SYSTEM CHECK PROCEDURES

Transcription

4 SYSTEM CHECKS
Page 1
3. SYSTEM CHECK PROCEDURES
This section details the procedures to perform for manual UNIX system Security checks. Reviewers should use
the UNIX Scripts whenever possible. Manual checks are provided in the event that the scripts are either
unavailable to examine an item, return false negatives, return false positives, or will not execute on the system.
The check procedures in this document now contain Global Information Grid-Bandwidth Expansion (GIG-BE)
information to identify the MAC level, IA Control identifiers, and Department of Defense (DOD) description of
the IA Control. Many contain more than one pertinent IA Control. These are listed to the far right of the PDI
number within the identification block.
Each identification block also contains one of six codes to indicate the automation status of each PDI. These
may change from time to time, such as a script that is initially manual for an IAVA but is automated at a later
time. Scripts are either MAN+ /+ or PART because there is either information needed before they can be
automated, the attempts to automate them have proven to produce false positives/negatives, or just perform the
service adequately using current methods. The codes are:
AUTO
Indicates completely automated scripts.
PART
Indicates partially automated scripts.
PART+
Indicates partially automated scripts that we could fully automate.
MAN
Indicates scripts requiring manual reviews.
MAN+
MAN++
Indicates manual review scripts we could partially automate.
Indicates manual review scripts we could fully automate.
This page is intentionally left blank.
TABLE OF CONTENTS
Page
3
3.1
3.1.1
SYSTEM CHECK PROCEDURES
UNIX Overview and Site Information
System Equipement
3.1.1.1
GEN000020 – Single User Mode Password
3.1.1.2
GEN000040 – Single User Mode Password Incompatibility Documentation
http://s3.amazonaws.com/0706/819143.html
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.1.1.3
GEN000060 – Single User Mode Password Incompatibility Location
3.1.1.4
GEN000080 – System Equipment Location
3.1.2
Operating System
3.1.2.1
GEN000100 – Supported Release
3.1.2.2
GEN000120 – Vendor Recommended and Security Patches
3.1.3
File Integrity
3.1.3.1
GEN000140 – Create and Maintain System Baseline
3.1.3.2
GEN000160 – System Baseline Backup on Write-protected Media
3.1.3.3
GEN000220 – System Baseline for System Libraries and Binaries Checking
3.1.3.4
GEN000240 – Network Time-Server
3.2
3.2.1
DISCRETIONARY ACCESS CONTROL AND GENERAL SECURITY
User Account Controls
3.2.1.1
GEN000260 – Shared Account Documentation
3.2.1.2
GEN000280 – Shared Account Direct Logon
3.2.2
Interactive Users
3.2.2.1
GEN000300 – Unique Account Name
3.2.2.2
GEN000320 – Unique UID
3.2.2.3
GEN000340 – Reserved System Account UIDs
3.2.2.4
GEN000360 – Reserved System Account GIDs
3.2.2.5
GEN000380 – Groups Referenced in /etc/passwd
3.2.3
Logon Warning Banner
3.2.3.1
GEN000400 – Logon Warning Banner Display
3.2.3.2
GEN000420 – Logon Warning Banner Content
3.2.4
Account Access
3.2.4.1
GEN000440 – Logging Login Attempts
3.2.4.2
GEN000460 – Three Failed Login Attempts
3.2.4.3
GEN000480 – Login Delay
3.2.5
Inactivity Timeout/Locking
3.2.5.1
GEN000500 – Inactivity
3.2.5.2
GEN000520 – Continuous Display
3.2.6
Page 2
Password Guidelines
3.2.6.1
GEN000540 – Password Change 24 Hours
3.2.6.2
GEN000560 – Password Protect Enabled Accounts
3.2.6.3
GEN000580 – Password Length
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 3
3.2.6.4
GEN000600 – Password Character Mix
3.2.6.5
3.2.6.6
3.2.6.7
GEN000660 – Password Contents
3.2.6.8
GEN000680 – Password Contents
3.2.6.9
GEN000700 – Password Change Every 60 Days
3.2.6.10
GEN000740 – Password Change Every Year
3.2.6.11
GEN000760 – Inactive Accounts are not locked
3.2.6.12
GEN000780 – Easily Guessed Passwords
3.2.6.13
GEN000800 – Password Reuse
3.2.6.14
GEN000820 – Global Password Configuration Files
3.2.6.15
GEN000840 – Root Account Access
3.2.6.16
GEN000860 – Password Change for Administrative Passwords Upon SA Reassignment
3.2.7
Root Account
3.2.7.1
GEN000880 – Root’s UID
3.2.7.2
GEN000900 – Root’s Home Directory
3.2.7.3
GEN000920 – Root’s Home Directory Permissions
3.2.7.4
GEN000940 – Root’s Search Path
3.2.7.5
GEN000960 – Root’s Search Path
3.2.7.6
GEN000980 – Root Console Access
3.2.7.7
GEN001000 – Remote Consoles
3.2.7.8
GEN001020 – Direct Root Login
3.2.7.9
GEN001060 – Log Root Access Attempts
3.2.7.10
3.2.8
GEN001080 – Root Shell
Encrypted Root Access
3.2.8.1
GEN001100 – Encrypting Root Access
3.2.8.2
GEN001120 – Encrypting Root Access
3.2.9
File and Directory Controls
3.2.9.1
GEN001140 – Uneven File Permissions
3.2.9.2
GEN001160 – Unowned Files
3.2.9.3
GEN001180 – Network Services Daemon Permissions
3.2.9.4
GEN001200 – System Command Permissions
3.2.9.5
GEN001220 – System Files, Programs, and Directories Ownership
3.2.9.6
GEN001240 – System Files, Programs, and Directories Group Ownership
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.2.9.7
GEN001260 – System Log File Permissions
3.2.9.8
GEN001280 – Manual Page File Permissions
3.2.9.9
GEN001300 – Library File Permissions
3.2.9.10
GEN001320 – NIS/NIS+/yp File Ownership
3.2.9.11
GEN001340 – NIS/NIS+/yp File Group Ownership
3.2.9.12
GEN001360 – NIS/NIS+/yp File Permissions
3.2.9.13
GEN001380 – /etc/passwd File Permissions
3.2.9.14
GEN001400 – /etc/passwd and/or /etc/shadow File Ownership
3.2.9.15
GEN001420 – /etc/shadow File Permissions
3.2.10
Home Directories
3.2.10.1
GEN001440 – Assign Home Directories
3.2.10.2
GEN001460 – Assigned Home Directories Exist
3.2.10.3
GEN001480 –Home Directories Permissions
3.2.10.4
GEN001500 –Home Directories Ownership
3.2.10.5
GEN001520 –Home Directories Group Ownership
3.2.11
User Files
3.2.11.1
GEN001540 –Home Directories File Ownership
3.2.11.2
GEN001560 – Home Directories File Permissions
3.2.12
Run Control Scripts
3.2.12.1
GEN001580 – Run Control Scripts Permissions
3.2.12.2
GEN001600 – Run Control Scripts PATH Variable
3.2.12.3
GEN001620 – Run Control Scripts SGID/SUID
3.2.12.4
GEN001640 – Run Control Scripts World Writable Programs or Scripts
3.2.12.5
GEN001660 – Run Control Scripts Ownership
3.2.12.6
GEN001680 – Run Control Scripts Group Ownership
3.2.12.7
GEN001700 – Run Control Scripts Execute Programs
3.2.13
Page 4
Global Initialization Files
3.2.13.1
GEN001720 – Global Initialization Files Permissions
3.2.13.2
GEN001740 – Global Initialization Files Ownership
3.2.13.3
GEN001760 – Global Initialization Files Group Ownership
3.2.13.4
GEN001780 – Global Initialization Files do not Contain mesg -n
3.2.13.5
GEN001800 – Default/Skeleton Dot Files Permissions
3.2.13.6
GEN001820 – Default/Skeleton Dot Files Ownership
3.2.13.7
GEN001840 – Global Initialization Files PATH Variable
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.2.14
Page 5
Local Initialization Files
3.2.14.1
GEN001860 – Local Initialization Files Ownership
3.2.14.2
GEN001880 – Local Initialization Files Permissions
3.2.14.3
GEN001900 – Local Initialization Files PATH Variable
3.2.14.4
GEN001920 – Local Initialization Files SGID/SUID
3.2.14.5
GEN001940 – Local Initialization Files World Writable Programs or Scripts
3.2.14.6
GEN001960 – Local Initialization Files mesg -y
3.2.15
Trusted System/System Access Control Files
3.2.15.1
GEN001980 – Plus (+) in Access Control Files
3.2.15.2
GEN002000 – The .netrc File Exists
3.2.15.3
GEN002020 – Access Control Files Host Pairs
3.2.15.4
GEN002040 – Access Control Files Documentation
3.2.15.5
GEN002060 – Access Control Files Accessibility
3.2.15.6
GEN002100 – The .rhosts Supported in PAM
3.2.16
Shells
3.2.16.1
GEN002120 – The /etc/shells File Does Not Exist
3.2.16.2
GEN002140 – The /etc/shells Contents
3.2.16.3
GEN002160 – Shells SUID
3.2.16.4
GEN002180 – Shells SGID
3.2.16.5
GEN002200 – Shells Ownership
3.2.16.6
GEN002220 – Shells Permissions
3.2.17
Device Files
3.2.17.1
GEN002260 – System Baseline for Device Files Checking
3.2.17.2
GEN002280 – Device Files Directories Permissions
3.2.17.3
GEN002300 – Device Files Ownership
3.2.17.4
GEN002320 – Audio Device Permissions
3.2.17.5
GEN002340 – Audio Device Ownership
3.2.17.6
GEN002360 – Audio Device Group Ownership
3.2.18
Set User ID (suid)
3.2.18.1
GEN002380 – SUID Files Baseline
3.2.18.2
GEN002400 – System Baseline for SUID Files Checkling
3.2.18.3
GEN002420 – File Systems Mounted With nosuid
3.2.19
3.2.19.1
Set Group ID (sgid)
GEN002440 – SGID Files Baseline
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.2.19.2
3.2.20
GEN002460 – System Baseline for SGID Files Checking
Sticky Bit
3.2.20.1
GEN002480 – World Writable Files and Directories
3.2.20.2
GEN002500 – Sticky Bit on Public Directories
3.2.20.3
GEN002520 – Public Directories Ownership
3.2.20.4
GEN002540 – Public Directories Group Ownership
3.2.21
Umask
3.2.21.1
GEN002560 – Default umask
3.2.21.2
GEN002580 – Permissive umask Documentation
3.2.22
3.2.22.1
3.2.23
3.2.23.1
3.2.24
Page 6
Development Systems
GEN002600 – Development Systems Security Requirements
Default Accounts
GEN002640 – Disabled Default System Accounts
Audit Requirements
3.2.24.1
GEN002660 – Configure and Implement Auditing
3.2.24.2
GEN002680 – Audit Logs Accessiblity
3.2.24.3
GEN002700 – Audit Logs Permissions
3.2.24.4
GEN002720 – Audit Failed File and Program Access Attempts
3.2.24.5
GEN002740 – Audit File and Program Deletion
3.2.24.6
GEN002760 – Audit Administrative, Privileged, and Security Actions
3.2.24.7
GEN002800 – Audit Login, Logout, and Session Initiation
3.2.24.8
GEN002820 – Audit Discretionary Access Control Permission Modifications
3.2.24.9
GEN002860 – Audit Logs Rotation
3.2.24.10
GEN002900 – Audit Data Retention
3.2.24.11
GEN002920 – Audit Data Backup
3.2.25
3.2.25.1
3.2.26
Audit Review Guidance
GEN002940 – Audit Logs Review
Cron Restrictions
3.2.26.1
GEN002960 – Cron Utility Accessibility
3.2.26.2
GEN002980 – The cron.allow Permissions
3.2.26.3
GEN003000 – Cron Executes World Writable Programs
3.2.26.4
GEN003020 – Cron Executes Programs in World Writable Directories
3.2.26.5
GEN003040 – Crontabs Ownership
3.2.26.6
GEN003060 – Default System Accounts and Cron
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.2.26.7
GEN003080 – Crontab files Permissions
3.2.26.8
GEN003100 – Cron and Crontab Directories Permissions
3.2.26.9
GEN003120 – Cron and Crontab Directories Ownership
3.2.26.10
GEN003140 – Cron and Crontab Directories Group Ownership
3.2.26.11
GEN003160 – Cron Logging
3.2.26.12
GEN003180 – Cronlog Permissions
3.2.26.13
GEN003200 – cron.deny Permissions
3.2.26.14
GEN003220 – Cron Programs umask
3.2.26.15
GEN003240 – cron.allow Ownership
3.2.26.16
GEN003260 – cron.deny Ownership
3.2.27
At Restrictions
3.2.27.1
GEN003280 – At Utility Accessibility
3.2.27.2
GEN003300 – The at.deny File
3.2.27.3
GEN003320 – Default System Accounts and At
3.2.27.4
GEN003340 – at.allow and at.deny Permissions
3.2.27.5
GEN003360 – At Executes World Writable Programs
3.2.27.6
GEN003380 – At Executes Programs in World Writable Directories
3.2.27.7
GEN003400 – The at Directory Permissions
3.2.27.8
GEN003420 – The at Directory Ownership
3.2.27.9
GEN003440 – At Programs umask
3.2.27.10
GEN003460 – at.allow Ownership
3.2.27.11
GEN003480 – at.deny Ownership
3.2.28
Restrict/Disable Core Dumps
3.2.28.1
GEN003500 – Restrict or Disable Core Dumps
3.2.28.2
GEN003520 – Core Dump Directory Ownership and Permissions
3.2.29
3.2.29.1
Disable Executable Stack
GEN003540 – Disable Executable Stack
3.2.30
Restrict NFS Port Listening
3.2.31
Use More Random TCP Sequence Numbers
3.2.31.1
3.2.32
3.2.32.1
3.2.33
3.2.33.1
Page 7
GEN003580 – TCP Sequence Numbers
Network Security Settings
GEN003600 – Network Security Settings
File Systems
GEN003620 – Separate Filesytem Partitions
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.2.33.2
GEN003640 – Root Filesystem Logging
3.2.34
Syslog AUTH/AUTHPRIV Facility
3.2.34.1
3.3
3.3.1
GEN003660 – Authentication Data Logging
Network Services
Network Services
3.3.1.1
GEN003680 – Required Network Services For Operation
3.3.1.2
GEN003700 – Disable inetd/xinetd
3.3.1.3
GEN003720 – inetd.conf Ownership
3.3.1.4
GEN003740 – inetd.conf Permissions
3.3.1.5
GEN003760 – The Services File Ownership
3.3.1.6
GEN003780 – The Services File Permissions
3.3.1.7
GEN003800 – inetd Logging
3.3.2
3.3.2.1
3.3.3
3.3.3.1
3.3.4
Rlogin and rsh
GEN003820 – Remote Login or Shell Is Enabled
Rexec
GEN003840 – The rexec Service Is Enabled
Finger
3.3.4.1
GEN003860 – The finger Service Is Enabled
3.3.4.2
GEN003865 – Network analysis tools enabled.
3.3.5
Remote Host Printing
3.3.5.1
GEN003880 – Print Server and Client Configuration Documentation
3.3.5.2
GEN003900 – hosts.lpd Contents
3.3.5.3
GEN003920 – hosts.lpd Ownership
3.3.5.4
GEN003940 – hosts.lpd Permissions
3.3.6
Traceroute
3.3.6.1
GEN003960 – The traceroute Command Ownership
3.3.6.2
GEN003980 – The traceroute Command Group Ownership
3.3.6.3
GEN004000 – The traceroute Command Permissions
3.3.7
Page 8
Client Browser Requirements
3.3.7.1
GEN004020 – Browser Capable of 128-bit Encryption
3.3.7.2
GEN004040 – Browser Software Update Feature
3.3.7.3
GEN004060 – Browser Unencrypted Secure Content Caching
3.3.7.4
GEN004100 – Browser Allows Active Scripting
3.3.7.5
GEN004120 – Browser Data Redirection Warning
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.3.7.6
GEN004160 – Browser Certificate Warning
3.3.7.7
GEN004180 – Browser Home Page
3.3.7.8
GEN004200 – Browser SSL Configuration
3.3.7.9
GEN004220 – The root Account’s Browser
3.3.7.10
GEN004240 – Browser Version
3.3.7.11
GEN004260 – Browser Cookie Warning
3.3.7.12
GEN004280 – Browser Form Data Warning
3.3.7.13
GEN004300 – Browser Secure and Non-secure Content Warning
3.3.7.14
GEN004320 – Browser Leaving Encrypted Site Warning
3.3.8
Sendmail or Equivalent
3.3.8.1
GEN004360 – aliases Ownership
3.3.8.2
GEN004380 – aliases Permissions
3.3.8.3
GEN004400 – File Executed Through Aliases Accessibility
3.3.8.4
GEN004420 – File Executed Through Aliases Permissions
3.3.8.5
GEN004440 – Sendmail Logging
3.3.8.6
GEN004460 – Critical Level Sendmail Messages Logging
3.3.8.7
GEN004480 – Critical Sendmail Log File Ownership
3.3.8.8
GEN004500 – Critical Sendmail Log File Permissions
3.3.8.9
GEN004540 – Sendmail Help Command
3.3.8.10
GEN004560 – Sendmail Greeting to Mask Version
3.3.8.11
GEN004580 – .forward Files
3.3.8.12
GEN004600 – Sendmail Version
3.3.8.13
GEN004620 – Sendmail DEBUG Command
3.3.8.14
GEN004640 – Sendmail DECODE Command
3.3.8.15
GEN004660 – Sendmail EXPN Command
3.3.8.16
GEN004680 – Sendmail VRFY Command
3.3.8.17
GEN004700 – Sendmail WIZ Command
3.3.9
Page 9
File Transfer Protocol (FTP) and Telnet
3.3.9.1
GEN004720 – FTP or Telnet Within Enclave Behind Router
3.3.9.2
GEN004760 – FTP or Telnet Outside to Inside Enclave
3.3.9.3
GEN004780 – FTP or Telnet Userids and Passwords
3.3.9.4
GEN004800 – Unencrypted FTP or Telnet
3.3.9.5
GEN004820 – Anonymous FTP
3.3.9.6
GEN004840 – Anonymous FTP Segregation into DMZ
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.3.10
FTP Configuration
3.3.10.1
GEN004880 – The ftpusers File
3.3.10.2
GEN004900 – The ftpusers File Contents
3.3.10.3
GEN004920 – The ftpusers File Ownership
3.3.10.4
GEN004940 – The ftpusers File Permissions
3.3.10.5
GEN004980 – FTP Daemon Logging
3.3.10.6
GEN005000 – Anonymous FTP Account Shell
3.3.10.7
GEN005020 – Anonymous FTP Configuration
3.3.10.8
GEN005040 – FTP User’s umask
3.3.11
3.3.11.1
File Service Protocol (FSP)
GEN005060 – FSP Is Enabled
3.3.12
Trivial File Transfer Protocol (TFTP)
3.3.12.1
GEN005080 – TFTP Secure Mode
3.3.12.2
GEN005100 – TFTP SUID/SGID Bit
3.3.12.3
GEN005120 – TFTP Configuration
3.3.12.4
GEN005140 – TFTP Documentation
3.3.13
X Window System
3.3.13.1
GEN005160 – .Xauthority Files
3.3.13.2
GEN005180 – .Xauthority File Permissions
3.3.13.3
GEN005200 – X Displays Exporting
3.3.13.4
GEN005220 – X Client Authorization via X*.hosts
3.3.13.5
GEN005240 – X Client Authorization
3.3.13.6
GEN005260 – X Window System Not Required and Not Disabled
3.3.14
3.3.14.1
3.3.15
UNIX to UNIX Copy Program (UUCP)
GEN005280 – Disable UUCP
Simple Network Management Protocol (SNMP)
3.3.15.1
GEN005300 – Changed SNMP Community Strings
3.3.15.2
GEN005320 – snmpd.conf Permissions
3.3.15.3
GEN005340 – MIB File Permissions
3.3.15.4
GEN005360 – snmpd.conf and .mib Ownership
3.3.15.5
GEN005380 – Dedicated Hardware for SNMP
3.3.16
Page 10
System Logging Daemon
3.3.16.1
GEN005400 – /etc/syslog.conf Assessiblity
3.3.16.2
GEN005420 – /etc/syslog.conf Group Ownership
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.3.16.3
GEN005440 – Local Loghosts
3.3.16.4
GEN005460 – Remote Loghost Documentation
3.3.16.5
GEN005480 – Syslog Accepts Remote Messages
3.3.17
Secure Shell (SSH) and Equivalents
3.3.17.1
GEN005500 – SSH Version 1 Compatibility
3.3.17.2
GEN005540 – Encrypted Communications IP Filtering and Banners
3.3.18
UNIX Routing Vulnerabilities
3.3.18.1
GEN005560 – Default Gateway
3.3.18.2
GEN005580 – Dedicated Hardware for Routing
3.3.18.3
GEN005600 – Disable IP Forwarding
3.3.19
3.3.19.1
3.3.20
3.3.20.1
3.3.21
3.3.21.1
3.3.22
3.3.22.1
3.3.23
3.3.23.1
3.3.24
Lotus Domino Web Application
GEN005620 – Lotus Domino Version
Squid Web Proxy Authentication Header
GEN005640 – Squid Web Proxy Authentication Header Vulnerability
Squid Web Proxy MSNT Auth Helper
GEN005660 – Squid Web Proxy MSNT Auth Helper Vulnerability
Squid Web Proxy Version
GEN005680 – Squid Web Proxy Version
iPlanet Web Server
GEN005700 – iPlanet Web Server NS-query-pat Vulnerability
Network Filesytem (NFS)
3.3.24.1
GEN005720 – NFS Port Monitoring
3.3.24.2
GEN005740 – Export Configuration File Ownership
3.3.24.3
GEN005760 – Export Configuration File Permissions
3.3.24.4
GEN005780 – Writable Exported File Systems Documentation
3.3.24.5
GEN005800 – Exported System Files and Directories Ownership
3.3.24.6
GEN005820 – Deny NFS Client Access Without Userid
3.3.24.7
GEN005840 – Restrict NFS Filesystem Access to Local Hosts
3.3.24.8
GEN005860 – NFS User Authentication
3.3.24.9
GEN005880 – Root Access Option Documentation
3.3.24.10
3.3.25
3.3.25.1
3.3.26
Page 11
GEN005900 – NFS Clients Enable nosuid and nosgid
Instant Messaging (IM)
GEN006000 – Public Instant Messaging Client is Installed
Peer-to-Peer File-Sharing Utilities and Clients
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.3.26.1
GEN006040 – Peer-to-Peer Application Authorization with DAA
3.3.27
Samba
3.3.27.1
GEN006060 – Samba is Enabled
3.3.27.2
GEN006080 – Samba Web Administration with SSH Port Forwarding
3.3.27.3
GEN006100 – smb.conf Ownership
3.3.27.4
GEN006120 – smb.conf Group Ownership
3.3.27.5
GEN006140 – smb.conf Permissions
3.3.27.6
GEN006160 – smbpasswd Ownership
3.3.27.7
GEN006180 – smbpasswd Group Ownership
3.3.27.8
GEN006200 – smbpasswd Permissions
3.3.27.9
GEN006220 – smb.conf Configuration
3.3.28
Internet Network News (INN)
3.3.28.1
GEN006240 – INN Documentation
3.3.28.2
GEN006260 – /etc/news/hosts.nntp Permissions
3.3.28.3
GEN006280 – /etc/news/hosts.nntp.nolimit Permissions
3.3.28.4
GEN006300 – /etc/news/nnrp.access Permissions
3.3.28.5
GEN006320 – /etc/news/passwd.nntp Permissions
3.3.28.6
GEN006340 – /etc/news Files Ownership
3.3.28.7
GEN006360 – /etc/news Files Group Ownership
3.4
3.4.1
Network Based Authentication
Network Information Service (NIS)
3.4.1.1
GEN006380 – NIS/NIS+ Implemented Under UDP
3.4.1.2
GEN006400 – NIS Documentation
3.4.1.3
GEN006420 – NIS Maps Domain Names
3.4.2
Network Information Service Plus (NIS+)
3.4.2.1
GEN006440 – NIS Used as Opposed to NIS+
3.4.2.2
GEN006460 – NIS+ Server at Security Level 2
3.5
3.5.1
UNIX Security Tools
UNIX Security Tools
3.5.1.1
GEN006480 – Host-Based Intrusion Detection Tool
3.5.1.2
GEN006540 – System Vulnerabiltiy Assessment Tool
3.5.1.3
GEN006560 – Security Tool Notifications
3.5.2
3.5.2.1
Page 12
Access Control Programs and TCP_WRAPPERS
GEN006580 – Access Control Program
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.5.2.2
GEN006600 – Access Control Program Logging
3.5.2.3
GEN006620 – Access Control Program Control System Access
3.5.2.4
GEN006640 – Virus Protection Software
3.6
Page 13
3.6.1
SUN SOLARIS
3.6.1.1
3.6.2
Removable Media
SOL00020 – /etc/rmmount.conf Configuration
The audit_user File
3.6.2.1
SOL00040 – audit_user User Auditing Levels
3.6.2.2
SOL00060 – audit_user Ownership
3.6.2.3
SOL00080 – audit_user Group Ownership
3.6.2.4
SOL00100 – audit_user Permissions
3.6.3
3.6.3.1
3.6.4
3.6.4.1
3.6.5
Automated Security Enhancement Tool (ASET)
SOL00120 – Aset Master Files Location
The uid_aliases File
SOL00140 – /usr/asset/masters/uid_aliases Content
The asetenv File
3.6.5.1
SOL00160 – ASET Used on a Firewall
3.6.5.2
SOL00180 – ASET Environment Variables
3.6.6
