
HP-UX 11.31 Security Technical Implementation Guide


Overview

Date: 2017-01-27
Finding Count: 260 (CAT I (High): 11, CAT II (Med): 214, CAT III (Low): 35)
STIG Description
The HP-UX 11.31 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-922 High All shell files must have mode 0755 or less permissive.
V-4387 High Anonymous FTP accounts must not have a functional shell.
V-770 High The system must not have accounts configured with blank or null passwords.
V-11988 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-24386 High The telnet daemon must not be running.
V-848 High The TFTP daemon must have mode 0755 or less permissive.
V-847 High The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
V-4295 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-833 High Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-4688 High The rexec daemon must not be running.
V-4687 High The remsh daemon must not be running.
V-22569 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.
V-22568 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or other.
V-22565 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
V-12022 Medium The SSH daemon must be configured for IP filtering.
V-4371 Medium The traceroute file must have mode 0700 or less permissive.
V-960 Medium The system must be configured to operate in a security mode.
V-967 Medium The /etc/securetty file must have mode 0640 or less permissive.
V-966 Medium The /etc/securetty file must be owned by root.
V-965 Medium The HP-UX /etc/securetty must be group-owned by root, sys, or bin.
V-22488 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-975 Medium The cron.allow file must have mode 0600 or less permissive.
V-22486 Medium The SSH daemon must use privilege separation.
V-22487 Medium The SSH daemon must not allow rhosts RSA authentication.
V-22485 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-22363 Medium Local initialization files library search paths must contain only authorized paths.
V-12023 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-22360 Medium Global initialization files lists of preloaded libraries must contain only authorized paths.
V-768 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-819 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-818 Medium The audit system must be configured to audit login, logout, and session initiation.
V-816 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-815 Medium The audit system must be configured to audit file deletions.
V-766 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-12021 Medium The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
V-763 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-810 Medium Default system accounts must be disabled or removed.
V-22472 Medium The SSH private host key files must have mode 0600 or less permissive.
V-22471 Medium The SSH public host key files must have mode 0644 or less permissive.
V-4370 Medium The traceroute command must be group-owned by sys, bin, root, or other.
V-22572 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, sys, or other.
V-22573 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive.
V-4361 Medium The cron.allow file must be owned by root, bin, or sys.
V-22571 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.
V-788 Medium All skeleton files (typically those in /etc/skel) must have mode 0444 or less permissive.
V-22332 Medium The /etc/passwd file must be owned by root.
V-4304 Medium The root file system must employ journaling or another mechanism ensuring file system consistency.
V-23741 Medium TCP backlog queue sizes must be set appropriately.
V-932 Medium The Network File System (NFS) anonymous UID and GID must be configured to values that have no permissions.
V-4385 Medium The system must not use .forward files.
V-808 Medium The system and user default umask must be 077.
V-11947 Medium The system must require that passwords contain a minimum of 15 characters.
V-22375 Medium The audit system must alert the SA when the audit storage volume approaches its capacity.
V-778 Medium The system must prevent the root account from directly logging in except from the system console.
V-776 Medium The root account's executable search path must contain only authorized paths.
V-777 Medium The root account must not have world-writable directories in its executable search path.
V-775 Medium The root account's home directory (other than /) must have mode 0700.
V-773 Medium The root account must be the only account having an UID of 0.
V-22461 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-22462 Medium The SSH client must be configured to not use Cipher-Block Chaining (CBC) based ciphers.
V-22463 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-867 Medium The Network Information System (NIS) protocol must not be used.
V-4083 Medium Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and must require users to re-authenticate to unlock the environment.
V-981 Medium Cron and crontab directories must be group-owned by root, sys, bin or other.
V-980 Medium Cron and crontab directories must be owned by root or bin.
V-983 Medium The cronlog file must have mode 0600 or less permissive.
V-982 Medium Cron logging must be implemented.
V-985 Medium The at.deny file must not be empty if it exists.
V-984 Medium Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
V-987 Medium The at.allow file must have mode 0600 or less permissive.
V-22294 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-4394 Medium The /etc/syslog.conf file must be group-owned by root, bin, sys, or system.
V-22582 Medium The system must employ a local firewall.
V-4393 Medium The /etc/syslog.conf file must be owned by bin.
V-800 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-974 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-24384 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
V-22391 Medium The cron.allow file must be group-owned by root, bin, sys or other.
V-22348 Medium The /etc/group file must not contain any group password hashes.
V-22347 Medium The /etc/passwd file must not contain password hashes.
V-978 Medium Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive.
V-979 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-22324 Medium The /etc/hosts file must be group-owned by root, bin, sys, or system.
V-1028 Medium The /etc/opt/samba/smb.conf file must have mode 0644 or less permissive.
V-842 Medium The ftpusers file must be owned by root.
V-22329 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-22328 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system.
V-22327 Medium The /etc/nsswitch.conf file must be owned by root.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-1027 Medium The /etc/smb.conf file must be owned by root.
V-22451 Medium The snmpd.conf file must be group-owned by root, sys, bin or other.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-1023 Medium The system must not run an Internet Network News (INN) server.
V-834 Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
V-22453 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-4321 Medium The system must not run Samba unless needed.
V-22320 Medium The /etc/resolv.conf file must be group-owned by root, bin, sys, or system.
V-22511 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-994 Medium The snmpd.conf file must have mode 0600 or less permissive.
V-23972 Medium The system must not respond to ICMPv6 echo requests sent to a broadcast address.
V-22564 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or other.
V-924 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-11948 Medium The system must require passwords contain at least one uppercase alphabetic character.
V-12005 Medium Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
V-22358 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
V-12006 Medium The SMTP service HELP command must not be enabled.
V-905 Medium All local initialization files must have mode 0740 or less permissive.
V-12002 Medium The system must not forward IPv4 source-routed packets.
V-22354 Medium Run control scripts library search paths must contain only authorized paths.
V-22355 Medium Run control scripts lists of preloaded libraries must contain only authorized paths.
V-22339 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys or other.
V-22335 Medium The /etc/group file must be owned by bin.
V-22336 Medium The /etc/group file must be group-owned by root, bin, sys, or system.
V-22337 Medium The /etc/group file must have mode 0444 or less permissive.
V-22444 Medium The ftpusers file must be group-owned by root, bin, sys or other.
V-22333 Medium The /etc/passwd file must be group-owned by root, bin, sys, or system.
V-824 Medium The services file must have mode 0444 or less permissive.
V-11999 Medium The system must implement non-executable program stacks.
V-23732 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-786 Medium All network services daemon files must have mode 0755 or less permissive.
V-11984 Medium All skeleton files and directories (typically in /etc/skel) must be owned by bin.
V-795 Medium All system files, programs, and directories must be owned by a system account.
V-913 Medium There must be no .netrc files on the system.
V-12011 Medium All FTP users must have a default umask of 077.
V-916 Medium The /etc/shells (or equivalent) file must exist.
V-917 Medium All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
V-12014 Medium All .Xauthority files must have mode 0600 or less permissive.
V-4084 Medium The system must prohibit the reuse of passwords within five iterations.
V-995 Medium Management Information Base (MIB) files must have mode 0640 or less permissive.
V-4430 Medium The cron.deny file must be owned by root, bin, or sys.
V-22365 Medium All shell files must be group-owned by root, bin, sys, or system.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-22364 Medium Local initialization files lists of preloaded libraries must contain only authorized paths.
V-22305 Medium The system must require passwords contain at least one lowercase alphabetic character.
V-821 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
V-4364 Medium The at directory must have mode 0755 or less permissive.
V-22438 Medium The aliases file must be group-owned by root, sys, bin, or other.
V-1047 Medium The system must not permit root logins using remote access programs such as SSH.
V-22435 Medium The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
V-22432 Medium The rlogind service must not be running.
V-22431 Medium The remshd service must not be installed.
V-12019 Medium The snmpd.conf file must be owned by bin.
V-797 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-11989 Medium The .rhosts file must not be supported in PAM.
V-814 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-840 Medium The ftpusers file must exist.
V-843 Medium The ftpusers file must have mode 0640 or less permissive.
V-11981 Medium All global initialization files must have mode 0444 or less permissive.
V-11983 Medium All global initialization files must be group-owned by root, sys, bin, other system, or the system default.
V-11982 Medium All global initialization files must be owned by bin.
V-11985 Medium All global initialization files executable search paths must contain only authorized paths.
V-849 Medium The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell such as /bin/false, and a home directory owned by the TFTP user.
V-921 Medium All shell files must be owned by root or bin.
V-11986 Medium All local initialization files executable search paths must contain only authorized paths.
V-789 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-22547 Medium The system must not have IP tunnels configured.
V-12049 Medium Network analysis tools must not be installed.
V-4358 Medium The cron.deny file must have mode 0600 or less permissive.
V-22548 Medium The DHCP client must be disabled if not needed.
V-941 Medium The system's access control program must log each system access attempt.
V-940 Medium The system must use an access control program.
V-22470 Medium The SSH daemon must restrict login ability to specific users and/or groups.
V-22398 Medium The at.deny file must be group-owned by root, bin, sys, or other.
V-22397 Medium The at.allow file must be group-owned by root, sys, bin or other.
V-22396 Medium The at directory must be group-owned by root, bin, sys or other.
V-22425 Medium The xinetd.d directory must have mode 0755 or less permissive.
V-22394 Medium The cron.deny file must be group-owned by root, bin, sys or other.
V-22427 Medium The services file must be group-owned by root, bin, sys, or other.
V-22392 Medium The at.deny file must have mode 0600 or less permissive.
V-22423 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or other.
V-4290 Medium The HP-UX AUDOMON_ARGS attribute must be explicitly initialized.
V-1056 Medium The /etc/smb.conf file must be group-owned by root, bin, sys, or system.
V-832 Medium The alias file must have mode 0644 or less permissive.
V-823 Medium The services file must be owned by root or bin.
V-22567 Medium For systems using NSS LDAP, the TLS certificate file must be owned by root.
V-22440 Medium Files executed through a mail aliases file must be group-owned by root, bin, sys, or other, and must reside within a directory group-owned by root, bin, sys, or other.
V-22295 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
V-22296 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-831 Medium The alias file must be owned by root.
V-12030 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-22359 Medium Global initialization files library search paths must contain only authorized paths.
V-22501 Medium Samba must be configured to not allow guest access to shares.
V-837 Medium The SMTP service log file must be owned by root.
V-836 Medium The system syslog service must log informational and more severe SMTP service messages.
V-838 Medium The SMTP service log file must have mode 0644 or less permissive.
V-4696 Medium The system must not have the UUCP service active.
V-986 Medium Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
V-935 Medium The NFS server must not allow remote root access.
V-936 Medium The nosuid option must be enabled on all NFS client mounts.
V-22550 Medium The system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
V-22551 Medium The system must not send IPv6 ICMP redirects.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-907 Medium Run control scripts executable search paths must contain only authorized paths.
V-22557 Medium If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate and this certificate has a valid trust path to a trusted CA.
V-1030 Medium The smb.conf file must use the hosts option to restrict access to Samba.
V-4365 Medium The at directory must be owned by root, bin, or sys.
V-11972 Medium The system must require passwords contain at least one numeric character.
V-4367 Medium The at.allow file must be owned by root, bin, or sys.
V-933 Medium The Network File System (NFS) server must be configured to restrict file system access to local hosts.
V-22563 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
V-11995 Medium Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
V-22499 Medium Samba must be configured to use an authentication mechanism other than share.
V-22411 Medium The system must not respond to Internet Control Message Protocol (ICMP) timestamp requests sent to a broadcast address.
V-22410 Medium The system must not respond to ICMPv4 echoes sent to a broadcast address.
V-22413 Medium The system must prevent local applications from generating source-routed packets.
V-22412 Medium The system must not apply reversed source routing to TCP responses.
V-22455 Medium The system must use a remote syslog server (loghost).
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22417 Medium The system must not send IPv4 ICMP redirects.
V-22416 Medium The system must ignore IPv4 ICMP redirect messages.
V-22491 Medium The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
V-24331 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-22496 Medium All Network File System (NFS) shared system files and system directories must be group-owned by root, bin, sys, or other.
V-22500 Medium Samba must be configured to use encrypted passwords.
V-11973 Medium The system must require passwords contain at least one special character.
V-822 Medium The inetd.conf and xinetd.conf files must have mode 0440 or less permissive.
V-791 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-827 Medium The hosts.lpd file (or equivalent) must not contain a "+" character.
V-22310 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-22311 Medium The root account's list of preloaded libraries must be empty.
V-798 Medium The /etc/passwd file must have mode 0444 or less permissive.
V-828 Medium The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
V-829 Medium The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-22406 Low The kernel core dump data directory must have mode 0700 or less permissive.
V-22405 Low The kernel core dump data directory must be group-owned by root, bin, sys, or other.
V-22409 Low The system must not process Internet Control Message Protocol (ICMP) timestamp requests.
V-4701 Low The system must not have the finger service active.
V-22473 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-781 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-22475 Low The SSH daemon must not permit Kerberos authentication unless needed.
V-22474 Low The SSH client must not permit GSSAPI authentication unless needed.
V-22577 Low Automated file system mounting tools must not be enabled unless needed.
V-4384 Low The SMTP service's SMTP greeting must not provide version information.
V-22371 Low System audit tool executables must be group-owned by root, bin, sys, or other.
V-22377 Low The audit system must be configured to audit account modification.
V-774 Low The root user's home directory must not be the root directory (/).
V-22299 Low The system must display the date and time of the last successful account login upon login.
V-22298 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-22372 Low System audit tool executables must have mode 0750 or less permissive.
V-22589 Low The system package management tool must not automatically obtain updates.
V-22378 Low The audit system must be configured to audit account disabling.
V-23739 Low The system must use a separate file system for /tmp (or equivalent).
V-23738 Low The system must use a separate file system for the system audit data path.
V-900 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-12003 Low A separate file system must be used for user home directories (such as /home or equivalent).
V-825 Low Global initialization files must contain the mesg -n or mesg n commands.
V-22376 Low The audit system must be configured to audit account creation.
V-1062 Low The root shell must be located in the / file system.
V-23736 Low The system must use a separate file system for /var.
V-22308 Low The system must restrict the ability to switch to the root user to members of a defined group.
V-22382 Low The audit system must be configured to audit account termination.
V-929 Low The Network File System (NFS) share configuration file must have mode 0644 or less permissive.
V-835 Low Sendmail logging must not be set to less than 9 in the sendmail.cf file.
V-4693 Low The SMTP service must not have the VRFY feature active.
V-899 Low All interactive users must be assigned a home directory in the /etc/passwd file.
V-11996 Low Process core dumps must be disabled unless needed.
V-4692 Low The SMTP service must not have the EXPN feature active.
V-22370 Low System audit tool executables must be owned by root.
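A large share of the findings above are of the form "must have mode NNNN or less permissive" together with "must be owned by" / "must be group-owned by root, bin, sys, or other" (for example V-922, V-798, V-800, V-22339, V-22365). The check text for such findings is a bitwise test, not a numeric one: the file may set no permission bit that the ceiling lacks, so 0775, 0757 and 4755 all fail a 0755 ceiling while 0700 and 0644 pass, and a numeric comparison would wrongly accept a setuid 4700 file against a 0755 ceiling. The POSIX shell helper below is an added example, not part of the STIG or of DISA's own check scripts. It parses `ls -ld` rather than `stat(1)` so that it runs unchanged on HP-UX 11.31 and on Linux; the three demo calls at the end use paths and owner/group lists taken from the finding titles above, and the exact lists to enforce on a given host should be read from the finding's check text, not from this script.

```shell
#!/bin/sh
# Added example: evaluate "mode NNNN or less permissive" and owner/group-owner
# findings bitwise, the way the STIG check text intends.
# Parses ls -ld output (portable to HP-UX 11.31) instead of stat(1).

# sym_to_octal: 10-char ls(1) mode field (e.g. -rwsr-xr-x) -> 4-digit octal (4755).
sym_to_octal() {
    m=$1
    perm=0
    i=2
    while [ "$i" -le 10 ]; do
        ch=$(printf '%s' "$m" | cut -c"$i")
        case $ch in
            r|w|x|s|t) bit=1 ;;   # s/t: permission bit set (plus a special bit)
            *)         bit=0 ;;   # '-', 'S', 'T': permission bit clear
        esac
        perm=$((perm * 2 + bit))
        i=$((i + 1))
    done
    special=0
    case $(printf '%s' "$m" | cut -c4)  in s|S) special=$((special + 4)) ;; esac  # setuid
    case $(printf '%s' "$m" | cut -c7)  in s|S) special=$((special + 2)) ;; esac  # setgid
    case $(printf '%s' "$m" | cut -c10) in t|T) special=$((special + 1)) ;; esac  # sticky
    printf '%d%03o\n' "$special" "$perm"
}

# oct_to_dec: octal string such as 0755 -> decimal, without ksh/bash-only 8# syntax.
oct_to_dec() {
    s=$1
    d=0
    while [ -n "$s" ]; do
        digit=$(printf '%s' "$s" | cut -c1)
        d=$((d * 8 + digit))
        s=$(printf '%s' "$s" | cut -c2-)
    done
    printf '%d\n' "$d"
}

# mode_within MAX ACTUAL: succeed (0) iff ACTUAL sets no bit that MAX does not set.
mode_within() {
    max=$(oct_to_dec "$1")
    act=$(oct_to_dec "$2")
    [ $(( act & ~max )) -eq 0 ]
}

# name_in NAME "a b c": succeed iff NAME is one of the space-separated names.
name_in() {
    for n in $2; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# check_file PATH MAXMODE "OWNERS" "GROUPS": print one line per deviation,
# return 0 only when mode, owner and group-owner all satisfy the finding.
check_file() {
    f=$1; maxmode=$2; owners=$3; groups=$4
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    set -- $(ls -ld "$f")
    # cut to 10 chars: Linux ls appends '+' or '.' for ACLs / security labels
    mode=$(sym_to_octal "$(printf '%s' "$1" | cut -c1-10)")
    owner=$3; group=$4; rc=0
    mode_within "$maxmode" "$mode" || { echo "$f: mode $mode exceeds $maxmode"; rc=1; }
    name_in "$owner" "$owners"     || { echo "$f: owner $owner not in [$owners]"; rc=1; }
    name_in "$group" "$groups"     || { echo "$f: group $group not in [$groups]"; rc=1; }
    return $rc
}

# Demo: three files with ceilings/owners taken from the finding titles above.
# (/etc/group owner "bin" is what V-22335 requires on HP-UX; on Linux it is root.)
fails=0
check_file /etc/passwd 0444 root "root bin sys system" || fails=$((fails + 1))  # V-798 V-22332 V-22333
check_file /etc/group  0444 bin  "root bin sys system" || fails=$((fails + 1))  # V-22337 V-22335 V-22336
check_file /etc/shadow 0400 root "root bin sys other"  || fails=$((fails + 1))  # V-800 V-797 V-22339
echo "$fails of 3 checked files deviate from the listed findings"
```

Run as root on the target host; each deviation prints the path, the offending attribute and the ceiling, which maps directly to the finding being evaluated. Because `check_file` uses a bitwise test, a file such as `/etc/shadow` at mode 0400 passes the 0400 ceiling while 0440 or 0600 do not, matching the "or less permissive" wording rather than a plain numeric ordering.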