V-12033 | High | The root account must be the only account with GID of 0. | Accounts with a GID of 0 have root group privileges. |
V-4387 | High | Anonymous FTP accounts must not have a functional shell. | If an anonymous FTP account has been configured to use a functional shell, attackers could gain access to the shell if the account is compromised. |
V-4295 | High | The SSH daemon must be configured to only use the SSHv2 protocol. | SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. |
V-4273 | Medium | The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive. | Excessive permissions on the hosts.nntp file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users. |
V-4276 | Medium | The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive. | File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users. |
V-4274 | Medium | The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive. | Excessive permissions on the hosts.nntp.nolimit file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users. |
V-4275 | Medium | The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive. | Excessive permissions on the nnrp.access file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users. |
V-4370 | Medium | The traceroute command must be group-owned by sys, bin, or root. | If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology... |
V-22561 | Medium | If the system is using LDAP for authentication or account information, the LDAP configuration file must be group-owned by root, bin, or sys. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. |
V-22560 | Medium | If the system is using LDAP for authentication or account information, the LDAP configuration file must be owned by root. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. |
V-4367 | Medium | The at.allow file must be owned by root, bin, or sys. | If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. |
V-11999 | Medium | The system must implement non-executable program stacks. | A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the... |
V-22488 | Medium | The SSH daemon must not allow compression or must only allow compression after successful authentication. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection,... |
V-768 | Medium | The delay between login prompts following a failed login attempt must be at least 4 seconds. | Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.
|
V-819 | Medium | The audit system must be configured to audit all discretionary access control permission modifications. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
|
V-818 | Medium | The audit system must be configured to audit login, logout, and session initiation. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
|
V-815 | Medium | The audit system must be configured to audit file deletions. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
|
V-814 | Medium | The audit system must be configured to audit failed attempts to access files and programs. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
|
V-813 | Medium | System audit logs must have mode 0640 or less permissive. | If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do... |
V-812 | Medium | System audit logs must be owned by root. | Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information. |
V-763 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. |
V-22472 | Medium | The SSH private host key files must have mode 0600 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated. |
V-22471 | Medium | The SSH public host key files must have mode 0644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised. |
V-12030 | Medium | The system's access control program must be configured to grant or deny system access to specific hosts. | If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts. |
V-12031 | Medium | The nosuid option must be configured in the /etc/rmmount.conf file. | The rmmount.conf file controls the mounting of removable media on a Solaris system. Removable media is not to be trusted with privileged access, and therefore the filesystems must be mounted with... |
V-4090 | Medium | All system start-up files must be group-owned by root, sys, or bin. | If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders. |
V-22332 | Medium | The /etc/passwd file must be owned by root. | The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. |
V-778 | Medium | The system must prevent the root account from directly logging in except from the system console. | Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.
|
V-800 | Medium | The /etc/shadow (or equivalent) file must have mode 0400. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
V-775 | Medium | The root account's home directory (other than /) must have mode 0700. | Permissions greater than 0700 could allow unauthorized users access to the root home directory. |
V-773 | Medium | The root account must be the only account having an UID of 0. | If an account has an UID of 0, it has root authority. Multiple accounts with an UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. |
V-22462 | Medium | The SSH client must be configured to not use CBC-based ciphers. | The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
|
V-4089 | Medium | All system start-up files must be owned by root. | System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network... |
V-867 | Medium | The Network Information System (NIS) protocol must not be used. | Due to numerous security vulnerabilities existing within NIS, it must not be used. Possible alternative directory services are NIS+ and LDAP. |
V-22453 | Medium | The /etc/syslog.conf file must have mode 0640 or less permissive. | Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file. |
V-822 | Medium | The inetd.conf file must have mode 0440 or less permissive. | The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system. |
V-981 | Medium | Cron and crontab directories must be group-owned by root, sys, or bin. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group-ownership of cron or crontab... |
V-980 | Medium | Cron and crontab directories must be owned by root or bin. | Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron... |
V-983 | Medium | The cronlog file must have mode 0600 or less permissive. | Cron logs contain reports of scheduled system activities and must be protected from unauthorized access or manipulation.