Running ASET
3.6.6.1
SOL00200 – NIS+ and YPCHECK
3.6.6.2
SOL00220 – /usr/aset/userlist Content
3.6.6.3
SOL00240 – /usr/asset/userlist Ownership
3.6.6.4
SOL00260 – /usr/asset/userlist Permissions
3.6.7
3.6.7.1
3.6.8
Electrically Erasable Programmable Read-only Memory (EEPROM)
SOL00300 – EEPROM security-mode Parameter
Sun Answerbook2
3.6.8.1
SOL00360 – Sun Answerbook2 Script Access
3.6.8.2
SOL00380 – Sun Answerbook2 dwhttpd Format String
3.6.9
3.6.9.1
3.6.10
3.6.10.1
3.6.11
3.6.11.1
NFS Server Logging
SOL00400 – NFS Server Logging
Extended File Attributes
SOL00420 – Hidden Extended File Attributes
Root Default Group
SOL00440 – Group Account with gid of 0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.7
HEWLETT PACKARD UNIX (HP-UX)
3.7.1
Trusted Mode
3.7.1.1
HPUX0020 – Operating in Trusted Mode
3.7.2
Trusted System Auditing
3.7.2.1
HPUX0040 – AUDMON_ARGS Flag Configuration
3.7.3
The /etc/securetty File
3.7.3.1
HPUX0060 – /etc/securetty Ownership
3.7.3.2
HPUX0080 – / etc/securetty Group Owner
3.7.3.3
HPUX0100 – /etc/securetty Permissions
3.8
IBM ADVANCED INTERACTIVE EXECUTIVE (AIX)
3.8.1
Security Structure
3.8.1.1
AIX00020 – TCB Software
3.8.2
Network Security
3.8.2.1
AIX00040 – securetcpip Command
3.8.3
System Commands
3.8.3.1
AIX00060 – System Baseline for Files with TCB Bit Set
3.8.4
Authentication
3.8.4.1
AIX00080 – SYSTEM Attribute
3.9
SILICON GRAPHICS (SGI) IRIX
3.10
3.10.1.1
3.11
3.11.1
3.11.1.1
3.11.2
3.11.2.1
3.11.3
Xfsmd
IRIX0020 – The xmfsmd Service is Enabled
LINUX
System BIOS Configuration
LNX00040 – Disable Boot From Removable Media
Restricting the Boot Process
LNX00060 – Password Configuration Table Configuration
Boot Loaders
3.11.3.1
LNX00080 – Boot Diskette
3.11.3.2
LNX00100 – Default Boot Loader
3.11.3.3
LNX00120 – /boot Partition
3.11.4
Password Protecting the GRUB Console Boot Loader
3.11.4.1
LNX00140 – GRUB Boot Loader Encrypted Password
3.11.4.2
LNX00160 – grub.conf Permissions
3.11.5
Page 14
Password Protecting the LILO Boot Loader
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.11.5.1
LNX00180 – LILO Global Password
3.11.5.2
LNX00200 – LILO Boot Loader Encrypted Password
3.11.5.3
LNX00220 – /etc/lilo.conf Permissions
3.11.6
3.11.6.1
3.11.7
3.11.7.1
3.11.8
3.11.8.1
3.11.9
3.11.9.1
3.11.10
Filesystems
LNX00240 – Journaling
Red Hat Kickstart and SuSE AutoYaST
LNX00260 – Kickstart or AutoYaST
Dual Boot
LNX00280 – Capable of Dual Boot
Ugidd RPC Daemon
LNX00300 – The rpc.ugidd Daemon is Enabled
Default Accounts
3.11.10.1
LNX00320 – Special Privileged Accounts
3.11.10.2
LNX00340 – Unnecessary Accounts
3.11.11
X Windows
3.11.11.1
LNX00360 – X Server Options Enabled
3.11.11.2
LNX00380 – X Server Options Not Enabled
3.11.12
Console Access
3.11.12.1
LNX00400 – Access File Ownership
3.11.12.2
LNX00420 – Access File Group Ownership
3.11.12.3
LNX00440 – Access File Permissions
3.11.13
Kernel Configuration File
3.11.13.1
LNX00480 – /etc/sysctl.conf Ownership
3.11.13.2
LNX00500 – /etc/sysctl.conf Group Ownership
3.11.13.3
LNX00520 – / etc/sysctl.conf Permissions
3.11.14
NFS Server
3.11.14.1
LNX00540 – The insecure Option
3.11.14.2
LNX00560 – The insecure_locks Option
3.11.15
3.11.15.1
3.11.16
3.11.16.1
3.11.17
3.11.17.1
Page 15
The /etc/inittab File
LNX00580 – Ctrl-Alt-Delete Sequence
Administrative Controls
LNX00600 – PAM Configuration
The /etc/securetty File
LNX00620 – /etc/securetty Group Ownership
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.11.17.2
LNX00640 – /etc/securetty Ownership
3.11.17.3
LNX00660 – /etc/securetty Permissions
3.11.18
RealPlayer
3.11.18.1
3.12
Page 16
LNX00680 – RealPlayer Version
Information Assurance Vulnerability Management (IAVM)
3.12.1
IAVA0005 – 2001-A-0011 Format String Vulnerability in CDE ToolTalk
3.12.2
IAVA0010 – 1999-0002 TCP Wrappers Trojan Vulnerability
3.12.3
IAVA0015 – 98-06 Qpopper Vulnerability
3.12.4
IAVA0020 – 1998-A-0011 General Internet Message Access Protocol
3.12.5
IAVA0025 – 98-07 Buffer Overflow in Mail and News Clients
3.12.6
IAVA0030 – 2000-A-0003 Gauntlet Firewall Buffer Overflow
3.12.7
IAVA0035 – 2001-T-0004 MySQLd Vulnerability
3.12.8
IAVA0040 – 2001-A-0007 iPlanet
3.12.9
IAVA0045 – 2001-T-0008 BSD Telnet Daemon
3.12.10
IAVA0050 – 2004-B-0015 – Sun JRE Bypass Vulnerability
3.12.11
IAVA0055 – 2001-B-0002 HP OpenView and Tivoli NetView
3.12.12
IAVA0060 – 2004-T-0038 – Sun Remote Denial of Service
3.12.13
IAVA0065 – 2001-A-0013 SSH V1
3.12.14
IAVA0075 – 2001-A-0009 Gauntlet SMAP/SMAPD Buffer Overflow
3.12.15
IAVA0080 – 2001-T-0017 OpenSSH
3.12.16
IAVA0085 – 2005-A-0014 Oracle E-Business Suite Vulnerabilities
3.12.17
IAVA0090 – 2002-A-0001 CDE Buffer Overflow
3.12.18
IAVA0095 – 2001-T-0015 LPD Vulnerabilities
3.12.19
IAVA0100 – 2005-T-0014 Multiple Vulnerabilities in Mozilla Firefox
3.12.20
IAVA0105 – 2001-A-0014 Login Daemon
3.12.21
IAVA0110 – 2005-B-0012 PAWS DoS Vulnerability
3.12.22
IAVA0115 – 2002-A-SNMP-0002, 2002-A-SNMP-003 SNMP
3.12.23
IAVA0120 – 2005-A-0005 Multiple Vulnerabilities in BIND
3.12.24
IAVA0125 – 2001-T-0018 SSH Short Password Vulnerability
3.12.25
IAVA0135 – 2001-B-0004 WU-FTPD
3.12.26
IAVA0140 – 2005-T-0008 Multiple Vulnerabilities in Ethereal Software
3.12.27
IAVA0145 – 2002-T-0004 KTH Kerberos IV and V
3.12.28
IAVA0150 – 2005-T-0010 Multiple Vulnerabilities in Sybase Software
3.12.29
IAVA0155 – 2002-T-0008 Cachefsd Daemon
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
3.12.30
IAVA0160 – 2005-T-0017 IBM WebSphere Application Server
3.12.31
IAVA0165 – 2002-T-0009 Rpc.walld Service
3.12.32
IAVA0170 – 2005-T-0024 – Sun JRE Privilege Escalation Vulnerability
3.12.33
IAVA0175 – 2002-T-0011 OpenSSH Challenge Response
3.12.34
IAVA0180 – 2005-T-0025 Vulnerabilities in Adobe Reader
3.12.35
IAVA0185 – 2005-T-0027 MIT Kerberos Multiple Vulnerabilities
3.12.36
IAVA0190 – 2005-T-0033 Adobe Reader Buffer Overflow
3.12.37
IAVA0195 – 2002-T-0012 CDE Vulnerability
3.12.38
IAVA0210 – 2005-T-0038 Java System Server JAR Disclosure
3.12.39
IAVA0215 – 2002-A-0004 OpenSSL Vulnerability
3.12.40
IAVA0225 – 2002-B-0003 PHP Vulnerabilities
3.12.41
IAVA0235 – 2002-T-0015 XDR-Libraries
3.12.42
IAVA0245 – 2002-T-0016 KAdmind
3.12.43
IAVA0250 – 2005-A-0019 Oracle Applications Vulnerabilities
3.12.44
IAVA0255 – 2002-T-0017 X Font Server
3.12.45
IAVA0260 – 2005-A-0034 Oracle Applications Vulnerabilities
3.12.46
IAVA0270 – 2000-B-0008 BIND 8.2.2-P6 DoS Vulnerabilities
3.12.47
IAVA0275 – 2001-A-0001 Buffer Overflows in ISC BIND
3.12.48
IAVA0280 – 2002-A-0006 Multiple Vulnerabilities in ISC BIND 4 and 8
3.12.49
IAVA0285 – 2003-B-0001 DNS Vulnerabilities – Various Libraries
3.12.50
IAVA0295 – 2003-T-0001 Multiple SSH Vulnerabilities
3.12.51
IAVA0305 – 2003-T-0002 Solaris UUCP
3.12.52
IAVA0310 – 2005-T-0043 SMC HTTP TRACE Vulnerability
3.12.53
IAVA0315 – 2003-T-0004 Oracle 9i Vulnerabilities
3.12.54
IAVA0320 – 2003-T-0007 Sun XDR Library Buffer Overflow
3.12.55
IAVA0330 – 2003-B-0003 Sendmail - Memory Corruption Vulnerability
3.12.56
IAVA0335 – 2003-T-0015 PDF Writers
3.12.57
IAVA0345 – 2003-T-0018 Real Networks Helix Server
3.12.58
IAVA0350 – 2003-T-0020 OpenSSH Prior to 3.7.1
3.12.59
IAVA0355 – 2003-A-0013 SADMIND
3.12.60
IAVA0360 – 2003-A-0015 OpenSSL
3.12.61
IAVA0365 – 2003-T-0022 - JAVA RUNTIME and Virtual Machine
3.12.62
IAVA0370 – 2003-T-0024 - RSYNC DAEMON
3.12.63
IAVA0375 – 2004-A-0002 - Check Point Firewall-1
Page 17
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 18
3.12.64
IAVA0380 – 2004-B-0002 - H.323 Protocol
3.12.65
IAVA0385 – 2004-A-0004 - ISS Real Secure
3.12.66
IAVA0390 – 2004-T-0003 – Apache SSL Certificate Forging
3.12.67
IAVA0395 – 2004-T-0008 – TCPDUMP Buffer Overflows
3.12.68
IAVA0400 – 2004-B-0005 – FreeBSD/Juniper Denial of Service
3.12.69
IAVA0405 – 2004-T-0006 Solaris Password Utility
3.12.70
IAVA0410 – 2004-B-0006 OpenSSL Denial of Service
3.12.71
IAVA0415 – 2004-B-0007 Linux JetAdmin Vulnerability
3.12.72
IAVA0420 – 2004-T-0014 CDE Remote Login
3.12.73
IAVA0425 – 2003-B-0005 Sendmail Prescan Variant Vulnerability
3.12.74
IAVA0430 – 2004-T-0016 Solaris Management Console Vulnerability
3.12.75
IAVA0435 – 2004-T-0017 MIT Kerberos Multiple Vulnerabilities
3.12.76
IAVA0440 – 2004-T-0018 Multiple Vulnerabilities in ISC DHCP 3
3.12.77
IAVA0445 – 2004-T-0032 Vulnerabilities in Apache Web Server
3.12.78
IAVA0455 –2000-B-0005 Input Validation Problem in rpc.statd
3.12.79
IAVA0460 – 2001-A-0002 IRIX Telnet
3.12.80
IAVA0465 –1999-B-0002 SGI Array Services
3.12.81
IAVA0470 – 1998-A-0010 SGI Buffer Overflow Vulnerability
3.12.82
IAVA0475 – 1999-A-0006 Statd and Automountd
3.12.83
IAVA0485 – 2001-T-0002 IRDP
3.12.84
IAVA0490 –2001-A-0003 SNMP to DMI Mapper Daemon
3.12.85
IAVA0495 –2001-T-007 Solaris Line Printer Daemon
3.12.86
IAVA0500 – 2000-B-0003 KDC Vulnerablity
3.12.87
IAVA0510 – 1999-A-0003 FTP RNFR Command Vulnerability
3.12.88
IAVA0515 – 1999-B-0003, 2000-B-0004, 2001-B-0004 WU-FTPd
3.12.89
IAVA0520 – 2006-A-0013 Sendmail remote execution vulnerability.
3.12.90
IAVA0530 – 2006-A-0007 Oracle E-Business Suite Vulnerabilities
3.12.91
IAVA0545 – 2005-B-0019 Vulnerabilities in IKE Packet Processing
3.12.92
IAVA0550 – 2006-A-0011 Vulnerabilities in Oracle E-Business Suite
3.12.93
IAVA0555 – 2006-A-0020 Vulnerabilities in Oracle E-Business Suite
3.12.94
IAVA0570 – 2006-A-0032 Multiple Vulnerabilities in Oracle E-Business Suite
3.12.95
IAVA0590 – 2006-T-0020 Mozilla Firefox/Thunderbird Vulnerabilities
3.12.96
IAVA0595 – 2006-T-0016 Sun Java Application Server Vulnerabilities
3.12.97
IAVA0600 – 1998-0011 General Internet Message Access Protocol (IMAP) and Post Office
Protocol (POP) Vulnerabilities
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 19
3.12.98
IAVA0605 – 1999-0001 Mountd Remote Buffer Overflow Vulnerability
3.12.99
IAVA0610 – 1999-0003 Remote FTP Vulnerability
3.12.100
IAVA0615 – 2000-T-0015 BMC Best/1 Version 6.3 Performance Management System
Vulnerability
3.12.101
IAVA0620 – 2000-B-0001 BIND NXT Buffer Overflow
3.12.102
IAVA0625 – 2000-B-0002 Netscape Navigator Improperly Validates SSL Sessions
3.12.103
IAVA0630 – 2000-A-0001 Cross-Site Scripting Vulnerability
3.12.104
IAVA0635 – 2001-B-0003 U Encoding Intrusion Detection System Bypass Vulnerability
3.12.105
IAVA0640 – 2002-T-0005 Multiple Vulnerabilities in Oracle Database Server
3.12.106
IAVA0645 – 2002-T-0006 Multiple Vulnerabilities in Oracle9i Application Server
3.12.107
IAVA0650 – 2002-T-0010 Denial of Service Vulnerability in ISC-BIND 9
3.12.108
IAVA0655 – 2002-T-SNMP-003 Multiple Simple Network Management Protocol
Vulnerabilities in Servers and Applications
3.12.109
IAVA0660 – 2002-A-SNMP-004 Multiple Simple Network Management Protocol
Vulnerabilities in Perimeter Devices
3.12.110
Vulnerabilities in Enclave Devices
3.12.111
3.12.112
Server
IAVA0675 – 2003-A-0006 Multiple Vulnerabilities in Multiple Versions of Oracle Database
3.12.113
IAVA0680 – 2004-T-0002 Oracle 9i Application/Database Server Denial Of Service
Vulnerability
3.12.114
IAVA0685 – 2004-T-0005 Oracle9i Lite Mobile Server Multiple Vulnerabilities
3.12.115
IAVA0690 – 2004-T-0011 Oracle Application Server Web Cache HTTP Request Method
Heap Overrun Vulnerability
3.12.116
IAVA0695 – 2004-T-0022 Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability
3.12.117
IAVA0700 – 2004-T-0026 Mozilla Network Security Services Library Remote Heap
Overflow Vulnerability
3.12.118
IAVA0705 – 2004-T-0027 Multiple Vulnerabilities in MIT Kerberos V
3.12.119
IAVA0710 – 2004-B-0009 Oracle E-Business Suite Multiple SQL Injection
3.12.120
Queuing
IAVA0715 – 2005-T-0031 Multiple Vulnerabilities in Computer Associates Message
3.12.121
IAVA0720 – 2005-B-0007 Symantec UPX Parsing Engine Remote Heap
3.12.122
IAVA0725 – 2005-B-0008 Trend Micro VSAPI ARJ Handling Heap Overflow
3.12.123
IAVA0730 – 2005-A-0043 Symantec AntiVirus Library RAR Decompression
3.12.124
IAVA0735 – 2006-T-0002 Multiple Vulnerabilities within BEA WebLogic Software
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 20
3.12.125
IAVA0740 – 2006-T-0005 Multiple Vulnerabilities in Mozilla Products
3.12.126
IAVA0745 – 2006-T-0007 Veritas NetBackup Multiple Remote Buffer Overflow
3.12.127
IAVA0755 – 2006-T-0009 Multiple Vulnerabilities in Symantec AntiVirus Engine
3.12.128
IAVA0760 – 2006-T-0013 RealVNC Remote Authentication Bypass
3.12.129
IAVA0765 – 2006-T-0023 Multiple Vulnerabilities in Wireshark
3.12.130
IAVA0770 – 2006-T-0035 Sun Java System/iPlanet Messaging Server
3.12.131
BIND
IAVA0775 – 2006-B-0016 Multiple Remote Denial of Service Vulnerabilities within ISC
3.12.132
IAVA0780 – 2006-B-0017 Multiple Vulnerabilities in Adobe Flash Player
3.12.133
IAVA0785 – 2006-A-0008 Computer Associates (CA) iTechnology iGateway Service
Vulnerability
3.12.134
IAVA0805 – 2006-A-0050 Multiple Vulnerabilities in Oracle E-Business Suite and
Applications
3.12.135
IAVA0810 – 2007-T-0001 MIT Kerberos 5 RPC Library Remote Code Execution
Vulnerability
3.12.136
IAVA0815 – 2007-T-0002 MIT Kerberos 5 Administration Daemon Remote Code Execution
Vulnerability
3.12.137
IAVA0820 – 2007-T-0003 Sun Java RunTime Environment GIF Images Buffer Overflow
Vulnerability
3.12.138
IAVA0825 – 2007-A-0001 Snort Backtracking Denial of Service Vulnerability
3.12.139
IAVA0830 – 2007-A-0002 Snort GRE Packet Decoding Integer Underflow Vulnerability
3.12.140
IAVA0835 – 2007-A-0006 Multiple Vulnerabilities in Adobe Acrobat
3.12.141
IAVA0840 – 2007-A-0007 Multiple Vulnerabilities in Oracle Database Server
3.12.142
IAVA0845 – 2007-A-0008 Multiple Vulnerabilities in Oracle Application Server
3.12.143
IAVA0850 – 2007-A-0009 Multiple Vulnerabilities in Oracle Collaboration Suite
3.12.144
IAVA0855 – 2007-A-0010 Multiple Vulnerabilities in Oracle E-Business Suite
3.12.145
IAVA0860 – 2007-A-0011 Multiple Vulnerabilities in Oracle Enterprise Manager
1. UNIX Overview and Site Information
1. System Equipement
1. GEN000020 – Single User Mode Password
Solaris 2.5 - 9
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 21
# cd /etc/rcS.d
# grep sulogin *
The sulogin utility should be called from within the svm start up script.
Additionally,
# more /etc/default/sulogin (if it exists)
Confirm PASSREQ=NO is not configured
Solaris 10
By default Solaris 10 requires a password and the /etc/default/sulogin does not exist.
HP-UX
# more /tcb/files/auth/system/default
Confirm the d_boot_authenticate is:
:d_boot_authenticate:
The entry :d_boot_authenticate@: is a finding.
AIX
AIX has a chassis key that is used to prevent booting to single-user mode without a password.
Confirm it is in the correct position and the key has been removed.
IRIX
Linux
# more /etc/inittab
Confirm the following line is configured:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 22
~~:S:wait:/sbin/sulogin
If the UNIX host is configurable and is bootable in single-user mode without a password, then this is a finding.
PDI:
GEN000020
V0000756
Category II
:
Status Code: AUTO
Previously:
G001
MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP
IA Controls:
DCCS-1, DCCS-2, IAIA-1, IAIA-2
PDI Description:
The UNIX host configurable and is bootable in single-user mode
without a password.
Reference:
UNIX STIG: 2.5.1.1
2. GEN000040 – Single User Mode Password Incompatibility Documentation
Solaris, HP-UX, AIX, IRIX, and Linux support single-user mode password.
If the UNIX host is not be configured to require a password when booted to single-user mode and is not justified
and documented with the IAO, then this is a finding.
This check is only applicable if GEN000020 is a finding.
PDI:
GEN000040
V0000757
Category II
:
Status Code: PART
Previously:
G002
IA Controls:
IAIA-1, IAIA-2, DCID-1
PDI Description:
The UNIX host is not configured to require a password when booted to
single-user mode and is not justified and documented with the IAO.
Reference:
UNIX STIG: 2.5.1.1
3. GEN000060 – Single User Mode Password Incompatibility Location
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 23
Solaris, HP-UX, AIX, IRIX, and Linux support single-user mode password.
Solaris 2.5 - 9
# cd /etc/rcS.d
# grep sulogin *
The sulogin utility should be called from within the svm start up script.
Additionally,
Solaris 10
# more /etc/default/sulogin (if is exists)
Solaris 10
HP-UX
# more /tcb/files/auth/system/default
Confirm the d_boot_authenticate is:
:d_boot_authenticate:
The entry :d_boot_authenticate@: is a finding.
AIX
AIX has a chassis key that is used to prevent booting to single-user mode without a password.
Confirm it is in the correct position and the key has been removed.
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 24
Linux
# more /etc/inittab
Confirm the following line is configured:
~~:S:wait:/sbin/sulogin
If the UNIX host can not be configured to require a password when booted to single-user mode and is not located
in a controlled access area accessible only by SAs, then this is a finding. An access-controlled area is defined as
requiring two different checks of an individual’s identity and authority before gaining access to the system.
Note: This check is only applicable if GEN000020 is a finding
PDI:
GEN000060
V0000758
Category II
:
Status Code: PART
Previously:
G003
IA Controls:
PECF-1, PECF-2
PDI Description:
The UNIX host can not be configured to require a password when
booted to single-user mode and is not located in a controlled access
area accessible only by SAs.
Reference:
UNIX STIG: 2.5.1.1
4. GEN000080 – System Equipment Location
An access-controlled area is defined as requiring two different checks of an individual’s identity and authority
before gaining access to the system. One of the checks should require two factor authentication.
If the UNIX system equipment is not located in a controlled access area, then this is a finding.
PDI:
GEN000080
Category:II
Status Code: MAN
Previously:
G234
V0001063
IA Controls:
PECF-1, PECF-2
PDI Description:
The UNIX system equipment is not located in a controlled access area.
Reference:
UNIX STIG: 2.5.1.1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 25
2. Operating System
1. GEN000100 – Supported Release
Check the release of the OS:
Solaris
# uname -a
Supported releases are 2.7 and newer.
HP-UX
# uname -a
AIX
# uname -a
Supported releases are 4.3 and newer, and 5.1 and newer.
IRIX
# uname -R
Linux
# uname -R
Supported releases are RedHat Enterprise 3 and newer and SUSE Enterpise 9 and later.
If the operating system is not a supported release, then this is a finding.
PDI:
GEN000100
Category:II
Status Code: AUTO
Previously:
N/A
V0011940
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 26
IA Controls:
DCSW-1
PDI Description:
The operating system is not a supported release.
Reference:
UNIX STIG: 2.5.2.1
2. GEN000120 – Vendor Recommended and Security Patches
Check installed patches:
Solaris
# patchadd –p |grep patch
or
# showrev –p | grep patch
HP-UX
# swlist –l fileset | grep patch
AIX
# /usr/sbin/instfix -c -i | cut -d":" -f1
IRIX
# versions | grep patch
Linux
# rpm –qa | grep patch
Compare the system output with the most current vendor recommended and security patches.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 27
If vendor recommended and security patches are not installed or are out-of-date, then this is a finding. Program
managed specific systems should follow their configuration management cycle which may be longer than a
normal vendor cycle.
PDI:
GEN000120
V0000783
Category II
:
Status Code: PART
Previously:
G033
IA Controls:
DCSL-1, VIVM-1
PDI Description:
Vendor recommended and security patches are not installed or are outof-date.
Reference:
UNIX STIG: 2.5.2.1
3. File Integrity
1. GEN000140 – Create and Maintain System Baseline
Confirm with the SA that a system baseline (all device files, all sgid and suid files, and system libraries and
binaries), to include cryptographic hashes of files in the baseline, has been created and is maintained.
If a system baseline (all device files, all sgid and suid files, and system libraries and binaries), to include
cryptographic hashes of files in the baseline, has not been created and is not maintained, then this is a finding.
PDI:
GEN000140
Category:II
Status Code: MAN
Previously:
N/A
V0011941
IA Controls:
DCCS-2
PDI Description:
A system baseline including cryptographic hashes is not created and
maintained.
Reference:
UNIX STIG: 2.5.3.1
2. GEN000160 – System Baseline Backup on Write-protected Media
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 28
Confirm with the SA that the system baseline backup is stored on write-protected media.
If the system baseline backup(s) are not stored on write-protected media, then this is a finding. This check only
applies to backups that are not maintained by automated remote backup systems such as Veritas Netbackup.
