UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware ESX 3 Server


Overview

Date Finding Count (621)
2016-05-13 CAT I (High): 39 CAT II (Med): 496 CAT III (Low): 86
STIG Description
The VMware ESX 3 Server Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-12036 High The LILO Boot Loader password is not encrypted.
V-4387 High Anonymous FTP accounts must not have a functional shell.
V-4382 High Administrative accounts must not run a web browser, except as needed for local service administration.
V-68723 High VMware ESX operating systems that are no longer supported by the vendor for security updates must not be installed on a system.
V-15849 High ESX Server software version is not supported.
V-4249 High The system boot loader must require authentication.
V-4248 High For systems capable of using GRUB, the system must be configured with GRUB as the default boot loader unless another boot loader has been authorized, justified, and documented using site-defined procedures.
V-4247 High The system must not use removable media as the boot loader.
V-848 High The TFTP daemon must have mode 0755 or less permissive.
V-4339 High The Linux NFS Server must not have the insecure file locking option.
V-847 High The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
V-922 High All shell files must have mode 0755 or less permissive.
V-4691 High The SMTP service must not have a uudecode alias active.
V-1013 High The system must be configured to only boot from the system boot device.
V-4399 High The system must not use UDP for NIS/NIS+.
V-15874 High VirtualCenter vpxuser has been modified.
V-4342 High The x86 CTRL-ALT-DELETE key sequence must be disabled.
V-4295 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-4268 High The system must not have special privilege accounts, such as shutdown and halt.
V-24386 High The telnet daemon must not be running.
V-993 High SNMP communities, users, and passphrases must be changed from the default.
V-15819 High Promiscuous mode is enabled for virtual switches during the ESX Server boot process.
V-6776 High An IS has its BIOS set to allow a boot from a USB device.
V-4695 High Any active TFTP daemon must be authorized and approved in the system accreditation package.
V-4697 High X displays must not be exported to the world.
V-833 High Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
V-11940 High The operating system must be a supported release.
V-15850 High VMware and third party applications are not supported.
V-4255 High If the system boots from removable media, it must be stored in a safe or similarly secured container.
V-4252 High If LILO is the authorized boot loader for the system, a global password must be defined in /etc/lilo.conf.
V-4253 High The /etc/lilo.conf file must have mode 0600 or less permissive.
V-4690 High The Sendmail server must have the debug feature disabled.
V-770 High The system must not have accounts configured with blank or null passwords.
V-910 High Run control scripts must not execute world-writable programs or scripts.
V-1046 High Root passwords must never be passed over a network in clear text form.
V-11988 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-4689 High The SMTP service must be an up-to-date version.
V-4688 High The rexec daemon must not be running.
V-4687 High The rsh daemon must not be running.
V-1048 Medium Audio devices must have mode 0660 or less permissive.
V-4702 Medium If the system is an anonymous FTP server, it must be isolated to the DMZ network.
V-12021 Medium The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
V-1049 Medium Audio devices must be owned by root.
V-769 Medium The root user must not own the logon session for an application requiring a continuous display.
V-819 Medium The audit system must be configured to audit all discretionary access control permission modifications.
V-818 Medium The audit system must be configured to audit login, logout, and session initiation.
V-816 Medium The audit system must be configured to audit all administrative, privileged, and security actions.
V-815 Medium The audit system must be configured to audit file deletions.
V-814 Medium The audit system must be configured to audit failed attempts to access files and programs.
V-761 Medium All accounts on the system must have unique user or account names.
V-812 Medium System audit logs must be owned by root.
V-763 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-12038 Medium The /etc/securetty file must be group-owned by root, sys, or bin.
V-12039 Medium The /etc/securetty file must be owned by root.
V-22471 Medium The SSH public host key files must have mode 0644 or less permissive.
V-22470 Medium The SSH daemon must restrict login ability to specific users and/or groups.
V-12030 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-27056 Medium System security patches and updates must be installed and up-to-date.
V-22575 Medium A root kit check tool must be run on the system at least weekly.
V-1027 Medium The /etc/smb.conf file must be owned by root.
V-4385 Medium The system must not use .forward files.
V-978 Medium Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive.
V-15856 Medium VI Web Access sessions to the ESX Server are unencrypted.
V-4388 Medium The anonymous FTP account must be configured to use chroot or a similarly isolated environment.
V-22340 Medium The /etc/shadow file must not have an extended ACL.
V-22375 Medium The audit system must alert the SA when the audit storage volume approaches its capacity.
V-22506 Medium The system package management tool must be used to verify system software periodically.
V-22505 Medium The /etc/news/passwd.nntp file must not have an extended ACL.
V-22504 Medium The /etc/news/nnrp.access file must not have an extended ACL.
V-22503 Medium The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
V-22502 Medium The /etc/news/hosts.nntp file must not have an extended ACL.
V-22501 Medium Samba must be configured to not allow guest access to shares.