|
V-985 | Medium | The at.deny file must not be empty if it exists. | On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes everyone has permission to use the at facility. This could create an insecure setting in... |
V-984 | Medium | Access to the at utility must be controlled via the at.allow and/or at.deny file(s). | The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no... |
V-987 | Medium | The at.allow file must have mode 0600 or less permissive. | Permissions more permissive than 0600 (read and write for the owner) may allow unauthorized or malicious access to the at.allow and/or at.deny files. |
V-22294 | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
V-4394 | Medium | The /etc/syslog.conf file must be group-owned by root, bin, or sys. | If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility. |
V-4393 | Medium | The /etc/syslog.conf file must be owned by root. | If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility. |
V-974 | Medium | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s). | The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility. If... |
V-975 | Medium | The cron.allow file must have mode 0600 or less permissive. | A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is... |
V-22348 | Medium | The /etc/group file must not contain any group password hashes. | Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or... |
V-957 | Medium | The /usr/aset/userlist file must have mode 0600 or less permissive. | A permission mask not set to the required level could allow unauthorized access to sensitive system files and resources. |
V-22347 | Medium | The /etc/passwd file must not contain password hashes. | If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes. |
V-978 | Medium | Crontab files must have mode 0600 or less permissive. | To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured.
|
V-979 | Medium | Cron and crontab directories must have mode 0755 or less permissive. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured.
|
V-22456 | Medium | The SSH client must be configured to only use the SSHv2 protocol. | SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client. |
V-22459 | Medium | The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers. | The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
|
V-842 | Medium | The ftpusers file must be owned by root. | If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
|
V-22329 | Medium | The /etc/nsswitch.conf file must have mode 0644 or less permissive. | The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system... |
V-22328 | Medium | The /etc/nsswitch.conf file must be group-owned by root, bin, or sys. | The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system... |
V-22327 | Medium | The /etc/nsswitch.conf file must be owned by root. | The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system... |
V-22325 | Medium | The /etc/hosts file must have mode 0644 or less permissive. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
V-22324 | Medium | The /etc/hosts file must be group-owned by root, bin, or sys. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
V-22323 | Medium | The /etc/hosts file must be owned by root. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
V-22321 | Medium | The /etc/resolv.conf file must have mode 0644 or less permissive. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution... |
V-1023 | Medium | The system must not run an Internet Network News (INN) server. | Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the... |
V-776 | Medium | The root account's executable search path must be the vendor default and must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
V-22600 | Medium | The /usr/aset/userlist file must be group-owned by root. | The /usr/aset/userlist file is critical to system security and must be protected from unauthorized access. |
V-4245 | Medium | The /etc/security/audit_user file must have mode 0640 or less permissive. | Audit_user is a sensitive file that, if compromised, would allow a malicious user to select auditing parameters to ignore his sessions. This would allow malicious operations the auditing... |
V-4321 | Medium | The system must not run Samba unless needed. | Samba is a tool used for the sharing of files and printers between Windows and UNIX operating systems. It provides access to sensitive files and, therefore, poses a security risk if compromised. |
V-22320 | Medium | The /etc/resolv.conf file must be group-owned by root, bin, or sys. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution... |
V-22358 | Medium | All skeleton files (typically in /etc/skel) must be group-owned by root, bin, or sys. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. |
V-12001 | Medium | The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks. | One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection... |
V-907 | Medium | Run control scripts' executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working... |
V-22339 | Medium | The /etc/shadow file (or equivalent) must be group-owned by root, bin, or sys. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
V-22335 | Medium | The /etc/group file must be owned by root. | The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information. |
V-22336 | Medium | The /etc/group file must be group-owned by root, bin, or sys. | The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information. |
V-22337 | Medium | The /etc/group file must have mode 0644 or less permissive. | The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information. |
V-22444 | Medium | The ftpusers file must be group-owned by root, bin, or sys. | If the ftpusers file is not group-owned by root or a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP. |
V-22333 | Medium | The /etc/passwd file must be group-owned by root, bin, or sys. | The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. |
V-916 | Medium | The /etc/shells (or equivalent) file must exist. | The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized... |
V-12014 | Medium | All .Xauthority files must have mode 0600 or less permissive. | .Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of... |
V-4430 | Medium | The cron.deny file must be owned by root, bin, or sys. | Cron daemon control files restrict the scheduling of automated tasks and must be protected.
