
Solaris 10 SPARC Security Technical Implementation Guide


Overview

Date: 2020-09-04
Finding Count: 505 (CAT I (High): 26, CAT II (Med): 414, CAT III (Low): 65)
STIG Description
The Solaris 10 (SPARC) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-226929 High Administrative accounts must not run a web browser, except as needed for local service administration.
V-226456 High The system must not have accounts configured with blank or null passwords.
V-226563 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-220039 High The rsh daemon must not be running.
V-226482 High Root passwords must never be passed over a network in clear text form.
V-226960 High Any active TFTP daemon must be authorized and approved in the system accreditation package.
V-226964 High X displays must not be exported to the world.
V-227041 High The system must not use UDP for NIS/NIS+.
V-220069 High The system must not use removable media as the boot loader.
V-226933 High Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-226921 High The telnet daemon must not be running.
V-220050 High The Sendmail server must have the debug feature disabled.
V-220051 High The SMTP service must not have a uudecode alias active.
V-220055 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-226430 High The operating system must be a supported release.
V-226570 High All shell files must have mode 0755 or less permissive.
V-226541 High Run control scripts must not execute world-writable programs or scripts.
V-220049 High The SMTP service must be an up-to-date version.
V-226919 High The rexec daemon must not be running.
V-226969 High SNMP communities, users, and passphrases must be changed from the default.
V-226959 High The TFTP daemon must have mode 0755 or less permissive.
V-226958 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-226955 High Anonymous FTP accounts must not have a functional shell.
V-226422 High The root account must be the only account with GID of 0.
V-227075 High If the system boots from removable media, it must be stored in a safe or similarly secured container.
V-227073 High The system must be configured to only boot from the system boot device.
V-226926 Medium The traceroute command must be group-owned by sys, bin, or root.
V-226927 Medium The traceroute file must have mode 0700 or less permissive.
V-226924 Medium The hosts.lpd (or equivalent) file must not have an extended ACL.
V-226925 Medium The traceroute command owner must be root.
V-226923 Medium The hosts.lpd file (or equivalent) must not contain a "+" character.
V-226519 Medium The /etc/group file must be group-owned by root, bin, or sys.
V-226518 Medium The /etc/group file must be owned by root.
V-226517 Medium The /etc/passwd file must not have an extended ACL.
V-226516 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-226515 Medium The /etc/passwd file must be group-owned by root, bin, or sys.
V-226514 Medium The /etc/passwd file must be owned by root.
V-226513 Medium The /etc/nsswitch.conf file must not have an extended ACL.
V-226512 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-226511 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
V-226457 Medium The system must require passwords contain a minimum of 15 characters.
V-226454 Medium The root user must not own the logon session for an application requiring a continuous display.
V-226455 Medium Users must not be able to change passwords more than once every 24 hours.
V-226450 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-226451 Medium Successful and unsuccessful logins and logouts must be logged.
V-226458 Medium The system must enforce compliance of the entire password during authentication.
V-226459 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
V-226632 Medium The cron.allow file must be owned by root, bin, or sys.
V-226633 Medium The at.allow file must not have an extended ACL.
V-226630 Medium The cron.deny file must not have an extended ACL.
V-226634 Medium The cron.allow file must be group-owned by root, bin, or sys.
V-226635 Medium The at.deny file must have mode 0600 or less permissive.
V-226562 Medium All .rhosts, .shosts, or hosts.equiv files must only contain trusted host-user pairs.
V-220038 Medium The portmap or rpcbind service must not be running unless needed.
V-226920 Medium The rexecd service must not be installed.
V-226579 Medium The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
V-220032 Medium All global initialization files must be owned by root.
V-220033 Medium All global initialization files must be group-owned by root, sys, or bin.
V-220030 Medium All interactive users' home directories must be group-owned by the home directory owner's primary group.
V-220031 Medium All global initialization files must have mode 0644 or less permissive.
V-220036 Medium Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
V-220037 Medium The system must not be configured for network bridging.
V-220035 Medium Local initialization files must be group-owned by the user's primary group or root.
V-226483 Medium The system must not permit root logins using remote access programs such as SSH.
V-226962 Medium All .Xauthority files must have mode 0600 or less permissive.
V-226963 Medium The .Xauthority files must not have extended ACLs.
V-226961 Medium Any X Windows host must write .Xauthority files.
V-226966 Medium The .Xauthority utility must only permit access to authorized hosts.