V-22500 Medium Samba must be configured to use encrypted passwords.
V-15848 Medium VMware tools are not used to update the ESX Server.
V-15840 Medium ESX Server does not record log files.
V-15842 Medium Log file permissions have not been configured to restrict unauthorized users
V-15844 Medium Auditing is not configured on the ESX Server.
V-15846 Medium The ESX Server software version is not at the latest release.
V-15847 Medium ESX Server updates are not tested.
V-842 Medium The ftpusers file must be owned by root.
V-928 Medium The NFS export configuration file must be owned by root.
V-4246 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
V-23732 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-849 Medium The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
V-4336 Medium The /etc/sysctl.conf file must have mode 0600 or less permissive.
V-4335 Medium The /etc/sysctl.conf file must be group-owned by root.
V-4334 Medium The /etc/sysctl.conf file must be owned by root.
V-22542 Medium The IPv6 protocol handler must be prevented from dynamic loading unless needed.
V-22309 Medium The root account's home directory must not have an extended ACL.
V-22303 Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
V-22302 Medium The system must enforce the entire password during authentication.
V-22305 Medium The system must require passwords contain at least one lowercase alphabetic character.
V-22304 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-22307 Medium The system must prevent the use of dictionary words for passwords.
V-22306 Medium The system must require at least four characters be changed between the old and new passwords during a password change.
V-813 Medium System audit logs must have mode 0640 or less permissive.
V-760 Medium Direct logins must not be permitted to shared, default, application, or utility accounts.
V-846 Medium Anonymous FTP must not be active on the system unless authorized.
V-840 Medium The ftpusers file must exist.
V-841 Medium The ftpusers file must contain account names not allowed to use FTP.
V-843 Medium The ftpusers file must have mode 0640 or less permissive.
V-926 Medium Any NIS+ server must be operating at security level 2.
V-925 Medium Device files used for backup must only be readable and/or writable by root or the backup user.
V-924 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-921 Medium All shell files must be owned by root or bin.
V-22429 Medium The portmap or rpcbind service must not be running unless needed.
V-22543 Medium The IPv6 protocol handler must not be installed unless needed.
V-12040 Medium The /etc/securetty file must have mode 0640 or less permissive.
V-22541 Medium The IPv6 protocol handler must not be bound to the network stack unless needed.
V-22547 Medium The system must not have IP tunnels configured.
V-22546 Medium The system must not have Teredo enabled.
V-22545 Medium The system must not have 6to4 enabled.
V-22544 Medium Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system.
V-12049 Medium Network analysis tools must not be installed.
V-22549 Medium The DHCP client must not send dynamic DNS updates.
V-22548 Medium The DHCP client must be disabled if not needed.
V-15783 Medium ESX Server is not configured in accordance with the UNIX STIG.
V-1055 Medium The /etc/access.conf file must have mode 0640 or less permissive.
V-1059 Medium The /etc/smbpasswd file must have mode 0600 or less permissive.
V-1058 Medium The /etc/smbpasswd file must be group-owned by root.
V-22398 Medium The at.deny file must be group-owned by root, bin, sys, or cron.
V-15791 Medium iSCSI passwords are not compliant with DoD policy.
V-15790 Medium iSCSI storage equipment is not configured with the latest patches and updates.
V-22397 Medium The at.allow file must be group-owned by root, bin, sys, or cron.
V-22394 Medium The cron.deny file must be group-owned by root, bin, sys, or cron.
V-22395 Medium The "at" directory must not have an extended ACL.
V-22392 Medium The at.deny file must have mode 0600 or less permissive.
V-22393 Medium The at.deny file must not have an extended ACL.
V-22390 Medium The at.allow file must not have an extended ACL.
V-22391 Medium The cron.allow file must be group-owned by root, bin, sys, or cron.
V-11994 Medium Crontabs must be owned by root or the crontab creator.
V-1056 Medium The /etc/smb.conf file must be group-owned by root, bin, or sys.
V-15888 Medium Master templates are not restricted to authorized users only.
V-11990 Medium All public directories must be group-owned by root or an application group.
V-15884 Medium ISO images are not restricted to authorized users.
V-15885 Medium ISO images do not have hash checksums.
V-15886 Medium ISO images are not verified for integrity when moved across the network.
V-11999 Medium The system must implement non-executable program stacks.
V-22572 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, sys, or system.
V-22423 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
V-22570 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL.
V-22571 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.
V-11995 Medium Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
V-22574 Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL.
V-22491 Medium The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
V-22490 Medium The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
V-22492 Medium The NFS export configuration file must be group-owned by root, bin, sys, or system.
V-22497 Medium The /etc/smb.conf file must not have an extended ACL.
V-22496 Medium All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system.
V-22499 Medium Samba must be configured to use an authentication mechanism other than share.
V-22498 Medium The /etc/smbpasswd file must not have an extended ACL.
