UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Solaris 10 X86 Security Technical Implementation Guide


Overview

Date Finding Count (513)
2020-12-04 CAT I (High): 28 CAT II (Med): 420 CAT III (Low): 65
STIG Description
This Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-227696 High All shell files must have mode 0755 or less permissive.
V-227608 High Root passwords must never be passed over a network in clear text form.
V-227824 High The rexec daemon must not be running.
V-227826 High The telnet daemon must not be running.
V-227948 High The system must not use UDP for NIS/NIS+.
V-220108 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-220104 High The SMTP service must not have a uudecode alias active.
V-220102 High The SMTP service must be an up-to-date version.
V-220103 High The Sendmail server must have the debug feature disabled.
V-227865 High The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
V-227866 High The TFTP daemon must have mode 0755 or less permissive.
V-227867 High Any active TFTP daemon must be authorized and approved in the system accreditation package.
V-227862 High Anonymous FTP accounts must not have a functional shell.
V-227548 High The root account must be the only account with GID of 0.
V-227582 High The system must not have accounts configured with blank or null passwords.
V-227836 High Administrative accounts must not run a web browser, except as needed for local service administration.
V-227876 High SNMP communities, users, and passphrases must be changed from the default.
V-227871 High X displays must not be exported to the world.
V-227689 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-227556 High The operating system must be a supported release.
V-220122 High The system must not use removable media as the boot loader.
V-220123 High For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
V-220124 High The system boot loader must require authentication.
V-227984 High If the system boots from removable media, it must be stored in a safe or similarly secured container.
V-227982 High The system must be configured to only boot from the system boot device.
V-227667 High Run control scripts must not execute world-writable programs or scripts.
V-220092 High The rsh daemon must not be running.
V-227840 High Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-227550 Medium The /etc/zones directory, and its contents, must be group-owned by root, sys, or bin.
V-227675 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys.
V-227674 Medium All skeleton files and directories (typically in /etc/skel) must be owned by root.
V-227677 Medium Global initialization files library search paths must contain only authorized paths.
V-227676 Medium All global initialization files executable search paths must contain only authorized paths.
V-227671 Medium All global initialization files must not have extended ACLs.
V-227670 Medium System start-up files must only execute programs owned by a privileged UID or an application.
V-227673 Medium Skeleton files must not have extended ACLs.
V-227672 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-227774 Medium The "at" directory must be group-owned by root, bin, or sys.
V-227775 Medium "At" jobs must not set the umask to a value less restrictive than 077.
V-227776 Medium The at.allow file must be owned by root, bin, or sys.
V-227777 Medium The at.allow file must be group-owned by root, bin, or sys.
V-227770 Medium The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
V-227771 Medium The "at" directory must have mode 0755 or less permissive.
V-227772 Medium The "at" directory must not have an extended ACL.
V-227773 Medium The "at" directory must be owned by root, bin, or sys.
V-227551 Medium The /etc/zones directory, and its contents, must not be group- or world-writable.
V-227914 Medium The NFS export configuration file must be group-owned by root, bin, or sys.
V-227699 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-227910 Medium The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
V-227911 Medium A system used for routing must not run other network services or applications.
V-227912 Medium The system must not be running any routing protocol daemons, unless the system is a router.
V-227913 Medium The NFS export configuration file must be owned by root.
V-227693 Medium All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
V-227692 Medium The /etc/shells (or equivalent) file must exist.
V-227691 Medium The .rhosts file must not be supported in PAM.
V-227690 Medium All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
V-227697 Medium All shell files must not have extended ACLs.
V-227695 Medium All shell files must be group-owned by root, bin, or sys.
V-227694 Medium All shell files must be owned by root or bin.
V-227590 Medium The system must require passwords to contain no more than three consecutive repeating characters.
V-227591 Medium User passwords must be changed at least every 60 days.
V-227592 Medium All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
V-227593 Medium The system must require at least eight characters be changed between the old and new passwords during a password change.