V-226928 Medium The traceroute file must not have an extended ACL.
V-226965 Medium .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
V-226968 Medium The system must not have the UUCP service active.
V-226510 Medium The /etc/nsswitch.conf file must be owned by root.
V-226412 Medium If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv.
V-226413 Medium The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct.
V-226410 Medium The /etc/security/audit_user file must not have an extended ACL.
V-226411 Medium The /usr/aset/masters/uid_aliases must be empty.
V-226416 Medium The /usr/aset/userlist file must be group-owned by root.
V-226417 Medium The /usr/aset/userlist file must have mode 0600 or less permissive.
V-226414 Medium The /usr/aset/userlist file must exist.
V-226415 Medium The /usr/aset/userlist file must be owned by root.
V-226425 Medium The /etc/zones directory, and its contents, must not be group- or world-writable.
V-226418 Medium The /usr/aset/userlist file must not have an extended ACL.
V-226419 Medium The Solaris system EEPROM security-mode parameter must be set to full or command mode.
V-226950 Medium The ftpusers file must be owned by root.
V-226429 Medium The physical devices must not be assigned to non-global zones.
V-226428 Medium The limitpriv zone option must be set to the vendor default or less permissive.
V-226566 Medium The /etc/shells (or equivalent) file must exist.
V-226567 Medium All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
V-226564 Medium All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
V-226565 Medium The .rhosts file must not be supported in PAM.
V-226489 Medium All system command files must have mode 755 or less permissive.
V-226488 Medium All network services daemon files must not have extended ACLs.
V-226560 Medium The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
V-226561 Medium There must be no .netrc files on the system.
V-226485 Medium All files and directories must have a valid owner.
V-226484 Medium System files and directories must not have uneven access permissions.
V-226487 Medium All network services daemon files must have mode 0755 or less permissive.
V-226486 Medium All files and directories must have a valid group-owner.
V-226480 Medium The system must log successful and unsuccessful access to the root account.
V-226568 Medium All shell files must be owned by root or bin.
V-226569 Medium All shell files must be group-owned by root, bin, or sys.
V-226424 Medium The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
V-226867 Medium The "at" directory must not have an extended ACL.
V-226866 Medium The "at" directory must have mode 0755 or less permissive.
V-226865 Medium The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
V-226864 Medium The "at" daemon must not execute group-writable or world-writable programs.
V-226863 Medium The at.allow file must have mode 0600 or less permissive.
V-226862 Medium Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
V-226988 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-226989 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-226861 Medium The at.deny file must not be empty if it exists.
V-226980 Medium The /etc/syslog.conf file must be owned by root.
V-226981 Medium The /etc/syslog.conf file must be group-owned by root, bin, or sys.
V-226982 Medium The system must use a remote syslog server (log host).
V-226983 Medium The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
V-226984 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-226985 Medium The SSH daemon must only listen on management network addresses unless authorized for uses other than management.
V-226986 Medium The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-226987 Medium The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
V-227042 Medium The Network Information System (NIS) protocol must not be used.
V-227043 Medium NIS maps must be protected through hard-to-guess domain names.
V-227040 Medium The files in /etc/news must be group-owned by root.
V-227044 Medium Any NIS+ server must be operating at security level 2.
V-227048 Medium The system's access control program must log each system access attempt.
V-227049 Medium The system must use a virus scan program.
V-226956 Medium The anonymous FTP account must be configured to use chroot or a similarly isolated environment.
V-220061 Medium The system must have a host-based intrusion detection tool installed.
V-220060 Medium The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
V-220063 Medium The system package management tool must be used to verify system software periodically.
V-220062 Medium The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
V-220065 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-220064 Medium The system must use an access control program.
V-220067 Medium The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
V-220066 Medium Wireless network adapters must be disabled.
V-220068 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
V-226939 Medium The SMTP service log file must have mode 0644 or less permissive.
V-226938 Medium The SMTP service log file must be owned by root.
V-226931 Medium The alias file must have mode 0644 or less permissive.
V-226930 Medium The alias file must be owned by root.
V-226932 Medium The alias file must not have an extended ACL.
V-226935 Medium Files executed through a mail aliases file must not have extended ACLs.
V-226934 Medium Files executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys.
V-226937 Medium The system syslog service must log informational and more severe SMTP service messages.
V-226522 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-226523 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
V-226520 Medium The /etc/group file must have mode 0644 or less permissive.