V-15835 Medium The setuid and setgid flags have been disabled.
V-15836 Medium ESX Server is not authenticating the time source with a hashing algorithm.
V-4273 Medium The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
V-4276 Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
V-4277 Medium Files in /etc/news must be owned by root or news.
V-4274 Medium The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
V-4275 Medium The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
V-15787 Medium Permissions on the configuration and virtual disk files are incorrect.
V-4278 Medium The files in /etc/news must be group-owned by root or news.
V-4370 Medium The traceroute command must be group-owned by sys, bin, root, or system.
V-22334 Medium The /etc/passwd file must not have an extended ACL.
V-22441 Medium Files executed through a mail aliases file must not have extended ACLs.
V-22330 Medium The /etc/nsswitch.conf file must not have an extended ACL.
V-4090 Medium All system start-up files must be group-owned by root, sys, bin, other, or system.
V-4091 Medium System start-up files must only execute programs owned by a privileged UID or an application.
V-22332 Medium The /etc/passwd file must be owned by root.
V-4304 Medium The root file system must employ journaling or another mechanism ensuring file system consistency.
V-22333 Medium The /etc/passwd file must be group-owned by root, bin, sys, or system.
V-4696 Medium The system must not have the UUCP service active.
V-4301 Medium The system clock must be synchronized to an authoritative DoD time source.
V-15909 Medium Virtual machine log files are not maintained for 1 year.
V-15908 Medium ESX Server is not configured to maintain a specific number of log files via log rotation.
V-15904 Medium Production virtual machines are not located in a controlled access area.
V-15907 Medium Virtual machine log files do not have a size limit.
V-15906 Medium Virtual machine OS log files are not saved before rollback.
V-15901 Medium Virtual machine moves are not logged from one physical server to another.
V-808 Medium The system and user default umask must be 077.
V-1021 Medium The X server must have the correct options enabled.
V-800 Medium The /etc/shadow (or equivalent) file must have mode 0400.
V-801 Medium The owner, group owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures.
V-802 Medium The owner, group-owner, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures.
V-803 Medium The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files.
V-804 Medium The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files.
V-805 Medium Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
V-807 Medium All public directories must be owned by root or an application account.
V-22460 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-1010 Medium Public directories must be the only world-writable directories and world-writable files must be located only in public directories.
V-22463 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-1015 Medium The ext3 filesystem type must be used for the primary Linux file system partitions.
V-989 Medium The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
V-988 Medium The at daemon must not execute group-writable or world-writable programs.
V-981 Medium Cron and crontab directories must be group-owned by root, sys, bin or cron.
V-980 Medium Cron and crontab directories must be owned by root or bin.
V-983 Medium The cron log file must have mode 0600 or less permissive.
V-22290 Medium The system clock must be synchronized continuously, or at least daily.
V-985 Medium The at.deny file must not be empty if it exists.
V-22296 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-22295 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
V-986 Medium Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
V-4395 Medium The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
V-4394 Medium The /etc/syslog.conf file must be group-owned by root, bin, sys, or system.
V-4397 Medium The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-4392 Medium If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
V-4398 Medium A system used for routing must not run other network services or applications.
V-974 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-975 Medium The cron.allow file must have mode 0600 or less permissive.
V-976 Medium Cron must not execute group-writable or world-writable programs.
V-977 Medium Cron must not execute programs in, or subordinate to, world-writable directories.
V-22349 Medium The /etc/gshadow file must not contain any group password hashes.
V-22348 Medium The /etc/group file must not contain any group password hashes.
V-22347 Medium The /etc/passwd file must not contain password hashes.
V-22341 Medium The /etc/gshadow file must be owned by root.
V-979 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-22343 Medium The /etc/gshadow file must have mode 0400.
V-22514 Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
V-22517 Medium The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
V-22511 Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
V-23972 Medium The system must not respond to ICMPv6 echo requests sent to a broadcast address.
V-793 Medium Library files must have mode 0755 or less permissive.
V-12005 Medium Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
V-12004 Medium The system must log authentication informational data.
V-12006 Medium The SMTP service HELP command must not be enabled.
V-12001 Medium The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
V-12002 Medium The system must not forward IPv4 source-routed packets.
V-987 Medium The at.allow file must have mode 0600 or less permissive.
V-867 Medium The Network Information System (NIS) protocol must not be used.
V-4346 Medium The Linux PAM system must not grant sole access to admin privileges to the first user who logs into the console.
V-6768 Medium Disguised jump drives are not banned from locations containing DOD ISs.
V-6769 Medium Notices are not prominently displayed informing everyone of the ban of disguised jump drives.
V-6766 Medium USB devices are attached to a DoD IS without prior IAO approval.
V-6765 Medium MP3 players, camcorders, or digital cameras are being attached to ISs without prior DAA approval.
V-941 Medium The system's access control program must log each system access attempt.