|
V-824 | Medium | The services file must have mode 0444 or less permissive. | The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services. |
V-22383 | Medium | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be... |
V-1049 | Medium | Audio devices must be owned by root. | Globally Accessible audio and video devices have proven to be security hazards. There is software that can activate system microphones and video devices connected to user workstations and/or X... |
V-1047 | Medium | The system must not permit root logins using remote access programs such as SSH. | Even though communications are encrypted, an additional layer of security may be gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific... |
V-4369 | Medium | The traceroute command owner must be root. | If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow... |
V-22434 | Medium | The rexecd service must not be installed. | The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. |
V-22433 | Medium | The rlogind service must not be installed. | The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. |
V-22431 | Medium | The rshd service must not be installed. | The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. |
V-840 | Medium | The ftpusers file must exist. | The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP.
|
V-811 | Medium | Auditing must be implemented. | Without auditing, individual system accesses cannot be tracked and malicious activity cannot be detected and traced back to an individual account. |
V-843 | Medium | The ftpusers file must have mode 0640 or less permissive. | Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized users... |
V-22310 | Medium | The root account's library search path must be the system default and must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
V-11985 | Medium | All global initialization files' executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working... |
V-11984 | Medium | All skeleton files and directories (typically in /etc/skel) must be owned by bin. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities... |
V-4351 | Medium | The /etc/security/audit_user file must be group-owned by root, sys, or bin. | The Solaris audit_user file allows for selective auditing or non-auditing of features for certain users. If it is not protected, it could be compromised and used to mask audit events. This could... |
V-4352 | Medium | The /etc/security/audit_user file must be owned by root. | The /etc/security/audit_user is a sensitive file and must be owned by root to prevent possible system compromise. |
V-4358 | Medium | The cron.deny file must have mode 0600 or less permissive. | If file permissions for cron.deny are more permissive than 0600, sensitive information could be viewed or edited by unauthorized users.
|
V-22548 | Medium | The DHCP client must be disabled if not needed. | DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server. |
V-22702 | Medium | System audit logs must be group-owned by root, bin, or sys. | Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system. |
V-22398 | Medium | The at.deny file must be group-owned by root, bin, or sys. | If the group owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized... |
V-22311 | Medium | The root account's list of preloaded libraries must be empty. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
V-22397 | Medium | The at.allow file must be group-owned by root, bin, or sys. | If the group owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized modification... |
V-22394 | Medium | The cron.deny file must be group-owned by root, bin, or sys. | Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron... |
V-1056 | Medium | The smb.conf file must be group-owned by root, bin, or sys. | If the group owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised. |
V-22392 | Medium | The at.deny file must have mode 0600 or less permissive. | The at daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial of Service to authorized at... |
V-22391 | Medium | The cron.allow file must be group-owned by root, bin, or sys. | If the group of the cron.allow is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification... |
V-22427 | Medium | The services file must be group-owned by root, bin, or sys. | Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which... |
V-823 | Medium | The services file must be owned by root or bin. | Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the... |
V-22296 | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
V-22295 | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, or sys. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
V-836 | Medium | The system syslog service must log informational and more severe SMTP service messages. | If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed. |
V-789 | Medium | NIS/NIS+/yp files must be owned by root, sys, or bin. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities... |
V-788 | Medium | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
|
V-928 | Medium | The NFS export configuration file must be owned by root. | Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could... |
V-4368 | Medium | The at.deny file must be owned by root, bin, or sys. | If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. |