PDI:
GEN000160
Category:II
Status Code: MAN
Previously:
N/A
V0011942
IA Controls:
DCCS-2
PDI Description:
The system baseline backup(s) are not on write-protected media.
Reference:
UNIX STIG: 2.5.3.1
3. GEN000220 – System Baseline for System Libraries and Binaries Checking
Confirm with the SA that filesyst ems are checked at least weekly for unauthorized system libraries or binaries or
unauthorized modification to authorized system libraries or binaries.
If filesystems are not checked at least weekly for unauthorized system libraries or binaries or unauthorized
modification to authorized system libraries or binaries, then this is a finding.
PDI:
GEN000220
Category:II
Status Code: MAN
Previously:
N/A
V0011945
IA Controls:
DCCS-2
PDI Description:
Filesystems are not checked at least weekly for unauthorized system
libraries or binaries or unauthorized modification to authorized system
libraries or binaries.
Reference:
UNIX STIG: 2.5.3.1
4. GEN000240 – Network Time-Server
Check if NTP running:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 29
All platforms
# ps –e | egrep “xntpd|ntpd”
Check if ntpdate scheduled to run:
Solaris
# grep ntpdate /var/spool/cron/crontabs/*
HP-UX
AIX
IRIX
Linux
# grep ntpdate /var/spool/cron/*
# grep ntpdate /etc/cron.d/*
# grep ntpdate /etc/cron.daily/*
# grep ntpdate /etc/cron.hourly/*
# grep ntpdate /etc/cron.monthly/*
# grep ntpdate /etc/cron.weekly/*
If NTP is running or ntpdate is found:
# more /etc/ntp/ntp.conf
Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S.
DOD source.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 30
If a non-local/non-authoritative (U.S. DOD source) time-server is used, then this is a finding.
PDI:
GEN000240
Category I
:
V0004301
Status Code: AUTO
Previously:
G695
IA Controls:
DCHW-1
PDI Description:
A non-local/non-authoritative (U.S. DOD source) time-server is used.
Reference:
UNIX STIG: 2.5.3.1
2. DISCRETIONARY ACCESS CONTROL AND GENERAL SECURITY
1. User Account Controls
1. GEN000260 – Shared Account Documentation
Solaris
Check for multiple accesses to an account from different workstations/IP addresses .
# last
HP-UX
# last –R
# lastb -R
AIX
# last
IRIX
# last
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 31
Linux
# last –R
Discuss with the SA whether shared accounts exist. A shared account is any account, other than root, that more
than one person knows the password to . If shared accounts do exist, confirm with the IAO shared accounts are
documented with the IAO. If a shared account is not justified and documented with the IAO, then this is a
finding.
PDI:
GEN000260
Category II
:
V0000759
Status Code: AUTO
Previously:
G006
IA Controls:
DCSD-1
PDI Description:
A shared account is not justified and documented with the IAO.
Reference:
UNIX STIG: 3.1
2. GEN000280 – Shared Account Direct Logon
Solaris
# last
HP-UX
# last –R
# lastb -R
AIX
# last
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 32
IRIX
# last
Linux
# last –R
Confirm with the SA, if shared accounts exist, users log on to an individual account and switch user to the shared
account.
If a shared account is logged onto directly , then this is a finding.
Note: This check is only applicable if GEN000260 is a finding.
PDI:
GEN000280
Category II
:
V0000760
Status Code: PART
Previously:
G007
IA Controls:
IAIA-1, IAIA-2, IAAC-1
PDI Description:
A shared account is logged onto directly.
Reference:
UNIX STIG: 3.1
2. Interactive Users
1. GEN000300 – Unique Account Name
Solaris
# logins –d
HP-UX
# pwck –s
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 33
AIX
# usrck –n ALL
IRIX
# cut –d ‘:’ –f1 /etc/passwd | uniq –d
If duplicates are found, perform the following to display full listing.
# grep “<account_name>” /etc/passwd
Linux
# pwck –r
If accounts have the same account name, then this is a finding.
PDI:
GEN000300
Category:III
Status Code: AUTO
Previously:
G008
V0000761
IA Controls:
PDI Description:
Accounts have the same user or account name.
Reference:
UNIX STIG: 3.1.1
2. GEN000320 – Unique UID
Solaris
# logins –d
HP-UX
# pwck –s
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 34
AIX
# usrck –n ALL
IRIX
# cut –d ‘:’ –f3 /etc/passwd | uniq –d
If duplicates are found, perform the following to display complete listing.
# grep “^.*:.*:<account_uid>” /etc/passwd
Linux
# pwck –r
If accounts have the same uid, then this is a finding.
PDI:
GEN000320
V0000762
Category II
:
Status Code: AUTO
Previously:
G009
IA Controls:
PDI Description:
Accounts have been assigned the same uid.
Reference:
UNIX STIG: 3.1.1
3. GEN000340 – Reserved System Account UIDs
# more /etc/passwd
Confirm all accounts with a uid of 99 and below (499 and below for Linux) are used by a system account.
If a uid reserved for system accounts, 0 – 99 (0 – 499 for Linux), is used by a non-system account without
documentation, then this is a finding. A regular account within this range must be justified and documented
with the IAO.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN000340
V0011946
Page 35
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECPA-1
PDI Description:
A uid reserved for system accounts, 0 – 99 (0 – 499 for Linux), is used
by a non-system account.
Reference:
UNIX STIG: 3.1.1
4. GEN000360 – Reserved System Account GIDs
# more /etc/passwd
Confirm all accounts with a gid of 99 and below (499 and below for Linux) are used by a system account.
If a gid reserved for system accounts, 0 – 99 (0 – 499 for Linux), is used by a non-system account without
documentation, then this is a finding. A regular account within this range must be justified and documented with
the IAO.
PDI:
GEN000360
V0000780
Category II
:
Status Code: AUTO
Previously:
G029
IA Controls:
ECPA-1
PDI Description:
A gid reserved for system accounts is used by a non-system account.
gid 14 (sysadmin - Solaris) – may be used if documented
with the IAO.
gid 20 (users - HPUX) – may be used if documented with
the IAO.
Reference:
UNIX STIG: 3.1.1
5. GEN000380 – Groups Referenced in /etc/passwd
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 36
Solaris
# logins –d
HP-UX
# pwck –s
AIX
# grpck
IRIX
# more /etc/passwd
Compare with:
# more /etc/group
Confirm each gid referenced in the /etc/passwd file is listed in the /etc/group file.
Linux
# pwck –r
If a group referenced in the /etc/passwd file is not in the /etc/group file, then this is a finding.
PDI:
GEN000380
Category:IV
Status Code: AUTO
Previously:
G030
V0000781
IA Controls:
DCCS-1, DCCS-2, IAAC-1
PDI Description:
A group referenced in the /etc/passwd file is not in the /etc/group file .
Reference:
UNIX STIG: 3.1.1
3. Logon Warning Banner
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 37
1. GEN000400 – Logon Warning Banner Display
Login banners will be configured for all services that allow login access to the system. For TCP WRAPPERS, c
heck for hosts.allow and hosts.deny files and then look for banner files associated with them. For
ssh , locate the ssh configuration file, sshd_config or ssh2d_config . This file is usually located in /
etc/sshd , /etc/ssh2 , /etc/ssh , or /usr/local/etc . Confirm that the Banner variable
contains the full path to the file containing the Logon Warning banner. Other files specific to each vendor are
listed below.
Solaris
Check for logon warning banner display.
# more /etc/issue
# more /etc/motd
# more /etc/dt/config/*/Xresources (if GUI is implemented)
# more /etc/default/telnetd
(if telnet is implemented without
TCP_Wrappers)
(if ftp is implemented without
# more /etc/default/ftpd
TCP_Wrappers)
# more /etc/ftpd/banner.msg
(Solaris 9 and above, if ftp is
implemented without
TCP_Wrappers)
HP-UX
# more /etc/issue
# more /etc/motd
# more /etc/ftpaccess
TCP_Wrappers – should contain banner=/etc/issue )
AIX
# more /etc/motd
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 38
# more /etc/ftpmotd
# more /etc/ftpaccess.ctl
# more /dev/console
# more /etc/security/login.cfg
IRIX
# last
Linux
Check for logon warning banner display .
# more /etc/issue
# more /etc/motd
# more /etc/issue.net
# more /etc/X11/xdm/Xresources (if GUI is implemented)
# more /etc/X11/xdm/kdmrc
(if GUI is implemented)
(if GUI is implemented)
# more /etc/X11/gdm/gdm
# more /etc/vsftpd.conf
TCP_Wrappers)
If the Department of Defense (DOD) logon banner is not displayed prior to a logon attempt, then this is a finding.
PDI:
GEN000400
V0000763
Category II
:
Status Code: MAN++
Previously:
G010
IA Controls:
ECWM-1
PDI Description:
The Department of Defense (DOD) logon banner is not displayed prior
to a logon attempt.
Reference:
UNIX STIG: 3.1.2
2. GEN000420 – Logon Warning Banner Content
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 39
Use the Example Banner in Appendix G , Sample Logon Warning Banner, for further information. An exact
match is not required as long as these five elements are included.
A compressed version (subset) may be used as long as the below listed points are included:
The system is a DOD system.
The system is subject to monitoring.
Monitoring is authorized in accordance with applicable laws and regulations and conducted for purposes of
systems management and protection, protection against improper or unauthorized use or access, and
verification of applicable security features or procedures.
Use of the system constitutes consent to monitoring.
This system is for authorized US government use only.
If the Department of Defense (DOD) login banner does not contain the required notice and consent information,
then this is a finding.
PDI:
GEN000420
V0000764
Category II
:
Status Code: MAN++
Previously:
G011
IA Controls:
ECWM-1
PDI Description:
The Department of Defense (DOD) login banner does not contain the
required notice and consent information.
Reference:
UNIX STIG: 3.1.2
4. Account Access
1. GEN000440 – Logging Login Attempts
Solaris
Check if successful logons are being logged.
# last | more
Check if unsuccessful logons are being logged .
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 40
# ls –l /var/adm/loginlog
HP-UX
Check if successful logons are being logged .
# last –R | more
# lastb –R | more
AIX
# last | more
# last –f
/etc/security/failedlogin | more
IRIX
# last | more
Linux
# last –R | more
# lastb –R | more
If successful and unsuccessful logins and logouts are not logged, then this is a finding.
PDI:
GEN000440
V0000765
Category II
:
Status Code: AUTO
Previously:
G012
IA Controls:
ECAR-1, ECAR-2, ECAR-3
PDI Description:
Successful and unsuccessful logins and logouts are not logged.
Reference:
UNIX STIG: 3.1.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 41
2. GEN000460 – Three Failed Login Attempts
Solaris 5.1 through Solaris 9
Confirm RETRIES is set to 3 or less in /etc/default/login. This does not lock the account, but will discourage
brute force password guessing attacks.
# grep RETRIES /etc/default/login
Solaris 10
Confirm LOCK_AFTER_RETRIES is set to YES.
# grep LOCK_AFTER_RETRIES /etc/security/policy.conf
HP-UX
Confirm the u_maxtries is set to 3 or less, but not 0.
# grep :u_maxtries# /tcb/files/auth/system/default
AIX
Confirm the loginretries field is set to 3 or less, but not 0 for each user.
# /usr/sbin/lsuser -a loginretries ALL
IRIX
Confirm LOCKOUT is set to 3 or less, but not 0.
# grep LOCKOUT /etc/default/login
Linux
#
more /etc/pam.d/system-auth
Confirm the following line is configured;
account required
/lib/security/pam_tally.so deny=3 no_magic_root reset
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 42
If the above settings are not correct, then this is a finding.
PDI:
GEN000460
V0000766
Category II
:
Status Code: AUTO
Previously:
G013
IA Controls:
ECLO-1, ECLO-2
PDI Description:
After three consecutive unsuccessful login attempts, the account is not
disabled.
Reference:
UNIX STIG: 3.1.3
3. GEN000480 – Login Delay
Solaris
Confirm SLEEPTIME is set to 4 or more, or that this variable is not configured as 4 is the system dafault.
# grep SLEEPTIME /etc/default/login
Note: This check is currently not applicable for Solaris 5.10.
HP-UX
Confirm the t_logdelay is set to 4 or more.
# grep :t_logdelay# /tcb/files/auth/system/default
AIX
Confirm the logindelay field is set to 4 or more.
# grep logindelay /etc/security/login.cfg
IRIX
Confirm SLEEPTIME is set to 4 or more.
# grep SLEEPTIME /etc/default/login
Linux
Confirm FAIL_DELAY is set to 4 or more.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 43
# grep FAIL_DELAY /etc/login.defs
PDI:
GEN000480
V0000768
Category II
:
Status Code: AUTO
Previously:
G015
IA Controls:
ECLO-1, ECLO-2
PDI Description:
The login delay between login prompts after a failed login is set to at
least four seconds.
Reference:
UNIX STIG: 3.1.3
5. Inactivity Timeout/Locking
1. GEN000500 – Inactivity
This requirement can be satisfied with policy or a SOP to configure terminals and workstations with a screen lock
or password protected screen saver after 15 idle minutes. The windows software may also be configured to
support it.
For systems configured to use XLock, the command xlock will lock the display session. For systems configured
to use XScreensaver, the command xscreensaver-command –lock will lock the display session. Ask the
SA to verify, at the command line, one of the screen-locking commands actually locks the display.
Solaris, under OpenWindows, uses a command called xlock for manually locking displays. HP 10.X uses a
command called lock that works on ASCII (not Windows) displays. Both Solaris and HP 10.X windows
systems offer a lock icon that will lock the display just by clicking on it.
If there is no terminal lockout or session disconnect after 15 inactive minutes requiring the account password to
resume or a new session, then this is a finding.
PDI:
GEN000500
V0004083
Category II
:
Status Code: MAN
Previously:
G605
IA Controls:
PESL-1
PDI Description:
There is no terminal lockout or session disconnect after 15 inactive
minutes requiring the account password to resume or a new session.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 44
Reference:
UNIX STIG: 3.1.4
2. GEN000520 – Continuous Display
If there is an application running on the system that is continuously in use (such as a network monitoring
application), ask the SA what the name of the application is.
# ps –ef | more
If the logon session for an application requiring a continuous display does not ensure:
The logon session is not a root session.
The inactivity exemption is justified and documented with the IAO.
The display station (e.g., keyboard, CRT) is located in a controlled access area.
Then this is a finding.
PDI:
GEN000520
V0000769
Category II
:
Status Code: MAN
Previously:
G016
IA Controls:
ECLP-1
PDI Description:
The logon session for an application requiring a con tinuous display
does not ensure:
The logon session is not a root session .
The inactivity exemption is justified and documented with the
IAO.
The display station (e.g., keyboard, CRT) is located in a
controlled access area.
Reference:
UNIX STIG: 3.1.4
6. Password Guidelines
1. GEN000540 – Password Change 24 Hours
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 45
Solaris
Confirm the min days field (the 4 th field) is set to 1 or more for each user.
# more /etc/shadow
HP-UX
Confirm the mintm is set to 1 or more for each user.
# getprpw -r -m mintm <USER>
AIX
Confirm the minage field is set to 1 or more for each user.
# /usr/sbin/lsuser -a minage ALL
IRIX
Confirm the min days field (the 4th field) is set to 1 or more for each user.
# more /etc/shadow
Linux
Confirm the min days field (the 4 th field) is set to 1 or more for each user.
# more /etc/shadow
If passwords can be changed more than once every 24 hours, then this is a finding.
PDI:
GEN000540
V0001032
Category II
:
Status Code: AUTO
Previously:
G004
IA Controls:
IAAC-1
PDI Description:
Passwords can be changed more than once every 24 hours.
Reference:
UNIX STIG: 3.2.1
2. GEN000560 – Password Protect Enabled Accounts
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 46
Examine the /etc/shadow (or equivalent) looking for accounts with blank passwords using the following
commands:
SOLARIS
#
pwck
HP-UX
#
pwck –s or authck –p
AIX
#
pwdck –n ALL
IRIX
#
awk –F’:’ ‘{ if ( $2 == NULL ) print $0; }’ < /etc/shadow
Linux
# grep nullok /etc/pam.d/system-auth
If an entry for nullok is found, then this is a finding on Linux.
PDI:
GEN000560
V0000770
Category I
:
Status Code: AUTO
Previously:
G018
IA Controls:
IAIA-1, IAIA-2, DCCS-1, DCCS-2
PDI Description:
An enabled account on the system is not password protected.
Reference:
UNIX STIG: 3.2.1
3. GEN000580 – Password Length
Solaris
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 47
Confirm PASSLENGTH is set to 9 or more.
# grep PASSLENGTH /etc/default/passwd
HP-UX
Confirm MIN_PASSWORD_LENGTH is set to 9 or more
# grep MIN_PASSWORD_LENGTH /etc/default/security
AIX
Confirm the minlen field is set to 9 or more for each user.
# /usr/sbin/lsuser -a minlen ALL
IRIX
Confirm PASSLENGTH is set to 9 or more for each user.
# grep PASSLENGTH /etc/default/passwd
Linux
Confirm pass_min_len is set to 9 or more for each user.
# grep minlen /etc/pam.d/passwd
If a password does not contain a minimum of 9 characters, then this is a finding.
PDI:
GEN000580
V0011947
Category II
:
Status Code: AUTO
Previously:
G019
IA Controls:
DCSS-1, DCSS-2
PDI Description:
A password does not contain a minimum of 9 characters.
Reference:
UNIX STIG: 3.2.1
4. GEN000600 – Password Character Mix
Verify that at least 2 lowercase letters are required and at least 2 upper case letters.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 48
Solaris 9 and prior
This check is not applicable.
Solaris 10
Confirm MINLOWER is set to at least 2 and MINUPPER is set to at least 2.
# egrep “MINLOWER|MINUPPER” /etc/default/passwd
HP-UX
# grep PASSWORD_MIN_LOWER_CASE_CHARS /etc/default/security
# grep PASSWORD_MIN_UPPER_CASE_CHARS /etc/default/security
AIX
# grep minalpha /etc/security/user
Linux
# egrep lcredit|ucredit /etc/pam.d/system-auth
Lcredit and ucredit should be set to -2.
If the settings do not enforce at least two lower case letters and two upper case letter s, then this is a finding.
PDI:
GEN000600
V0011948
Category II
:
Status Code: PART
Previously:
G019
IA Controls:
DCSS-1, DCSS-2
PDI Description:
A password does not contain at least two upper and two lower
alphabetic characters.
Reference:
UNIX STIG: 3.2.1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 49
Solaris 9 and prior
This check is not applicable.
Solaris 10
Confirm MINDIGIT is greater than or equal to 2.
# grep MINDIGIT /etc/default/passwd
HP-UX
# grep PASSWORD_MIN_DIGIT_CHARS /etc/default/security
AIX
# grep minother /etc/security/user
Linux
# grep dcredit /etc/pam.d/system-auth
Dcredit should be set to -2.
If the minimum digits setting is not greater than or equal to 2, then this is a finding.
PDI:
GEN000620
V0011972
Category II
:
Status Code: PART
Previously:
G019
IA Controls:
DCSS-1, DCSS-2
PDI Description:
A password does not contain at least two numeric characters.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 50
Reference:
UNIX STIG: 3.2.1
Solaris 9
Not applicable
Solaris 10
Confirm MINSPECIAL is 2 or greater.
# grep MINSPECIAL /etc/default/passwd
HP-UX
-
# grep PASSWORD_MIN_SPECIAL_CHARS /etc/default/security
- Linux
# grep ocredit /etc/pam.d/passwd
or
# grep ocredit /etc/pam.d/system-auth
Ocredit should be set to -2.
- AIX
Not applicable
If the special characters setting is not greater than or equal to 2, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN000640
V0011973
Page 51
Category II
:
Status Code: PART
Previously:
G019
IA Controls:
DCSS-1, DCSS-2
PDI Description:
A password does not contain at least two special characters.
Reference:
UNIX STIG: 3.2.1
7. GEN000660 – Password Contents
This is a manual check of site policy, in most cases. Refer to Appendix E, Password Protection Schemes , for
password configuration guidelines.
PDI:
GEN000660
V0011974
Category II
:
Status Code: MAN
Previously:
G019
IA Controls:
DCSS-1, DCSS-2
PDI Description:
A password contains information such as names, telephone numbers,
account names, dictionary words, etc.
Reference:
UNIX STIG: 3.2.1
8. GEN000680 – Password Contents
This check will only apply to Solaris 10 and AIX. Most other operating systems have not implemented the
password complexity to comply with this check.
Solaris 10
Confirm MAXREPEATS is set to less than 3.
# grep MAXREPEATS /etc/default/passwd
-
AIX
Confirm maxrepeats is set to less than 3.
# g rep –i maxrepeats /etc/security/ user
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 52
If the maxrepeats variable is greater than 3, then this is a finding.
PDI:
GEN000680
V0011975
Category II
:
Status Code: PART
Previously:
G019
IA Controls:
DCSS-1, DCSS-2
PDI Description:
A password contains consecutive repeating characters.
Reference:
UNIX STIG: 3.2.1
9. GEN000700 – Password Change Every 60 Days
Solaris
Confirm the max days field (the 5 th field) is set to 60 or less, but not 0 for each user.
# more /etc/shadow
HP-UX
Confirm the exptm is set to 60 or less, but not 0 for each user.
# getprpw -r -m exptm <USER>
AIX
Confirm the maxage field is set to 60 or less, but not 0 for each user.
# /usr/sbin/lsuser -a maxage ALL
IRIX
Confirm the min days field (the 5th field) is set to 1 or more for each user.
# more /etc/shadow
Linux
Confirm the max days field (the 5 th field) is set to 60 or less, but not 0 for each user.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 53
# more /etc/shadow
If passwords are not changed at least every 60 days, then this is a finding.
PDI:
GEN000700
V0011976
Category II
:
Status Code: AUTO
Previously:
G020
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Passwords are not changed at least every 60 days .
Reference:
UNIX STIG: 3.2.1
10. GEN000740 – Password Change Every Year
Ask the SA if there are any automated processing accounts on the system. If there are accounts on the system,
ask the SA if the passwords for those automated accounts are changed at least once a year. If not, then this is a
finding.
PDI:
GEN000740
Category:II
Status Code: MAN
Previously:
AD33
V0011977
IA Controls:
DCSS-1, DCSS-2
PDI Description:
A non-interactive/automated processing account password is not
changed at least once a year .
Reference:
UNIX STIG: 3.2.1
11. GEN000760 – Inactive Accounts are not locked
Indications of inactive accounts are those that have no entries in the last log. Check the date in the last log to
verify it is within the last 35 days. If an inactive account is not disabled via an entry in the password field in the /
etc/passwd or /etc/shadow (or TCB equivalent), check the /etc/passwd file to check if the account
has a valid shell. If not, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 54
GEN000760
V0000918
Category II
:
Status Code: AUTO
Previously:
G071
IA Controls:
IAAC-1, DCSS-1, DCSS-2
PDI Description:
An account is not locked after 35 days of inactivity .
Reference:
UNIX STIG: 3.2.1
12. GEN000780 – Easily Guessed Passwords
Check this PDI by running a password strength application, such as Crack or Jack the Ripper, on the system. If
those are not available, then the check should be marked as Not Reviewed with an appropriate explanation in the
Remarks field.
PDI:
GEN000780
V0002390
Category I
:
Status Code: AUTO
Previously:
G511
IA Controls:
IAIA-1
PDI Description:
Easily guessed passwords are used.
Reference:
UNIX STIG: 3.2.1
13. GEN000800 – Password Reuse
Solaris 10
Confirm HISTORY is set to 5 or more.
# grep HISTORY /etc/default/passwd
HP-UX
# grep HISTORY /etc/default/security
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 55
Linux
# ls /etc/security/opasswd
#
more /etc/pam.d/system-auth |grep password |
grep pam_unix.so | grep remember
If /etc/security/opasswd does not exist, then this is a finding. If the ‘remember’ option in /etc/
pam.d/system-auth is not set to 5, then this is a finding.
If passwords are reused witin the last five changes, then this is a finding.
PDI:
GEN000800
V0004084
Category II
:
Status Code: AUTO
Previously:
G606
IA Controls:
IAIA-1
PDI Description:
Passwords are reused witin the last five changes.
Reference:
UNIX STIG: 3.2.1
14. GEN000820 – Global Password Configuration Files
Solaris
Confirm MINWEEKS is set to 1 or more.
# grep MINWEEKS /etc/default/passwd
Confirm MAXWEEKS is set to 8 or less, but not 0.
# grep MAXWEEKS /etc/default/passwd
HP-UX
Confirm the default mintm is set to 1 or more
# getprdef -r -m mintm
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 56
Confirm the default exptm is set to 60 or less, but not 0
# getprdef -r -m exptm
AIX
Confirm the following:
# grep minage /etc/security/user
# grep maxage /etc/security/user
IRIX
Confirm MINWEEKS is set to 1 or more.
# grep MINWEEKS /etc/default/passwd
Confirm MAXWEEKS is set to 1 or more.
# grep MAXWEEKS /etc/default/passwd
Linux
Confirm PASS_MIN_DAYS is set to 1 or more.
# grep PASS_MIN_DAYS /etc/login.defs
Confirm PASS_MAX_DAYS is set to 60 or less, but not 0.
# grep PASS_MAX_DAYS /etc/login.defs
If global password configuration files are not configured per guidelines, then this is a finding.
PDI:
GEN000820
V0011978
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
IAIA-1, DCSS-1, DCSS-2
PDI Description:
Global password configuration files are not configured per guidelines.
Reference:
UNIX STIG: 3.2.1
15. GEN000840 – Root Account Access
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 57
Ask the SA for the names of people sharing the root password and verify that they are security or SA personnel.
Ask the SA if the root users are documented with the IAO. If they are not, then this is a finding.