V-226521 Medium The /etc/group file must not have an extended ACL.
V-226524 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-226525 Medium The /etc/shadow file must not have an extended ACL.
V-226441 Medium The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
V-226440 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-226443 Medium All accounts on the system must have unique user or account names.
V-226442 Medium The system must not have unnecessary accounts.
V-226445 Medium UIDs reserved for system accounts must not be assigned to non-system accounts.
V-226444 Medium All accounts must be assigned unique User Identification Numbers (UIDs).
V-226446 Medium GIDs reserved for system accounts must not be assigned to non-system groups.
V-226551 Medium Global initialization files' library search paths must contain only authorized paths.
V-226592 Medium System audit logs must have mode 0640 or less permissive.
V-226629 Medium The cron.deny file must have mode 0600 or less permissive.
V-226628 Medium The cron log files must not have extended ACLs.
V-226625 Medium Cron and crontab directories must be group-owned by root, sys, or bin.
V-226624 Medium Cron and crontab directories must be owned by root or bin.
V-226627 Medium The cronlog file must have mode 0600 or less permissive.
V-226626 Medium Cron logging must be implemented.
V-226621 Medium Crontab files must not have extended ACLs.
V-226620 Medium Crontab files must have mode 0600 or less permissive.
V-226623 Medium Cron and crontab directories must not have extended ACLs.
V-226622 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-226439 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
V-226992 Medium The SSH daemon must restrict login ability to specific users and/or groups.
V-227000 Medium The SSH daemon must be configured for IP filtering.
V-226498 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-226881 Medium Kernel core dumps must be disabled unless needed.
V-220029 Medium All interactive users' home directories must be owned by their respective users.
V-220028 Medium Library files must have mode 0755 or less permissive.
V-226552 Medium Global initialization files' lists of preloaded libraries must contain only authorized paths.
V-220025 Medium The root account must be the only account having a UID of 0.
V-220024 Medium Accounts must be locked upon 35 days of inactivity.
V-220026 Medium The root account must not have world-writable directories in its executable search path.
V-220021 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-220020 Medium Direct logins must not be permitted to shared, default, application, or utility accounts.
V-220023 Medium Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment.
V-220022 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-226499 Medium NIS/NIS+/yp files must be group-owned by root, sys, or bin.
V-226557 Medium Local initialization files' library search paths must contain only authorized paths.
V-226556 Medium All local initialization files' executable search paths must contain only authorized paths.
V-226887 Medium The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
V-226886 Medium The system must implement non-executable program stacks.
V-226975 Medium The snmpd.conf file must be group-owned by root, sys, or bin.
V-226974 Medium The snmpd.conf files must be owned by root.
V-226977 Medium If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
V-226976 Medium The snmpd.conf file must not have an extended ACL.
V-226973 Medium Management Information Base (MIB) files must not have extended ACLs.
V-226972 Medium Management Information Base (MIB) files must have mode 0640 or less permissive.
V-227011 Medium All NFS exported system files and system directories must be group-owned by root, bin, or sys.
V-227013 Medium The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not be set to none.
V-226979 Medium The /etc/syslog.conf file must not have an extended ACL.
V-226871 Medium The at.allow file must be owned by root, bin, or sys.
V-227017 Medium The system must not run Samba unless needed.
V-227016 Medium The system must not have any peer-to-peer file-sharing application installed.
V-226405 Medium The nosuid option must be configured in the /etc/rmmount.conf file.
V-226407 Medium The /etc/security/audit_user file must be owned by root.
V-226406 Medium The /etc/security/audit_user file must not define a different auditing level for specific users.
V-226409 Medium The /etc/security/audit_user file must have mode 0640 or less permissive.
V-226408 Medium The /etc/security/audit_user file must be group-owned by root, sys, or bin.
V-220058 Medium The NFS server must be configured to restrict file system access to local hosts.
V-220059 Medium The system must not have a public Instant Messaging (IM) client installed.
V-226494 Medium System log files must not have extended ACLs, except as needed to support authorized software.
V-220052 Medium The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
V-220053 Medium The system must not be used as a syslog server (log host) for systems external to the enclave.
V-220054 Medium The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
V-220056 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-220057 Medium The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
V-226585 Medium All public directories must be owned by root or an application account.
V-226586 Medium All public directories must be group-owned by root or an application group.
V-226587 Medium The system and user default umask must be 077.
