, or system. | If the alias file is not group-owned by a system group, an unauthorized user may modify the file to add aliases to run malicious code or redirect e-mail. |
| V-22435 | Medium | The hosts.lpd (or equivalent) file must be group-owned by bin, sys, or system. | Failure to give group ownership of the hosts.lpd file to bin, sys, or system provides the members of the owning group and possible unauthorized users, with the potential to modify the hosts.lpd... |
| V-22432 | Medium | The rlogind service must not be running. | The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. |
| V-22430 | Medium | The portmap or rpcbind service must not be installed unless needed. | The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using Remote... |
| V-840 | Medium | The ftpusers file must exist. | The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP.
|
| V-842 | Medium | The ftpusers file must be owned by root. | If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
|
| V-843 | Medium | The ftpusers file must have mode 0640 or less permissive. | Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized users... |
| V-11981 | Medium | All global initialization files must have mode 0644 or less permissive. | Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. |
| V-11983 | Medium | All global initialization files must be group-owned by sys, bin, system, or security. | Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership... |
| V-11982 | Medium | All global initialization files must be owned by root. | Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership... |
| V-22294 | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
| V-11984 | Medium | All skeleton files and directories (typically in /etc/skel) must be owned by root or bin. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities... |
| V-29522 | Medium | The /etc/ftpaccess.ctl file must have mode 0640 or less permissive. | Excessive permissions on the ftpaccess.ctl file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized... |
| V-29495 | Medium | The system must not allow directed broadcasts to gateway. | Disabling directed broadcast prevents packets directed to a gateway to be broadcasted on a remote network. |
| V-12049 | Medium | Network analysis tools must not be installed. | Network analysis tools allow for the capture of network traffic visible to the system. |
| V-4358 | Medium | The cron.deny file must have mode 0600 or less permissive. | If file permissions for cron.deny are more permissive than 0600, sensitive information could be viewed or edited by unauthorized users.
|
| V-22549 | Medium | The DHCP client must not send dynamic DNS updates. | Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed. |
| V-22548 | Medium | The DHCP client must be disabled if not needed. | DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server. |
| V-29496 | Medium | The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections. | The ICMP attacks may be of the form of ICMP source quench attacks and Path MTU Discovery (PMTUD) attacks. If this network option tcp_icmpsecure is turned on, the system does not react to ICMP... |
| V-29497 | Medium | The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks. | The tcp_tcpsecure parameter provides protection for TCP connections from fake SYN's, fake RST, and data injections on established connections. The first vulnerability involves sending a fake SYN... |
| V-1059 | Medium | The /var/private/smbpasswd file must have mode 0600 or less permissive. | If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. |
| V-1058 | Medium | The /var/private/smbpasswd file must be group-owned by sys or system. | If the smbpasswd file is not group-owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. |
| V-22398 | Medium | The at.deny file must be group-owned by system, bin, sys, or cron. | If the group owner of the at.deny file is not set to system, bin, sys, or cron, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized... |
| V-22396 | Medium | The "at" directory must be group-owned by system, bin, sys, or cron. | If the group of the "at" directory is not system, bin, sys, or cron, unauthorized users could be allowed to view or edit files containing sensitive information within the directory. |
| V-22397 | Medium | The at.allow file must be group-owned by system, bin, sys, or cron. | If the group-owner of the at.allow file is not set to system, bin, sys, or cron, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized... |
| V-22394 | Medium | The cron.deny file must be group-owned by system, bin, sys, or cron. | Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron... |
| V-1056 | Medium | The /usr/lib/smb.conf file must be group-owned by bin, sys, or system. | If the group-owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised. |
| V-22392 | Medium | The at.deny file must have mode 0640 or less permissive. | The at daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial of Service to authorized at... |
| V-22423 | Medium | The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system. | Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration... |
| V-822 | Medium | The inetd.conf and xinetd.conf files must have mode 0440 or less permissive. | The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system. |
| V-22427 | Medium | The services file must be group-owned by bin, sys, or system. | Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which... |
| V-823 | Medium | The services file must be owned by root or bin. | Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the... |
| V-4298 | Medium | Remote consoles must be disabled or protected from unauthorized access. | The remote console feature provides an additional means of access to the system which could allow unauthorized access if not disabled or properly secured. With virtualization technologies, remote... |