PDI:
GEN000840
V0004303
Category II
:
Status Code: MAN
Previously:
G691
IA Controls:
ECPA-1
PDI Description:
Access to the root account is not limited to security and administrative
users who require such access and not documented with the IAO.
Reference:
UNIX STIG: 3.2.1
16. GEN000860 – Password Change for Administrative Passwords Upon SA
Reassignment
Ask the SA or the IAO for the password procedures that state the root passwords are changed upon administrator
reassignment. If there is not such documentation, then this is a finding.
PDI:
GEN000860
Category:III
Status Code: MAN
Previously:
AD16
V0000971
IA Controls:
ECPA-1, IAAC-1
PDI Description:
Administrative passwords are not changed when an individual with
access to the root password is reassigned.
Reference:
UNIX STIG: 3.2.1
7. Root Account
1. GEN000880 – Root’s UID
Perform the following to check for a duplicate root uid:
# grep “:0:” /etc/passwd | awk –F”:” ‘{print$1”:”$3”:”}’ |
grep “:0:”
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 58
If any accounts are shown in addition to root, then this is a finding.
PDI:
GEN000880
V0000773
Category II
:
Status Code: AUTO
Previously:
G021
IA Controls:
ECPA-1
PDI Description:
An account other than root has a uid of 0.
Reference:
UNIX STIG: 3.3
2. GEN000900 – Root’s Home Directory
Perform the following to check compliance:
# grep “^root” /etc/passwd | awk –F”:” ‘{print $6}’
If the root user home directory is /, then this is a finding.
PDI:
GEN000900
Category:IV
Status Code: AUTO
Previously:
G022
V0000774
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The root account home directory has not been changed from ‘/’.
Reference:
UNIX STIG: 3.3
3. GEN000920 – Root’s Home Directory Permissions
Perform the following as root:
# grep “^root” /etc/passwd | awk –F”:” ‘{print $6}’
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 59
# ls –ld <root home directory>
If the permissions of the root home directory are greater than 700, then this is a finding. If the home directory is
/ , this check will be marked Not Applicable.
PDI:
GEN000920
V0000775
Category II
:
Status Code: AUTO
Previously:
G023
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The root account home directory (other than ‘ /’) is more permissive
than 700.
Reference:
UNIX STIG: 3.3
4. GEN000940 – Root’s Search Path
As the root user perform the following to check the search path:
#
echo $PATH
If the PATH variable contains a ‘.’ or ‘::’ or starts or ends with ‘:’ then this is a finding.
PDI:
GEN000940
V0000776
Category II
:
Status Code: AUTO
Previously:
G024
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The root account’s search path contains a ‘.’, ‘::’, or starts or ends with
a ‘:’..
Reference:
UNIX STIG: 3.3
5. GEN000960 – Root’s Search Path
As the root user perform the following to check the search path:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 60
echo $PATH
#
ls –ld <each directory in path variable>
If any of the directories in the PATH variable are world writeable, then this is a finding.
PDI:
GEN000960
V0000777
Category II
:
Status Code: AUTO
Previously:
G025
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The root account has world writable directories in its search path.
Reference:
UNIX STIG: 3.3
6. GEN000980 – Root Console Access
Solaris
Confirm CONSOLE is set to /dev/console .
# grep CONSOLE=/dev/console /etc/default/login
HP-UX
Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null .
# more /etc/securetty
AIX
# /user/sbin/lsuser –a rlogin root
IRIX
Confirm CONSOLE is set to /dev/console or the console device.
# grep CONSOLE /etc/default/login
Linux
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 61
Confirm /etc/securetty exists and is empty or contains only the word console or a single tty
device.
PDI:
GEN000980
Category II
:
V0000778
Status Code: AUTO
Previously:
G026
IA Controls:
IAIA-1, IAIA-2
PDI Description:
The root account can be directly logged into from somewhere other
than the system console.
Reference:
UNIX STIG: 3.3
7. GEN001000 – Remote Consoles
Solaris 2.5, 2.6, and 7
Confirm CONSOLE is set to /dev/console .
# grep CONSOLE=/dev/console /etc/default/login
Solaris 8, 9, and 10
Confirm there is no output from the below mentioned command.
# consadm –p
HP-UX
Confirm /etc/securetty exists and is empty or contains only the word console or /dev/null .
AIX
Ensure /etc/security/login.cfg does not define an alternate console.
IRIX
Confirm CONSOLE is set to /dev/console or the console device.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 62
# grep CONSOLE /etc/default/login
Linux
Confirm /etc/securetty exists and is empty or contains only the word console or a single tty
device.
PDI:
GEN001000
V0004298
Category II
:
Status Code: AUTO
Previously:
G698
IA Controls:
DCHW-1
PDI Description:
There are remote consoles defined.
Reference:
UNIX STIG: 3.3
8. GEN001020 – Direct Root Login
Perform the following to check if root is logging in directly:
# last root |grep –v reboot
If any entries exist for root other than the console, then this is a finding.
PDI:
GEN001020
V0011979
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
PDI Description:
The root account is logged onto directly.
Reference:
UNIX STIG: 3.3
9. GEN001060 – Log Root Access Attempts
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 63
Check the following log files to determine if access to the root account is being logged. Try to su – and enter
an incorrect password.
Solaris
# more /var/adm/sulog
HP-UX
AIX
IRIX
Linux
# more /var/log/messages
or
# more/var/adm/sulog (configurable from /etc/default/su)
If root login accounts are not being logged, then this is a finding.
PDI:
GEN001060
V0011980
Category II
:
Status Code: AUTO
Previously:
G027
IA Controls:
PDI Description:
Successful and unsuccessful access to the root account are not logged.
Reference:
UNIX STIG: 3.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 64
10. GEN001080 – Root Shell
Perform the following to determine if /usr is partitioned.
# grep “/usr” /etc/vfstab
or
#grep “/usr” /etc/fstab
If /usr is partitioned, check the location of root’s default shell.
# grep "^root:" /etc/passwd | grep ":/usr"
If the root shell is found to be a partitioned /usr filesystem, then this is a finding.
PDI:
GEN001080
Category:III
Status Code: AUTO
Previously:
G229
V0001062
IA Controls:
DCSS-1, DCSS-2
PDI Description:
The root shell is located in /usr and /usr is partitioned.
Reference:
UNIX STIG: 3.3
8. Encrypted Root Access
1. GEN001100 – Encrypting Root Access
Perform the following to determine if root has logged in over an unencrypted network connection. The first
command determines if root has logged in over a network. The second will check to see if ssh is installed.
Solaris
# last
| grep “^root “ | egrep –v “reboot|console” | more
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 65
# ps –ef |grep sshd
HP-UX
# last –R
AIX
# last
| grep “^root “ | egrep –v “reboot|console”
| more
IRIX
# last
Linux
# last | grep “^root “ | egrep –v “reboot|console” | more
If the output from the ‘ last ’ command shows root has logged in over the network and sshd is not running,
PDI:
GEN001100
V0001046
Category I
:
Status Code: AUTO
Previously:
G499
IA Controls:
ECPA-1, IAIA-1, IAIA-2
PDI Description:
The root password is passed over a network in clear text form.
Reference:
UNIX STIG: 3.3.1
2. GEN001120 – Encrypting Root Access
Perform the following to determine if ssh disables root logins:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 66
find / -name sshd_config –print
#
permitrootlogin
grep –v “^#” <sshd_config path> | grep –i
If the PermitRootLogin entry is found uncommented and set to yes, then this is a finding.
PDI:
GEN001120
V0001047
Category II
:
Status Code: AUTO
Previously:
G500
IA Controls:
ECPA-1, IAAC-1
PDI Description:
An encrypted remote access program, such as ssh, does not disable the
capability to log directly on as root.
Reference:
UNIX STIG: 3.3.1
9. File and Directory Controls
1. GEN001140 – Uneven File Permissions
Perform:
#
ls –lL <system directory>
to check the permissions for files in /etc , /bin , /usr/bin , /usr/lbin , /usr/usb , /sbin , and /
usr/sbin. Uneven file permission exist if the file owner has less privileges than the group or world users and
when the file is owned by a privileged user or group (such as root or bin) .. If any of the files in the above listed
directories contain uneven file permissions, then this is a finding.
PDI:
GEN001140
V0000784
Category II
:
Status Code: AUTO
Previously:
G034
IA Controls:
ECCD-1, ECCD-2
PDI Description:
There are files or directories with uneven access permissions.
Reference:
UNIX STIG: 3.4
2. GEN001160 – Unowned Files
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 67
Perform:
#
find / nouser print > nousers
and
#
find / -nogroup –print > nogroup
If there are any files list ed either in the nousers or nogroup files created from the above commands,
PDI:
GEN001160
V0000785
Category II
:
Status Code: AUTO
Previously:
G035
IA Controls:
ECCD-1, ECCD-2
PDI Description:
There are unowned files.
Reference:
UNIX STIG: 3.4
3. GEN001180 – Network Services Daemon Permissions
Perform the following to check the permssions:
Solaris
# ls –la /usr/bin or /usr/sbin
HP-UX
# ls –la /usr/lbin
AIX
# ls –la /usr/sbin
IRIX
# ls –la /usr/etc
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 68
Linux
# ls –la /usr/sbin
If any of the files that are used to start network daemons in the above directories have permissions greater than
755, then this is a finding.
Note: Network daemons that may not reside in these directories (such as httpd or sshd) must also be checked for
the correct permissions.
PDI:
GEN001180
V0000786
Category II
:
Status Code: AUTO
Previously:
G036
IA Controls:
ECLP-1, ECCD-1, ECCD-2
PDI Description:
Network services daemon file is more permissive than 755.
Reference:
UNIX STIG: 3.4
4. GEN001200 – System Command Permissions
Perform:
#
to check the permissions for files in /etc , /bin , /usr/bin , /usr/lbin , /usr/usb , /sbin , and /
usr/sbin . If the file permissions are greater than 755, and the files are system commands, then this is a
finding.
Note: Elevate to Category Code I if world writable.
.
PDI:
GEN001200
V0000794
Category II
:
Status Code: AUTO
Previously:
G044
IA Controls:
PDI Description:
System command is more permissive than 755.
Reference:
UNIX STIG: 3.4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 69
5. GEN001220 – System Files, Programs, and Directories Ownership
Perform:
#
to check the owner for files in /etc , /bin , /usr/bin , /usr/lbin , /usr/usb , /sbin , and /usr/
sbin . If the files are not owned by a system account or application, then this is a finding.
PDI:
GEN001220
V0000795
Category II
:
Status Code: AUTO
Previously:
G045
IA Controls:
PDI Description:
System files, programs, and directories are not owned by a system
account.
Reference:
UNIX STIG: 3.4
6. GEN001240 – System Files, Programs, and Directories Group Ownership
Perform:
#
to check the group owner for files in /etc , /bin , /usr/bin , /usr/lbin , /usr/usb , /sbin , and /
usr/sbin . If the files are not owned by a system group or application group, then this is a finding.
PDI:
GEN001240
V0000796
Category II
:
Status Code: AUTO
Previously:
G046
IA Controls:
PDI Description:
System files, programs, and directories are not owned by a system
group.
Reference:
UNIX STIG: 3.4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 70
7. GEN001260 – System Log File Permissions
Most syslog messages are logged to /var/log, /var/log/syslog , or /var/adm directories. Check
the permissions by performing the following:
#
ls –lL <syslog directory>
If any of the log files permissions are greate r than 640, then this is a finding.
PDI:
GEN001260
V0000787
Category II
:
Status Code: AUTO
Previously:
G037
IA Controls:
ECTP-1, ECCD-1, ECCD-2
PDI Description:
System log file is more permi ssive than 640.
Reference:
UNIX STIG: 3.4
8. GEN001280 – Manual Page File Permissions
Check the man pages permissions by performing the following:
#
ls –lL /usr/share/man
#
ls –lL /usr/share/info
#
ls –lL /usr/share/infopage
If any files in the above directories have permissions greater than 644, then this is a finding.
PDI:
GEN001280
Category:III
Status Code: AUTO
Previously:
G042
V0000792
IA Controls:
DCCS-1, DCCS-2, ECCD-1, ECCD-2
PDI Description:
Manual page file is more permissive than 644.
Reference:
UNIX STIG: 3.4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 71
9. GEN001300 – Library File Permissions
Check the library permissions by performing the following:
#
ls –lL /usr/lib/*
If any of the file permissions are greater than 755, then this is a finding.
PDI:
GEN001300
V0000793
Category II
:
Status Code: AUTO
Previously:
G043
IA Controls:
DCSL-1, ECCD-1, ECCD-2
PDI Description:
Library file is more permissive than 755.
Reference:
UNIX STIG: 3.4
10. GEN001320 – NIS/NIS+/yp File Ownership
Perform the following to check NIS file ownership:
Solaris
# ls –la /usr/lib/netsvc/yp
HP-UX
# ls –la /var/yp/<nis domainname>
AIX
# ls –la /usr/lib/netsvc/yp or /usr/lib/nis
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 72
# ls –la /usr/var/yp/<nis domainname>
Linux
If the file ownership is not root, sys, bin, then this is a finding.
PDI:
GEN001320
V0000789
Category II
:
Status Code: AUTO
Previously:
G039
IA Controls:
ECLP-1
PDI Description:
NIS/NIS+/yp files are not owned by root, sys or bin.
Reference:
UNIX STIG: 3.4
11. GEN001340 – NIS/NIS+/yp File Group Ownership
Perform the following to check NIS file group ownership:
Solaris
HP-UX
AIX
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 73
Linux
If the file group ownership is not root, sys, bin or other, then this is a finding.
PDI:
GEN001340
V0000790
Category II
:
Status Code: AUTO
Previously:
G040
IA Controls:
ECLP-1
PDI Description:
NIS/NIS+/yp files are not group owned root, sys, bin, or other.
Reference:
UNIX STIG: 3.4
12. GEN001360 – NIS/NIS+/yp File Permissions
Perform the following to check NIS file permissions:
Solaris
HP-UX
AIX
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 74
Linux
If any of the file permissions are greater than 755, then this is a finding.
PDI:
GEN001360
V0000791
Category II
:
Status Code: AUTO
Previously:
G041
IA Controls:
DCCS-1, DCCS-2, ECCD-1, ECCD-2
PDI Description:
NIS/NIS+/yp command file is more permissive than 755.
Reference:
UNIX STIG: 3.4
13. GEN001380 – /etc/passwd File Permissions
Check /etc/passwd permissions:
# ls –lL /etc/passwd
If /etc/passwd is more permissive than 644, then this is a finding.
PDI:
GEN001380
V0000798
Category II
:
Status Code: AUTO
Previously:
G048
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The /etc/passwd file is more permissive than 644.
Reference:
UNIX STIG: 3.4
14. GEN001400 – /etc/passwd and/or /etc/shadow File Ownership
Check /etc/passwd ownership:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 75
# ls –lL /etc/passwd
Check /etc/shadow and equivalent file(s) ownership:
HP-UX
The TCB structure of HP-UX and other flavors of UNIX is radically different from the /etc/shadow
structure found in Solaris. The file permissions and uids/gids should be as follows, and are a finding if
they deviate from this configuration.
d555
/tcb
root
/tcb/files
d771
root
/tcb/files/auth
d771
root
/tcb/files/auth/[a-z]/*
664
sys
sys
sys
root
root
AIX.
# ls –lL /etc/ security/passwd
All Other Platforms
# ls –lL /etc/shadow
If the /etc/passwd and /etc/shadow (or equivalent) file is not owned by root, then this is a finding. If
HP-UX /tcb directories and files ownerships are not configured as detailed above, then this is a finding.
PDI:
GEN001400
V0000797
Category II
:
Status Code: AUTO
Previously:
G047
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The /etc/passwd and /etc/shadow (or equivalent) file is not owned by
root.
Reference:
UNIX STIG: 3.4
15. GEN001420 – /etc/shadow File Permissions
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 76
Check /etc/shadow and equivalent file(s) permissions:
HP-UX
The TCB structure of HP-UX and other flavors of UNIX is radically different from the /etc/shadow
structure found in Solaris. The file permissions and uids/gids should be as follows, and are a finding if
they deviate from this configuration.
d555
/tcb
root
/tcb/files
d771
root
/tcb/files/auth
d771
root
/tcb/files/auth/[a-z]/*
664
sys
sys
sys
root
root
AIX.
# ls –lL /etc/ security/passwd
All Other Platforms
# ls –lL /etc/shadow
If the /etc/shadow (or equivalent) file is more permissive than 400, then this is a finding. If HP-UX /tcb
directories and files permissions are not configured as detailed above, then this is a finding.
PDI:
GEN00142 Category II
0
:
Status
Code:
AUTO
Previously:
G050
V0000800
MAC/Confidentiality Levels:
MAC I – CSP, MAC II – CSP, MAC III – CSP
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The /etc/shadow (or equivalent) file is more permissive than 400.
Reference:
UNIX STIG: 3.4
10. Home Directories
1. GEN001440 – Assign Home Directories
Perform:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 77
Solaris
# pwck
HP-UX
# pwck -s
AIX
# usrck –n ALL
IRIX
# pwck
Linux
# pwck
If any interactive users are not assigned a home directory, then this is a finding.
PDI:
GEN001440
Category:IV
Status Code: AUTO
Previously:
G051
V0000899
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Users are not assigned a home directory in the /etc/passwd file.
Reference:
UNIX STIG: 3.5
2. GEN001460 – Assigned Home Directories Exist
Perform:
Solaris
# pwck
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 78
HP-UX
# pwck -s
AIX
# usrck –n ALL
IRIX
# pwck
Linux
# pwck
If an interactive user assigned home directories do not exist, then this is a finding.
PDI:
GEN001460
Category:IV
Status Code: AUTO
Previously:
G052
V0000900
IA Controls:
DCCS-1, DCCS-2
PDI Description:
A home directory defined in the /etc/passwd file does not exist.
Reference:
UNIX STIG: 3.5
3. GEN001480 –Home Directories Permissions
Issue this command for each user in the /etc/passwd file to display user home directory permissions:
# ls –lLd /<usershomedirectory>
If a user’s home directories are more permissive the 750, then this is a finding. Home directories with
permissions greater than 750 must be justified and documented with the IAO.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN001480
V0000901
Page 79
Category II
:
Status Code: AUTO
Previously:
G053
IA Controls:
PDI Description:
User home directories are more permissive than 750.
Reference:
UNIX STIG: 3.5
4. GEN001500 –Home Directories Ownership
Issue this command for each user in the /etc/passwd file to display user home directory ownership:
# ls –lLd /<usershomedirectory>
If a user’s home directory(s) are not owned by the assigned user, then this is a finding. Home directories not
owned by the assigned user must be justified and documented with the IAO.
PDI:
GEN001500
V0000902
Category II
:
Status Code: AUTO
Previously:
G054
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Users do not own their home directory.
Reference:
UNIX STIG: 3.5
5. GEN001520 –Home Directories Group Ownership
Issue this command for each user in the /etc/passwd file to display user home directory group ownership:
# ls –lLd /<usershomedirecotory>
# grep <user> /etc/group
If user home directories are not group owned by the assigned user’s primary group, then this is a finding. Home
directories with a group owner other than the assigned owner must be justified and documented with the IAO.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN001520
V0000903
Page 80
Category II
:
Status Code: AUTO
Previously:
G055
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Home directories are not group owned by the home directory owner’s
primary group. Exceptions may exist for application directories, which
will be documented with the IAO.
Reference:
UNIX STIG: 3.5
11. User Files
1. GEN001540 –Home Directories File Ownership
If non-startup files are found in a user’s home directory which are not owned by the user ask the SA or IAO if
these files are documented.
If user home directories contain files or directories not owned by the home directory owner without
documentation, then this is a finding.
PDI:
GEN001540
Category:III
Status Code: AUTO
Previously:
G067
V0000914
IA Controls:
DCCS-1, DCCS-2
PDI Description:
User home directories contain files/directories not owned by the home
directory owner.
Reference:
UNIX STIG: 3.6
2. GEN001560 – Home Directories File Permissions
If non-start-up files are found in a user’s home directory that have permissions less restrictive than 750, ask the
SA or IAO if these files are documented.
If user home directories contain files or directories more permissive than 750 without documentation, then this is
a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 81
GEN001560
Category:III
Status Code: AUTO
Previously:
G068
V0000915
IA Controls:
ECLP-1
PDI Description:
User home directories contain files/directories more permissive than
750.
Reference:
UNIX STIG: 3.6
12. Run Control Scripts
1. GEN001580 – Run Control Scripts Permissions
Check run control scripts permissions:
Solaris
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
HP-UX
# cd /sbin
# ls –lL rc*
# cd /sbin/init.d
# ls –l
# /etc/rc.config.d
# ls -l
AIX
# cd /etc
# ls –lL rc*
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 82
IRIX
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
Linux
(may vary)
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
If run control scripts are more permissive than 755, then this is a finding.
PDI:
GEN001580
V0000906
Category II
:
Status Code: AUTO
Previously:
G058
IA Controls:
ECLP-1
PDI Description:
Run control scripts are more permissive than 755.
Reference:
UNIX STIG: 3.7
2. GEN001600 – Run Control Scripts PATH Variable
Perform:
Solaris
# cd /etc/init.d
# grep PATH *
HP-UX
# cd /sbin/init.d
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 83
# grep PATH *
AIX
# cd /etc
# grep PATH rc*
IRIX
# cd /etc/init.d
# grep PATH *
Linux
(may vary)
# cd /etc
# grep PATH *
# cd /etc/init.d
# grep PATH */*
If the PATH variable has a ‘.’ or a ‘::’ , then this is a finding.
PDI:
GEN001600
V0000907
Category II
:
Status Code: AUTO
Previously:
G059
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Run control scripts PATH variable contains a ‘.’ or a ‘::’, or starts or
ends with a ‘.’.
Reference:
UNIX STIG: 3.7
3. GEN001620 – Run Control Scripts SGID/SUID
Check run control scripts for sgid and suid :
Solaris
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 84
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
HP-UX
# cd /sbin
# ls –lL rc*
# cd /sbin/init.d
# ls –l
# /etc/rc.config.d
# ls -l
AIX
# cd /etc
# ls –lL rc*
IRIX
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
Linux
# cd /etc
(may vary)
# ls –lL rc*
# cd /etc/init.d
# ls –l
If run control scripts have the sgid or suid bit set, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN001620
V0000909
Page 85
Category II
:
Status Code: AUTO
Previously:
G061
IA Controls:
ECLP-1
PDI Description:
Run control scripts have the sgid or the suid bit set.
Reference:
UNIX STIG: 3.7
4. GEN001640 – Run Control Scripts World Writable Programs or Scripts
Perform more command to look in the system startup files to check for files or scripts being executed. Check
the permissions on the files or scripts to check if they are world writable. Alternatively, the command
#
find / -perm –0002 –type f > wwlist
Will give a list of world writable files that can be checked against the executed files or scripts. If world writeable
files are found to be executed from systems startup scripts, then this is a finding.
PDI:
GEN001640
V0000910
Category I
:
Status Code: AUTO
Previously:
G062
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Run control scripts execute world writable programs or scripts.
Reference:
UNIX STIG: 3.7
5. GEN001660 – Run Control Scripts Ownership
Check run control scripts ownership :
Solaris
# cd /etc
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 86
# ls –lL rc*
# cd /etc/init.d
# ls –l
HP-UX
# cd /sbin
# ls –lL rc*
# cd /sbin/init.d
# ls –l
# /etc/rc.config.d
# ls -l
AIX
# cd /etc
# ls –lL rc*
IRIX
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
Linux
(may vary)
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
If run control scripts are not owned by root or bin, then this is a finding.
PDI:
GEN001660
V0004089
Category II
:
Status Code: AUTO
Previously:
G611
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 87
IA Controls:
DCSW-1
PDI Description:
Run control scripts are not owned by root or bin.
Reference:
UNIX STIG: 3.7
6. GEN001680 – Run Control Scripts Group Ownership
Check run control scripts group ownership :
Solaris
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
HP-UX
# cd /sbin
# ls –lL rc*
# cd /sbin/init.d
# ls –l
AIX
# cd /etc
# ls –lL rc*
IRIX
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 88
Linux
(may vary)
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l rc*
If run control scripts are not group owned by root, sys, bin, other or the system default, then this is a finding.
PDI:
GEN001680
Category II
:
V0004090
Status Code: AUTO
Previously:
G612
IA Controls:
DCSW-1
PDI Description:
Run control scripts are not group owned by root, sys, bin, other, or the
system default.
Reference:
UNIX STIG: 3.7
7. GEN001700 – Run Control Scripts Execute Programs
Perform:
Solaris
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
HP-UX
# cd /sbin
# ls –lL rc*
# cd /sbin/init.d
# ls –l
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 89
AIX
# cd /etc
# ls –lL rc*
IRIX
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l
Linux
(may vary)
# cd /etc
# ls –lL rc*
# cd /etc/init.d
# ls –l rc*
Use the more command to search for programs executed by system start-up files. Then use the ls –l
command to examine the permissions of the program. In most cases, they will be owned by root, sys, or bin. In a
very small minority of cases, they may be owned by identifiable applications. In no case will applications be
owned by users.
PDI:
GEN001700
V0004091
Category II
:
Status Code: MAN++
Previously:
G613
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Run control scripts execute programs owned by neither a system
account nor an application account.
Reference:
UNIX STIG: 3.7
13. Global Initialization Files
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 90
1. GEN001720 – Global Initialization Files Permissions
Check global initialization files permisions:
# ls –l /etc/.login
# ls –l /etc/profile
# ls –l /etc/bashrc
# ls –l /etc/environment
# ls –l /etc/security/environ
If global initialization files are more permissive than 644, then this is a finding.
PDI:
GEN001720
V0011981
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECLP-1
PDI Description:
Global initialization files are more permissive than 644.