V-227594 Medium The system must prevent the use of dictionary words for passwords.
V-227595 Medium The system must prohibit the reuse of passwords within five iterations.
V-227598 Medium The root account's home directory (other than /) must have mode 0700.
V-227599 Medium The root account's home directory must not have an extended ACL.
V-227600 Medium The root accounts executable search path must contain only authorized paths.
V-227601 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-227602 Medium The root account's list of preloaded libraries must be empty.
V-227603 Medium The system must prevent the root account from directly logging in except from the system console.
V-227604 Medium Remote consoles must be disabled or protected from unauthorized access.
V-227605 Medium The root account must not be used for direct logins.
V-227606 Medium The system must log successful and unsuccessful access to the root account.
V-227609 Medium The system must not permit root logins using remote access programs such as SSH.
V-227828 Medium The hosts.lpd file (or equivalent) must not contain a "+" character.
V-227829 Medium The hosts.lpd (or equivalent) file must be owned by root.
V-227821 Medium The portmap or rpcbind service must not be installed unless needed.
V-227822 Medium The rshd service must not be installed.
V-227823 Medium The rlogind service must not be installed.
V-227825 Medium The rexecd service must not be installed.
V-220089 Medium Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
V-220088 Medium Local initialization files must be group-owned by the user's primary group or root.
V-220086 Medium All global initialization files must be group-owned by root, sys, or bin.
V-220085 Medium All global initialization files must be owned by root.
V-220084 Medium All global initialization files must have mode 0644 or less permissive.
V-220083 Medium All interactive user's home directories must be group-owned by the home directory owner's primary group.
V-220082 Medium All interactive user's home directories must be owned by their respective users.
V-220081 Medium Library files must have mode 0755 or less permissive.
V-227859 Medium The ftpusers file must have mode 0640 or less permissive.
V-227858 Medium The ftpusers file must be group-owned by root, bin, or sys.
V-227855 Medium The ftpusers file must exist.
V-227854 Medium If the system is an anonymous FTP server, it must be isolated to the DMZ network.
V-227857 Medium The ftpusers file must be owned by root.
V-227856 Medium The ftpusers file must contain account names not allowed to use FTP.
V-227851 Medium Mail relaying must be restricted.
V-227853 Medium Anonymous FTP must not be active on the system unless authorized.
V-227852 Medium Unencrypted FTP must not be used on the system.
V-227778 Medium The at.deny file must be owned by root, bin, or sys.
V-227779 Medium The at.deny file must be group-owned by root, bin, or sys.
V-227818 Medium The services file must have mode 0444 or less permissive.
V-227679 Medium All local initialization files must be owned by the user or root.
V-227949 Medium The Network Information System (NIS) protocol must not be used.
V-227678 Medium Global initialization files lists of preloaded libraries must contain only authorized paths.
V-227559 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
V-220109 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-220106 Medium The system must not be used as a syslog server (log host) for systems external to the enclave.
V-220107 Medium The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
V-220105 Medium The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
V-220101 Medium The system must not use .forward files.
V-227798 Medium The system must not apply reversed source routing to TCP responses.
V-227799 Medium The system must prevent local applications from generating source-routed packets.
V-227796 Medium The system must not respond to ICMPv4 echoes sent to a broadcast address.
V-227797 Medium The system must not respond to ICMP timestamp requests sent to a broadcast address.
V-227794 Medium TCP backlog queue sizes must be set appropriately.
V-227792 Medium The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
V-227793 Medium The system must not forward IPv4 source-routed packets.
V-227791 Medium The system must implement non-executable program stacks.
V-227648 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-227649 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys.
V-227644 Medium The /etc/group file must be owned by root.
V-227645 Medium The /etc/group file must be group-owned by root, bin, or sys.
V-227646 Medium The /etc/group file must have mode 0644 or less permissive.
V-227647 Medium The /etc/group file must not have an extended ACL.
