| V-48107 | High | Login must not be permitted with empty/null passwords for SSH. | Permitting login without a password is inherently risky. |
| V-48119 | High | There must be no user .rhosts files. | Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for... |
| V-48121 | High | The system must not allow autologin capabilities from the GNOME desktop. | As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf. |
| V-48027 | High | The operating system must be a supported release. | An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security... |
| V-47845 | High | The operating system must alert designated organizational officials in the event of an audit processing failure. | Proper alerts to system administrators and IA officials of audit failures ensure a timely response to critical system issues. |
| V-47843 | High | The audit system must alert the System Administrator (SA) if there is any type of audit failure. | Proper alerts to system administrators and Information Assurance (IA) officials of audit failures ensure a timely response to critical system issues. |
| V-48143 | High | The operating system must not allow logins for users with blank passwords. | If the password field is blank and the system does not enforce a policy that passwords are required, it could allow login without proper authentication of a user. |
| V-47915 | High | The telnet service daemon must not be installed unless required. | Telnet is an insecure protocol. |
| V-47911 | High | The FTP daemon must not be installed unless required. | FTP is an insecure protocol. |
| V-47913 | High | The TFTP service daemon must not be installed unless required. | TFTP is an insecure protocol. |
| V-47905 | High | The NIS package must not be installed. | NIS is an insecure protocol. |
| V-59841 | Medium | All system start-up files must be group-owned by root, sys, or bin. | If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders. |
| V-48103 | Medium | Direct root account login must not be permitted for SSH access. | The system should not allow users to log in as the root user directly, as audited actions would be non-attributable to a specific user. |
| V-48101 | Medium | The rhost-based authentication for SSH must be disabled. | Setting this parameter forces users to enter a password when authenticating with SSH. |
| V-48187 | Medium | The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and... |
| V-48183 | Medium | The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures. | FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware based encryption modules. |
| V-47971 | Medium | The system must require passwords to contain at least one uppercase alphabetic character. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| V-48077 | Medium | Reserved UIDs 0-99 must only be used by system accounts. | If a user is assigned a UID that is in the reserved range, even if it is not presently in use, security exposures can arise if a subsequently installed application uses the same UID. |
| V-48115 | Medium | Groups assigned to users must exist in the /etc/group file. | Groups defined in passwd but not in group file pose a threat to system security since group permissions are not properly managed. |
| V-48117 | Medium | The use of FTP must be restricted. | FTP is an insecure protocol that transfers files and credentials in clear text, and can be replaced by using SFTP. However, if FTP is permitted for use in the environment, it is important to... |
| V-48113 | Medium | Host-based authentication for login-based services must be disabled. | The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can... |
| V-48195 | Medium | The operating system must terminate all sessions and network connections when non-local maintenance is completed. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
| V-61005 | Medium | All .Xauthority files must have mode 0600 or less permissive. | .Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of... |
| V-47967 | Medium | The system must require at least four characters be changed between the old and new passwords during a password change. | To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed... |
| V-47961 | Medium | Users must not reuse the last 5 passwords. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
To meet password policy requirements, passwords need to be... |
| V-47803 | Medium | Audit records must include the outcome (success or failure) of the events that occurred. | Tracking both the successful and unsuccessful attempts aids in identifying threats to the system. |
| V-47801 | Medium | Audit records must include the sources of the events that occurred. | Without accurate source information malicious activity cannot be accurately tracked. |
| V-48061 | Medium | The default umask for system and users must be 077. | Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. |
| V-48065 | Medium | The system must not allow users to configure .forward files. | Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to... |
| V-48067 | Medium | User .netrc files must not exist. | The .netrc file presents a significant security risk since it stores passwords in unencrypted form. |
| V-48123 | Medium | Permissions on user .netrc files must be 750 or less permissive. | .netrc files may contain unencrypted passwords that can be used to attack other systems. |
| V-48125 | Medium | Unauthorized use of the at or cron capabilities must not be permitted. | On many systems, only the system administrator needs the ability to schedule jobs.