V-22702 Medium System audit logs must be group-owned by root, bin, sys, or system.
V-790 Medium NIS/NIS+/yp files must be group-owned by root, sys, bin, other, or system.
V-791 Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
V-4298 Medium Remote consoles must be disabled or protected from unauthorized access.
V-787 Medium System log files must have mode 0640 or less permissive.
V-939 Medium A system vulnerability tool must be run on the system monthly.
V-785 Medium All files and directories must have a valid owner.
V-784 Medium System files and directories must not have uneven access permissions.
V-834 Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
V-837 Medium The SMTP service log file must be owned by root.
V-836 Medium The system syslog service must log informational and more severe SMTP service messages.
V-931 Medium All NFS-exported system files and system directories must be owned by root.
V-932 Medium The NFS anonymous UID and GID must be configured to values that have no permissions.
V-933 Medium The NFS server must be configured to restrict file system access to local hosts.
V-935 Medium The NFS server must not allow remote root access.
V-936 Medium The nosuid option must be enabled on all NFS client mounts.
V-788 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-22550 Medium The system must ignore IPv6 ICMP redirect messages.
V-11979 Medium The root account must not be used for direct logins.
V-22552 Medium The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
V-22553 Medium The system must not forward IPv6 source-routed packets.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-22556 Medium If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI.
V-22557 Medium If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provides a certificate and this certificate has a valid trust path to a trusted CA.
V-22559 Medium If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
V-11972 Medium The system must require that passwords contain at least one numeric character.
V-11973 Medium The system must require that passwords contain at least one special character.
V-11975 Medium The system must require passwords to contain no more than three consecutive repeating characters.
V-11976 Medium User passwords must be changed at least every 60 days.
V-11977 Medium All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
V-22411 Medium The system must not respond to ICMP timestamp requests sent to a broadcast address.
V-1061 Medium Audio devices must be group-owned by root, sys, bin, or system.
V-22412 Medium The system must not apply reversed source routing to TCP responses.
V-22415 Medium Proxy ARP must not be enabled on the system.
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22417 Medium The system must not send IPv4 ICMP redirects.
V-22416 Medium The system must ignore IPv4 ICMP redirect messages.
V-22472 Medium The SSH private host key files must have mode 0600 or less permissive.
V-22317 Medium All library files must not have extended ACLs.
V-22314 Medium All system command files must not have extended ACLs.
V-22315 Medium System log files must not have extended ACLs, except as needed to support authorized software.
V-22312 Medium All files and directories must have a valid group owner.
V-22313 Medium All network services daemon files must not have extended ACLs.
V-22310 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-22311 Medium The root account's list of preloaded libraries must be empty.
V-22318 Medium NIS/NIS+/yp command files must not have extended ACLs.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-22387 Medium Cron and crontab directories must not have extended ACLs.
V-22438 Medium The aliases file must be group-owned by root, sys, bin, or system.
V-22437 Medium The traceroute file must not have an extended ACL.
V-12028 Medium The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
V-22436 Medium The hosts.lpd (or equivalent) file must not have an extended ACL.
V-22488 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-22489 Medium The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
V-22486 Medium The SSH daemon must use privilege separation.
V-22487 Medium The SSH daemon must not allow rhosts RSA authentication.
V-22485 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-22480 Medium The SSH daemon must not permit tunnels.
V-22481 Medium The SSH client must not permit tunnels.
V-12023 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-15828 Medium ESX Server service console administrators are not documented
V-15829 Medium Hash signatures for the /etc files are not stored offline.
V-15826 Medium IP tables or internal router/firewall is not configured to restrict IP addresses to services.
V-15824 Medium ESX Server firewall is not configured to High Security.
V-15784 Medium An NFS Server is running on the ESX Server host
V-15822 Medium Undocumented VLANs are configured on ESX Server in VST mode.
V-4371 Medium The traceroute file must have mode 0700 or less permissive.
V-15820 Medium External physical switch ports configured for EST mode are configured with spanning-tree enabled.
V-15821 Medium The non-negotiate option is not configured for trunk links between external physical switches and virtual switches in VST mode.
V-4262 Medium The system must not have the rpc.ugidd daemon enabled.
V-4269 Medium The system must not have unnecessary accounts.
V-12026 Medium NIS maps must be protected through hard-to-guess domain names.
V-22389 Medium The cron.deny file must not have an extended ACL.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22408 Medium Network interfaces must not be configured to allow user control.
V-27353 Medium Cron logging must be implemented.
V-22322 Medium The /etc/resolv.conf file must not have an extended ACL.
V-4089 Medium All system start-up files must be owned by root.
V-4084 Medium The system must prohibit the reuse of passwords within five iterations.
V-4087 Medium User start-up files must not execute world-writable programs.
V-4083 Medium Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-1028 Medium The /etc/smb.conf file must have mode 0644 or less permissive.
V-1029 Medium The /etc/smbpasswd file must be owned by root.