V-227640 Medium The /etc/passwd file must be owned by root.
V-227641 Medium The /etc/passwd file must be group-owned by root, bin, or sys.
V-227642 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-227643 Medium The /etc/passwd file must not have an extended ACL.
V-227727 Medium The audit system must be configured to audit file deletions.
V-227726 Medium The audit system must alert the SA when the audit storage volume approaches its capacity.
V-227725 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-227864 Medium All FTP users must have a default umask of 077.
V-227860 Medium The ftpusers file must not have an extended ACL.
V-227863 Medium The anonymous FTP account must be configured to use chroot or a similarly isolated environment.
V-227943 Medium The /etc/news/nnrp.access file must not have an extended ACL.
V-227942 Medium The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
V-227941 Medium The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
V-227940 Medium The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
V-227868 Medium Any X Windows host must write .Xauthority files.
V-227869 Medium All .Xauthority files must have mode 0600 or less permissive.
V-227945 Medium The /etc/news/passwd.nntp file must not have an extended ACL.
V-227944 Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
V-227917 Medium All NFS-exported system files and system directories must be owned by root.
V-227899 Medium The SSH daemon must restrict login ability to specific users and/or groups.
V-227898 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-227891 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-227890 Medium The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
V-227893 Medium The operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
V-227892 Medium The SSH daemon must only listen on management network addresses unless authorized for uses other than management.
V-227895 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-227894 Medium The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
V-227897 Medium The SSH client must be configured to not use CBC-based ciphers.
V-227896 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-227547 Medium Hidden extended file attributes must not exist on the system.
V-227546 Medium The NFS server must have logging implemented.
V-227545 Medium The /usr/aset/userlist file must not have an extended ACL.
V-227544 Medium The /usr/aset/userlist file must have mode 0600 or less permissive.
V-227543 Medium The /usr/aset/userlist file must be group-owned by root.
V-227542 Medium The /usr/aset/userlist file must be owned by root.
V-227541 Medium The /usr/aset/userlist file must exist.
V-227540 Medium The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct.
V-227549 Medium The /etc/zones directory, and its contents, must be owned by root.
V-227918 Medium All NFS exported system files and system directories must be group-owned by root, bin, or sys.
V-227919 Medium The NFS anonymous UID and GID must be configured to values that have no permissions.
V-227681 Medium Local initialization files must not have extended ACLs.
V-227558 Medium A file integrity baseline must be created and maintained.
V-227769 Medium The "at" daemon must not execute group-writable or world-writable programs.
V-227768 Medium The at.allow file must have mode 0600 or less permissive.
V-227767 Medium Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
V-227766 Medium The at.deny file must not be empty if it exists.
V-227765 Medium Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
V-227764 Medium The cron.deny file must be group-owned by root, bin, or sys.
V-227763 Medium The cron.deny file must be owned by root, bin, or sys.
V-227762 Medium The at.deny file must not have an extended ACL.
V-227761 Medium The at.deny file must have mode 0600 or less permissive.
V-227760 Medium The cron.allow file must be group-owned by root, bin, or sys.
V-233305 Medium The sshd server must bind the X11 forwarding server to the loopback address.
V-227907 Medium The SSH daemon must be configured for IP filtering.
V-227906 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-227905 Medium The SSH daemon must not allow rhosts RSA authentication.
V-227904 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-227901 Medium The SSH private host key files must have mode 0600 or less permissive.
V-227900 Medium The SSH public host key files must have mode 0644 or less permissive.
V-227909 Medium The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
V-227908 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-227583 Medium The system must require passwords contain a minimum of 15 characters.
V-227581 Medium Users must not be able to change passwords more than once every 24 hours.
V-227580 Medium The root user must not own the logon session for an application requiring a continuous display.
V-227587 Medium The system must require passwords to contain at least one uppercase alphabetic character.
V-227586 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-227585 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
V-227584 Medium The system must enforce compliance of the entire password during authentication.
