HP-UX SMSE Security Technical Implementation Guide


Overview

Date: 2014-02-28
Finding Count (70): CAT I (High): 1, CAT II (Med): 62, CAT III (Low): 7
STIG Description
The HP-UX Standard Mode with Security Extensions (SMSE) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. It is a subset of the full HP-UX 11.31 STIG, updated to address SMSE capabilities. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-770 High The system must not have accounts configured with blank or null passwords.
V-40446 Medium The ability to boot the system into single user mode must be restricted to root.
V-22339 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys or other.
V-4084 Medium The system must prohibit the reuse of passwords within five iterations.
V-960 Medium The system must be configured to operate in a security mode.
V-941 Medium The system's access control program must log each system's access attempt.
V-40350 Medium userdb database must not be used to override the system-wide variables in the security file, unless required.
V-22702 Medium System audit logs must be group-owned by root, bin, sys, or other.
V-40452 Medium The /var/adm/userdb/USERDB.DISABLED file must be group-owned by sys.
V-4290 Medium The HP-UX AUDOMON_ARGS attribute must be explicitly initialized.
V-40447 Medium The /var/adm/userdb directory must be owned by root.
V-762 Medium All accounts must be assigned unique User Identification Numbers (UIDs).
V-40445 Medium The system must impose the same restrictions on root logins that are already applied to non-root users.
V-22347 Medium The /etc/passwd file must not contain password hashes.
V-4298 Medium Remote consoles must be disabled or protected from unauthorized access.
V-11947 Medium The system must require that passwords contain a minimum of 14 characters.
V-40448 Medium The /var/adm/userdb directory must be group-owned by sys.
V-40449 Medium The /var/adm/userdb directory must have mode 0700 or less permissive.
V-40482 Medium The /etc/pam.conf file must not have an extended ACL.
V-40483 Medium The per user PAM configuration file (/etc/pam_user.conf) must not be used to override the system-wide PAM configuration file (/etc/pam.conf) unless it is required.
V-40468 Medium The /etc/security.dsc file must have mode 0444 or less permissive.
V-768 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-40484 Medium The /etc/pam_user.conf file must be owned by root.
V-1032 Medium Users must not be able to change passwords more than once every 24 hours.
V-40486 Medium The /etc/pam_user.conf file must have mode 0444 or less permissive.
V-22369 Medium All system audit files must not have extended ACLs.
V-766 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-813 Medium System audit logs must have mode 0640 or less permissive.
V-812 Medium System audit logs must be owned by root.
V-40487 Medium /etc/pam_user.conf file must not have an extended ACL.
V-11979 Medium The root account must not be used for direct logins.
V-11973 Medium The system must require passwords contain at least one special character.
V-778 Medium The system must prevent the root account from directly logging in except from the system console.
V-797 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-22303 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
V-22302 Medium The system must enforce the correctness of the entire password during authentication.
V-22305 Medium The system must require passwords contain at least one lowercase alphabetic character.
V-22304 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-11980 Medium The system must log successful and unsuccessful access to the root account.
V-11972 Medium The system must require passwords contain at least one numeric character.
V-800 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-11976 Medium User passwords must be changed at least every 60 days.
V-40476 Medium The /etc/pam.conf file must be group-owned by sys.
V-40355 Medium The system must disable accounts after three consecutive unsuccessful SSH login attempts.
V-40492 Medium During a password change, the system must determine if password aging attributes are inherited from the /etc/default/security file attributes when no password aging is specified in the shadow file for local users.
V-918 Medium Accounts must be locked upon 35 days of inactivity.
V-11948 Medium The system must require passwords contain at least one uppercase alphabetic character.
V-756 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-40467 Medium The /etc/security.dsc file must be group-owned by sys.
V-40494 Medium The system and user default umask must be 0077 for all sessions initiated via PAM.
V-761 Medium All accounts on the system must have unique user or account names.
V-40466 Medium The /etc/security.dsc file must be owned by root.
V-40485 Medium The /etc/pam_user.conf file must be group-owned by sys.
V-22340 Medium The /etc/shadow file must not have an extended ACL.
V-40493 Medium The system must display the date and time of the last successful account login upon login by means other than SSH.
V-40478 Medium The /etc/pam.conf file must have mode 0444 or less permissive.
V-40451 Medium The /var/adm/userdb/USERDB.DISABLED file must be owned by root.
V-40450 Medium The /var/adm/userdb directory must not have an extended ACL.
V-40453 Medium The /var/adm/userdb/USERDB.DISABLED file must have mode 0444 or less permissive.
V-810 Medium Default system accounts must be disabled or removed.
V-40473 Medium The /etc/pam.conf file must be owned by root.
V-40454 Medium The /var/adm/userdb/USERDB.DISABLED file must not have an extended ACL.
V-40470 Medium The /etc/security.dsc file must not have an extended ACL.
V-22298 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-899 Low All interactive users must be assigned a home directory in the /etc/passwd file.
V-900 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-22370 Low System audit tool executables must be owned by root.
V-22371 Low System audit tool executables must be group-owned by root, bin, sys, or other.
V-22372 Low System audit tool executables must have mode 0750 or less permissive.
V-22373 Low System audit tool executables must not have extended ACLs.