Reference:
UNIX STIG: 3.8.1
2. GEN001740 – Global Initialization Files Ownership
Check global initialization files ownership:
If global initialization files are not owned by root, then this is a finding.
PDI:
GEN001740
V0011982
Category II
:
Status Code: AUTO
Previously:
N/A
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 91
IA Controls:
ECLP-1
PDI Description:
Global initialization files are not owned by root.
Reference:
UNIX STIG: 3.8.1
3. GEN001760 – Global Initialization Files Group Ownership
Check global initialization files group ownership:
If global initialization files are not group owned by root, sys, bin, other, or the system default, then this is a
finding.
PDI:
GEN001760
V0011983
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECLP-1
PDI Description:
Global initialization files are not group owned by root, sys, bin, other,
or the system default.
Reference:
UNIX STIG: 3.8.1
4. GEN001780 – Global Initialization Files do not Contain mesg -n
# grep “mesg -y ” /etc/.login
# grep “mesg -y ” /etc/profile
# grep “mesg -y ” /etc/bashrc
# grep “mesg -y ” /etc/environment
# grep “mesg -y ” /etc/security/environ
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 92
If global initialization files do contain mesg -y , then this is a finding.
PDI:
GEN001780
Category:III
Status Code: AUTO
Previously:
G112
V0000825
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Global initialization files do not contain the command mesg –n.
Reference:
UNIX STIG: 3.8.1
5. GEN001800 – Default/Skeleton Dot Files Permissions
Check skeleton files permisions :
AIX.
# ls –l /etc/ security/.profile
All Other Platforms
# ls –alL /etc/skel
If skeleton dot files are more permissive than 644, then this is a finding.
PDI:
GEN001800
V0000788
Category II
:
Status Code: AUTO
Previously:
G038
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Default skeleton . files are more permissive than 644.
Reference:
UNIX STIG: 3.8.1
6. GEN001820 – Default/Skeleton Dot Files Ownership
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 93
Check skeleton files ownership:
AIX.
# ls –l /etc/ security/.profile
All Other Platforms
# ls –alL /etc/skel
If skeleton dot files are not owned by root or bin, then this is a finding.
PDI:
GEN001820
V0011984
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Default skeleton . files are not owned by root or bin.
Reference:
UNIX STIG: 3.8.1
7. GEN001840 – Global Initialization Files PATH Variable
# more /etc/.login |grep PATH
# more /etc/profile | grep PATH
# more /etc/bashrc | grep PATH
# more /etc/environment | grep PATH
# more /etc/security/environ | grep PATH
If the global initialization files’ PATH variable contains a ‘.’ or a ‘::’, or starts or ends with a ‘:’, then this is a
finding.
PDI:
GEN001840
V0011985
Category II
:
Status Code: AUTO
Previously:
N/A
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 94
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Global initialization files PATH variable contains a ‘.’ or a ‘::’, or
starts or ends with a ‘:’.
Reference:
UNIX STIG: 3.8.1
14. Local Initialization Files
1. GEN001860 – Local Initialization Files Ownership
# ls –al / <usershomedirectory>/.login
# ls –al / <usershomedirectory>/.cschrc
# ls –al / <usershomedirectory>/.logout
# ls –al / <usershomedirectory>/.profile
# ls –al / <usershomedirectory>/.bash_profile
# ls –al / <usershomedirectory>/.bashrc
# ls –al / <usershomedirectory>/.bash_logout
# ls –al / <usershomedirectory>/.env
# ls –al / <usershomedirectory>/.dtprofile
# ls –al / <usershomedirectory>/.dispatch
# ls –al / <usershomedirectory>/.emacs
# ls –al / <usershomedirectory>/.exrc
If local initialization files are not owned the home directory user, then this is a finding. Local initialization files
not owned by the user must be justified and documented by the IAO.
PDI:
GEN001860
V0000904
Category II
:
Status Code: AUTO
Previously:
G056
IA Controls:
ECLP-1
PDI Description:
Local initialization files are not owned by the user or root.
Reference:
UNIX STIG: 3.8.2
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 95
2. GEN001880 – Local Initialization Files Permissions
# ls –al / <usershomedirectory>/.login
# ls –al / <usershomedirectory>/.cschrc
# ls –al / <usershomedirectory>/.logout
# ls –al / <usershomedirectory>/.profile
# ls –al / <usershomedirectory>/.bash_profile
# ls –al / <usershomedirectory>/.bashrc
# ls –al / <usershomedirectory>/.bash_logout
# ls –al / <usershomedirectory>/.env
# ls –al / <usershomedirectory>/.dtprofile
(permissions should be 755)
# ls –al / <usershomedirectory>/.dispatch
# ls –al / <usershomedirectory>/.emacs
# ls –al / <usershomedirectory>/.exrc
If local initialization files are more permissive than 740 or the .dtprofile file is more permissive than 755, then
this is a finding.
PDI:
GEN001880
V0000905
Category II
:
Status Code: AUTO
Previously:
G057
IA Controls:
ECLP-1
PDI Description:
Local initialization files are more permissive than 740.
.dt (a directory, this should have permissions of 755)
.dtprofile (a file, this should have permissions of 755)
Reference:
UNIX STIG: 3.8.2
3. GEN001900 – Local Initialization Files PATH Variable
# more / <usershomedirectory>/.* |grep PATH
If the local initialization files’ PATH variable contains a ‘.’ or a ‘::’, or starts or ends with a ‘:’, then this is a
finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN001900
V0011986
Page 96
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSS-1, DCSS-2
PDI Description:
Local initialization files PATH variable contains a ‘.’ or a ‘::’, or starts
with a ‘.’.
Reference:
UNIX STIG: 3.8.2
4. GEN001920 – Local Initialization Files SGID/SUID
# ls -la / <usershomedirectory>/.*
If any of the above files have the suid or sgid bit set, then this is a finding.
PDI:
GEN001920
V0000908
Category II
:
Status Code: AUTO
Previously:
G060
IA Controls:
ECLP-1
PDI Description:
Local initialization f iles have the suid or the sgid bit set.
Reference:
UNIX STIG: 3.8.2
5. GEN001940 – Local Initialization Files World Writable Programs or Scripts
# more / <usershomedirectory>/.*
Look for programs or scripts executed within the local initialization files, and issue an ls -al on any programs
or scripts found to check if the called program or script is world writable.
If local initialization files execute world writable programs or scripts, then this is a finding.
PDI:
GEN001940
V0004087
Category II
:
Status Code: AUTO
Previously:
G609
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 97
IA Controls:
ECLP-1
PDI Description:
Local initialization files execute world writable programs or scripts.
Reference:
UNIX STIG: 3.8.2
6. GEN001960 – Local Initialization Files mesg -y
# grep “mesg y” / <usershomedirectory>/.*
If local initialization files contain the mesg –y or mesg y command, then this is a finding.
PDI:
GEN001960
Category:III
Status Code: AUTO
Previously:
G610
V0004088
IA Controls:
ECLP-1
PDI Description:
Local initialization files contain the mesg -y or mesg y command.
Reference:
UNIX STIG: 3.8.2
15. Trusted System/System Access Control Files
1. GEN001980 – Plus (+) in Access Control Files
# find / -name .rhosts
# more /<directorylocation>/.rhosts
# find / -name .shosts
# more /<directorylocation>/.shosts
# find / -name hosts.equiv
# more /<directorylocation>/hosts.equiv
# find / -name shosts.equiv
# more /<directorylocation>/shosts.equiv
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 98
If the .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files contain a plus
(+) that is not used to define entries for NIS+ netgroups, then this is a finding.
PDI:
GEN001980
V0011987
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/
shadow, and/or /etc/group files contain a plus (+) and does not define
entries for NIS+ netgroups.
Reference:
UNIX STIG: 3.9
2. GEN002000 – The .netrc File Exists
# find / -name .netrc
If the .netrc file exists, then this is a finding. The .netrc must be justified and documented with the IAO.
PDI:
GEN002000
V0000913
Category II
:
Status Code: AUTO
Previously:
G066
IA Controls:
IAIA-1, IAIA-2
PDI Description:
A .netrc file exists.
Reference:
UNIX STIG: 3.9
3. GEN002020 – Access Control Files Host Pairs
# more /<directorylocation>/.rhosts
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 99
# more /<directorylocation>/.shosts
# more /<directorylocation>/hosts.equiv
# more /<directorylocation>/shosts.equiv
If the .rhosts, .shosts, hosts.equiv, or shosts.equiv files contain other than hostname-user pairs and are not
justified and documented with the IAO , then this is a finding.
PDI:
GEN002020
V0004427
Category II
:
Status Code: PART
Previously:
G614
IA Controls:
IAIA-1, IAIA-2
PDI Description:
The .rhosts, .shosts, hosts.equiv, or shosts.equiv files contain other
than host-user pairs and are not justified and documented with the
IAO .
Reference:
UNIX STIG: 3.9
4. GEN002040 – Access Control Files Documentation
If .rhosts, .shosts, hosts.equiv, or shosts.equiv are found and not justified and documented with the IAO, then
this is a finding.
PDI:
GEN002040
V0011988
Category I
:
Status Code: PART
Previously:
N/A
IA Controls:
IAIA-1, IAIA-2
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 100
PDI Description:
The .rhosts, .shosts, hosts.equiv, or shosts.equiv are used and not
justified and documented with the IAO.
Reference:
UNIX STIG: 3.9
5. GEN002060 – Access Control Files Accessibility
# ls -al /<directorylocation>/.rhosts
# ls -al /<directorylocation>/.shosts
# ls -l /<directorylocation>/hosts.equiv
# ls -l /<directorylocation>/shosts.equiv
# find / -name .netrc
# ls -l /<directorylocation>/.netrc
If the .rhosts, .shosts, hosts.equiv, or shosts.equiv files files have permissions greater than 700, then this is a
finding.
PDI:
GEN002060
V0004428
Category II
:
Status Code: AUTO
Previously:
G615
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The .r hosts, .shosts, hosts.equiv, shosts.equiv, or .netrc files are
accessible by users other than root or the owner.
Reference:
UNIX STIG: 3.9
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 101
6. GEN002100 – The .rhosts Supported in PAM
Linux.
# cd /etc/pam.d
# grep rhosts_auth *
All Other Platforms
# grep rhosts_auth /etc/pam.conf
If rhosts_auth is found and is not documented as required, then this is a finding. This must be justified and
documented with the IAO.
PDI:
GEN002100
Category II
:
V0011989
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The .rhosts file is supported in PAM.
Reference:
UNIX STIG: 3.9
16. Shells
1. GEN002120 – The /etc/shells File Does Not Exist
AIX.
# ls –l /etc/security/login.cfg
All Other Platforms
# ls –l /etc/shells
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 102
If the /etc/shells (or equivalent) file does not exist , then this is a finding.
PDI:
GEN002120
Category II
:
V0000916
Status Code: AUTO
Previously:
G069
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The /etc/shells (or equivalent) file does not exist.
Reference:
UNIX STIG: 3.10
2. GEN002140 – The /etc/shells Contents
AIX.
# more /etc/passwd
All Other Platforms
# more /etc/passwd
# more /etc/shells
Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells (or equivalent)
file.
The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, (and equivalents), and sdshell , and application binaries will
be considered valid shells for use in the /etc/passwd file, but will not be listed in the /etc/shells file.
If a shell referenced in /etc/passwd is not listed in the shells file, excluding the above me ntioned shells, then this
is a finding.
PDI:
GEN002140
V0000917
Category II
:
Status Code: AUTO
Previously:
G070
IA Controls:
DCCS-1, DCCS-2
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 103
PDI Description:
A shell referenced in /etc/passwd is not listed in the shells file.
Reference:
UNIX STIG: 3.10
3. GEN002160 – Shells SUID
AIX.
For each shell listed in the /etc/security/login.cfg file:
# ls –l <shell>
All Other Platforms
# find / -name “*sh”
For each shell found:
# ls –l <shell>
If shell files have the suid bit set, then this is a finding.
Note: The remsh command is sometimes linked to the rsh command and will have the suid bit set; in this
case it is not a finding. Determine if that is the case by using ls –li to determine if they share the same inode
number. The remsh command is the remote shell command and should not be considered a shell. Solaris
uses the /usr/bin/rsh and the /usr/ucb/rsh commands for remote shells, and they should also be
ignored here. A restricted shell also exists for bash (rbash).
PDI:
GEN002160
V0000919
Category I
:
Status Code: AUTO
Previously:
G072
IA Controls:
PDI Description:
Reference:
ECLP-1
Shell files have the suid bit set.
UNIX STIG: 3.10
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 104
4. GEN002180 – Shells SGID
AIX.
# ls –l <shell>
All Other Platforms
# ls –l <shell>
If shell files have the sgid bit set, then this is a finding.
PDI:
GEN002180
Category II
:
V0000920
Status Code: AUTO
Previously:
G073
IA Controls:
ECLP-1
PDI Description:
Shell files have the sgid bit set.
Reference:
UNIX STIG: 3.10
5. GEN002200 – Shells Ownership
AIX.
# ls –l <shell>
All Other Platforms
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 105
# ls –l <shell>
If shell files are not owned by root or bin, then this is a finding.
PDI:
GEN002200
Category II
:
V0000921
Status Code: AUTO
Previously:
G074
IA Controls:
ECLP-1
PDI Description:
Shell files are not owned by root or bin.
Reference:
UNIX STIG: 3.10
6. GEN002220 – Shells Permissions
AIX.
# ls –l <shell>
All Other Platforms
# ls –l <shell>
If shell files are more permissive than 755, then this is a finding.
PDI:
GEN002220
V0000922
Category II
:
Status Code: AUTO
Previously:
G075
IA Controls:
PDI Description:
Reference:
ECLP-1
Shell files are more permissive than 755.
UNIX STIG: 3.10
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 106
17. Device Files
1. GEN002260 – System Baseline for Device Files Checking
# find / -type b
# find / -type c
# find / -type n
If the system is not checked weekly against the system baseline for extraneous device files, then this is a finding.
Ask the SA to show the previous weeks baseline of files.
PDI:
GEN002260
V0000923
Category III
:
Status Code: MAN
Previously:
G076
IA Controls:
PDI Description:
Reference:
VIVM-1
The system is not checked weekly against the system baseline for
extraneous device files.
UNIX STIG: 3.11
2. GEN002280 – Device Files Directories Permissions
#
ls –al /dev
#
ls –al /devices (Solaris)
Check the permissions on the directories and subdirectories that contain device files.
If device file directories are writable by users other than a system account or as configured by the vendor, then
this is a finding.
PDI:
GEN002280
V0000924
Category II
:
Status Code: MAN
Previously:
G077
IA Controls:
ECCD-1, ECCD-2
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 107
PDI Description:
Device file directories are writable by users other than a system
account or as configured by the vendor.
Reference:
UNIX STIG: 3.11
3. GEN002300 – Device Files Ownership
Attempt to determine if any backup devices exist for the system. Some systems will have a file containing the
default device files (such as /etc/default/ tar on Solaris). Others can be checked via a system
administration GUI (such as SAM on HP-UX). If backup device files exist ask the SA or IAO if the file(s) are
documented with the IAO. .
PDI:
GEN002300
Category II
:
V0000925
Status Code: PART
Previously:
G078
IA Controls:
DCSD-1, ECCD-1, ECCD-2
PDI Description:
Device files used for backup are writable by users other than root or a
pseudo backup user.
Reference:
UNIX STIG: 3.11
4. GEN002320 – Audio Device Permissions
SOLARIS
# ls –lL /dev/audio
HP-UX
# /usr/sbin/ioscan –f
# ls –lL <audio device file>
AIX
# /usr/sbin/lsdev –C | grep –I audio
#
ls –lL /dev/*aud0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 108
IRIX
Linux
# ls -lL /dev/audio*
If the permissions are greater than 644, then this is a finding.
PDI:
GEN002320
Category II
:
V0001048
Status Code: AUTO
Previously:
G501
IA Controls:
PDI Description:
An audio device is more permissive than 644.
Reference:
UNIX STIG: 3.11
5. GEN002340 – Audio Device Ownership
SOLARIS
HP-UX
AIX
#
ls –lL /dev/*aud0
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 109
Linux
If the audio device is not owned by root, then this is a finding.
PDI:
GEN002340
Category II
:
V0001049
Status Code: AUTO
Previously:
G502
IA Controls:
PDI Description:
An audio device is not owned by root.
Reference:
UNIX STIG: 3.11
6. GEN002360 – Audio Device Group Ownership
SOLARIS
HP-UX
AIX
#
ls –lL /dev/*aud0
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 110
Linux
If the audio device group ownership is not root, sys, bin, or audio, then this is a finding.
PDI:
GEN002360
V0001061
Category II
:
Status Code: AUTO
Previously:
G504
IA Controls:
PDI Description:
Reference:
An audio device is not group owned by root, sys, or bin.
UNIX STIG: 3.11
18. Set User ID (suid)
1. GEN002380 – SUID Files Baseline
# find / perm –4000 | more
If the ownership, permissions, and location of files with the suid bit set are not baselined with the IAO, then this
is a finding.
PDI:
GEN002380
V0000801
Category II
:
Status Code: PART
Previously:
G082
IA Controls:
PDI Description:
Reference:
ECLP-1
The ownership, permissions, and location of files with the suid bit set
are not documented with the IAO .
UNIX STIG: 3.12.1
2. GEN002400 – System Baseline for SUID Files Checkling
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 111
# find / perm –4000 |more
If the system is not checked weekly against the system baseline for unauthorized suid files as well as
unauthorized modification to authorized suid files, then this is a finding.
PDI:
GEN002400
V0000803
Category II
:
Status Code: PART
Previously:
G084
IA Controls:
VIVM-1
PDI Description:
unauthorized suid files as well as unauthorized modification to
authorized suid files.
Reference:
UNIX STIG: 3.12.1
3. GEN002420 – File Systems Mounted With nosuid
# mount | grep –v nosuid
Confirm all NFS mounts, floppy & CD drives, and user file systems (e.g., /export/home or /usr/home )
are configured with the nosuid option.
If user file systems, removable media, or remote file systems that do not require suid/sgid files are not mounted
with the nosuid option invoked, then this is a finding.
PDI:
GEN002420
V0000805
Category II
:
Status Code: PART
Previously:
G086
IA Controls:
ECLP-1
PDI Description:
User file systems, removable media, or remote file systems are not
mounted with the nosuid option invoked.
Reference:
UNIX STIG: 3.12.1
19. Set Group ID (sgid)
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 112
1. GEN002440 – SGID Files Baseline
If the ownership, permissions, and location of files with the suid bit set are not baselined with the IAO, then this
is a finding.
PDI:
GEN002440
V0000802
Category II
:
Status Code: PART
Previously:
G083
IA Controls:
ECLP-1
PDI Description:
The ownership, permissions, and location of files with the suid bit set
are not documented with the IAO
Reference:
UNIX STIG: 3.12.1
2. GEN002460 – System Baseline for SGID Files Checking
If the system is not checked weekly against the system baseline for unauthorized sgid files as well as
unauthorized modification to authorized sgid files, then this is a finding.
PDI:
GEN002460
V0000804
Category II
:
Status Code: PART
Previously:
G085
IA Controls:
VIVM-1
PDI Description:
unauthorized sgid files as well as unauthorized modification to
authorized sgid files.
Reference:
UNIX STIG: 3.12.2
20. Sticky Bit
1. GEN002480 – World Writable Files and Directories
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 113
# find / -type f -perm -002 |more
If there are world writable files, then this is a finding.
# find / -type d -perm -002 |more
If there are world writable directories that are not public directories (e.g., /tmp), then this is a finding.
PDI:
GEN002480
V0001010
Category II
:
Status Code: PART
Previously:
G079
IA Controls:
ECCD-1, ECCD-2
PDI Description:
There are world writable files or world writable directories that are not
public directories.
Reference:
UNIX STIG: 3.12.3
2. GEN002500 – Sticky Bit on Public Directories
# find / -type d -perm -002 ! –perm -1000 |more
If the sticky bit is not set on public directories, then this is a finding.
PDI:
GEN002500
Category:III
Status Code: PART
Previously:
G087
V0000806
IA Controls:
ECCD-1, ECCD-2, ECLP-1
PDI Description:
The sticky bit is not set on public directories.
Reference:
UNIX STIG: 3.12.3
3. GEN002520 – Public Directories Ownership
# find / -type d $ -perm -002 -a –perm –1000 $ |more
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 114
If public directories are not owned by root or an application user, then this is a finding.
PDI:
GEN002520
Category II
:
V0000807
Status Code: PART
Previously:
G088
IA Controls:
ECLP-1
PDI Description:
Public directories are not owned by root or an application user.
Reference:
UNIX STIG: 3.12.3
4. GEN002540 – Public Directories Group Ownership
# find / -type d $ -perm -002 -a –perm –1000 $ |more
If public directories are not group owned by root, sys, bin, or an application group, then this is a finding.
PDI:
GEN002540
Category:II
Status Code: MAN
Previously:
N/A
V0011990
IA Controls:
ECLP-1
PDI Description:
Public directories are not group owned by root, sys, bin, or an
application group.
Reference:
UNIX STIG: 3.12.3
21. Umask
1. GEN002560 – Default umask
AIX
# /usr/sbin/lsuser –a umask ALL | more
All other platforms
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 115
Global Initialization Files
# grep umask /etc/*
Confirm the global initialization files set the umask to 077.
# grep umask / <usershomedirectory>/.*
Confirm the local initialization files do not exceed the default umask to 077.
Note: If the default umask is 000 or allows for the creation of world writable files this becomes a Severity Code I
finding.
If the system and user default umask is not 077, then this a finding.
PDI:
GEN002560
V0000808
Category II
:
Status Code: PART
Previously:
G089
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The system and user default umask is not 077.
Reference:
UNIX STIG: 3.13
2. GEN002580 – Permissive umask Documentation
AIX
# /usr/sbin/lsuser –a umask ALL | more
# grep umask / <usershomedirectory>/.*
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 116
If an application has a umask less restrictive than 077, ask the SA or IAO if it is an application requirement and
ask to see the documentation. Note, however, that it is well known that Oracle requires a umask of 022. In that
case, or a similar one, this would not be a finding if it is documented with the IAO.
PDI:
GEN002580
V0000809
Category III
:
Status Code: MAN
Previously:
G090
IA Controls:
ECCD-1, ECCD-2
PDI Description:
Applications requiring an umask more permissive than 077 are not
Reference:
UNIX STIG: 3.13
22. Development Systems
1. GEN002600 – Development Systems Security Requirements
Ask the SA if the system being evaluated is a development system. If the system is utilized for development, ask
the SA if the same security standards are applied to both the development and production systems. If the same
security standards are not applied to both development and production systems, then this is a finding.
PDI:
GEN002600
Category:II
Status Code: MAN
Previously:
N/A
V0011991
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The development system is not subject to the same security
requirements as production systems.
Reference:
UNIX STIG: 3.14
23. Default Accounts
1. GEN002640 – Disabled Default System Accounts
To determine if default system accounts such as those for sys, bin, uucp, nuucp, daemon, smtp, etc., have been
disabled perform the following:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 117
Solaris
# grep “*LK*” /etc/shadow
HP-UX
# grep u_lock /tcb/files/auth/b/bin
Repeat for other system accounts.
AIX
#
grep account_locked /etc/security/user
IRIX
#
grep “*LK*” /etc/passwd
Linux
#
awk –F: ‘$2 == “*” {print $0}’ /etc/shadow
If there are any default system accounts that are not locked or have false for a shell, then this is a finding.
PDI:
GEN002640
Category:II
Status Code: MAN
Previously:
G092
V0000810
IA Controls:
PDI Description:
Default accounts have not been disabled.
Reference:
UNIX STIG: 3.15
24. Audit Requirements
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 118
1. GEN002660 – Configure and Implement Auditing
Perform the following to determine if auditing is enabled:
Solaris
# ps –ef |grep auditd
HP-UX
# audsys
AIX
#
/usr/sbin/audit query | head -1
IRIX
#
chkconfig audit
Linux
#
ps –ef |grep auditd
If the auditd process is not found, then this is a finding.
PDI:
GEN002660
V0000811
Category II
:
Status Code: AUTO
Previously:
G093
IA Controls:
ECAN-1, ECAT-1, ECAT-2
PDI Description:
Auditing is not implemented.
Reference:
UNIX STIG: 3.16
2. GEN002680 – Audit Logs Accessiblity
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 119
Perform the following to determine the location of audit logs and then check the ownership:
Solaris
# more /etc/security/audit_control
# ls –lLd <audit log dir>
HP-UX
# ls –la /.secure/etc/*
AIX
#
grep “:bin:” /etc/security/audit/config
Directories to search will be listed under the bin stanza.
#
ls –la <audit directories>
IRIX
#
ls –la /var/adm/sat
Linux
#
ls –la /var/log/audit.d
# ls –la /var/log/audit/audit.log
If any of the audit log file s are readable by unprivileged id’s, then this is a finding.
PDI:
GEN002680
V0000812
Category II
:
Status Code: AUTO
Previously:
G094
IA Controls:
ECTP-1
PDI Description:
System audit logs are readable by unauthorized users.
Reference:
UNIX STIG: 3.16
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 120
3. GEN002700 – Audit Logs Permissions
Perform the following to determine the location of audit logs and then check the permissions:
Solaris
# ls –la <audit log dir>
HP-UX
# ls –la /.secure/etc
AIX
#
grep “:bin:” /etc/security/audit/config
Directories to search will be listed under the bin stanza.
#
ls –la <audit directories>
IRIX
#
ls –la /var/adm/sat
Linux
#
ls –la /var/log/audit.d
# ls –la /var/log/audit/audit.log
If any of the audit log file permissions are greater than 640, then this is a finding.