V-956 | Medium | The /usr/aset/userlist file must be owned by root. | If the userlist file is not owned by root, then an unauthorized user can modify the file and enter an unauthorized user. |
V-22559 | Medium | If the system is using LDAP for authentication or account information the LDAP client configuration file must have mode 0600 or less permissive. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. |
V-955 | Medium | The /usr/aset/userlist file must exist. | If the userlist file does not exist, then an unauthorized user may exist in the /etc/passwd file. |
V-4361 | Medium | The cron.allow file must be owned by root, bin, or sys. | If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information. |
V-1061 | Medium | Audio devices must be group-owned by root, sys, or bin. | Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive... |
V-22492 | Medium | The NFS export configuration file must be group-owned by root, bin, or sys. | Failure to give group ownership of the NFS export configuration file to root or system groups provides the designated group owner and possible unauthorized users with the potential to change... |
V-790 | Medium | NIS/NIS+/yp files must be group-owned by root, sys, or bin. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities... |
V-791 | Medium | The NIS/NIS+/yp command files must have mode 0755 or less permissive. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise... |
V-793 | Medium | Library files must have mode 0755 or less permissive. | Unauthorized access could destroy the integrity of the library files. |
V-796 | Medium | System files, programs, and directories must be group-owned by a system group. | Restricting permissions will protect the files from unauthorized modification. |
V-797 | Medium | The /etc/shadow (or equivalent) file must be owned by root. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files... |
V-798 | Medium | The /etc/passwd file must have mode 0644 or less permissive. | If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information. |
V-22319 | Medium | The /etc/resolv.conf file must be owned by root. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution... |
V-22473 | Low | The SSH daemon must not permit GSSAPI authentication unless needed. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing... |
V-22474 | Low | The SSH client must not permit GSSAPI authentication unless needed. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing... |
V-22370 | Low | System audit tool executables must be owned by root. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. |
V-22371 | Low | System audit tool executables must be group-owned by root, bin, or sys. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. |
V-22372 | Low | System audit tool executables must have mode 0750 or less permissive. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. |
V-774 | Low | The root user's home directory must not be the root directory (/). | Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places... |
V-22588 | Low | The system package management tool must cryptographically verify the authenticity of software packages during installation. | To prevent the installation of software from unauthorized sources, the system package management tool must use cryptographic algorithms to verify the packages are authentic. |
V-23739 | Low | The system must use a separate filesystem for /tmp (or equivalent). | The use of separate filesystems for different paths can protect the system from failures resulting from a filesystem becoming full or failing. |
V-900 | Low | All interactive user home directories defined in the /etc/passwd file must exist. | If a user has a home directory defined that does not exist, the user may be given the / directory, by default, as the current working directory upon logon. This could create a Denial of Service... |
V-825 | Low | Global initialization files must contain the mesg -n or mesg n commands. | If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial of Service attack. |
V-929 | Low | The NFS export configuration file must have mode 0644 or less permissive. | Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of... |
V-22578 | Low | The system must have USB disabled unless needed. | USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
|
V-11997 | Low | The kernel core dump data directory must be owned by root. | Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel... |
V-835 | Low | Sendmail logging must not be set to less than nine in the sendmail.cf file. | If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the Sendmail service. |
V-781 | Low | All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file. | If a user is assigned the GID of a group not existing on the system, and a group with the same GID is subsequently created, the user may have unintended rights to the group.
|
V-12003 | Low | A separate file system must be used for user home directories (such as /home or equivalent). | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. |
V-899 | Low | All interactive users must be assigned a home directory in the /etc/passwd file. | If users do not have a valid home directory, there is no place for the storage and control of files they own. |