V-770 | High | The system must not have accounts configured with blank or null passwords. | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured... |
V-40446 | Medium | The ability to boot the system into single user mode must be restricted to root. | Single user mode access must be strictly limited to the privileged user root. The ability to boot to single user mode allows a malicious user the opportunity to modify, compromise, or otherwise... |
V-22339 | Medium | The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys or other. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
V-4084 | Medium | The system must prohibit the reuse of passwords within five iterations. | If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it, this would provide a potential intruder with the opportunity to... |
V-960 | Medium | The system must be configured to operate in a security mode. | When operating in standard mode, account passwords are stored in the /etc/passwd file, which is world readable. By operating in either Trusted Mode or Standard Mode with Security Extensions, the... |
V-941 | Medium | The system's access control program must log each system's access attempt. | If access attempts are not logged, then multiple attempts to log on to the system by an unauthorized user may go undetected. |
V-40350 | Medium | userdb database must not be used to override the system-wide variables in the security file, unless required. | The user database stores per-user information. It consists of the /var/adm/userdb directory and the files within it. A per-user value in /var/adm/userdb will override any corresponding system-wide... |
V-22702 | Medium | System audit logs must be group-owned by root, bin, sys, or other. | Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system. |
V-40452 | Medium | The /var/adm/userdb/USERDB.DISABLED file must be group-owned by sys. | Unless the userdb is required, the /var/adm/userdb/USERDB.DISABLED file must be created to disable the use of per-user security attributes in the user database. Attributes in the user database... |
V-4290 | Medium | The HP-UX AUDOMON_ARGS attribute must be explicitly initialized. | The minimal set of auditing requirements necessary to collect useful forensics data and provide user help when violations are detected must be configured. |
V-40447 | Medium | The /var/adm/userdb directory must be owned by root. | The /var/adm/userdb directory is the system user database repository used for storing per-user security configuration information. If the configuration is modified maliciously, individual users... |
V-762 | Medium | All accounts must be assigned unique User Identification Numbers (UIDs). | Accounts sharing a UID have full access to each other's files. This has the same effect as sharing a login. There is no way to assure identification, authentication, and accountability because the... |
V-40445 | Medium | The system must impose the same restrictions on root logins that are already applied to non-root users. | Best-practice standard operating procedures for computing systems include account management. If the root account is allowed to be configured without a password, or not configured to lock if... |
V-22347 | Medium | The /etc/passwd file must not contain password hashes. | If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes. |
V-4298 | Medium | Remote consoles must be disabled or protected from unauthorized access. | The remote console feature provides an additional means of access to the system which could allow unauthorized access if not disabled or properly secured. With virtualization technologies, remote... |
V-11947 | Medium | The system must require that passwords contain a minimum of 14 characters. | The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space. |
V-40448 | Medium | The /var/adm/userdb directory must be group-owned by sys. | The /var/adm/userdb directory is the system user database repository used for storing per-user security configuration information. If the configuration is modified maliciously, individual users... |
V-40449 | Medium | The /var/adm/userdb directory must have mode 0700 or less permissive. | The /var/adm/userdb directory is the system user database repository used for storing per-user security configuration information. If the configuration is modified maliciously, individual users... |
V-40482 | Medium | The /etc/pam.conf file must not have an extended ACL. | The /etc/pam.conf file is the system configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password management.... |
V-40483 | Medium | The per user PAM configuration file (/etc/pam_user.conf) must not be used to override the system-wide PAM configuration file (/etc/pam.conf) unless it is required. | The per user PAM configuration file (/etc/pam_user.conf) allows individual users to be assigned options that differ from those of the general computing community. This file is optional and should... |
V-40468 | Medium | The /etc/security.dsc file must have mode 0444 or less permissive. | The /etc/security.dsc file is the system description file that contains all attributes and default values that are configurable on a per user basis in /var/adm/userdb. If the description file is... |
V-768 | Medium | The delay between login prompts following a failed login attempt must be at least 4 seconds. | Enforcing a delay between consecutive failed login attempts increases protection against automated password guessing attacks. |
V-40484 | Medium | The /etc/pam_user.conf file must be owned by root. | The /etc/pam_user.conf file is the per user configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password... |
V-1032 | Medium | Users must not be able to change passwords more than once every 24 hours. | The ability to change passwords frequently facilitates users reusing the same password. This can result in users effectively never changing their passwords. This would be accomplished by users... |
V-40486 | Medium | The /etc/pam_user.conf file must have mode 0444 or less permissive. | The /etc/pam_user.conf file is the per user configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password... |
V-22369 | Medium | All system audit files must not have extended ACLs. | If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected. |
V-766 | Medium | The system must disable accounts after three consecutive unsuccessful login attempts. | Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. |
V-813 | Medium | System audit logs must have mode 0640 or less permissive. | If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do... |
V-812 | Medium | System audit logs must be owned by root. | Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information. |
V-40487 | Medium | /etc/pam_user.conf file must not have an extended ACL. | The /etc/pam_user.conf file is the per user configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password... |
V-11979 | Medium | The root account must not be used for direct logins. | Direct login with the root account prevents individual user accountability. Acceptable non-routine uses of the root account for direct login are limited to emergency maintenance, the use of... |
V-11973 | Medium | The system must require passwords contain at least one special character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-778 | Medium | The system must prevent the root account from directly logging in except from the system console. | Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device. |
V-797 | Medium | The /etc/shadow (or equivalent) file must be owned by root. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files... |
V-22303 | Medium | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes... |
V-22302 | Medium | The system must enforce the correctness of the entire password during authentication. | Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password. |
V-22305 | Medium | The system must require passwords contain at least one lowercase alphabetic character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-22304 | Medium | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes... |
V-11980 | Medium | The system must log successful and unsuccessful access to the root account. | If successful and unsuccessful logins and logouts are not monitored or recorded, access attempts cannot be tracked. Without this logging, it may be impossible to track unauthorized access to the system. |
V-11972 | Medium | The system must require passwords contain at least one numeric character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-800 | Medium | The /etc/shadow (or equivalent) file must have mode 0400. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
V-11976 | Medium | User passwords must be changed at least every 60 days. | Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for... |
V-40476 | Medium | The /etc/pam.conf file must be group-owned by sys. | The /etc/pam.conf file is the system configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password management.... |
V-40355 | Medium | The system must disable accounts after three consecutive unsuccessful SSH login attempts. | Disabling accounts after a limited number of unsuccessful SSH login attempts improves protection against password guessing attacks. |
V-40492 | Medium | During a password change, the system must determine if password aging attributes are inherited from the /etc/default/security file attributes when no password aging is specified in the shadow file for local users. | Password aging attributes are stored in /etc/default/security and /etc/shadow. Anytime a password aging policy is changed, policy requirements are updated in /etc/default/security. If the system... |
V-918 | Medium | Accounts must be locked upon 35 days of inactivity. | Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their account has been obtained. There is a risk that inactive... |
V-11948 | Medium | The system must require passwords contain at least one uppercase alphabetic character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-756 | Medium | The system must require authentication upon booting into single-user and maintenance modes. | Single user mode access must be strictly limited to privileged users. The ability to boot to single user mode allows a malicious user the opportunity to modify, compromise, or otherwise damage the system. |
V-40467 | Medium | The /etc/security.dsc file must be group-owned by sys. | The /etc/security.dsc file is the system description file that contains all attributes and default values that are configurable on a per user basis in /var/adm/userdb. If the description file is... |
V-40494 | Medium | The system and user default umask must be 0077 for all sessions initiated via PAM. | The umask controls the default access mode assigned to newly created files. A umask of 0077 limits new files to mode 0700 or less permissive. The leading zero digit represents an unsigned octal... |
V-761 | Medium | All accounts on the system must have unique user or account names. | A unique user name is the first part of the identification and authentication process. If user names are not unique, there can be no accountability on the system for auditing purposes. Multiple... |
V-40466 | Medium | The /etc/security.dsc file must be owned by root. | The /etc/security.dsc file is the system description file that contains all attributes and default values that are configurable on a per user basis in /var/adm/userdb. If the description file is... |
V-40485 | Medium | The /etc/pam_user.conf file must be group-owned by sys. | The /etc/pam_user.conf file is the per user configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password... |
V-22340 | Medium | The /etc/shadow file must not have an extended ACL. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
V-40493 | Medium | The system must display the date and time of the last successful account login upon login by means other than SSH. | Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. |
V-40478 | Medium | The /etc/pam.conf file must have mode 0444 or less permissive. | The /etc/pam.conf file is the system configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password management.... |
V-40451 | Medium | The /var/adm/userdb/USERDB.DISABLED file must be owned by root. | Unless the userdb is required, the /var/adm/userdb/USERDB.DISABLED file must be created to disable the use of per-user security attributes in the user database. Attributes in the user database... |
V-40450 | Medium | The /var/adm/userdb directory must not have an extended ACL. | The /var/adm/userdb directory is the system user database repository used for storing per-user security configuration information. If the configuration is modified maliciously, individual users... |
V-40453 | Medium | The /var/adm/userdb/USERDB.DISABLED file must have mode 0444 or less permissive. | Unless the userdb is required, the /var/adm/userdb/USERDB.DISABLED file must be created to disable the use of per-user security attributes in the user database. Attributes in the user database... |
V-810 | Medium | Default system accounts must be disabled or removed. | Vendor accounts and software may contain backdoors that will allow unauthorized access to the system. These backdoors are common knowledge and present a threat to system security if the account... |
V-40473 | Medium | The /etc/pam.conf file must be owned by root. | The /etc/pam.conf file is the system configuration file for the Pluggable Authentication Module (PAM) architecture. It supports per user authentication, account, session, and password management. If... |
V-40454 | Medium | The /var/adm/userdb/USERDB.DISABLED file must not have an extended ACL. | Unless the userdb is required, the /var/adm/userdb/USERDB.DISABLED file must be created to disable the use of per-user security attributes in the user database. Attributes in the user database... |
V-40470 | Medium | The /etc/security.dsc file must not have an extended ACL. | The /etc/security.dsc file is the system description file that contains all attributes and default values that are configurable on a per user basis in /var/adm/userdb. If the description file is... |
V-22298 | Low | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. | Limiting simultaneous user logins can insulate the system from Denial of Service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an... |
V-899 | Low | All interactive users must be assigned a home directory in the /etc/passwd file. | If users do not have a valid home directory, there is no place for the storage and control of files they own. |
V-900 | Low | All interactive user home directories defined in the /etc/passwd file must exist. | If a user has a home directory defined that does not exist, the user may be given the / directory, by default, as the current working directory upon logon. This could create a Denial of Service... |
V-22370 | Low | System audit tool executables must be owned by root. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. |
V-22371 | Low | System audit tool executables must be group-owned by root, bin, sys, or other. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. |
V-22372 | Low | System audit tool executables must have mode 0750 or less permissive. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. |
V-22373 | Low | System audit tool executables must not have extended ACLs. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. |
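Several of the findings above (V-770 blank passwords, V-761/V-762 duplicate names and UIDs, V-22347 hashes left in /etc/passwd, and the owner/group/mode rules for /etc/shadow and the audit logs in V-797, V-22339, V-800, V-812 and V-813) reduce to the same handful of file checks. The script below is an added example, not part of the STIG or any vendor tooling: it takes the passwd/shadow paths as arguments and audits them with only POSIX sh, ls(1), awk(1), cut(1) and sort(1), so it runs unchanged on HP-UX 11.31 and on Linux. The sample passwd/shadow entries it generates are constructed for illustration, the placeholder conventions it assumes for field 2 ("x", "*", "!", "!!") are stated in the comments, and the mode check deliberately ignores setuid/setgid/sticky bits.

```shell
#!/bin/sh
# Added example (not from the STIG): audit helpers for V-770, V-761, V-762,
# V-22347 and the owner/group/mode rules (V-797, V-22339, V-800, V-812, V-813).
# Only POSIX sh, ls, awk, cut and sort are used, so it works on HP-UX 11.31 too.

# --- account database checks -------------------------------------------------

# V-770: entries whose password field (field 2) is empty in a passwd or shadow file.
blank_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# V-22347: /etc/passwd entries still carrying a hash. Assumed placeholders:
# "x" (shadow), "*" (trusted mode), "!" and "!!" (locked). Anything else
# that is non-empty in field 2 is reported as a hash.
passwd_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$1"
}

# V-761 / V-762: values of field FIELDNO (1 = name, 3 = UID) used by more than one entry.
duplicate_field() {  # duplicate_field PASSWD FIELDNO
    awk -F: -v f="$2" '{ n[$f]++ } END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# --- ownership and mode checks -----------------------------------------------

# Octal digit string -> decimal (640 -> 416); avoids octal literals inside $(( )).
oct2dec() {
    n=0; s=$1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        n=$(( n * 8 + c ))
    done
    echo "$n"
}

# ls(1) mode string (-rw-r-----) -> decimal value of the nine rwx bits (416 == 0640).
# setuid/setgid/sticky are NOT checked: s/t count only as "x set", S/T as clear.
perm_value() {
    v=0; s=${1#?}                       # drop the file-type character
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        case $c in
            r|w|x|s|t) v=$(( v * 2 + 1 )) ;;
            *)         v=$(( v * 2 )) ;;
        esac
    done
    echo "$v"
}

# check_file FILE MAXMODE OWNER "GROUP1 GROUP2 ..."
# PASS when FILE has no permission bit outside MAXMODE, is owned by OWNER and
# group-owned by one of the listed groups; otherwise prints each FAIL, returns 1.
check_file() {
    f=$1; maxmode=$2; want_owner=$3; want_groups=$4
    out=$(ls -ld "$f" 2>/dev/null) || { echo "FAIL $f: cannot list"; return 2; }
    set -- $out
    mode=$(printf '%s' "$1" | cut -c1-10); owner=$3; group=$4; rc=0
    actual=$(perm_value "$mode"); allowed=$(oct2dec "$maxmode")
    if [ $(( actual & ~allowed )) -ne 0 ]; then
        printf 'FAIL %s mode %o exceeds %s\n' "$f" "$actual" "$maxmode"; rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $f owner $owner, want $want_owner"; rc=1
    fi
    case " $want_groups " in
        *" $group "*) ;;
        *) echo "FAIL $f group $group, want one of: $want_groups"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "PASS $f"
    return "$rc"
}

# --- constructed sample data (not real system files) -------------------------
# A clean account, a blank password in each file, a hash left in passwd,
# a shared UID (101) and a duplicated name (alice).
make_sample() {  # make_sample DIR -> writes DIR/passwd and DIR/shadow
    cat > "$1/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
alice:x:101:20::/home/alice:/usr/bin/sh
bob:$6$xyz$notarealhash:102:20::/home/bob:/usr/bin/sh
carol:x:101:20::/home/carol:/usr/bin/sh
alice:x:103:20::/home/alice2:/usr/bin/sh
guest::104:20::/home/guest:/usr/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$abc$notarealhash:19000::::::
alice:$6$def$notarealhash:19000::::::
bob:$6$xyz$notarealhash:19000::::::
carol::19000::::::
EOF
    chmod 0644 "$1/passwd"; chmod 0640 "$1/shadow"
}

# Demo against the sample; point these at /etc/passwd, /etc/shadow and the
# audit log files to audit a real host.
demo=${TMPDIR:-/tmp}/stig-demo.$$
mkdir -p "$demo" && make_sample "$demo"
echo "V-770 blank passwords:"; blank_passwords "$demo/passwd"; blank_passwords "$demo/shadow"
echo "V-22347 hashes in passwd:"; passwd_hashes "$demo/passwd"
echo "V-761 duplicate names:";  duplicate_field "$demo/passwd" 1
echo "V-762 duplicate UIDs:";   duplicate_field "$demo/passwd" 3
echo "V-800/V-797/V-22339 on the sample shadow (0640 here, so the 0400 rule fails):"
check_file "$demo/shadow" 400 root "root bin sys other" || :
rm -rf "$demo"
```

The extended-ACL findings (V-22340, V-22369, V-40450 and the rest) are not covered here: ls(1) only hints at an ACL with a trailing "+", so on HP-UX those need getacl(1) (JFS) or lsacl(1) (HFS) run against each file, and the audit-tool rules (V-22370 to V-22373) are the same check_file call with mode 750 and owner root.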