PDI:
GEN002700
V0000813
Category II
:
Status Code: AUTO
Previously:
G095
IA Controls:
ECTP-1
PDI Description:
System audit logs are more permissive than 640.
Reference:
UNIX STIG: 3.16
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 121
4. GEN002720 – Audit Failed File and Program Access Attempts
Solaris
Confirm flags –fr or fr is configured.
HP-UX
#
grep –i “audevent_args1” /etc/rc.config.d/auditing \
| grep open
AIX
#
more /etc/security/audit/events
Confirm the following events are configured:
FILE_Open
IRIX
#
sat_select |egrep “sat_access_denied|sat_access_failed”
Linux
For LAUS:
#
grep “@open-ops” /etc/audit/filter.conf
For auditd:
# grep “-a exit,always –S open –F success!=0” /etc/audit.rules
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 122
GEN002720
Category:II
Status Code: AUTO
Previously:
G100-G106
V0000814
IA Controls:
ECAR-2
PDI Description:
The audit system is not configured to audit failed attempts to access
files and programs.
Reference:
UNIX STIG: 3.16
5. GEN002740 – Audit File and Program Deletion
Solaris
# grep flags /etc/security/audit_control
Confirm flags fd or +fd and -fd is configured.
HP-UX
#
| grep delete
AIX
#
FILE_Unlink, FS_Rmdir
IRIX
#
sat_select |grep “sat_file_crt_del”
Linux
For LAUS:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 123
#
grep “@rmdir-ops” /etc/audit/filter.conf
#
grep “@unlink-ops” /etc/audit/filter.conf
For auditd:
# grep “-a exit,always –S unlink –S rmdir” /etc/audit.rules
PDI:
GEN002740
Category:II
Status Code: AUTO
Previously:
G100-G106
V0000815
IA Controls:
ECAR-2
PDI Description:
The audit system is not configured to audit files and programs deleted
by the user.
Reference:
UNIX STIG: 3.16
6. GEN002760 – Audit Administrative, Privileged, and Security Actions
Solaris 2.5 through 9
Confirm flags ad or +ad and -ad is configured.
Solaris 10 and some prior versions of 8 and 9
Confirm am or +am and -am is configured.
HP-UX
#
| grep admin
#
| grep removable
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 124
AIX
#
ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create,
FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount,
PASSWORD_Check, PROC_Adjtime,PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIds,
RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and
USER_SetEnv
IRIX
#
sat_select |egrep “sat_ae_mount|sat_sysacct|sat_checkpriv”
Linux
For LAUS:
#
#
grep “@priv-ops” /etc/audit/filter.conf
grep “@mount-ops” /etc/audit/filter.conf
#
grep “@system-ops” /etc/audit/filter.conf
For auditd the following should be present in /etc/audit.rules:
-w /var/log/audit/
-w /etc/auditd.conf
-w /etc/audit.rules
-a exit,always –S stime –S acct –S reboot –S swapon
-a exit,always –S settimeofday –S setrlimit –S setdomainname
-a exit, always –S sched_setparam –S sched_setscheduler
PDI:
GEN002760
Category:II
Status Code: AUTO
Previously:
G100-G106
V0000816
IA Controls:
ECAR-2
PDI Description:
The audit system is not configured to audit all administrative,
privileged, and security actions.
Reference:
UNIX STIG: 3.16
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 125
7. GEN002800 – Audit Login, Logout, and Session Initiation
Solaris
# egrep “flags|naflags” /etc/security/audit_control
Confirm flags lo or +lo and -lo is configured.
Confirm naflags lo or +lo and –lo is configured.
HP-UX
#
| grep login
AIX
#
USER_Login, USER_Logout, INIT_Start, INIT_End and USER_SU
IRIX
#
sat_select |grep sat_ae_identity
Linux
For LAUS:
#
grep process-login /etc/audit/filter.conf |grep always
For auditd:
This is not a finding. Auditd enables this by default in the source code.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 126
GEN002800
Category:II
Status Code: AUTO
Previously:
G100-G106
V0000818
IA Controls:
ECAR-2
PDI Description:
The audit system is not configured to audit login, logout, and session
initiation.
Reference:
UNIX STIG: 3.16
8. GEN002820 – Audit D iscretionary Access Control Permission Modifications
Solaris
Confirm flags fm or +fm and -fm is configured.
HP-UX
#
# | grep moddac
AIX
#
FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode and
FILE_Owner
IRIX
#
#
sat_select |grep sat_fd_attr_write
sat_select |grep sat_file_attr_write
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 127
Linux
For LAUS:
#
#
grep “@mode-ops” /etc/audit/filter.conf
grep “@owner-ops” /etc/audit/filter.conf
For auditd the following system calls should be present in /etc/audit.rules:
-a exit,always –S chmod –S fchmod –S chown –S chown32 –S fchown
-a exit,always –S fchown32 –S lchown –S lchown32
PDI:
GEN002820
Category:II
Status Code: AUTO
Previously:
G100-G106
V0000819
IA Controls:
ECTP-1
PDI Description:
The audit system is not configured to audit all d iscretionary access
control permission modifications.
Reference:
UNIX STIG: 3.16
9. GEN002860 – Audit Logs Rotation
Perform the following to search the crontab for entries to rotate the audit logs.
#
crontab –l
If a program can be located, this is not a finding. Otherwise, query the SA. If there is one that is demonstrable
(and runs automatically), this is not a finding. If the SA runs it manually, it is still a finding, because if the SA is
not there, it will not be accomplished. If the audit output is not archived daily, to tape or disk, this is a finding.
This can be ascertained by looking at the audit log directory and, if more than one file is there, or if the file does
not have today’s date, this is a finding.
PDI:
GEN002860
V0004357
Category II
:
Status Code: AUTO
Previously:
G674
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 128
IA Controls:
ECTP-1
PDI Description:
Audit logs are not rotated daily.
Reference:
UNIX STIG: 3.16
10. GEN002900 – Audit Data Retention
Ask the SA or the IAO if audit data is retained for at least one year or five years for SAMI audit data. If it is not,
PDI:
GEN002900
V0011992
Category III
:
Status Code: MAN
Previously:
N/A
IA Controls:
ECRR-1
PDI Description:
Audit data is not retained at least one year or SAMI audit data for five
years.
Reference:
UNIX STIG: 3.16
11. GEN002920 – Audit Data Backup
Ask the SA if audit logs and records are backed up onto a different system or offline media on at least a weekly
basis. If it is not, then this is a finding. This check only pertains to audit logs. If a full operating system backup
is completed weekly which contains all of the audit logs, then this is not a finding.
PDI:
GEN002920V001204 Category III
8
:
Status Code: MAN
Previously:
N/A
IA Controls:
ECTB-1
PDI Description:
Audit data is not backed up onto a different system or backup
media on at least a weekly basis.
Reference:
UNIX STIG: 3.16
25. Audit Review Guidance
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 129
1. GEN002940 – Audit Logs Review
Ask the IAO if audit files are reviewed daily for requirements stated in the Unix STIG. If the audit files are not
reviewed daily, then this is a finding.
PDI:
GEN002940V001199 Category II
3
:
Status Code: MAN
Previously:
N/A
IA Controls:
ECAT-1, ECAT-2
PDI Description:
Audit trails and/or system logs are not reviewed on a daily basis
for:
Excessive logon attempt failures by single or multiple users
Logons at unusual/non-duty hours
Failed attempts to access restricted system or data files
indicating a possible pattern of deliberate browsing
Unusual or unauthorized activity by System Administrators
Command-line activity by a user that should not have that
capability
System failures or errors
Unusual or suspicious patterns of activity
Reference:
UNIX STIG: 3.16.1
26. Cron Restrictions
1. GEN002960 – Cron Utility Accessibility
Verify the cron.allow and cron.deny files exist:
Solaris
# ls –lL /etc/cron.d/cron.allow
# ls –lL /etc/cron.d/cron.deny
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 130
HP-UX
# ls –lL /var/adm/cron/cron.allow
# ls –lL /var/adm/cron/cron.deny
AIX
IRIX
Linux
Red Hat
# ls –lL /etc/cron.allow
# ls –lL /etc/cron.deny
Or
SuSE
# ls –lL /var/spool/cron/allow
# ls –lL /var/spool/cron/deny
If the cron.allow or cron.deny files do exist, then this is a finding.
PDI:
GEN002960
V0000974
Category II
:
Status Code: AUTO
Previously:
G200
IA Controls:
PDI Description:
Reference:
ECPA-1
Access to the cron utility is not controlled via the cron.allow and/or
cron.deny file(s).
UNIX STIG: 3.17.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 131
2. GEN002980 – The cron.allow Permissions
Solaris
HP-UX
AIX
IRIX
Linux
Red Hat
Or
SuSE
If the cron.allow file is more permissive than 600, then this is a finding.
PDI:
GEN002980
V0000975
Category II
:
Status Code: AUTO
Previously:
G201
IA Controls:
PDI Description:
The cron.allow file is more permissive than 600.
Reference:
UNIX STIG: 3.17.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 132
3. GEN003000 – Cron Executes World Writable Programs
The following lists the directories to search for cron jobs:
Solaris
# ls /var/spool/cron/crontabs/
HP-UX
AIX
IRIX
Linux
# ls /var/spool/cron/
# ls /etc/cron.d/
# ls /etc/crontab
# ls /etc/cron.daily/
# ls /etc/cron.hourly/
# ls /etc/cron.monthly/
# ls /etc/cron.weekly/
If cron jobs exist under any of the above directories, use the following command to search for programs executed
by at:
#
more <cron job file>
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 133
Perform a lo ng listing of each program file found in the cron file to determine if the file is world writeable.
#
ls –la <cron program file>
If cron executes world writeable files, then this is a finding.
PDI:
GEN003000
V0000976
Category II
:
Status Code: AUTO
Previously:
G203
IA Controls:
DCSL-1
PDI Description:
Cron executes group or world writable programs.
Reference:
UNIX STIG: 3.17.3
4. GEN003020 – Cron Executes Programs in World Writable Directories
The following lists the directories to search for cron jobs:
Solaris
HP-UX
AIX
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 134
Linux
# ls /var/spool/cron/
# ls /etc/cron.d/
# ls /etc/crontab
# ls /etc/cron.daily/
# ls /etc/cron.hourly/
# ls /etc/cron.monthly/
# ls /etc/cron.weekly/
If cron jobs exist under any of the above directories, use the following command to search for programs executed
by at:
#
more <cron job file>
Perform a long listing of each program file ’s parent directory found in the cron file to determine if the directory
is world writeable.
#
ls –la <cron program file directory>
If cron executes programs in world writeable directories, then this is a finding.
PDI:
GEN003020V000097 Category:II
7
Status Code:AUTO
Previously:
G204
IA Controls:
DCSL-1
PDI Description:
Cron executes programs in or subordinate to world writable
directories.
Reference:
UNIX STIG: 3.17.3
5. GEN003040 – Crontabs Ownership
Perform the following to view the crontab ownership:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 135
Solaris
# ls –lL /var/spool/cron/crontabs/
HP-UX
AIX
IRIX
Linux
# ls –lL /var/spool/cron/
# ls –lL /etc/cron.d/
# ls –lL /etc/crontab
# ls –lL /etc/cron.daily/
# ls –lL /etc/cron.hourly/
# ls –lL /etc/cron.monthly/
# ls –lL /etc/cron.weekly/
If the file is not owned by root or the creating user account, then this is a finding.
PDI:
GEN003040
V0011994
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSL-1
PDI Description:
Crontabs are not owned by root or the crontab creator.
Reference:
UNIX STIG: 3.17.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 136
6. GEN003060 – Default System Accounts and Cron
Check for default system accounts in the following:
Solaris
# more /etc/cron.d/cron.allow
HP-UX
# more /var/adm/cron/cron.allow
AIX
# more /var/adm/cron/cron.allow
IRIX
# more /etc/cron.d/cron.allow
Linux
Red Hat
# more /etc/cron.allow
Or
SuSE
# more /var/spool/cron/allow
Default accounts (such as bin, sys, adm, and others) will not be listed in the cron.allow file or this will be a
finding.
PDI:
GEN003060
V0011995
Category II
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECPA-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 137
PDI Description:
Default system accounts (with the possible exception of root) are listed
in the cron.allow file or excluded from the cron.deny file if cron.allow
does not exist.
Reference:
UNIX STIG: 3.17.3
7. GEN003080 – Crontab files Permissions
Solaris
HP-UX
AIX
IRIX
Linux
# ls –lL /var/spool/cron/
# ls –lL /etc/cron.d/
# ls –lL /etc/crontab
# ls –lL /etc/cron.daily/
# ls –lL /etc/cron.hourly/
# ls –lL /etc/cron.monthly/
# ls –lL /etc/cron.weekly/
( Permissions of 600)
( Permissions of 600)
(Permissions of 600)
If crontab files are more permissive than 600 (700 for some Linux files), then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN003080
V0000978
Page 138
Category II
:
Status Code: AUTO
Previously:
G205
IA Controls:
PDI Description:
Crontab files are more permissive than 600 (700 for some Linux files).
Reference:
UNIX STIG: 3.17.3
8. GEN003100 – Cron and Crontab Directories Permissions
Solaris
# ls –ld /var/spool/cron/crontabs
HP-UX
AIX
IRIX
Linux
# ls –ld /var/spool/cron
# ls –ld /etc/cron.d
# ls –ld /etc/cron.daily
# ls –ld /etc/cron.hourly
# ls –ld /etc/cron.monthly
# ls –ld /etc/cron.weekly
If the cron or crontab directories are more permissive than 755, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
GEN003100
V0000979
Page 139
Category II
:
Status Code: AUTO
Previously:
G206
IA Controls:
PDI Description:
The cron or crontab directories are more permissive than 755.
Reference:
UNIX STIG: 3.17.3
9. GEN003120 – Cron and Crontab Directories Ownership
Solaris
HP-UX
AIX
IRIX
Linux
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 140
If the cron or crontab directories are not owned by root or bin, then this is a finding.
PDI:
GEN003120
V0000980
Category II
:
Status Code: AUTO
Previously:
G207
IA Controls:
PDI Description:
The cron or crontab directories are not owned by root or bin.
Reference:
UNIX STIG: 3.17.3
10. GEN003140 – Cron and Crontab Directories Group Ownership
Solaris
HP-UX
AIX
IRIX
Linux
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 141
If the cron or crontab directories are not group owned by root, sys, or bin, then this is a finding.
PDI:
GEN003140
V0000981
Category II
:
Status Code: AUTO
Previously:
G208
IA Controls:
ECLP-1
PDI Description:
The cron or crontab directories are not group owned by root, sys, or bin.
Reference:
UNIX STIG: 3.17.3
11. GEN003160 – Cron Logging
Perform the following to check for cron logging:
Solaris
# ls –lL /var/cron/log
#
more /etc/default/cron
CRONLOG=YES
If this line does not exist, this is a finding.
HP-UX
# ls –lL /var/adm/cron/log
Cron is logged by default.
AIX
Cron is logged by default.
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 142
Linux
Cron logging is controlled by the syslog on Linux:
#
grep cron* /etc/syslog.conf
Red Hat
# ls –lL /var/log/cron
SuSE
# ls –lL /var/log/messages
If an entry for cron is not found, then this is a finding.
PDI:
GEN003160
V0000982
Category II
:
Status Code: AUTO
Previously:
G209
IA Controls:
ECAT-1, ECAT-2, DCCS-1, DCCS-2
PDI Description:
Cron logging is not implemented.
Reference:
UNIX STIG: 3.17.3
12. GEN003180 – Cronlog Permissions
Solaris
HP-UX
AIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 143
IRIX
Linux
Red Hat
# ls –lL /var/log/cron
SuSE
# ls –lL /var/log/messages
If the cronlog file is more permissive than 600, then this is a finding.
PDI:
GEN003180
V0000983
Category II
:
Status Code: AUTO
Previously:
G210
IA Controls:
PDI Description:
The cronlog file is more permissive than 600.
Reference:
UNIX STIG: 3.17.3
13. GEN003200 – cron.deny Permissions
Solaris
HP-UX
AIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 144
IRIX
Linux
Red Hat
Or
SuSE
If the cron.deny file is more permissive than 600 , then this is a finding.
PDI:
GEN003200
V0004358
Category II
:
Status Code: AUTO
Previously:
G620
IA Controls:
PDI Description:
The cron.deny file is more permissive than 600.
Reference:
UNIX STIG: 3.17.3
14. GEN003220 – Cron Programs umask
Perform the following to check for cron jobs:
Solaris
# ls –lL /var/spool/cron/crontabs
HP-UX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 145
AIX
IRIX
Linux
# ls –lL /var/spool/cron
# ls –lL /etc/cron.d
# ls –lL /etc/cron.daily
# ls –lL /etc/cron.hourly
# ls –lL /etc/cron.monthly
# ls –lL /etc/cron.weekly
Determine if there are any cron jobs by viewing a long listing of the directory. If there are cron jobs perform the
following to check for any programs that may have a umask more permissive than 077:
#
grep umask ./*
If there are any, this is a finding unless the IAO has justifying documentation. If there are no cron jobs present,
this vulnerability is Not Applicable.
PDI:
GEN003220
Category:III
Status Code: PART
Previously:
G621
V0004360
IA Controls:
DCSW-1, DCSD-1
PDI Description:
Cron programs set the umask more permissive than 077 and these are
not justified and documented with the IAO.
Reference:
UNIX STIG: 3.17.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 146
15. GEN003240 – cron.allow Ownership
Solaris
HP-UX
AIX
IRIX
Linux
Red Hat
Or
SuSE
If the cron.allow file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI:
GEN003240
V0004361
Category II
:
Status Code: AUTO
Previously:
G622
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 147
IA Controls:
DCSW-1
PDI Description:
The cron.allow file is not owned and group owned by root , sys or bin.
Reference:
UNIX STIG: 3.17.3
16. GEN003260 – cron.deny Ownership
Solaris
HP-UX
AIX
IRIX
Linux
Red Hat
Or
SuSE
If the cron.deny file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI:
GEN003260
V0004430
Category II
:
Status Code: AUTO
Previously:
G623
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 148
IA Controls:
DCSW-1
PDI Description:
The cron.deny file is not owned and group owned by root , sys, or bin.
Reference:
UNIX STIG: 3.17.3
27. At Restrictions
1. GEN003280 – At Utility Accessibility
Verify the at.allow and/or at.deny files exist.
Solaris
# ls –lL /etc/cron.d/at.allow
# ls –lL /etc/cron.d/at.deny
HP-UX
# ls –lL /var/adm/cron/at.allow
# ls –lL /var/adm/cron/at.deny
AIX
IRIX
Linux
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 149
# ls –lL /etc/at.allow
# ls –lL /etc/at.deny
Ensure at least on of the above files exists .
PDI:
4
Status Code:AUTO
Previously:
G211
IA Controls:
ECPA-1
PDI Description:
Access to the at utility is not controlled via the at .allow and/or
at.deny file(s).
Reference:
UNIX STIG: 3.18.3
2. GEN003300 – The at.deny File
Solaris
# more /etc/cron.d/at.deny
HP-UX
# more /var/adm/cron/at.deny
AIX
# more /var/adm/cron/at.deny
IRIX
# more /etc/cron.d/at.deny
Linux
# more /etc/at.deny
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 150
If the at.deny file exists and is empty, then this is a finding.
PDI:
5
Status Code:AUTO
Previously:
G212
IA Controls:
ECPA-1
PDI Description:
The at.deny file exists and is empty.
Reference:
UNIX STIG: 3.18.3
3. GEN003320 – Default System Accounts and At
Solaris
# more /etc/cron.d/at.allow
HP-UX
# more /var/adm/cron/at.allow
AIX
# more /var/adm/cron/at.allow
IRIX
# more /etc/cron.d/at.allow
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 151
Linux
# more /etc/at.allow
Default accounts (such as bin, sys, adm, and others) will not be listed in the at.allow file or this will be a
finding.
PDI:
6
Status Code:AUTO
Previously:
G213
IA Controls:
ECPA-1
PDI Description:
Default system accounts (with the exception of root) are listed in
the at.allow file or excluded from the at.deny file if at.allow does
not exist.
Reference:
UNIX STIG: 3.18.3
4. GEN003340 – at.allow and at.deny Permissions
Solaris
HP-UX
AIX
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 152
Linux
If the at.allow or at.deny file(s) is more permissive than 600, then this is a finding.
PDI:
7
Status Code:AUTO
Previously:
G214
IA Controls:
PDI Description:
The at.allow or at.deny file(s) is more permissive than 600.
Reference:
UNIX STIG: 3.18.3
5. GEN003360 – At Executes World Writable Programs
If at jobs exist under either /var/spool/cron/atjobs or /var/spool/atjobs , use the following
command to search for programs executed by at:
#
more <at job file>
Perform a long listing of each program file in the at job file to determine if the file is world writeable.
#
ls –la <at program file>
If at executes programs that are world writeable, then this is a finding.
PDI:
8
Status Code:AUTO
Previously:
G215
IA Controls:
DCSL-1
PDI Description:
At executes group or world writable programs.
Reference:
UNIX STIG: 3.18.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 153
6. GEN003380 – At Executes Programs in World Writable Directories
If at jobs exist under either /var/spool/cron/atjobs or /var/spool/atjobs , use the following
command to search for programs executed by at:
#
more <at job file>
Perform a long listing of each program file ’s parent directory found in the at job file to determine if the directory
is world writeable.
#
ls –la <at program file directory>
If at executes programs in world writeable directories, then this is a finding.
PDI:
9
Status Code:AUTO
Previously:
G216
IA Controls:
DCSL-1
PDI Description:
At executes programs in or subordinate to world writable
directories.
Reference:
UNIX STIG: 3.18.3
7. GEN003400 – The at Directory Permissions
Check the permissions of the at directory by performing the following:
# ls –ld /var/spool/cron/atjobs
Or
#
ls –ld /var/spool/atjobs
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 154
If the directory permissions are greater than 755, then this is a finding.
PDI:
4
Status Code:AUTO
Previously:
G625
IA Controls:
PDI Description:
The at (or equivalent) directory is more permissive than 755.
Reference:
UNIX STIG: 3.18.3
8. GEN003420 – The at Directory Ownership
Check the ownership of the at directory by performing the following:
# ls –ld /var/spool/cron/atjobs
Or
#
ls –ld /var/spool/atjobs
If the directory is not owned by root, sys, bin, or daemon, then this is a finding.
PDI:
5
Status Code:AUTO
Previously:
G626
IA Controls:
DCSW-1
PDI Description:
The at directory is not owned by root, sys, bin, or daemon.
Reference:
UNIX STIG: 3.18.3
9. GEN003440 – At Programs umask
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 155
Perform the following to check for at jobs:
#
cd /var/spool/cron/atjobs
Or
#
cd /var/spool/atjobs
Determine if there are any at jobs by viewing a long listing of the directory. If there are at jobs perform the
following to check for any programs that may have a umask more permissive than 077:
#
grep umask ./*
If there are any, this is a finding unless the IAO has justifying documentation. If there are no ‘at’ jobs present,
this vulnerability is Not Applicable.
PDI:
6
:
Status Code:PART
Previously:
G627
IA Controls:
DCSW-1, DCSD-1
PDI Description:
At programs set the umask more permissive than 077 and these
are not justified and documented with the IAO.
Reference:
UNIX STIG: 3.18.3
10. GEN003460 – at.allow Ownership
Solaris
HP-UX
AIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 156
IRIX
Linux
If the at.allow file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI:
7
:
Status Code:PART
Previously:
G629
IA Controls:
DCSW-1
PDI Description:
The at.allow file is not owned and group owned by root , sys, or
bin.
Reference:
UNIX STIG: 3.18.3
11. GEN003480 – at.deny Ownership
Solaris
HP-UX
AIX
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 157
Linux
If the at.deny file is not owned and group owned by root, sys, or bin, then this is a finding.
PDI:
8
:
Status Code:PART
Previously:
G630
IA Controls:
DCSW-1
PDI Description:
The at.deny file is not owned and group owned by root , sys, or
bin.
Reference:
UNIX STIG: 3.18.3
28. Restrict/Disable Core Dumps
1. GEN003500 – Restrict or Disable Core Dumps
Check for the disabling of core dumps with the following commands:
Solaris
# coreadm |grep enabled
If any lines are returned then this is a finding.
HP-UX
# grep ulimit /etc/profile
If the –c argument with a value of ‘0’ is not present, then this is a finding.
AIX
#
grep ulimit /etc/security/limits
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 158
If the –c argument with a value of ‘0’ is not present, then this is a finding.
Linux
#
ulimit –c
If the above command does not return 0 ,then this a finding.
IRIX
#
systune rlimit_core_max
0
If the above command does not return 0, then this is a finding.
PDI:
6
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Core dumps are not disable d or restricted.
Reference:
UNIX STIG: 3.20.1
2. GEN003520 – Core Dump Directory Ownership and Permissions
Perform the following to check the permissions of the core dump directory:
Solaris
# ls –ld /var/crash
HP-UX
#
ls –ld /var/adm/crash
#
ls –ld /var/adm/ras
AIX
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 159
#
ls –ld /var/adm/crash
#
ls –ld /var/crash
Linux
If the file permissions are greater than 700, then this is a finding. If GEN003500 is Not a Finding, then this
check is Not Applicable.
PDI:
7
:
Status Code: AUTO
Previously:
N/A
IA Controls:
PDI Description:
The core dump data directory is not owned and group owned by
root and/or is more permissive than 700.
Reference:
UNIX STIG: 3.20.1
29. Disable Executable Stack
1. GEN003540 – Disable Executable Stack
To check that the executable stack has been disabled, perform the following:
Solaris and Irix
#
grep noexec_user_stack /etc/system
If the noexec_user_stack is not set to ‘1’, then this is a finding.