V-15913 Medium Virtual machines are not backed up in accordance with the MAC level.
V-22320 Medium The /etc/resolv.conf file must be group-owned by root, bin, sys, or system.
V-24384 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
V-1025 Medium The /etc/access.conf file must be owned by root.
V-28457 Medium The system must use an access control program.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-22324 Medium The /etc/hosts file must be group-owned by root, bin, sys, or system.
V-22459 Medium The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
V-22458 Medium The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-22329 Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
V-22328 Medium The /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system.
V-22327 Medium The /etc/nsswitch.conf file must be owned by root.
V-22326 Medium The /etc/hosts file must not have an extended ACL.
V-22457 Medium The SSH daemon must only listen on management network addresses unless authorized for uses other than management.
V-22456 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-22451 Medium The snmpd.conf file must be group-owned by root, bin, sys, or system.
V-22450 Medium Management Information Base (MIB) files must not have extended ACLs.
V-22453 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-22452 Medium The snmpd.conf file must not have an extended ACL.
V-1022 Medium An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
V-1023 Medium The system must not run an Internet Network News (INN) server.
V-994 Medium The snmpd.conf file must have mode 0600 or less permissive.
V-995 Medium Management Information Base (MIB) files must have mode 0640 or less permissive.
V-11985 Medium All global initialization files' executable search paths must contain only absolute paths.
V-22425 Medium The xinetd.d directory must have mode 0755 or less permissive.
V-901 Medium All users' home directories must have mode 0750 or less permissive.
V-903 Medium All interactive users' home directories must be group-owned by the home directory owner's primary group.
V-902 Medium All interactive users' home directories must be owned by their respective users.
V-905 Medium All local initialization files must have mode 0740 or less permissive.
V-904 Medium All local initialization files must be owned by the user or root.
V-907 Medium Run control scripts' executable search paths must contain only absolute paths.
V-906 Medium All run control scripts must have mode 0755 or less permissive.
V-22352 Medium All files and directories contained in user home directories must not have extended ACLs.
V-22353 Medium All run control scripts must have no extended ACLs.
V-22351 Medium All files and directories contained in user's home directories must be group-owned by a group the home directory's owner is a member.
V-22356 Medium All global initialization files must not have extended ACLs.
V-22357 Medium Skeleton files must not have extended ACLs.
V-22354 Medium Run control scripts' library search paths must contain only absolute paths.
V-22355 Medium Run control scripts' lists of preloaded libraries must contain only absolute paths.
V-22520 Medium The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
V-22524 Medium The AppleTalk protocol must be disabled or not installed.
V-22527 Medium The DECnet protocol must be disabled or not installed.
V-12010 Medium Unencrypted FTP must not be used on the system.
V-12011 Medium All FTP users must have a default umask of 077.
V-12016 Medium .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
V-12017 Medium The .Xauthority utility must only permit access to authorized hosts.
V-12014 Medium All .Xauthority files must have mode 0600 or less permissive.
V-12018 Medium X Window System connections that are not required must be disabled.
V-12019 Medium The snmpd.conf file must be owned by bin.
V-24331 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
V-22428 Medium The services file must not have an extended ACL.
V-15811 Medium Unused port groups have not been removed
V-4427 Medium All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
V-4357 Medium Audit logs must be rotated daily.
V-4358 Medium The cron.deny file must have mode 0600 or less permissive.
V-6773 Medium USB devices with persistent memory are not formatted in a manner to allow the application of Access Controls to files or data stored on the device.
V-6774 Medium There is no section within the SFUG, or equivalent documentation, describing the correct usage and handling of USB technologies.
V-22358 Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
V-23828 Medium If the system is using LDAP for authentication or account information, the system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for protecting the LDAP connection.
V-22396 Medium The "at" directory must be group-owned by root, bin, sys, or cron.
V-23827 Medium The SSH client must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode).
V-23826 Medium The SSH daemon must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode).
V-23825 Medium The system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for generating system password hashes.
V-1030 Medium The smb.conf file must use the hosts option to restrict access to Samba.
V-22462 Medium The SSH client must be configured to not use CBC-based ciphers.
V-22424 Medium The inetd.conf and xinetd.conf files must not have extended ACLs.
V-822 Medium The inetd.conf and xinetd.conf files must have mode 0440 or less permissive.
V-823 Medium The services file must be owned by root or bin.
V-821 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
V-794 Medium All system command files must have mode 755 or less permissive.
V-795 Medium All system files, programs, and directories must be owned by a system account.
V-824 Medium The services file must have mode 0444 or less permissive.
V-797 Medium The /etc/shadow (or equivalent) file must be owned by root.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-12765 Medium The system must use and update a DoD-approved virus scan program.
V-828 Medium The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
V-829 Medium The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
V-1054 Medium The /etc/access.conf file must have a privileged group owner.
V-22404 Medium Kernel core dumps must be disabled unless needed.