V-226580 Medium The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files.
V-226581 Medium The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures.
V-226582 Medium The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files.
V-226583 Medium Public directories must be the only world-writable directories and world-writable files must be located only in public directories.
V-226588 Medium Default system accounts must be disabled or removed.
V-226589 Medium Auditing must be implemented.
V-227001 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-226903 Medium The root file system must employ journaling or another mechanism ensuring file system consistency.
V-226905 Medium The system must log authentication informational data.
V-226906 Medium Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
V-226907 Medium The inetd.conf file must be owned by root or bin.
V-226908 Medium The inetd.conf file must be group-owned by root, bin, or sys.
V-226909 Medium The inetd.conf file must have mode 0440 or less permissive.
V-226573 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-226575 Medium Audio devices must have mode 0660 or less permissive.
V-226574 Medium Device files used for backup must only be readable and/or writable by root or the backup user.
V-226577 Medium Audio devices must be owned by root.
V-226576 Medium Audio devices must not have extended ACLs.
V-226472 Medium The root account's home directory (other than /) must have mode 0700.
V-226473 Medium The root account's home directory must not have an extended ACL.
V-226474 Medium The root account's executable search path must contain only authorized paths.
V-226475 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-226476 Medium The root account's list of preloaded libraries must be empty.
V-226477 Medium The system must prevent the root account from directly logging in except from the system console.
V-226478 Medium Remote consoles must be disabled or protected from unauthorized access.
V-226479 Medium The root account must not be used for direct logins.
V-226535 Medium All files and directories contained in user home directories must not have extended ACLs.
V-227021 Medium The smb.conf file must not have an extended ACL.
V-226537 Medium All run control scripts must have no extended ACLs.
V-226492 Medium System files, programs, and directories must be group-owned by a system group.
V-226536 Medium All run control scripts must have mode 0755 or less permissive.
V-226438 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-227025 Medium The smbpasswd file must not have an extended ACL.
V-227019 Medium The smb.conf file must be group-owned by root, bin, or sys.
V-227026 Medium The smb.conf file must use the hosts option to restrict access to Samba.
V-227018 Medium The smb.conf file must be owned by root.
V-227027 Medium Samba must be configured to use an authentication mechanism other than "share".
V-226614 Medium The cron.allow file must not have an extended ACL.
V-227028 Medium Samba must be configured to use encrypted passwords.
V-226616 Medium Cron must not execute programs in, or subordinate to, world-writable directories.
V-226617 Medium Crontabs must be owned by root or the crontab creator.
V-226610 Medium Audit logs must be rotated daily.
V-226612 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-226613 Medium The cron.allow file must have mode 0600 or less permissive.
V-226993 Medium The SSH public host key files must have mode 0644 or less permissive.
V-226971 Medium The snmpd.conf file must have mode 0600 or less permissive.
V-226991 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-226990 Medium The SSH client must be configured to not use CBC-based ciphers.
V-226618 Medium Crontab files must be group-owned by root, sys, or the crontab creator's primary group.
V-226619 Medium Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
V-226970 Medium The SNMP service must use only SNMPv3 or its successors.
V-226539 Medium Run control scripts' lists of preloaded libraries must contain only authorized paths.
V-226490 Medium All system command files must not have extended ACLs.
V-226538 Medium Run control scripts' executable search paths must contain only authorized paths.
V-226874 Medium The at.deny file must be group-owned by root, bin, or sys.
V-227010 Medium All NFS-exported system files and system directories must be owned by root.
V-227012 Medium The NFS anonymous UID and GID must be configured to values that have no permissions.
V-226870 Medium "At" jobs must not set the umask to a value less restrictive than 077.
V-227014 Medium The NFS server must not allow remote root access.
V-226872 Medium The at.allow file must be group-owned by root, bin, or sys.
V-226873 Medium The at.deny file must be owned by root, bin, or sys.
V-227055 Medium The system must ignore IPv6 ICMP redirect messages.
V-227054 Medium The DHCP client must be disabled if not needed.
V-227057 Medium The system must not forward IPv6 source-routed packets.
V-227056 Medium The system must not send IPv6 ICMP redirects.
V-227051 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled or not installed.
V-227050 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-227053 Medium The system must not have IP tunnels configured.
V-227052 Medium The system must not have 6to4 enabled.
V-227059 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
V-227058 Medium The system must not respond to ICMPv6 echo requests sent to a broadcast address.