HP-UX
Executable stacks are disabled by default. Check to ensure this is still set by:
#
kmtune –q executable_stack
If the executable_stack tuneable is set to 1, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 160
Linux
Linux kernels must support the NX feature. Red Hat Enterprise 4 and SuSE 9.1 and later do support this
feature. This will be a finding on systems prior to the above releases. This is a manual review.
AIX
Stack execution is disabled by default. Mark this check Not a Finding.
PDI:
9
Status Code: AUTO
Previously:
N/A
IA Controls:
PDI Description:
The executable stack is not disabled.
Reference:
UNIX STIG: 3.20.2
30. Restrict NFS Port Listening
31. Use More Random TCP Sequence Numbers
1. GEN003580 – TCP Sequence Numbers
Check the following to determine if TCP sequence numbers are not easily guessed:
Solaris
#
grep “TCP_STRONG_ISS=2” /etc/default/inetinit
If the this variable is not set, then this is a finding.
HP-UX
#
ndd /dev/tcp tcp_isn_passphrase
If the tcp_isn_passphrase tuneable is not set, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 161
Linux
All kernels after 1996 are not vulnerable to this. This check should be marked as Not Applicable for Linux.
AIX
#
instfix –ivk iy55950
#
#
If the above patches are not applied, then this is a finding.
Irix
#
systune tcpiss_md5
1
If any of the above settings are not configured, then this is a finding.
PDI:
1
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
More random TCP sequence numbers are not used.
Reference:
UNIX STIG: 3.20.4
32. Network Security Settings
1. GEN003600 – Network Security Settings
Perform the following to ensure the network security settings are enabled for each operating system. The
command is listed with the expected response below it.
Solaris
#
ndd /dev/ip ip_forward_src_routed
0
#
ndd /dev/tcp tcp_rev_src_routes
0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 162
#
ndd /dev/tcp tcp_conn_req_max_q0
2048 or greater
#
ndd /dev/tcp tcp_conn_req_max_q
1024
#
ndd /dev/ip ip_respond_to_timestamp
0
#
ndd /dev/ip ip_respond_to_echo_broadcast
0
#
ndd /dev/ip ip_respond_to_timestamp_broadcast
0
HP-UX
#
ndd /dev/ip ip_forward_src_routed
0
#
ndd /dev/ip ip_respond_to_timestamp
0
#
ndd /dev/ip ip_respond_to_echo_broadcast
0
#
ndd /dev/ip ip_respond_to_timestamp_broadcast
0
AIX
#
/usr/sbin/no –o ipsrcroutesend
0
#
/usr/sbin/no –o directed_broadcast
0
#
/usr/sbin/no –o bcastping
0
#
/usr/sbin/no –o ipsrcrouteforward
0
Linux
# sysctl –a | grep net.ipv4.ip_forward
0
#
sysctl –a | grep net.ipv4.tcp_max_syn_backlog
1280
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 163
#
sysctl –a | grep net.ipv4.conf.all.accept_source_route
0
#
sysctl –a | grep net.ipv4.icmp_echo_ignore_broadcasts
1
Irix
#
systune ipforward
2
#
systune allow_brdaddr_scraddr
0
If any of the above settings are not applied ,then this is a finding.
PDI:
2
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Network parameters are not securely set.
Reference:
UNIX STIG: 3.20.5
33. File Systems
1. GEN003620 – Separate Filesytem Partitions
Perform the following to determine if the /var, /home, and /export/home file partitions are on separate disk
partitions:
#
more /etc/fstab
Or
# more /etc/vfstab
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 164
Examine the first column for the disk device and ensure the device label for /var, /home, or /export/home are not
the same as the root filesystem. If they are the same, ask the SA if this is justified and documented with the
IAO. If it is not, then this is a finding.
PDI:
3
:
Status Code: PART
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Separate filesystem partitions are not used for /home, /export/
home, and /var and is not justified and documented with the IAO.
Reference:
UNIX STIG: 3.21
2. GEN003640 – Root Filesystem Logging
Logging should be enabled for those types of files systems that do not turn on logging by default. JFS, VXFS,
HFS and EXT3 all turn logging on by default and will not be a finding. For those that do not turn logging on by
default, perform the following:
#
mount | grep logging
Ensure the root file systems shows ‘loggin g’ or this will be a finding.
PDI:
4
Status Code:AUTO
Previously:
G690
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Logging is not implemented for the root filesystem.
Reference:
UNIX STIG: 3.21
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 165
34. Syslog AUTH/AUTHPRIV Facility
1. GEN003660 – Authentication Data Logging
Check /etc/syslog.conf and verify the auth facility is logging both the notice and info level messages by:
#
grep “auth.notice” /etc/syslog.conf
#
“auth.info” /etc/syslog.conf
grep
If either of the above two entries are not found, then this is a finding.
PDI:
4
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1,DCCS-2
PDI Description:
Authentication and informational data is not logged.
Reference:
UNIX STIG: 3.21
3. Network Services
1. Network Services
1. GEN003680 – Required Network Services For Operation
Perform the following to display network services that are configured:
#
grep –v “^#” /etc/inetd.conf
Or
#
svcs –a (solaris 10)
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 166
Or for Linux systems
# grep disable /etc/xinetd.d/* |grep no
Ask the SA if the network services are documented with the IAO.
PDI:
GEN003680V000097 Category III Status Code:PART
2
:
Previously:
A028
IA Controls:
DCSD-1, DCPP-1
PDI Description:
Network services not required for operations are not disabled
and/or network services required for operations are not
Reference:
UNIX STIG: 4
2. GEN003700 – Disable inetd/xinetd
First determine if inetd/xinetd is running:
#
ps –ef |grep inetd
#
ps –ef |grep xinetd
Or
Or
# svcs -a
If inetd is not running, then this check is not a finding. Otherwise continue:
#
grep –v “^#” /etc/inetd.conf
#
grep –v “^#” /etc/xinetd.conf
Or
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 167
Or for Linux systems
# grep disable /etc/xinetd.d/* |grep no
If any services are found from the above three commands, then this is considered not a finding.
PDI:
5
Status Code: AUTO
Previously:
N/A
IA Controls:
PDI Description:
All inetd/xinetd services are disabled and inetd (xinetd for Linux)
is not disabled.
Reference:
UNIX STIG: 4
3. GEN003720 – inetd.conf Ownership
Check the permissions of inetd.conf file by:
#
ls –lL /etc/inetd.conf
Or, for Linux systems
#
ls –lL /etc/xinetd.conf
#
ls –lL /etc/xinetd.d
This is a finding if any of the above files or directories are not owned by root or bin.
PDI:
1
Status Code:AUTO
Previously:
G107
IA Controls:
ECLP-1
PDI Description:
The inetd.conf file (xinetd.conf file and the xinetd.d directory for
Linux) is not owned by root or bin.
Reference:
UNIX STIG: 4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 168
4. GEN003740 – inetd.conf Permissions
Check the permissions of inetd.conf file by:
#
ls –lL /etc/inetd.conf
Or, for Linux systems
#
ls –lL /etc/xinetd.conf
#
ls –lL /etc/xinetd.d
This is a finding if permissions for the inetd.conf files are greater than 440. In addition, on Linux systems,
the /etc/xinetd.d directory permissions should not be greater than 755.
PDI:
2
Status Code:AUTO
Previously:
G108
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The inetd.conf (xinetd.conf for Linux) file is more permissive
than 440. The Linux xinetd.d. directory is more permissive than
755.
Reference:
UNIX STIG: 4
5. GEN003760 – The Services File Ownership
# ls –lL /etc/services
The services file is not owned by root or bin, then this is a finding
PDI:
3
:
Status Code:PART
Previously:
G109
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 169
IA Controls:
ECLP-1
PDI Description:
The services file is not owned by root or bin.
Reference:
UNIX STIG: 4
6. GEN003780 – The Services File Permissions
# ls –lL /etc/services
If the services file is more permissive than 644, then this is a finding.
PDI:
4
:
Status Code:PART
Previously:
G110
IA Controls:
PDI Description:
The services file is more permissive than 644.
Reference:
UNIX STIG: 4
7. GEN003800 – inetd Logging
Solaris 2.5 through 9
#
ps –ef |grep inetd |grep “-t”
Solaris 10
#
inetadm –p |grep tcp_trace
If the tcp_trace option is not found in the exported configuration file, then this is a finding.
HP-UX
#
ps –ef |grep inetd |grep “-l”
AIX and IRIX
#
ps –ef |grep inetd |grep “-d”
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 170
Linux
Each file in the /etc/xinetd.d directory and the /etc/inetd.conf file should be examined for
the following:
log_type
= SYSLOG authpriv
log_on_success
= HOST PID USERID EXIT
log_on_failure
= HOST USERID
If inetd logging is not enabled, then this is a finding.
PDI:
1
:
Status Code:PART
Previously:
G198
IA Controls:
PDI Description:
Inetd (xinetd for Linux) logging/tracing is not enabled.
Reference:
UNIX STIG: 4
2. Rlogin and rsh
1. GEN003820 – Remote Login or Shell Is Enabled
Solaris, HP-UX, AIX, IRIX
# grep –v “^#” /etc/inetd.conf |grep rlogind
# grep –v “^#” /etc/inetd.conf |grep rshd
Solaris 10
#
svcs rlogin
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 171
Linux
#
grep disable /etc/xinetd.d/rlogin
#
grep disable /etc/xinetd.d/rsh
If either rlogin or rsh are found to be enabled, then this is a finding.
PDI:
GEN003820V000468 Category I
7
:
Status Code:AUTO
Previously:
V042
IA Controls:
DCSW-1
PDI Description:
Remote login or remote shell is enabled.
Reference:
UNIX STIG: 4.1
3. Rexec
1. GEN003840 – The rexec Service Is Enabled
Perform the following to determine if the rexec service is enabled:
# grep –v “^#” /etc/inetd.conf |grep rexec
Solaris 10
#
svcs rexec |grep disabled
Linux
#
grep disable /etc/xinetd.d/rexec
If rexec is found to be enabled, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 172
8
:
Status Code:AUTO
Previously:
V102
IA Controls:
DCSW-1
PDI Description:
The rexec service is enabled.
Reference:
UNIX STIG: 4.2
4. Finger
1. GEN003860 – The finger Service Is Enabled
Perform the following to determine if the finger service is enabled:
# grep –v “^#” /etc/inetd.conf |grep finger
Solaris 10
#
svcs finger
Linux
#
grep disable /etc/xinetd.d/finger
If the finger service is not disabled, then this is a finding.
PDI:
GEN003860V000470 Category:III
1
Status Code:AUTO
Previously:
V046
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 173
IA Controls:
DCSW-1
PDI Description:
The finger Service Is Enabled
Reference:
UNIX STIG: 4.3
2. GEN003865 – Network analysis tools enabled.
Perform the following to determine if any network analysis tools are enabled:
# find / -name ethereal
# find / -name tcpdump
# find / -name snoop
If the any of the above network analysis tools are found, then this is a finding.
PDI:
9
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSW-1
PDI Description:
Network Analysis tools are enabled.
Reference:
UNIX STIG: 4.3
5. Remote Host Printing
1. GEN003880 – Print Server and Client Configuration Documentation
Ask the SA if the system is a print server or a client of another server. If it is either of these, ask the SA if it is
documented with the IAO. If the printer configuration is not documented with the IAO, then this is a finding.
PDI:
6
:
IA Controls:
Status Code:MAN
Previously:
G120
PESL-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 174
PDI Description:
The system is a print server /client, and the configuration is not
Reference:
UNIX STIG: 4.4
2. GEN003900 – hosts.lpd Contents
Look for the presence of a print service configuration file by using the command:
#
find /etc –name hosts.lpd –print
If this file does not exist, use the command:
#
find /etc –name Systems -print
#
find /etc –name printers.conf
If neither of the files are found, then this check should be marked Not Applicable.
Otherwise perform:
#
more <print service file>
and search for entries that contain a ‘+’ or ‘_’ character. If any are found then this is a finding.
PDI:
7
Status Code:AUTO
Previously:
G121
IA Controls:
DCSL-1
PDI Description:
The hosts.lpd file (or equivalent) contains a ‘+’ or ‘_’ character.
Reference:
UNIX STIG: 4.4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 175
3. GEN003920 – hosts.lpd Ownership
#
#
#
If neither of the files are found, then this check should be marked Not Applicable. Otherwise perform:
#
ls –lL <print service file>
If the owner of the file is not root, sys, bin or lp, then this is a finding.
PDI:
28
:
Status Code: AUTO
Previously:
G122
IA Controls:
ECLP-1
PDI Description:
The hosts.lpd (or equivalent) file is not owned by a root, sys, bin,
or lp.
Reference:
UNIX STIG: 4.4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 176
4. GEN003940 – hosts.lpd Permissions
#
#
#
If neither of the files are found, then this check should be marked Not Applicable. Otherwise perform:
#
ls –lL <print service file>
and verify the permissions are not greater than 664. If the permissions are greater than 664, then this is a
finding.
PDI:
9
Status Code:AUTO
Previously:
G123
IA Controls:
PDI Description:
The hosts.lpd (or equivalent) file is more permissive than 664.
Reference:
UNIX STIG: 4.4
6. Traceroute
1. GEN003960 – The traceroute Command Ownership
Solaris
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 177
# ls –lL /usr/sbin/traceroute
HP-UX
AIX
# ls –lL /usr/bin/traceroute
IRIX
# ls –lL /usr/etc/traceroute
Linux
If the traceroute command is not owned by root, then this is a finding.
PDI:
9
Status Code:AUTO
Previously:
G631
IA Controls:
DCSW-1
PDI Description:
The traceroute command is not owned by root.
Reference:
UNIX STIG: 4.5
2. GEN003980 – The traceroute Command Group Ownership
Solaris
HP-UX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 178
AIX
IRIX
Linux
If the traceroute command is not group owned by root, sys, or bin, then this is a finding.
PDI:
0
Status Code:AUTO
Previously:
G632
IA Controls:
DCSW-1
PDI Description:
The traceroute command is not group owned by root, sys, or bin.
Reference:
UNIX STIG: 4.5
3. GEN004000 – The traceroute Command Permissions
Solaris
HP-UX
AIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 179
IRIX
Linux
If the traceroute command is more permissive than 700, then this is a finding.
PDI:
1
Status Code:AUTO
Previously:
G633
IA Controls:
PDI Description:
The traceroute command is more permissive than 700.
Reference:
UNIX STIG: 4.5
7. Client Browser Requirements
1. GEN004020 – Browser Capable of 128-bit Encryption
This check will only apply to Netscape web browsers. All versions of Mozilla and Mozilla Firefox support 128bit encryption. Select Help from the browser menu, and then select About Navigator. The Netscape information
page will display. The line which says “This version supports U.S. security” indicates you have 128 bit
encryption. If its says “This version supports International security” you have 40 bit encryption and this is a
finding.
PDI:
2
:
IA Controls:
Status Code:MAN
Previously:
G634
DCSW-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 180
PDI Description:
The browser is not capable of 128-bit encryption.
Reference:
UNIX STIG: 4.6
2. GEN004040 – Browser Software Update Feature
This check will only apply to Netscape web browsers. All versions of Mozilla and Mozilla Firefox can check for
new browser version, but will not automatically install them. Verify that automatic software installation is not
enabled. Select Edit>>Preferences>>Advanced from the web browser toolbar. Drop down the Advanced submenu. The Advanced options sub-menu gives us the Software Installation settings. Verify the ‘Enable software
installation’ setting is not checked. If it is checked, then this is a finding.
PDI:
3
:
Status Code:MAN
Previously:
G635
IA Controls:
DCSW-1
PDI Description:
The browser SmartUpdate or software update feature is enabled.
Reference:
UNIX STIG: 4.6
3. GEN004060 – Browser Unencrypted Secure Content Caching
This check is mainly pertaining to passwords or sensitive data that can be stored by the browser cache. Ensure
the following setting is enabled: Edit>>Preferences>>Privacy&Security from the web browser toolbar. Select
the Passwords sub-category and verify ‘Use encryption when storing sensitive data’ under the Encrypting versus
Obscuring is checked. If it is not, then this is a finding.
PDI:
4
:
Status Code:MAN
Previously:
G636
IA Controls:
DCSW-1
PDI Description:
The browser has unencrypted secure content caching enabled.
Reference:
UNIX STIG: 4.6
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 181
4. GEN004100 – Browser Allows Active Scripting
To check if Java is enabled in the Netscape or Mozilla browser select Edit >> Preferences from the browser tool
bar, and then select the Advanced menu i tem. If the option, “Enable Java” is checked, this is a finding.
To determine if a browser has JavaScript Enabled perform:
Select Edit>>Preferences>Advanced from the browser toolbar. Select the Scripts and Plug-ins tab. Ensure that
“Navigator” is not selected under the Enable JavaScript heading. If it is, then this is a finding.
If either Java or JavaScript are enabled, then this is a finding.
PDI:
6
:
Status Code:MAN
Previously:
G638
IA Controls:
DCSW-1
PDI Description:
The browser allows active scripting.
Reference:
UNIX STIG: 4.6
5. GEN004120 – Browser Data Redirection Warning
To determine if a browser has browser data redirection warning enabled perform:
Select Edit>>Preferences>Privacy and Security from the browser toolbar. Select the Validation tab. Ensure that
“Use OCSP to validate only certificates that specify an OCSP service URL” is selected under the OCSP heading.
If it is not selected, then this is a finding.
PDI:
7
:
IA Controls:
Status Code:MAN
Previously:
G639
DCSW-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 182
PDI Description:
The browser does not issue a warning when form data is
redirected.
Reference:
UNIX STIG: 4.6
6. GEN004160 – Browser Certificate Warning
To check if a browser warning is enabled to issue a warning prior to viewing remote data select Edit >>
Preferences in the browser tool bar, and then select the Privacy and Security (Advanced in Mozilla) menu i tem.
Select the Validation tab and verify that “Use OCSP to validate only certificates that specify an OCSP service
URL” under OCSP. If it is not selected, then this is a finding.
PDI:
9
:
Status Code:MAN
Previously:
G641
IA Controls:
DCSW-1
PDI Description:
The browser does not issue a warning prior to viewing remote
data on a remote site containing a security certificate that does
not match its Internet address.
Reference:
UNIX STIG: 4.6
7. GEN004180 – Browser Home Page
Click on “Edit”>>“Preferences”>> “Navigator”, and verify the “Blank Page” button under “Navigator Start
With” is selected or, if Home Page is selected, verify the pathname under the Home Page box is for a local web
server. For Firefox select Edit >> Preferences in the browser tool bar, and then select the General item.
PDI:
0
:
IA Controls:
Status Code:MAN
Previously:
G642
DCSW-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 183
PDI Description:
The browser home page is not a blank page or a locally generated
page.
Reference:
UNIX STIG: 4.6
8. GEN004200 – Browser SSL Configuration
To check if browsers are configured for SSL, select Edit >> Preferences in the browser tool bar, and then select
the Privacy and Security menu i tem. Select the SSL tab and verify that “Enable SSL version 2” and “Enable
SSL version 3” is checked under the SSL Protocol versions. If they are not, then this is a finding. The tables
below show the encryption algorithms associated with each version of SSL.
PDI:
1
:
Status Code:MAN
Previously:
G643
IA Controls:
DCSW-1
PDI Description:
The browser is not configured for Secure Socket Layer (SSL) v2
and SSL v3.
Reference:
UNIX STIG: 4.6
SSL v2 Enable
X
RC4 encryption with 128-bit key
X
X
Triple DES encryption with 168-bit key
DES encryption with 56-bit key
X
Table 4-1. SSL v2 Enable
SSL v3 Enable
X
RC4 encryption with 128-bit key and an MD5 MAC
X
Triple DES encryption with 168-bit key and a SHA-1 MAC
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 184
DES encryption with 56-bit key and a SHA-1 MAC
RC4 encryption with 40-bit key and an MD5 MAC
RC2 encryption with a 40-bit key and an MD5 MAC
No encryption with an MD5 MAC
Table 4-2. SSL v3 Enable
9. GEN004220 – The root Account’s Browser
Look in the root account home directory for a .netscape or a .mozilla directory. If none exists, mark
this check as Not A Finding. If there is one, verify with the root users and the IAO what the intent of the
browsing is. Some evidence may be obtained by using the browser to view cached pages under the .netscape
directory.
PDI:
2
:
Status Code: PART
Previously:
G644
IA Controls:
ECMT-1, ECMT-2
PDI Description:
The root account uses the browser for reasons other than to
control local applications.
Reference:
UNIX STIG: 4.6
10. GEN004240 – Browser Version
To view the version number click “ Help” then click “About Browser ” from the browser tool bar. If the browser
version is not Netscape 4.79 or greater, or FireFox 1.5 or greater, then this is a finding.
PDI:
8
:
Status Code: PART
Previously:
W01
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 185
IA Controls:
DCSQ-1
PDI Description:
The browser is not a supported version.
Reference:
UNIX STIG: 4.6
11. GEN004260 – Browser Cookie Warning
To check if a browser is enabled to display a warning prior to accepting cookies, select Edit >> Preferences in the
browser tool bar, and then select the Privacy and Security menu i tem. Select the Cookies tab and verify that
“Ask for each cookie” is checked under the Cookie Lifetime Policy. If it is not, then this is a finding.
PDI:
9
Status Code:AUTO
Previously:
W03
IA Controls:
ECWM-1
PDI Description:
The browser does not issue a warning prior to accepting a cookie
from a remote site.
Reference:
UNIX STIG: 4.6
12. GEN004280 – Browser Form Data Warning
To check if a browser is enabled to issue a warning when submitting unencrypted form data, select Edit >>
Preferences in the browser tool bar, and then select the Privacy and Security menu i tem. Select the SSL tab and
verify that “Sending form data from an unencrypted page to an unencrypted page” is checked. If it is not, then
this is a finding.
Note: This is a core setting in Firefox and should be marked as Not A Finding.
PDI:
1
IA Controls:
Status Code:AUTO
Previously:
W09
ECWM-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 186
PDI Description:
A browser does not issue a warning when submitting non
encrypted form data.
Reference:
UNIX STIG: 4.6
13. GEN004300 – Browser Secure and Non-secure Content Warning
To check if a browser warning is enabled when viewing a page with both encrypted/unencrypted content, select
Edit >> Preferences in the browser tool bar, and then select the Privacy and Security menu i tem. Select the SSL
tab and verify that “Viewing a page with an encrypted/unencrypted mix” is checked. If it is not, then this is a
finding.
PDI:
2
Status Code:AUTO
Previously:
W11
IA Controls:
ECWM-1
PDI Description:
The browser does not issue a warning prior to viewing a
document with both secure and non-secure content.
Reference:
UNIX STIG: 4.6
14. GEN004320 – Browser Leaving Encrypted Site Warning
To check if a browser warning is enabled when leaving an encrypted site, select Edit >> Preferences in the
browser tool bar, and then select the Privacy and Security menu i tem. Select the SSL tab and verify that
“Leaving a page that supports encryption” is checked. If it is not, then this is a finding.
PDI:
3
IA Controls:
Status Code:AUTO
Previously:
W13
ECWM-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 187
PDI Description:
The browser does not issue a warning prior to leaving an
encrypted or secure site.
Reference:
UNIX STIG: 4.6
8. Sendmail or Equivalent
1. GEN004360 – aliases Ownership
Find the aliases file on the system:
# find / -name aliases –depth –print
#
ls –lL <alias location>
If the file is not owned by root, then this is a finding.
PDI:
1
Status Code:AUTO
Previously:
G127
IA Controls:
ECLP-1
PDI Description:
The aliases file is not owned by root.
Reference:
UNIX STIG: 4.7
2. GEN004380 – aliases Permissions
#
ls –lL <alias location>
If the permissions are greater than 644, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 188
2
Status Code:AUTO
Previously:
G128
IA Controls:
ECLP-1
PDI Description:
The aliases file is more permissive than 644.
Reference:
UNIX STIG: 4.7
3. GEN004400 – File Executed Through Aliases Accessibility
# more <aliases file location>
Examine the aliases file for any directories or paths that may be utilized. Perform:
# ls –lL <path>
Ensure the file and parent directory are owned by root. If it is not, then this a finding.
PDI:
3
:
Status Code:AUTO
Previously:
G131
IA Controls:
ECLP-1
PDI Description:
Files executed through an aliases file are not owned by root and
do not reside within a directory owned and writable only by root.
Reference:
UNIX STIG: 4.7
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 189
4. GEN004420 – File Executed Through Aliases Permissions
# more <aliases file location>
Examine the aliases file for any directories or paths that may be utilized. Perform:
# ls –lL <path>
to check the permissions are not greater than 755.
If files executed through an alias have permissions greater than 755, then this is a finding.
PDI:
4
Status Code:AUTO
Previously:
G132
IA Controls:
PDI Description:
Files executed through an aliases file are more permissive than
755.
Reference:
UNIX STIG: 4.7
5. GEN004440 – Sendmail Logging
Find the sendmail.cf file on the system:
# find / -name sendmail.cf
To check if sendmail logging is set to level nine:
#
grep “O L” <sendmail location>/sendmail.cf
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 190
Or
#
grep LogLevel <sendmail location>/sendmail.cf
If logging is set to less than nine, then this is a finding.
PDI:
GEN004440V000083 Category IV Status Code:AUTO
5
:
Previously:
G133
IA Controls:
PDI Description:
Sendmail logging is set to less than nine in sendmail.cf.
Reference:
UNIX STIG: 4.7
6. GEN004460 – Critical Level Sendmail Messages Logging
Enter the command:
#
more /etc/syslog.conf
Ensure the configuration file logs mail.crit , mail.debug, mail.*, or *.crit . If the system is
not logging critical sendmail messages, then this is a finding.
PDI:
6
Status Code:AUTO
Previously:
G134
IA Controls:
PDI Description:
Critical-level sendmail messages are not logged.