V-22569 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.
V-22568 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system.
V-22565 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
V-12022 Medium The SSH daemon must be configured for IP filtering.
V-22567 Medium For systems using NSS LDAP, the TLS certificate file must be owned by root.
V-12020 Medium The system must not be used as a syslog server (log host) for systems external to the enclave.
V-22561 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.
V-22560 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
V-22563 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
V-22562 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
V-12025 Medium The system must not have any peer-to-peer file-sharing application installed.
V-22360 Medium Global initialization files' lists of preloaded libraries must contain only absolute paths.
V-22426 Medium The xinetd.d directory must not have an extended ACL.
V-831 Medium The alias file must be owned by root.
V-786 Medium All network services daemon files must have mode 0755 or less permissive.
V-22363 Medium Local initialization files' library search paths must contain only absolute paths.
V-22362 Medium Local initialization files must not have extended ACLs.
V-22361 Medium Local initialization files must be group-owned by the user's primary group or root.
V-832 Medium The alias file must have mode 0644 or less permissive.
V-22367 Medium Audio devices must not have extended ACLs.
V-22366 Medium All shell files must not have extended ACLs.
V-22365 Medium All shell files must be group-owned by root, bin, sys, or system.
V-22364 Medium Local initialization files' lists of preloaded libraries must contain only absolute paths.
V-22369 Medium All system audit files must not have extended ACLs.
V-22368 Medium Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the "nodev" option.
V-22427 Medium The services file must be group-owned by root, bin, sys, or system.
V-782 Medium The system must have a host-based intrusion detection tool installed.
V-22665 Medium The system must not be running any routing protocol daemons, unless the system is a router.
V-780 Medium Group Identifiers (GIDs) reserved for system accounts must not be assigned to non-system groups.
V-23953 Medium The ldd command must be disabled unless it protects against the execution of untrusted files.
V-23952 Medium Mail relaying must be restricted.
V-838 Medium The SMTP service log file must have mode 0644 or less permissive.
V-22420 Medium The system must use a reverse-path filter for IPv4 network traffic when possible.
V-11945 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
V-11947 Medium The system must require that passwords contain a minimum of 14 characters.
V-15858 Medium SNMP write mode is enabled on ESX Server.
V-11941 Medium A file integrity baseline must be created and maintained.
V-15852 Medium The ESX Servers and management servers are not backed up in accordance to the MAC level of the servers.
V-15857 Medium VirtualCenter communications to the ESX Server are unencrypted.
V-11948 Medium The system must require that passwords contain at least one uppercase alphabetic character.
V-15855 Medium VI client sessions to the ESX Server are unencrypted.
V-15854 Medium Backups are not located in separate logical partitions from production data.
V-22551 Medium The system must not send IPv6 ICMP redirects.
V-4250 Medium The system's boot loader configuration file(s) must have mode 0600 or less permissive.
V-23741 Medium TCP backlog queue sizes must be set appropriately.
V-22587 Medium The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
V-16881 Medium Permissions on the virtual disk files are incorrect.
V-22585 Medium The system's boot loader configuration file(s) must not have extended ACLs.
V-22583 Medium The system's local firewall must implement a deny-all, allow-by-exception policy.
V-22582 Medium The system must employ a local firewall.
V-789 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-12024 Medium The system must not have a public Instant Messaging (IM) client installed.
V-22558 Medium If the system is using LDAP for authentication or account information, the system must check that the LDAP server's certificate has not been revoked.
V-11946 Medium UIDs reserved for system accounts must not be assigned to non-system accounts.
V-27079 Medium Successful and unsuccessful logins and logouts must be logged.
V-22564 Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system.
V-850 Medium Any X Windows host must write .Xauthority files.
V-776 Medium The root account's executable search path must be the vendor default and must contain only absolute paths.
V-777 Medium The root account must not have world-writable directories in its executable search path.
V-4321 Medium The system must not run Samba unless needed.
V-1047 Medium The system must not permit root logins using remote access programs, such as SSH.
V-756 Medium The system must require authentication upon booting into single-user and maintenance modes.
V-775 Medium The root account's home directory (other than /) must have mode 0700.
V-24624 Medium The system boot loader must protect passwords using an MD5 or stronger cryptographic hash.
V-773 Medium The root account must be the only account having an UID of 0.
V-22566 Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
V-22448 Medium The SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.
V-22449 Medium The SNMP service must require the use of a FIPS 140-2 approved encryption algorithm for protecting the privacy of SNMP messages.
V-22338 Medium The /etc/group file must not have an extended ACL.
V-22339 Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys, or system.
V-22461 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-22442 Medium The SMTP service log file must not have an extended ACL.
V-22335 Medium The /etc/group file must be owned by root.
V-22336 Medium The /etc/group file must be group-owned by root, bin, sys, or system.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22446 Medium The .Xauthority files must not have extended ACLs.