V-227589 Medium The system must require passwords to contain at least one special character.
V-227588 Medium The system must require passwords to contain at least one numeric character.
V-227613 Medium All network services daemon files must have mode 0755 or less permissive.
V-227612 Medium All files and directories must have a valid group-owner.
V-227611 Medium All files and directories must have a valid owner.
V-227610 Medium System files and directories must not have uneven access permissions.
V-227617 Medium All system files, programs, and directories must be owned by a system account.
V-227616 Medium All system command files must not have extended ACLs.
V-227615 Medium All system command files must have mode 755 or less permissive.
V-227614 Medium All network services daemon files must not have extended ACLs.
V-227619 Medium System log files must have mode 0640 or less permissive.
V-227618 Medium System files, programs, and directories must be group-owned by a system group.
V-227839 Medium The alias file must not have an extended ACL.
V-227838 Medium The alias file must have mode 0644 or less permissive.
V-227833 Medium The traceroute command must be group-owned by sys, bin, or root.
V-227832 Medium The traceroute command owner must be root.
V-227831 Medium The hosts.lpd (or equivalent) file must not have an extended ACL.
V-227830 Medium The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
V-227837 Medium The alias file must be owned by root.
V-227835 Medium The traceroute file must not have an extended ACL.
V-227834 Medium The traceroute file must have mode 0700 or less permissive.
V-227538 Medium The /usr/aset/masters/uid_aliases must be empty.
V-227539 Medium If the system is a firewall, ASET must be used on the system, and the firewall parameters must be set in /usr/aset/asetenv.
V-227536 Medium The /etc/security/audit_user file must have mode 0640 or less permissive.
V-227537 Medium The /etc/security/audit_user file must not have an extended ACL.
V-227534 Medium The /etc/security/audit_user file must be owned by root.
V-227535 Medium The /etc/security/audit_user file must be group-owned by root, sys, or bin.
V-227532 Medium The nosuid option must be configured in the /etc/rmmount.conf file.
V-227533 Medium The /etc/security/audit_user file must not define a different auditing level for specific users.
V-227709 Medium Public directories must be the only world-writable directories and world-writable files must be located only in public directories.
V-227708 Medium The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files.
V-220111 Medium The NFS server must be configured to restrict file system access to local hosts.
V-220110 Medium The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
V-220113 Medium The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
V-220112 Medium The system must not have a public Instant Messaging (IM) client installed.
V-220115 Medium The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
V-220117 Medium The system must use an access control program.
V-220116 Medium The system package management tool must be used to verify system software periodically.
V-220119 Medium Wireless network adapters must be disabled.
V-220118 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-227703 Medium Audio devices must be owned by root.
V-227786 Medium Kernel core dumps must be disabled unless needed.
V-227659 Medium All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
V-227656 Medium All users' home directories must have mode 0750 or less permissive.
V-227655 Medium The /etc/group file must not contain any group password hashes.
V-227654 Medium The /etc/passwd file must not contain password hashes.
V-227651 Medium The /etc/shadow file must not have an extended ACL.
V-227650 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-227716 Medium System audit logs must be owned by root.
V-227717 Medium System audit logs must be group-owned by root, bin, or sys.
V-227714 Medium Default system accounts must be disabled or removed.
V-227715 Medium Auditing must be implemented.
V-227712 Medium All public directories must be group-owned by root or an application group.
V-227713 Medium The system and user default umask must be 077.
V-227711 Medium All public directories must be owned by root or an application account.
V-227718 Medium System audit logs must have mode 0640 or less permissive.
V-227719 Medium All system audit files must not have extended ACLs.
V-227877 Medium The SNMP service must use only SNMPv3 or its successors.
V-227875 Medium The system must not have the UUCP service active.
V-227874 Medium X Window System connections that are not required must be disabled.
V-227873 Medium The .Xauthority utility must only permit access to authorized hosts.