Even though a given user is not listed in the "cron.allow" file, cron jobs can still be run as that user. The... |
| V-48127 | Medium | Logins to the root account must be restricted to the system console only. | Use an authorized mechanism such as RBAC and the "su" command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems. |
| V-47957 | Medium | User passwords must be at least 15 characters in length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
Password length is one factor of several that helps to determine... |
| V-48055 | Medium | The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools. | Allowing any user to elevate their privileges can allow them excessive control of the system tools. |
| V-48057 | Medium | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | Allowing any user to elevate their privileges can allow them excessive control of the system tools. |
| V-48053 | Medium | The system must prevent the use of dictionary words for passwords. | The use of common words in passwords simplifies password-cracking attacks. |
| V-48035 | Medium | The root account must be the only account with GID of 0. | All accounts with a GID of 0 have root group privileges and must be limited to the group account only. |
| V-49635 | Medium | The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
| V-48043 | Medium | The delay between login prompts following a failed login attempt must be at least 4 seconds. | As an immediate return of an error message, coupled with the capability to try again, may facilitate automatic and rapid-fire brute-force password attacks by a malicious user. |
| V-48047 | Medium | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity. | Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system. |
| V-48045 | Medium | The system must require users to re-authenticate to unlock a graphical desktop environment. | Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system. |
| V-48025 | Medium | The system must implement non-executable program stacks. | A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the... |
| V-47835 | Medium | The audit system must alert the SA when the audit storage volume approaches its capacity. | Filling the audit storage area can result in a denial of service or system outage and can lead to events going undetected. |
| V-47939 | Medium | The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
| V-48133 | Medium | Permissions on user home directories must be 750 or less permissive. | Group-writable or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges. |
| V-48139 | Medium | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of... |
| V-47797 | Medium | Audit records must include when (date and time) the events occurred. | Without accurate time stamps malicious activity cannot be accurately tracked. |
| V-47795 | Medium | Audit records must include what type of events occurred. | Without proper system auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account. |
| V-47793 | Medium | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Without accurate time stamps, source, user, and... |
| V-47791 | Medium | The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Without accurate time stamps, source, user, and... |
| V-59839 | Medium | All system start-up files must be owned by root. | System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network... |
| V-48243 | Medium | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. | Cryptographic hashes provide quick password authentication while not actually storing the password. |
| V-48245 | Medium | The system must disable accounts after three consecutive unsuccessful login attempts. | Allowing continued access to accounts on the system exposes them to brute-force password-guessing attacks. |
| V-47799 | Medium | Audit records must include where the events occurred. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Without accurate time stamps, source, user, and... |
| V-48093 | Medium | X11 forwarding for SSH must be disabled. | As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as... |
| V-47921 | Medium | The VNC server package must not be installed unless required. | The VNC service uses weak authentication capabilities and provides the user complete graphical system access. |
| V-47785 | Medium | The audit system records must be able to be used by a report generation capability. | Enabling the audit system will produce records for use in report generation. Without an audit reporting capability, users find it difficult to identify specific patterns of attack. |
| V-47787 | Medium | The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria. | Without an audit reporting capability, users find it difficult to identify specific patterns of attack. |
| V-47999 | Medium | The system must not have accounts configured with blank or null passwords. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| V-47781 | Medium | The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event. | Enabling the audit system will produce records with accurate time stamps, source, user, and activity information. Without this information malicious activity cannot be accurately tracked. |
| V-47783 | Medium | The audit system must support an audit reduction capability. | Using the audit system will utilize the audit reduction capability. Without an audit reduction capability, users find it difficult to identify specific patterns of attack. |
| V-59827 | Medium | All run control scripts must have mode 0755 or less permissive. | If the startup files are writable by other users, these users could modify the startup files to insert malicious commands into the startup files. |
| V-47997 | Medium | The operating system must implement transaction recovery for transaction-based systems. | Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions.
Transaction rollback and... |
| V-47991 | Medium | The system must require passwords to contain at least one special character. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| V-47789 | Medium | The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components. | Without auditing, individual system accesses cannot be tracked, and malicious activity cannot be detected and traced back to an individual account.
Without accurate time stamps, source, user, and... |
| V-48089 | Medium | The nobody access for RPC encryption key storage service must be disabled. | If login by the user "nobody" is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the "nobody" user, it will be used by... |
| V-48087 | Medium | Login services for serial ports must be disabled. | Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is... |
| V-47989 | Medium | The system must require passwords to contain at least one numeric character. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| V-47981 | Medium | The operating system must enforce password complexity requiring that at least one lowercase character is used. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| V-59831 | Medium | Run control scripts executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working... |
| V-47901 | Medium | The legacy remote network access utilities daemons must not be installed. | Legacy remote access utilities allow remote control of a system without proper authentication. |
| V-48109 | Low | Users must have a valid home directory assignment. | All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory. |
| V-48105 | Low | A users defined home directory must exist. | If the user's home directory does not exist, the user will be placed in "/" and will not be able to write any files or have local environment variables set. |
| V-48071 | Low | The default umask for FTP users must be 077. | Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. |
| V-48205 | Low | The operating system must display the DoD approved system use notification message or banner for SSH connections. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any... |
| V-48203 | Low | The GNOME service must display the DoD approved system use notification message or banner before granting access to the system. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any... |
| V-48111 | Low | The operating system must terminate the network connection associated with a communications session at the end of the session or after 10 minutes of inactivity. | This requirement applies to both internal and external networks.
Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs... |
| V-48199 | Low | The FTP service must display the DoD approved system use notification message or banner before granting access to the system. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any... |
| V-47893 | Low | The finger daemon package must not be installed. | Finger is an insecure protocol. |
| V-47895 | Low | The limitpriv zone option must be set to the vendor default or less permissive. | Solaris zones can be assigned privileges generally reserved for the global zone using the "limitpriv" zone option. Any privilege assignments in excess of the vendor defaults may provide the... |
| V-47897 | Low | The /etc/zones directory, and its contents, must have the vendor default owner, group, and permissions. | Incorrect ownership can result in unauthorized changes or theft of data. |
| V-48033 | Low | The operating system must reveal error messages only to authorized personnel. | Proper file permissions and ownership ensures that only designated personnel in the organization can access error messages. |
| V-48131 | Low | The operating system, upon successful logon, must display to the user the date and time of the last logon (access). | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if... |
| V-48099 | Low | Consecutive login attempts for SSH must be limited to 3. | Setting the authentication login limit to a low value will disconnect the attacker and force a reconnect, which severely limits the speed of such brute-force attacks. |
| V-47993 | Low | The system must require passwords to contain no more than three consecutive repeating characters. | Complex passwords can reduce the likelihood of success of automated password-guessing attacks. |
| V-47917 | Low | The UUCP service daemon must not be installed unless required. | UUCP is an insecure protocol. |
| V-48209 | Low | The operating system must display the DoD approved system use notification message or banner before granting access to the system for general system logons. | Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any... |
| V-47909 | Low | The pidgin IM client package must not be installed. | Instant messaging is an insecure protocol. |
| V-48001 | Low | The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel). | The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that... |