| V-29493 | Medium | The /etc/netsvc.conf file must have mode 0644 or less permissive. | The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious... |
| V-984 | Medium | Access to the at utility must be controlled via the at.allow and/or at.deny file(s). | The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no... |
| V-787 | Medium | System log files must have mode 0640 or less permissive. | If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value. |
| V-832 | Medium | The alias file must have mode 0644 or less permissive. | Excessive permissions on the aliases file may permit unauthorized modification. If the alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email. |
| V-22295 | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by bin, sys, or system. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
| V-29511 | Medium | The system must not have the netstat service active on the inetd process. | The netstat service can potentially give out network information on active connections if it is running. The information given out can aid in an attack and weaken the systems defensive posture. |
| V-29510 | Medium | The system must not have the talk or ntalk services active. | The talk and ntalk commands allow users on the same or different systems on converse. The talk daemons are started from the inetd process and run as root. These unnecessary processes increase the... |
| V-29513 | Medium | The system must not have the systat service active. | The systat daemon allows remote users to see the running process and who is running them. This may aid in information collection for an attack and weaken the security posture of the system. |
| V-29512 | Medium | The system must not have the PCNFS service active. | The PCNFS service predates Microsoft’s SMB specifications. If a similar service is needed to share files from a Windows based OS to a UNIX based OS, consider SAMBA. |
| V-986 | Medium | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist. | Default accounts, such as bin, sys, adm, uucp, daemon, and others, should never have access to the at facility. This would create a possible vulnerability open to intruders or malicious users. |
| V-29514 | Medium | The inetd time service must not be active on the system on the inetd daemon. | The time service is an internal inetd function is used by the rdate command. This service is sometimes used to synchronize clocks at boot time. The service is outdated. Use the ntpdate... |
| V-29517 | Medium | The system must not have the rstatd service active. | The rstatd can give out information on the running system, such as the CPU usage, the system uptime, its network usage, and other system information that could potentially aid in an attack. The... |
| V-29516 | Medium | The system must not have the sprayd service active. | The sprayd service is sometimes used for network and nfs troubleshooting. The spray service can be used for both buffer overflow and Denial of Service attacks by saturating the network. The... |
| V-22550 | Medium | The system must ignore IPv6 ICMP redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An... |
| V-22551 | Medium | The system must not send IPv6 ICMP redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table that could... |
| V-928 | Medium | The NFS export configuration file must be owned by root. | Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could... |
| V-22554 | Medium | The system must not accept source-routed IPv6 packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
| V-4369 | Medium | The traceroute command owner must be root. | If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow... |
| V-4364 | Medium | The at directory must have mode 0755 or less permissive. | If the at directory has a mode more permissive than 0755, unauthorized users could be allowed to view or to edit files containing sensitive information within the at directory. Unauthorized... |
| V-22559 | Medium | If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. |
| V-22311 | Medium | The root account's list of preloaded libraries must be empty. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
| V-4361 | Medium | The cron.allow file must be owned by root, bin, or sys. | If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information. |
| V-11976 | Medium | User passwords must be changed at least every 60 days. | Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for... |
| V-29499 | Medium | The system must not have the bootp service active. | The bootp service is used for Network Installation Management (NIM) and remote booting of systems. The bootp service should not be active unless it is needed for NIM servers or booting remote... |
| V-22419 | Medium | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. | A TCP SYN flood attack can cause Denial of Service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are a mechanism used to not track a connection... |
| V-798 | Medium | The /etc/passwd file must have mode 0644 or less permissive. | If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information. |
| V-29519 | Medium | The /etc/ftpaccess.ctl file must exist. | The ftpaccess.ctl file contains options for the ftp daemon, such as herald, motd, user access, and permissions to files and directories. If the ftpaccess.ctl file does not exist, the ftpd... |
| V-22413 | Medium | The system must prevent local applications from generating source-routed packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. |
| V-22414 | Medium | The system must not accept source-routed IPv4 packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
| V-22417 | Medium | The system must not send IPv4 ICMP redirects. | ICMP redirect messages are used by routers to inform hosts a more direct route exists for a particular destination. These messages contain information from the system's route table possibly... |