V-22447 Medium The SNMP service must use only SNMPv3 or its successors.
V-22444 Medium The ftpusers file must be group-owned by root, bin, sys, or system.
V-22445 Medium The ftpusers file must not have an extended ACL.
V-27103 Medium Users must not be able to change passwords more than once every 24 hours.
V-22410 Medium The system must not respond to ICMPv4 echoes sent to a broadcast address.
V-22413 Medium The system must prevent local applications from generating source-routed packets.
V-827 Medium The hosts.lpd file (or equivalent) must not contain a "+" character.
V-913 Medium There must be no .netrc files on the system.
V-916 Medium The /etc/shells (or equivalent) file must exist.
V-917 Medium All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
V-15974 Medium ESX Server assets are not configured with the correct posture in VMS.
V-918 Medium Accounts must be locked upon 35 days of inactivity.
V-15972 Medium Virtual machines are not registered in VMS.
V-15973 Medium ESX Server is not properly registered in VMS.
V-22537 Medium The PF_LLC protocol handler must not be installed.
V-22535 Medium The PF_LLC protocol handler must not be bound to the network stack.
V-22533 Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
V-22530 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
V-22539 Medium The Bluetooth protocol handler must be disabled or not installed.
V-22383 Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
V-22385 Medium Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
V-22384 Medium The cron.allow file must not have an extended ACL.
V-22439 Medium The alias file must not have an extended ACL.
V-22386 Medium Crontab files must not have extended ACLs.
V-22388 Medium The cron log files must not have extended ACLs.
V-22435 Medium The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
V-22434 Medium The rexecd service must not be installed.
V-22433 Medium The rlogind service must not be installed.
V-22432 Medium The rlogind service must not be running.
V-22431 Medium The rshd service must not be installed.
V-22430 Medium The portmap or rpcbind service must not be installed unless needed.
V-22359 Medium Global initialization files' library search paths must contain only absolute paths.
V-11989 Medium The .rhosts file must not be supported in PAM.
V-11981 Medium All global initialization files must have mode 0444 or less permissive.
V-11980 Medium The system must log successful and unsuccessful access to the root account.
V-11983 Medium All global initialization files must be group-owned by root, sys, bin, other, system, or the system default.
V-11982 Medium All global initialization files must be owned by bin.
V-15793 Medium USB drives automatically load when inserted into the ESX Server host.
V-11984 Medium All skeleton files and directories (typically in /etc/skel) must be owned by bin.
V-11987 Medium The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
V-11986 Medium All local initialization files' executable search paths must contain only absolute paths.
V-22293 Medium The system time synchronization method must use cryptographic algorithms to verify the authenticity and integrity of the time data.
V-24347 Medium The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-22291 Medium The system must use at least two time sources for clock synchronization.
V-22297 Medium The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
V-984 Medium Access to the "at" utility must be controlled via the at.allow and/or at.deny file(s).
V-15804 Medium The ESX Server external physical switch ports are configured to VLAN 1.
V-15805 Medium Permissions have been changed on the /usr/sbin/esx* utilities
V-22294 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-1026 Medium The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-4369 Medium The traceroute command owner must be root.
V-22586 Medium The system's boot loader configuration files must be owned by root.
V-4364 Medium The "at" directory must have mode 0755 or less permissive.
V-4365 Medium The "at" directory must be owned by root, bin, or sys.
V-4366 Medium "At" jobs must not set the umask to a value less restrictive than 077.
V-4367 Medium The at.allow file must be owned by root, bin, or sys.
V-22455 Medium The system must use a remote syslog server (log host).
V-27375 Medium The cron.deny file must be owned by root, bin, or sys.
V-27370 Medium The cron.allow file must be owned by root, bin, or sys.
V-28440 Medium NFS servers must only accept NFS requests from privileged ports on client systems.
V-22454 Medium The /etc/syslog.conf file must not have an extended ACL.
V-4701 Low The system must not have the finger service active.
V-22477 Low The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale.
V-22475 Low The SSH daemon must not permit Kerberos authentication unless needed.
V-22474 Low The SSH client must not permit GSSAPI authentication unless needed.
V-22479 Low The SSH daemon must not permit user environment settings.
V-22478 Low The SSH client must not send environment variables to the server or must only send those pertaining to locale.
V-22577 Low Automated file system mounting tools must not be enabled unless needed.
V-4384 Low The SMTP service's SMTP greeting must not provide version information.
V-22370 Low System audit tool executables must be owned by root.
V-22371 Low System audit tool executables must be group-owned by root, bin, sys, or system.
V-22372 Low System audit tool executables must have mode 0750 or less permissive.
V-22373 Low System audit tool executables must not have extended ACLs.
V-22374 Low The audit system must alert the SA in the event of an audit processing failure.
V-22376 Low The audit system must be configured to audit account creation.
V-22377 Low The audit system must be configured to audit account modification.