V-220017 Medium The ASET master files must be located in the /usr/aset/masters directory.
V-220018 Medium The asetenv file YPCHECK variable must be set to true when NIS+ is configured.
V-220019 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-226948 Medium The ftpusers file must exist.
V-226949 Medium The ftpusers file must contain account names not allowed to use FTP.
V-226944 Medium Mail relaying must be restricted.
V-226945 Medium Unencrypted FTP must not be used on the system.
V-226946 Medium Anonymous FTP must not be active on the system unless authorized.
V-226947 Medium If the system is an anonymous FTP server, it must be isolated to the DMZ network.
V-226940 Medium The SMTP service log file must not have an extended ACL.
V-227020 Medium The smb.conf file must have mode 0644 or less permissive.
V-227022 Medium The smbpasswd file must be owned by root.
V-227023 Medium The smbpasswd file must be group-owned by root.
V-227024 Medium The smbpasswd file must have mode 0600 or less permissive.
V-226530 Medium All users' home directories must have mode 0750 or less permissive.
V-226533 Medium All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
V-226434 Medium The system clock must be synchronized to an authoritative DoD time source.
V-226435 Medium The system clock must be synchronized continuously.
V-226436 Medium The system must use at least two time sources for clock synchronization.
V-226431 Medium System security patches and updates must be installed and up-to-date.
V-226432 Medium A file integrity baseline must be created and maintained.
V-226433 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
V-226540 Medium Run control scripts' lists of preloaded libraries must contain only authorized paths.
V-226542 Medium All system start-up files must be owned by root.
V-226543 Medium All system start-up files must be group-owned by root, sys, or bin.
V-226544 Medium System start-up files must only execute programs owned by a privileged UID or an application.
V-226545 Medium All global initialization files must not have extended ACLs.
V-226898 Medium The system must not send IPv4 ICMP redirects.
V-226547 Medium Skeleton files must not have extended ACLs.
V-226548 Medium All skeleton files and directories (typically in /etc/skel) must be owned by root.
V-226897 Medium The system must ignore IPv4 ICMP redirect messages.
V-226894 Medium The system must prevent local applications from generating source-routed packets.
V-226895 Medium The system must not accept source-routed IPv4 packets.
V-226892 Medium The system must not respond to ICMP timestamp requests sent to a broadcast address.
V-226893 Medium The system must not apply reversed source routing to TCP responses.
V-226891 Medium The system must not respond to ICMPv4 echoes sent to a broadcast address.
V-226491 Medium All system files, programs, and directories must be owned by a system account.
V-226917 Medium The rshd service must not be installed.
V-226916 Medium The portmap or rpcbind service must not be installed unless needed.
V-227029 Medium Samba must be configured to not allow guest access to shares.
V-226869 Medium The "at" directory must be group-owned by root, bin, or sys.
V-226868 Medium The "at" directory must be owned by root, bin, or sys.
V-227064 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
V-227065 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, or sys.
V-227066 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
V-227060 Medium If the system is using LDAP for authentication or account information, the LDAP client configuration file must have mode 0600 or less permissive.
V-227061 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
V-227062 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
V-226860 Medium Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
V-220048 Medium The system must not use .forward files.
V-220043 Medium The hosts.lpd (or equivalent) file must be group-owned by root, bin, or sys.
V-220041 Medium Network analysis tools must not be installed.
V-220040 Medium The rlogind service must not be running.
V-220046 Medium The SMTP service HELP command must not be enabled.
V-220045 Medium The aliases file must be group-owned by root, sys, smmsp, or bin.
V-226593 Medium All system audit files must not have extended ACLs.
V-226546 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-226978 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-226599 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-226896 Medium Proxy ARP must not be enabled on the system.
V-227063 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
V-226549 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
V-226913 Medium The services file must have mode 0444 or less permissive.
V-226912 Medium The services file must be group-owned by root, bin, or sys.
V-226911 Medium The services file must be owned by root or bin.
V-226910 Medium The inetd.conf file must not have extended ACLs.
V-226508 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-226509 Medium The /etc/hosts file must not have an extended ACL.
V-226914 Medium The services file must not have an extended ACL.
V-226504 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-226505 Medium The /etc/resolv.conf file must not have an extended ACL.
V-226507 Medium The /etc/hosts file must be group-owned by root, bin, or sys.
V-226500 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-226501 Medium NIS/NIS+/yp command files must not have extended ACLs.