| V-22416 | Medium | The system must ignore IPv4 ICMP redirect messages. | ICMP redirect messages are used by routers to inform hosts a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit... |
| V-29506 | Medium | The system must not have the dtspc service active. | This service is started automatically by the inetd daemon with root permission in response to a CDE client requesting a process to be started on the daemon’s host system. Running the dtscp... |
| V-29507 | Medium | The system must not have the echo service active. | The echo service can be used in Denial of Service or SMURF attacks. It can also used at someone else to get through a firewall or start a data storm. The echo service is unnecessary and it... |
| V-29504 | Medium | The system must not have the daytime service active. | The daytime service runs as root from the inetd daemon and can provide an opportunity for Denial of Service PING or PING-PONG attacks. The daytime service is unnecessary and it increases the... |
| V-29505 | Medium | The system must not have the discard service active. | The discard service runs as root from the inetd server and can be used in Denial of Service attacks. The discard service is unnecessary and it increases the attack vector of the system. |
| V-29502 | Medium | The system must not have the tool-talk database server (ttdbserver) service active. | The ttdbserver service for CDE is an unnecessary service that runs as root and might be compromised. |
| V-29503 | Medium | The system must not have the comsat service active. | The comsat daemon notifies users on incoming email. This is an unnecessary service and is vulnerable to a flood attack. Running unnecessary services increases the attack vector of the system. |
| V-29500 | Medium | The system must not have the chargen service active. | When contacted, chargen responds with some random characters. When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until... |
| V-29501 | Medium | The system must not have the Calendar Manager Service Daemon (CMSD) service active. | The CMSD service for CDE is an unnecessary process that runs a root and increases attack vector of the system. Buffer overflow attacks against the CMSD process can potentially give access to the system. |
| V-4284 | Medium | The securetcpip command must be used. | The AIX securetcpip command disables insecure network utilities, such as rcp, rlogin, rlogind, rsh, rshd, tftp, tftpd, and trpt/d. These services increase the attack surface of the system. |
| V-29508 | Medium | The system must not have Internet Message Access Protocol (IMAP) service active. | The IMAP service should not be running unless the system is acting as a mail server for client connections. Running unnecessary services increases the attack vector on the system. |
| V-29509 | Medium | The system must not have the PostOffice Protocol (POP3) service active. | The POP3 service is only needed if the server is acting as a mail server and clients are using applications that only support POP3. Users' ids and passwords are sent in plain text to the POP3... |
| V-790 | Medium | NIS/NIS+/yp files must be group-owned by sys, bin, other, or system. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities... |
| V-791 | Medium | The NIS/NIS+/yp files must have mode 0755 or less permissive. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise... |
| V-821 | Medium | The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin. | Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system... |
| V-794 | Medium | All system command files must have mode 0755 or less permissive. | Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default... |
| V-22310 | Medium | The root account's library search path must be the system default and must contain only absolute paths. | The library search path environment variable(s) contains a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
| V-797 | Medium | The /etc/security/passwd file must be owned by root. | The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of... |
| V-22319 | Medium | The /etc/resolv.conf file must be owned by root. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution... |
| V-4701 | Low | The system must not have the finger service active. | The finger service provides information about the system's users to network clients. This information could expose information that could be used in subsequent attacks.
|
| V-22473 | Low | The SSH daemon must not permit GSSAPI authentication unless needed. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing... |
| V-22474 | Low | The SSH client must not permit GSSAPI authentication unless needed. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing... |
| V-774 | Low | The root user's home directory must not be the root directory (/). | Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places... |
| V-22308 | Low | The system must restrict the ability to switch to the root user to members of a defined group. | Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials. |
| V-825 | Low | Global initialization files must contain the mesg -n or mesg n commands. | If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial of Service attack. |
| V-11996 | Low | Process core dumps must be disabled unless needed. | Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which... |
| V-22475 | Low | The SSH daemon must not permit Kerberos authentication unless needed. | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. ... |
| V-781 | Low | All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. | If a user is assigned the GID of a group that does not exist on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group.
|
| V-929 | Low | The NFS export configuration file must have mode 0644 or less permissive. | Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of... |