V-227872 Medium .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
V-227870 Medium The .Xauthority files must not have extended ACLs.
V-227974 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, or sys.
V-227975 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
V-227972 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
V-227973 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
V-227879 Medium Management Information Base (MIB) files must have mode 0640 or less permissive.
V-227878 Medium The snmpd.conf file must have mode 0600 or less permissive.
V-227572 Medium GIDs reserved for system accounts must not be assigned to non-system groups.
V-227570 Medium All accounts must be assigned unique User Identification Numbers (UIDs).
V-227571 Medium UIDs reserved for system accounts must not be assigned to non-system accounts.
V-227576 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-227577 Medium Successful and unsuccessful logins and logouts must be logged.
V-227574 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-227575 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-227688 Medium All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
V-227680 Medium All local initialization files must have mode 0740 or less permissive.
V-227883 Medium The snmpd.conf file must not have an extended ACL.
V-227702 Medium Audio devices must not have extended ACLs.
V-227929 Medium The smbpasswd file must be owned by root.
V-227752 Medium Cron logging must be implemented.
V-227753 Medium The cronlog file must have mode 0600 or less permissive.
V-227750 Medium Cron and crontab directories must be owned by root or bin.
V-227751 Medium Cron and crontab directories must be group-owned by root, sys, or bin.
V-227756 Medium The cron.deny file must not have an extended ACL.
V-227754 Medium The cron log files must not have extended ACLs.
V-227755 Medium The cron.deny file must have mode 0600 or less permissive.
V-227758 Medium The cron.allow file must be owned by root, bin, or sys.
V-227759 Medium The at.allow file must not have an extended ACL.
V-220128 Medium The system's boot loader configuration files must be owned by root.
V-220129 Medium The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
V-227885 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-220121 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
V-220125 Medium The system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
V-220127 Medium The system's boot loader configuration file(s) must not have extended ACLs.
V-227552 Medium The /etc/zones directory, and its contents, must not have an extended ACL.
V-227553 Medium The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.
V-227988 Medium The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-227985 Medium The system's boot loader configuration file(s) must have mode 0600 or less permissive.
V-227983 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
V-227981 Medium The system's local firewall must implement a deny-all, allow-by-exception policy.
V-227980 Medium The system must employ a local firewall.
V-227626 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-227627 Medium NIS/NIS+/yp command files must not have extended ACLs.
V-227624 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-227625 Medium NIS/NIS+/yp files must be group-owned by root, sys, or bin.
V-227623 Medium All library files must not have extended ACLs.
V-227620 Medium System log files must not have extended ACLs, except as needed to support authorized software.
V-227889 Medium The system must use a remote syslog server (log host).
V-227628 Medium The /etc/resolv.conf file must be owned by root.
V-227629 Medium The /etc/resolv.conf file must be group-owned by root, bin, or sys.
V-227808 Medium The root file system must employ journaling or another mechanism ensuring file system consistency.
V-227802 Medium The system must ignore IPv4 ICMP redirect messages.
V-227803 Medium The system must not send IPv4 ICMP redirects.
V-227800 Medium The system must not accept source-routed IPv4 packets.
V-227801 Medium Proxy ARP must not be enabled on the system.
V-227938 Medium The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
V-227939 Medium The /etc/news/hosts.nntp file must not have an extended ACL.
V-227932 Medium The smbpasswd file must not have an extended ACL.
V-227933 Medium The smb.conf file must use the hosts option to restrict access to Samba.
V-227930 Medium The smbpasswd file must be group-owned by root.
V-227931 Medium The smbpasswd file must have mode 0600 or less permissive.
V-227936 Medium Samba must be configured to not allow guest access to shares.
V-227937 Medium The system must not run an Internet Network News (INN) server.
V-227934 Medium Samba must be configured to use an authentication mechanism other than "share."
V-227935 Medium Samba must be configured to use encrypted passwords.