V-226502 Medium The /etc/resolv.conf file must be owned by root.
V-226503 Medium The /etc/resolv.conf file must be group-owned by root, bin, or sys.
V-226463 Medium The system must require passwords to contain at least one special character.
V-226571 Medium All shell files must not have extended ACLs.
V-226461 Medium The system must require passwords to contain at least one uppercase alphabetic character.
V-226460 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-226467 Medium The system must require at least eight characters be changed between the old and new passwords during a password change.
V-226466 Medium All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
V-226465 Medium User passwords must be changed at least every 60 days.
V-226464 Medium The system must require passwords to contain no more than three consecutive repeating characters.
V-226469 Medium The system must prohibit the reuse of passwords within five iterations.
V-226468 Medium The system must prevent the use of dictionary words for passwords.
V-226918 Medium The rlogind service must not be installed.
V-226578 Medium Audio devices must be group-owned by root, sys, or bin.
V-226607 Medium The audit system must be configured to audit login, logout, and session initiation.
V-226606 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-226601 Medium The audit system must be configured to audit file deletions.
V-226600 Medium The audit system must alert the SA when the audit storage volume approaches its capacity.
V-226609 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-226608 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-226449 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-226448 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-226462 Medium The system must require passwords to contain at least one numeric character.
V-226506 Medium The /etc/hosts file must be owned by root.
V-226528 Medium The /etc/passwd file must not contain password hashes.
V-226967 Medium X Window System connections that are not required must be disabled.
V-226529 Medium The /etc/group file must not contain any group password hashes.
V-227006 Medium The NFS export configuration file must be owned by root.
V-227007 Medium The NFS export configuration file must be group-owned by root, bin, or sys.
V-227004 Medium A system used for routing must not run other network services or applications.
V-227005 Medium The system must not be running any routing protocol daemons, unless the system is a router.
V-226957 Medium All FTP users must have a default umask of 077.
V-227002 Medium The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
V-226953 Medium The ftpusers file must not have an extended ACL.
V-226952 Medium The ftpusers file must have mode 0640 or less permissive.
V-226951 Medium The ftpusers file must be group-owned by root, bin, or sys.
V-227003 Medium The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
V-227033 Medium The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
V-227032 Medium The /etc/news/hosts.nntp file must not have an extended ACL.
V-227031 Medium The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
V-227030 Medium The system must not run an Internet Network News (INN) server.
V-227037 Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
V-227036 Medium The /etc/news/nnrp.access file must not have an extended ACL.
V-227035 Medium The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
V-227034 Medium The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
V-226427 Medium The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.
V-226426 Medium The /etc/zones directory, and its contents, must not have an extended ACL.
V-227039 Medium Files in /etc/news must be owned by root.
V-227038 Medium The /etc/news/passwd.nntp file must not have an extended ACL.
V-226423 Medium The /etc/zones directory, and its contents, must be owned by root.
V-226421 Medium Hidden extended file attributes must not exist on the system.
V-226420 Medium The NFS server must have logging implemented.
V-226858 Medium The cron.deny file must be owned by root, bin, or sys.
V-226859 Medium The cron.deny file must be group-owned by root, bin, or sys.
V-226553 Medium All local initialization files must be owned by the user or root.
V-226550 Medium All global initialization files' executable search paths must contain only authorized paths.
V-226555 Medium Local initialization files must not have extended ACLs.
V-226554 Medium All local initialization files must have mode 0740 or less permissive.
V-226889 Medium TCP backlog queue sizes must be set appropriately.
V-226493 Medium System log files must have mode 0640 or less permissive.
V-226559 Medium User start-up files must not execute world-writable programs.
V-226558 Medium Local initialization files' lists of preloaded libraries must contain only authorized paths.
V-226497 Medium All library files must not have extended ACLs.
V-227080 Medium The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
V-226888 Medium The system must not forward IPv4 source-routed packets.
V-226615 Medium Cron must not execute group-writable or world-writable programs.
V-226591 Medium System audit logs must be group-owned by root, bin, or sys.
V-226999 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-226998 Medium The SSH daemon must not allow rhosts RSA authentication.
V-226590 Medium System audit logs must be owned by root.
V-226857 Medium The at.deny file must not have an extended ACL.
V-227079 Medium The hosts.lpd (or equivalent) file must be owned by root.
V-227078 Medium The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-227074 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
V-227072 Medium The system's local firewall must implement a deny-all, allow-by-exception policy.