V-22378 Low The audit system must be configured to audit account disabling.
V-22509 Low The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
V-22508 Low The file integrity tool must be configured to verify extended attributes.
V-22507 Low The file integrity tool must be configured to verify ACLs.
V-15843 Low ESX Server does not send logs to a syslog server.
V-23739 Low The system must use a separate file system for /tmp (or equivalent).
V-23738 Low The system must use a separate file system for the system audit data path.
V-23736 Low The system must use a separate file system for /var.
V-22308 Low The system must restrict the ability to switch to the root user for members of a defined group.
V-22301 Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
V-22300 Low The system must display the number of unsuccessful login attempts since the last successful login for a user account upon logging in.
V-845 Low The FTP daemon must be configured for logging or verbose mode.
V-929 Low The NFS export configuration file must have mode 0644 or less permissive.
V-923 Low The system must be checked for extraneous device files at least weekly.
V-22578 Low The system must have USB disabled unless needed.
V-22579 Low The system must have USB Mass Storage disabled unless needed.
V-11996 Low Process core dumps must be disabled unless needed.
V-11997 Low The kernel core dump data directory must be owned by root.
V-15887 Low Master templates are not stored on a separate partition.
V-22422 Low All local file systems must employ journaling or another mechanism ensuring file system consistency.
V-825 Low Global initialization files must contain the mesg -n or mesg n commands.
V-22399 Low The system must be configured to store any process core dumps in a specific, centralized directory.
V-24357 Low The system must be configured to send audit records to a remote audit server.
V-22493 Low The NFS exports configuration file must not have an extended ACL.
V-4692 Low The SMTP service must not have the EXPN feature active.
V-806 Low The sticky bit must be set on all public directories.
V-22465 Low The SSH client must be configured to not allow TCP forwarding.
V-22466 Low The SSH daemon must be configured to not allow gateway ports.
V-22467 Low The SSH client must be configured to not allow gateway ports.
V-22468 Low The SSH daemon must be configured to not allow X11 forwarding.
V-22469 Low The SSH client must be configured to not allow X11 forwarding.
V-22299 Low The system must display the date and time of the last successful account login upon login.
V-22298 Low The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
V-12003 Low A separate file system must be used for user home directories (such as /home or equivalent).
V-22331 Low For systems using DNS resolution, at least two name servers must be configured.
V-6764 Low There is no document instructing users that USB devices be powered off for at least 60 seconds prior to being connected to an IS.
V-835 Low Sendmail logging must not be set to less than nine in the sendmail.cf file.
V-22473 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-22418 Low The system must log martian packets.
V-1062 Low The root shell must be located in the / file system.
V-22316 Low All manual page files must not have extended ACLs.
V-22406 Low The kernel core dump data directory must have mode 0700 or less permissive.
V-22402 Low The centralized process core dump data directory must have mode 0700 or less permissive.
V-22403 Low The centralized process core dump data directory must not have an extended ACL.
V-22482 Low The SSH daemon must limit connections to a single session.
V-15827 Low ESX Server required services are not documented.
V-22409 Low The system must not process ICMP timestamp requests.
V-4088 Low User start-up files must not contain the mesg -y or mesg y command.
V-900 Low All interactive user home directories defined in the /etc/passwd file must exist.
V-22350 Low User home directories must not have extended ACLs.
V-6775 Low The USB usage section of the SFUG, or equivalent document, does not contain a discussion of the devices that contain persistent non-removable memory.
V-4694 Low The Sendmail service must not have the wizard backdoor active.
V-4693 Low The SMTP service must not have the VRFY feature active.
V-899 Low All interactive users must be assigned a home directory in the /etc/passwd file.
V-792 Low Manual page files must have mode 0644 or less permissive.
V-22407 Low The kernel core dump data directory must not have an extended ACL.
V-22405 Low The kernel core dump data directory must be group-owned by root, bin, sys, or system.
V-22400 Low The centralized process core dump data directory must be owned by root.
V-22401 Low The centralized process core dump data directory must be group-owned by root, bin, sys, or system.
V-781 Low All GIDs referenced in the /etc/passwd file must be defined in the /etc/group file.
V-22589 Low The system package management tool must not automatically obtain updates.
V-22588 Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
V-774 Low The root user's home directory must not be the root directory (/).
V-22464 Low The SSH daemon must be configured to not allow TCP connection forwarding.
V-914 Low All files and directories contained in interactive user's home directories must be owned by the home directory's owner.
V-915 Low All files and directories contained in user's home directories must have mode 0750 or less permissive.
V-22382 Low The audit system must be configured to audit account termination.
V-22292 Low The system must use time sources local to the enclave.
V-15801 Low The ESX Server does not meet the minimum requirement of two network adapters.
V-4360 Low Cron programs must not set the umask to a value less restrictive than 077.
V-22580 Low The system must have IEEE 1394 (Firewire) disabled unless needed.