V-227888 Medium The /etc/syslog.conf file must be group-owned by root, bin, or sys.
V-227819 Medium The services file must not have an extended ACL.
V-227662 Medium All run control scripts must have mode 0755 or less permissive.
V-227663 Medium All run control scripts must have no extended ACLs.
V-227661 Medium All files and directories contained in user home directories must not have extended ACLs.
V-227666 Medium Run control scripts lists of preloaded libraries must contain only authorized paths.
V-227664 Medium Run control scripts executable search paths must contain only authorized paths.
V-227665 Medium Run control scripts lists of preloaded libraries must contain only authorized paths.
V-227701 Medium Audio devices must have mode 0660 or less permissive.
V-227700 Medium Device files used for backup must only be readable and/or writable by root or the backup user.
V-227668 Medium All system start-up files must be owned by root.
V-227669 Medium All system start-up files must be group-owned by root, sys, or bin.
V-227705 Medium The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
V-227704 Medium Audio devices must be group-owned by root, sys, or bin.
V-227707 Medium The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures.
V-227706 Medium The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files.
V-227961 Medium The system must not have IP tunnels configured.
V-227960 Medium The system must not have 6to4 enabled.
V-227963 Medium The system must ignore IPv6 ICMP redirect messages.
V-227962 Medium The DHCP client must be disabled if not needed.
V-227965 Medium The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
V-227964 Medium The system must not send IPv6 ICMP redirects.
V-227967 Medium The system must not respond to ICMPv6 echo requests sent to a broadcast address.
V-227966 Medium The system must not forward IPv6 source-routed packets.
V-227969 Medium If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive.
V-227968 Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
V-227682 Medium All local initialization files executable search paths must contain only authorized paths.
V-227683 Medium Local initialization files library search paths must contain only authorized paths.
V-227684 Medium Local initialization files lists of preloaded libraries must contain only authorized paths.
V-227685 Medium User start-up files must not execute world-writable programs.
V-227686 Medium The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
V-227687 Medium There must be no .netrc files on the system.
V-227569 Medium All accounts on the system must have unique user or account names.
V-227568 Medium The system must not have unnecessary accounts.
V-227565 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys.
V-227564 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-227567 Medium The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
V-227566 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-227561 Medium The system clock must be synchronized continuously.
V-227560 Medium The system clock must be synchronized to an authoritative DoD time source.
V-227562 Medium The system must use at least two time sources for clock synchronization.
V-220098 Medium The aliases file must be group-owned by root, sys, smmsp, or bin.
V-220099 Medium The SMTP service HELP command must not be enabled.
V-220094 Medium Network analysis tools must not be installed.
V-220096 Medium The hosts.lpd (or equivalent) file must be group-owned by root, bin, or sys.
V-220090 Medium The system must not be configured for network bridging.
V-220091 Medium The portmap or rpcbind service must not be running unless needed.
V-220093 Medium The rlogind service must not be running.
V-227842 Medium Files executed through a mail aliases file must not have extended ACLs.
V-227841 Medium Files executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys.
V-227846 Medium The SMTP service log file must have mode 0644 or less permissive.
V-227847 Medium The SMTP service log file must not have an extended ACL.
V-227844 Medium The system syslog service must log informational and more severe SMTP service messages.
V-227845 Medium The SMTP service log file must be owned by root.
V-227970 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root.
V-227971 Medium If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys.
V-227745 Medium Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
V-227744 Medium Crontab files must be group-owned by root, sys, or the crontab creator's primary group.
V-227747 Medium Crontab files must not have extended ACLs.
V-227746 Medium Crontab files must have mode 0600 or less permissive.
V-227741 Medium Cron must not execute group-writable or world-writable programs.
V-227740 Medium The cron.allow file must not have an extended ACL.
V-227743 Medium Crontabs must be owned by root or the crontab creator.
V-227742 Medium Cron must not execute programs in, or subordinate to, world-writable directories.