V-227071 Medium The system must employ a local firewall.
V-227015 Medium The nosuid option must be enabled on all NFS client mounts.
V-226997 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-226994 Medium The SSH private host key files must have mode 0600 or less permissive.
V-226922 Low The system must not have the finger service active.
V-226452 Low The system must display the date and time of the last successful account login upon login.
V-226453 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-226631 Low Cron programs must not set the umask to a value less restrictive than 077.
V-220034 Low Global initialization files must contain the mesg -n or mesg n commands.
V-227008 Low The NFS export configuration file must have mode 0644 or less permissive.
V-227009 Low The NFS exports configuration file must not have an extended ACL.
V-226481 Low The root shell must be located in the / file system.
V-226531 Low Users' home directories must not have extended ACLs.
V-227046 Low The file integrity tool must be configured to verify extended attributes.
V-227047 Low The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
V-227045 Low The file integrity tool must be configured to verify ACLs.
V-226936 Low Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-226526 Low All interactive users must be assigned a home directory in the /etc/passwd file.
V-226527 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-226447 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-226878 Low The centralized process core dump data directory must be group-owned by root, bin, or sys.
V-226879 Low The centralized process core dump data directory must have mode 0700 or less permissive.
V-226875 Low Process core dumps must be disabled unless needed.
V-226877 Low The centralized process core dump data directory must be owned by root.
V-226584 Low The sticky bit must be set on all public directories.
V-226900 Low A separate file system must be used for user home directories (such as /home or equivalent).
V-226902 Low The system must use a separate filesystem for /tmp (or equivalent).
V-226904 Low All local file systems must employ journaling or another mechanism ensuring file system consistency.
V-226572 Low The system must be checked for extraneous device files at least weekly.
V-226470 Low The system must restrict the ability to switch to the root user to members of a defined group.
V-226471 Low The root user's home directory must not be the root directory (/).
V-226611 Low The system must be configured to send audit records to a remote audit server.
V-226995 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-226876 Low The system must be configured to store any process core dumps in a specific, centralized directory.
V-226941 Low The SMTP service must not have the EXPN feature active.
V-226942 Low The SMTP service must not have the VRFY feature active.
V-226943 Low The Sendmail service must not have the wizard backdoor active.
V-226534 Low All files and directories contained in users' home directories must have mode 0750 or less permissive.
V-226532 Low All files and directories contained in interactive users' home directories must be owned by the home directory's owner.
V-226437 Low The system must use time sources local to the enclave.
V-226890 Low The system must not process ICMP timestamp requests.
V-227068 Low The system must have USB disabled unless needed.
V-227069 Low The system must have USB Mass Storage disabled unless needed.
V-227067 Low Automated file system mounting tools must not be enabled unless needed.
V-220047 Low The SMTP service's SMTP greeting must not provide version information.
V-226597 Low System audit tool executables must not have extended ACLs.
V-226596 Low System audit tool executables must have mode 0750 or less permissive.
V-226595 Low System audit tool executables must be group-owned by root, bin, or sys.
V-226594 Low System audit tool executables must be owned by root.
V-226901 Low The system must use a separate file system for the system audit data path.
V-226899 Low The system must log martian packets.
V-226598 Low The audit system must alert the SA in the event of an audit processing failure.
V-226915 Low Inetd or xinetd logging/tracing must be enabled.
V-226605 Low The audit system must be configured to audit account termination.
V-226604 Low The audit system must be configured to audit account disabling.
V-226603 Low The audit system must be configured to audit account modification.
V-226602 Low The audit system must be configured to audit account creation.
V-226882 Low The kernel core dump data directory must be owned by root.
V-226954 Low The FTP daemon must be configured for logging or verbose mode.
V-226880 Low The centralized process core dump data directory must not have an extended ACL.
V-226883 Low The kernel core dump data directory must be group-owned by root.
V-226885 Low The kernel core dump data directory must not have an extended ACL.
V-226884 Low The kernel core dump data directory must have mode 0700 or less permissive.
V-226496 Low All manual page files must not have extended ACLs.
V-226495 Low Manual page files must have mode 0655 or less permissive.
V-227077 Low The system package management tool must not automatically obtain updates.
V-227076 Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
V-227070 Low The system must have IEEE 1394 (Firewire) disabled unless needed.
V-226996 Low The SSH client must not permit GSSAPI authentication unless needed.