V-227749 Medium Cron and crontab directories must not have extended ACLs.
V-227748 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-227947 Medium The files in /etc/news must be group-owned by root.
V-227946 Medium Files in /etc/news must be owned by root.
V-227639 Medium The /etc/nsswitch.conf file must not have an extended ACL.
V-227638 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-227631 Medium The /etc/resolv.conf file must not have an extended ACL.
V-227630 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-227633 Medium The /etc/hosts file must be group-owned by root, bin, or sys.
V-227632 Medium The /etc/hosts file must be owned by root.
V-227635 Medium The /etc/hosts file must not have an extended ACL.
V-227634 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-227637 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, or sys.
V-227636 Medium The /etc/nsswitch.conf file must be owned by root.
V-227732 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-227733 Medium The audit system must be configured to audit login, logout, and session initiation.
V-227734 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-227735 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-227736 Medium Audit logs must be rotated daily.
V-227738 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-227739 Medium The cron.allow file must have mode 0600 or less permissive.
V-227958 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-227959 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled or not installed.
V-227813 Medium The inetd.conf file must be group-owned by root, bin, or sys.
V-227812 Medium The inetd.conf file must be owned by root or bin.
V-227815 Medium The inetd.conf file must not have extended ACLs.
V-227814 Medium The inetd.conf file must have mode 0440 or less permissive.
V-227817 Medium The services file must be group-owned by root, bin, or sys.
V-227816 Medium The services file must be owned by root or bin.
V-227950 Medium NIS maps must be protected through hard-to-guess domain names.
V-227951 Medium Any NIS+ server must be operating at security level 2.
V-227952 Medium The system must have a host-based intrusion detection tool installed.
V-227956 Medium The system's access control program must log each system access attempt.
V-227957 Medium The system must use a virus scan program.
V-227886 Medium The /etc/syslog.conf file must not have an extended ACL.
V-227887 Medium The /etc/syslog.conf file must be owned by root.
V-227884 Medium If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
V-233303 Medium X11 forwarding for SSH must be disabled.
V-227882 Medium The snmpd.conf file must be group-owned by root, sys, or bin.
V-227928 Medium The smb.conf file must not have an extended ACL.
V-227880 Medium Management Information Base (MIB) files must not have extended ACLs.
V-227881 Medium The snmpd.conf files must be owned by root.
V-227925 Medium The smb.conf file must be owned by root.
V-227924 Medium The system must not run Samba unless needed.
V-227927 Medium The smb.conf file must have mode 0644 or less permissive.
V-227926 Medium The smb.conf file must be group-owned by root, bin, or sys.
V-227921 Medium The NFS server must not allow remote root access.
V-227920 Medium The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not to be set to none.
V-227923 Medium The system must not have any peer-to-peer file-sharing application installed.
V-227922 Medium The nosuid option must be enabled on all NFS client mounts.
V-227811 Medium Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
V-227810 Medium The system must log authentication informational data.
V-227554 Medium The limitpriv zone option must be set to the vendor default or less permissive.
V-227555 Medium The physical devices must not be assigned to non-global zones.
V-220075 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-220078 Medium The root account must be the only account having an UID of 0.
V-220079 Medium The root account must not have world-writable directories in its executable search path.
V-220076 Medium Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment.
V-220077 Medium Accounts must be locked upon 35 days of inactivity.
V-220074 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-227557 Medium System security patches and updates must be installed and up-to-date.
V-220072 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-220073 Medium Direct logins must not be permitted to shared, default, application, or utility accounts.
V-220070 Medium The ASET master files must be located in the /usr/aset/masters directory.
V-220071 Medium The asetenv file YPCHECK variable must be set to true when NIS+ is configured.
V-227915 Low The NFS export configuration file must have mode 0644 or less permissive.
V-227698 Low The system must be checked for extraneous device files at least weekly.
V-227596 Low The system must restrict the ability to switch to the root user to members of a defined group.
V-227597 Low The root user's home directory must not be the root directory (/).
V-227607 Low The root shell must be located in the / file system.
V-227820 Low Inetd or xinetd logging/tracing must be enabled.
V-227827 Low The system must not have the finger service active.
V-220087 Low Global initialization files must contain the mesg -n or mesg n commands.
V-227850 Low The Sendmail service must not have the wizard backdoor active.
V-220100 Low The SMTP services SMTP greeting must not provide version information.
V-227795 Low The system must not process ICMP timestamp requests.
V-227790 Low The kernel core dump data directory must not have an extended ACL.
V-227723 Low System audit tool executables must not have extended ACLs.
V-227722 Low System audit tool executables must have mode 0750 or less permissive.
V-227721 Low System audit tool executables must be group-owned by root, bin, or sys.
V-227720 Low System audit tool executables must be owned by root.
V-227724 Low The audit system must alert the SA in the event of an audit processing failure.
V-227729 Low The audit system must be configured to audit account modification.
V-227728 Low The audit system must be configured to audit account creation.
V-227861 Low The FTP daemon must be configured for logging or verbose mode.
V-227903 Low The SSH client must not permit GSSAPI authentication unless needed.
V-227902 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-227781 Low The system must be configured to store any process core dumps in a specific, centralized directory.
V-227780 Low Process core dumps must be disabled unless needed.
V-227783 Low The centralized process core dump data directory must be group-owned by root, bin, or sys.
V-227782 Low The centralized process core dump data directory must be owned by root.
V-227785 Low The centralized process core dump data directory must not have an extended ACL.
V-227784 Low The centralized process core dump data directory must have mode 0700 or less permissive.
V-227787 Low The kernel core dump data directory must be owned by root.
V-227789 Low The kernel core dump data directory must have mode 0700 or less permissive.
V-227788 Low The kernel core dump data directory must be group-owned by root.
V-227658 Low All files and directories contained in interactive user's home directories must be owned by the home directory's owner.
V-227657 Low User's home directories must not have extended ACLs.
V-227653 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-227652 Low All interactive users must be assigned a home directory in the /etc/passwd file.
V-227710 Low The sticky bit must be set on all public directories.
V-227976 Low Automated file system mounting tools must not be enabled unless needed.
V-227977 Low The system must have USB disabled unless needed.
V-227578 Low The system must display the date and time of the last successful account login upon login.
V-227579 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-227573 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-227757 Low Cron programs must not set the umask to a value less restrictive than 077.
V-227987 Low The system package management tool must not automatically obtain updates.
V-227986 Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
V-227622 Low All manual page files must not have extended ACLs.
V-227621 Low Manual page files must have mode 0655 or less permissive.
V-227809 Low All local file systems must employ journaling or another mechanism ensuring file system consistency.
V-227806 Low The system must use a separate file system for the system audit data path.
V-227807 Low The system must use a separate filesystem for /tmp (or equivalent).
V-227804 Low The system must log martian packets.
V-227805 Low A separate file system must be used for user home directories (such as /home or equivalent).
V-227660 Low All files and directories contained in user's home directories must have mode 0750 or less permissive.
V-227563 Low The system must use time sources local to the enclave.
V-227848 Low The SMTP service must not have the EXPN feature active.
V-227849 Low The SMTP service must not have the VRFY feature active.
V-227843 Low Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-227916 Low The NFS exports configuration file must not have an extended ACL.
V-227978 Low The system must have USB Mass Storage disabled unless needed.
V-227979 Low The system must have IEEE 1394 (Firewire) disabled unless needed.
V-227730 Low The audit system must be configured to audit account disabling.
V-227731 Low The audit system must be configured to audit account termination.
V-227737 Low The system must be configured to send audit records to a remote audit server.
V-227953 Low The file integrity tool must be configured to verify ACLs.
V-227954 Low The file integrity tool must be configured to verify extended attributes.
V-227955 Low The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.