Reference:
UNIX STIG: 4.7
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 191
7. GEN004480 – Critical Sendmail Log File Ownership
Perform:
#
Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file.
Perform:
#
ls -lL <file location>
If the files is not owned by root, then this is a finding.
PDI:
7
Status Code:AUTO
Previously:
G135
IA Controls:
ECLP-1, ECTP-1
PDI Description:
Critical sendmail log file is not owned by root.
Reference:
UNIX STIG: 4.7
8. GEN004500 – Critical Sendmail Log File Permissions
Perform:
#
Ensure the configuration file logs mail.crit, mail.debug, mail.*, or *.crit to a file.
Perform:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 192
ls -lL <file location>
If the log file permissions are greater than 644, then this is a finding.
PDI:
8
Status Code:AUTO
Previously:
G136
IA Controls:
PDI Description:
Critical sendmail log file is more permissive than 644.
Reference:
UNIX STIG: 4.7
9. GEN004540 – Sendmail Help Command
To check if Help is disabled in sendmail, perform the following:
#
telnet <host>:25
# help
The help feature can be disabled by creating an empty help file.
If the help command returns any sendmail version information, then this is a finding.
PDI:
6
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The sendmail help command is not disabled.
Reference:
UNIX STIG: 4.7
10. GEN004560 – Sendmail Greeting to Mask Version
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 193
To check for the sendmail version being displayed in the greeting:
#
telnet localhost 25
If a version number is displayed, then the following line should be added to correct the problem in the
sendmail.cf file.
O SmtpGreetingMessage= Mail Server Ready ; $b
If the above entry is not in the sendmail.cf file, then this is a finding.
PDI:
4
Status Code:AUTO
Previously:
G646
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The O Smtp greeting in sendmail.cf, or equivalent, has not been
changed to mask the version.
Reference:
UNIX STIG: 4.7
11. GEN004580 – .forward Files
Search for any .forward files on the system by:
#
find –name .forward –print
This is considered a finding if any .forward files are found on the system.
PDI:
5
:
IA Controls:
Status Code:AUTO
Previously:
G647
DCSW-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 194
PDI Description:
. forward files were found.
Reference:
UNIX STIG: 4.7
12. GEN004600 – Sendmail Version
Perform:
#
find / -name sendmail
to locate the sendmail daemon, and then perform:
#
what <file location>
#
strings <file location> | grep version
or
or
# sendmail –d0
to determine the sendmail daemon version. Version 8.13.8 is the latest required version.
If the sendmail version is not at least 8.13. 8, then this is a finding.
PDI:
9
:
Status Code:AUTO
Previously:
V124
IA Controls:
DCCS-1, DCCS-2
PDI Description:
A sendmail server has an out-of-date version of sendmail active.
Reference:
UNIX STIG: 4.7
13. GEN004620 – Sendmail DEBUG Command
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 195
Perform the following to determine if debug is disabled:
#
telnet localhost 25
debug
If the command does not return a 500 error code of command unrecognized, then this is a finding.
PDI:
0
:
Status Code:AUTO
Previously:
V125
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The sendmail debug command is not disabled.
Reference:
UNIX STIG: 4.7
14. GEN004640 – Sendmail DECODE Command
Perform the following to determine if decode is disabled:
#
telnet localhost 25
decode
PDI:
1
:
Status Code:AUTO
Previously:
V126
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The sendmail decode command is not disabled.
Reference:
UNIX STIG: 4.7
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 196
15. GEN004660 – Sendmail EXPN Command
Perform the following to determine if expn is disabled:
#
telnet localhost 25
expn root
Or
Locate the sendmail.cf configuration file by:
#
find / -name sendmail.cf –print
#
grep –v “^#” <sendmail.cf location> |grep –i no expn
On HP-UX and AIX systems look for:
# grep –v “^#” <sendmail.cf location> |grep –i \
privacyoptions
The O PrivacyOptions should have the noexpn and novrfy options, or the goaway option to cover
both.
Ensure that the expn command is disabled with an entry in the sendmail.cf file that reads as follows:
Opnoexpn, noexpn , or goaway .
If the expn command is not disabled, then this is a finding.
PDI:
2
Status Code:AUTO
Previously:
V128
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The sendmail expn command is not disabled.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 197
Reference:
UNIX STIG: 4.7
16. GEN004680 – Sendmail VRFY Command
Perform the following to determine if vrfy is disabled:
#
telnet localhost 25
vrfy root
Or
#
#
grep –v “^#” <sendmail.cf location> |grep –i no vrfy
Ensure the vrfy command is disabled with an entry in the sendmail.cf file. The entry could be any one of
Opnovrfy , novrfy, goaway .
The goaway argument encompasses many things, such as novrfy
and noexpn .
PDI:
3
Status Code:AUTO
Previously:
V130
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The sendmail vrfy command is not disabled.
Reference:
UNIX STIG: 4.7
17. GEN004700 – Sendmail WIZ Command
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 198
Perform the following to determine if wizard is disabled:
#
telnet localhost 25
wiz
wizard
Or
#
#
grep –v “^#” <sendmail.cf location> |grep –i wiz
If an entry is found for wiz, then this is a finding.
PDI:
4
Status Code:AUTO
Previously:
V131
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The sendmail wiz/wizzard command is not disabled.
Reference:
UNIX STIG: 4.7
9. File Transfer Protocol (FTP) and Telnet
1. GEN004720 – FTP or Telnet Within Enclave Behind Router
Perform the following to check for FTP or Telnet within the enclave:
# last | more
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 199
If any FTP or Telnet connections are found, examine the third field and ask the SA if the initiating client is inside
of the enclave. Ask the SA if the network connection is behind the premise router and protected by a firewall or
router access control list. If it is not, then this is a finding.
PDI:
7
Status Code: PART
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
FTP or telnet within an enclave is not behind the premise router
and protected by a firewall and router access control lists.
Reference:
UNIX STIG: 4.8
2. GEN004760 – FTP or Telnet Outside to Inside Enclave
Perform the following to check for FTP or Telnet outside the enclave:
# last | more
If any FTP or Telnet connections are found, examine the third field and ask the SA if the initiating client is
outside of the enclave. If it is, then this is a finding.
PDI:
8
:
Status Code: PART
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
FTP or telnet from outside the enclave into the enclave is
enabled and not within requirements.
Reference:
UNIX STIG: 4.8
3. GEN004780 – FTP or Telnet Userids and Passwords
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 200
Perform the following to check for FTP:
#
more /etc/passwd
Make a note of any user accounts with administrative privileges by verifying the third field is set to 0 and then
perform the following.
#
more /etc/ftpd/ftpusers
Ensure that any root privileged user or user’s with any root roles is listed in the ftpusers file.
In addition perform the following to check for both ftp and telnet logins under root:
#
last |more
Verify that root has not logged in with telnet or ftp. If they have, then this is a finding.
PDI:
9
:
Status Code: PART
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
FTP or telnet userids/passwords have administrative or root
privileges.
Reference:
UNIX STIG: 4.8
4. GEN004800 – Unencrypted FTP or Telnet
Perform the following to determine if unencrypted ftp or telnet are enabled on most systems:
#
grep ftp /etc/inetd.conf
#
grep telnet /etc/inetd.conf
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 201
Solaris 10
#
svcs ftp
#
svcs telnet
Linux
#
chkconfig telnet
#
chkconfig vsftpd
If any of the above are found to be active, ask the SA if any type of encryption is being used with these services.
If it is not encrypted and an Acceptance of Risk Letter is not present, then this is a finding.
PDI:
0
Status Code: PART
Previously:
N/A
IA Controls:
ECNK-1
PDI Description:
An AORL is not used to document the use of unencrypted FTP or
telnet or the risk is not accepted as part of the accreditation
package.
Reference:
UNIX STIG: 4.8
5. GEN004820 – Anonymous FTP
Perform the following to determine if a system is capable of anonymous ftp:
#
ps –ef |grep ftpd
# grep ftp /etc/passwd
Use the command ftp to activate the ftp service. Attempt to log into this host with a user name of anonymous
and a password of guest (also try the password of [email protected]). If the logon is successful, ask if the use of
anonymous FTP on the system is documented with the IAO. If it is not, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 202
6
:
Status Code:PART
Previously:
G147
IA Controls:
DCSD-1
PDI Description:
Anonymous FTP is active and not documented by the IAO.
Reference:
UNIX STIG: 4.8
6. GEN004840 – Anonymous FTP Segregation into DMZ
Perform the following to determine if a system is capable of anonymous ftp:
#
ps –ef |grep ftpd
# grep ftp /etc/passwd
Ask the SA if the server is on a separate subnet located in a DMZ. If it is not, then this is a finding.
PDI:
2
:
Status Code:PART
Previously:
V052
IA Controls:
IAIA-1
PDI Description:
Anonymous FTP is not segregated into the network DMZ.
Reference:
UNIX STIG: 4.8
10. FTP Configuration
1. GEN004880 – The ftpusers File
Perform the following to determine if the ftpusers file exist:
#
ls –la <ftpusers file>
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 203
where <ftpusers file> is one of the files listed below.
Locations of the ftpusers file:
Solaris 5.5.1 – 5.8
Solaris 5.9 –5.10
/etc/ftpusers
/etc/ftpd/ftpusers
HPUX 10
/etc/ftpusers
HPUX 11
/etc/ftpd/ftpusers
AIX
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
/etc/vsftpd.ftpusers
IRIX
/etc/ftpd/ftpusers
If the ftpusers files does not exist, then this is a finding.
PDI:
0
Status Code:AUTO
Previously:
G140
IA Controls:
DCSL-1
PDI Description:
The ftpusers file does not exist.
Reference:
UNIX STIG: 4.8.1
2. GEN004900 – The ftpusers File Contents
Check for system accounts in the ftpusers files which should not be allowed to used ftp by:
#
more /etc/ftpusers
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Solaris 5.5.1 – 5.8
Solaris 5.9 –5.10
Page 204
/etc/ftpusers
/etc/ftpd/ftpusers
HPUX 10
/etc/ftpusers
HPUX 11
/etc/ftpd/ftpusers
AIX
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
IRIX
/etc/ftpd/ftpusers
If system accounts are not listed in the ftpusers file, then this is a finding.
PDI:
1
Status Code:AUTO
Previously:
G141
IA Controls:
DCSL-1
PDI Description:
The ftpusers file does not contain account names not allowed to
use FTP.
Reference:
UNIX STIG: 4.8.1
3. GEN004920 – The ftpusers File Ownership
Perform the following on the ftpusers file associated with the applicable operating system:
#
ls –la <file location>
Solaris 5.5.1 – 5.8
Solaris 5.9 –5.10
HPUX 10
/etc/ftpusers
/etc/ftpd/ftpusers
/etc/ftpusers
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
HPUX 11
AIX
Page 205
/etc/ftpd/ftpusers
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
IRIX
/etc/ftpd/ftpusers
If the file is not owned by root, then this is a finding.
PDI:
2
Status Code:AUTO
Previously:
G142
IA Controls:
ECLP-1
PDI Description:
The ftpusers file is not owned by root.
Reference:
UNIX STIG: 4.8.1
4. GEN004940 – The ftpusers File Permissions
Perform the following on the ftpusers file associated with the applicable operating system:
#
ls –la <file location>
Solaris 5.5.1 – 5.8
Solaris 5.9 –5.10
/etc/ftpusers
/etc/ftpd/ftpusers
HPUX 10
/etc/ftpusers
HPUX 11
/etc/ftpd/ftpusers
AIX
/etc/ftpusers
Linux (wu-ftp)
/etc/ftpusers
Linux (vsftpd)
IRIX
/etc/ftpd/ftpusers
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 206
If the file permissions are greater than 640, then this is a finding
PDI:
3
Status Code:AUTO
Previously:
G143
IA Controls:
PDI Description:
The ftpusers file is more permissive than 640.
Reference:
UNIX STIG: 4.8.1
5. GEN004980 – FTP Daemon Logging
Perform:
# grep ftpd /etc/inetd.conf ,
and check the line for ftpd to check if the –l (HP-UX, Solaris, AIX, and Digital) or –v (HP-UX) options are
invoked. If not, then this is a finding.
Solaris 10:
#
svccfg
svc:>
export ftp
svc:>
quit
Verify the line that contains /usr/sbin/in.ftpd contains the –l option.
On Linux systems:
#
grep log /etc/xinetd.d/vsftpd
If either the log_on_success or log_on_failure are commented out, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 207
5
Status Code:AUTO
Previously:
G145
IA Controls:
DCSL-1
PDI Description:
The FTP daemon is not configured for logging or verbose mode.
Reference:
UNIX STIG: 4.8.1
6. GEN005000 – Anonymous FTP Account Shell
Perform the following to check for anonymous FTP:
#
grep “^ftp” /etc/passwd
If the sixth field does not contain one of the following:
/bin/false , /dev/null , /usr/bin/false , /bin/true , or the entry ends with a ‘:’, this check will
be a finding.
PDI:
7
:
Status Code:AUTO
Previously:
G649
IA Controls:
DCCS-1, DCCS-2
PDI Description:
There is an anonymous FTP account with a functional shell.
Reference:
UNIX STIG: 4.8.1
7. GEN005020 – Anonymous FTP Configuration
First, determine if there is an anonymous ftp account by:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 208
#
grep “^ftp:” /etc/passwd
If there is no output, mark this check as Not a Finding.
Change to the ftp home directory.
#
ls –lL <ftp home directory>
It should be writable by no one (555). The following directories must exist in the account: /etc , and /bin
with permissions of (111). The /<ftp home directory> /etc directory will only contain password,
group and netgroup files but can be empty. The / <ftp home directory> /bin directory should be a
symbolic link to the /<ftp home directory>/ usr/bin directory in the ftp account and contain only a
copy of the ls command. There must be a /<ftp home directory>/ usr/lib directory owned by root
with permissions of (555). The /<ftp home directory>/usr/lib directory should contain the
following libraries with permissions of ( 555): ld.so.1 , libc.so.1 , libdl.so.1 , libmp.so.2 ,
libnsl.so.1 , libsocket.so.1 , nss_compat.so.1 , nss_dns.so.1 , nss_files.so.1 ,
nss_nis.so.1 , nss_nisplus.so.1 , and nss_xfn.so.1 . Other requirements include:
~ftp/etc will be owned by the superuser and not writable by anyone. The following files will be
there: copies of the files passwd, group, and netconfig files. The permissions will be 444 .
~ftp/pub will be owned by root with permissions of 755. Users may place files, which are to be
accessible via the anonymous account, in this directory.
~ftp/dev will be owned by root and not writable by anyone . It will contain the following files:
/dev/zero, /dev/tcp, /dev/udp and /dev/ticotsord . The permissions for these
files should be 666.
~ftp/usr/share/lib/zoneinfo will be owned by root with permissions of 555. It should have
the same contents as /usr/share/lib/zoneinfo .
Secuirty: For Linux, Solaris 8 and newer, in.ftpd uses pam (3PAM) for authentication, account and session
management. Here is a partial pam.conf file with required entries for the in.ftpd command using UNIX
authentication, account management, and session management modules.
ftp
auth
required
/usr/lib/security/pam_unix.so.1
ftp
account
required
ftp
session
required
PDI:
8
:
Status Code: PART
Previously:
G650
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 209
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Anonymous FTP is not configured using all security
recommendations.
Reference:
UNIX STIG: 4.8.1
8. GEN005040 – FTP User’s umask
To determine the umask of the ftp user, perform the following:
# su – ftp
# umask
If the umask value does not return 077, then this is a finding.
PDI:
1
Status Code: AUTO
Previously:
N/A
IA Controls:
ECCD-1, ECCD-2
PDI Description:
An FTP user’s umask is not 077.
Reference:
UNIX STIG: 4.8.1
11. File Service Protocol (FSP)
1. GEN005060 – FSP Is Enabled
To determine if fsp is enabled, perform the following:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 210
grep in.fspd /etc/inetd.conf
# netstat –an |grep fspd
If an entry for fsp is found, then this is considered a finding.
PDI:
3
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSW-1
PDI Description:
FSP is enabled.
Reference:
UNIX STIG: 4.9
12. Trivial File Transfer Protocol (TFTP)
1. GEN005080 – TFTP Secure Mode
Perform the following to determine if the system is running in tftp in secure mode:
Solaris
#
grep tftp /etc/inetd.conf | grep “-s”
HP-UX tftpd runs in secure mode by default, therefore this is not applicable.
AIX
#
more /etc/tftpaccess.ctl
If the file does not exist, then this is a finding. Ensure the only entry is to allow access to the tftp user home
directory.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 211
Linux
#
grep server_args /etc/xinetd.d/tftp |grep “-s”
IRIX
#
grep tftp /etc/inetd.conf | grep “-s”
If TFTP is not running in secure mode, then this is a finding.
PDI:
7
:
Status Code:AUTO
Previously:
G149
IA Controls:
DCSL-1
PDI Description:
The TFTP daemon is not running in secure mode.
Reference:
UNIX STIG: 4.10
2. GEN005100 – TFTP SUID/SGID Bit
Perform :
#
find / - name “*tftpd” –print
to locate the file. Once the file is located, use the command:
# ls –la <file location>
to check for the suid or sgid bit being set. If either of the bits are set, then this is a finding.
PDI:
8
:
Status Code:AUTO
Previously:
G150
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 212
IA Controls:
ECLP-1
PDI Description:
The TFTP daemon has the suid or sgid bit set.
Reference:
UNIX STIG: 4.10
3. GEN005120 – TFTP Configuration
Check the /etc/passwd file to determine if TFTP is configured properly:
#
grep tftp /etc/passwd
If a tftp user account does not exist and TFTP is active, then this is a finding.
Ensure the user shell is /bin/false or equivalent. If it is not, then this is a finding.
Ensure the TFTP user is assigned a home directory . If not, then this is a finding.
PDI:
9
Status Code:AUTO
Previously:
G151
IA Controls:
ECCD-1, ECCD-2
PDI Description:
TFTP is not configured to vendor specifications, including the
following:
A TFTP user will be created.
The default shell will be set /bin/false, or equivalent.
A home directory owned by the TFTP user will be created.
Reference:
UNIX STIG: 4.10
4. GEN005140 – TFTP Documentation
Perform the following to determine if TFTP is active:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 213
#
grep –v “^#” /etc/inetd.conf |grep tftp
Solaris 10
#
svcs tftp
Linux
#
chkconfig –-list | grep tftp
Or
#
chkconfig tftp
If TFTP is found to enabled, ask the SA if it is documented with the IAO. This is a finding if it is not
documented.
PDI:
5
:
Status Code: PART
Previously:
V141
IA Controls:
ECCD-1, ECCD-2
PDI Description:
TFTP is active and it is not justified and documented with the
IAO.
Reference:
UNIX STIG: 4.10
13. X Window System
1. GEN005160 – .Xauthority Files
To check for .Xauthority files being utilized, change directory to a user’s home directory and perform:
#
ls –la .Xauthority
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 214
If the file does not exist, ask the SA if the user is using Xwindows. If the user is utilizing Xwindows and
the .Xauthority file does not exist and host based access control is not being used, then this is a finding.
PDI:
0
:
Status Code:PART
Previously:
G152
IA Controls:
EBCR-1, EBRP-1, EBRU-1
PDI Description:
An X Windows host does not write .Xauthority files (or
equivalent).
Reference:
UNIX STIG: 4.11
2. GEN005180 – .Xauthority File Permissions
Check the file permissions for the .Xauthority files by:
#
ls –lL .Xauthority
If the file permissions are greater than 600, then this is finding.
PDI:
4
Status Code: PART
Previously:
N/A
IA Controls:
DCCS-2
PDI Description:
.Xauthority files are more permissive than 600.
Reference:
UNIX STIG: 4.11
3. GEN005200 – X Displays Exporting
Perform the following to determine if access to the X window system is limited to authorized clients:
#
xhost
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 215
If the above command returns:
“access control disabled, clients can connect from any host”, then this is a finding.
PDI:
GEN005200V000469 Category:I
7
Status Code:PART+
Previously:
V155
IA Controls:
ECIC-1
PDI Description:
A system is exporting X displays to the world.
Reference:
UNIX STIG: 4.11
4. GEN005220 – X Client Authorization via X*.hosts
Perform the following to determine if the X server is running:
# ps –ef |grep X
Determine if xauth is being used by:
#
xauth
xauth>
list
If the above command sequence does not show any host other than the localhost, then xauth is not being used.
Search the system for an X*.hosts files, where * is a display number that may be used to limit X window
connections. If none are found and user based access control is not being used, then this is a finding.
PDI:
6
Status Code: PART
Previously:
N/A
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 216
IA Controls:
ECIC-1
PDI Description:
Authorized X clients are not listed in the X*.hosts (or equivalent)
file(s) if the .Xauthority utility is not used.
Reference:
UNIX STIG: 4.11
5. GEN005240 – X Client Authorization
Perform the following to determine if access to the X window system is limited to authorized clients:
#
xauth
xauth> list
Ask the SA if the clients listed are authorized. If they are not, then this is a finding.
PDI:
7
:
Status Code: MAN
Previously:
N/A
IA Controls:
ECIC-1
PDI Description:
Access to the X-terminal host is not limited to authorized X
clients.
Reference:
UNIX STIG: 4.11
6. GEN005260 – X Window System Not Required and Not Disabled
Determine if the X window system is running by:
# ps –ef |grep X
Ask the SA if the X window system is an operational requirement. If it is not, then this is a finding.
PDI:
8
Status Code: PART
Previously:
N/A
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 217
IA Controls:
ECIC-1
PDI Description:
The X Window System connections are not required and the
connections are not disabled.
Reference:
UNIX STIG: 4.11
14. UNIX to UNIX Copy Program (UUCP)
1. GEN005280 – Disable UUCP
Perform the following to determine if uucp is active.
Solaris, HP-UX, AIX and IRIX
# grep uucp /etc/inetd.conf
Solaris 10
# svcs uucp
Linux
# chkconfig uucp
Or
#
chkconfig –-list | grep uucp
If UUCP is found to be enabled, then this is a finding.
PDI:
6
Status Code:AUTO
Previously:
V145
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 218
IA Controls:
ECIC-1
PDI Description:
The UUCP service is enabled.
Reference:
UNIX STIG: 4.12
15. Simple Network Management Protocol (SNMP)
1. GEN005300 – Changed SNMP Community Strings
Find the snmpd.conf by:
# find / -name snmpd.conf –print
# more snmpd.conf
Search for the community name to check if the password was changed to something other than public, private,
snmp-trap or password and which meets the DISA requirements for password construction. The community
string will be in plain text.
PDI:
3
:
Status Code:AUTO
Previously:
G224
IA Controls:
IAIA-1, IAIA-2, IAAC-1, DCCS-1, DCCS-2
PDI Description:
SNMP community strings have not been changed from the
default.
Reference:
UNIX STIG: 4.13
2. GEN005320 – snmpd.conf Permissions
Perform:
# find / -name snmpd.conf
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 219
# ls –lL <snmpd.conf>
If the snmpd.conf file is more permissive than 700, then this is a finding.
PDI:
4
Status Code:AUTO
Previously:
G225
IA Controls:
PDI Description:
The snmpd.conf file is more permissive than 700.
Reference:
UNIX STIG: 4.13
3. GEN005340 – MIB File Permissions
Perform the following to find all the Management Information Base (MIB) files on the system:
# find / -name *.mib –print
# ls –lL <mib file>
Any file returned with permissions greater than 640 is a finding.
PDI:
5
:
Status Code: AUTO
Previously:
G226
IA Controls:
PDI Description:
The MIB files are more permissive than 640.
Reference:
UNIX STIG: 4.13
4. GEN005360 – snmpd.conf and .mib Ownership
Perform:
# find / -name snmpd.conf
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 220
# ls –lL <snmpd.conf>
# find / -name *.mib
If the snmpd.conf file is not owned by root and group owned by sys or the application, then this is a finding.
PDI:
9
Status Code: AUTO
Previously:
N/A
IA Controls:
PDI Description:
The snmpd.conf and .mib files are not owned by root and group
owned by sys or the application.
Reference:
UNIX STIG: 4.13
5. GEN005380 – Dedicated Hardware for SNMP
To check if SNMP is used, execute the following command:
netstat -a | grep LISTEN | grep snmp .
#
#
netstat –a | grep LISTEN | egrep “161|162”
If there is any output, then ask the SA if this is an snmp server. If it is an snmp server, then ask what other
applications run on it. If there is anything other than network management software and DBMS software that is
used only for the storage and inquiry of snmp data, this is a finding.
PDI:
2
:
Status Code:MAN
Previously:
G655
IA Controls:
DCSW-1
PDI Description:
SNMP does not run on dedicated hardware.
Reference:
UNIX STIG: 4.13
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 221
16. System Logging Daemon
1. GEN005400 – /etc/syslog.conf Assessiblity
Check /etc/syslog.conf ownership and permissions:
# ls –lL /etc/syslog.conf
If /etc/syslog.conf is not owned by root or is more permissive than 640, then this is a finding.
PDI:
3
Status Code:AUTO
Previously:
G656
IA Controls:
PDI Description:
The /etc/syslog.conf file is not owned by root or is more
permissive than 640.
Reference:
UNIX STIG: 4.14
2. GEN005420 – /etc/syslog.conf Group Ownership
Check /etc/syslog.conf group ownership:
# ls –lL /etc/syslog.conf
If /etc/syslog.conf is not group owned by root, sys, or bin, then this is a finding.
PDI:
4
Status Code:AUTO
Previously:
G657
IA Controls:
DCSW-1
PDI Description:
The /etc/syslog.conf file is not group owned by root, sys, or bin.
Reference:
UNIX STIG: 4.14
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 222
3. GEN005440 – Local Loghosts
Ask the SA if a remote loghost server exists. If it does not mark this as Not A Finding
Ask the SA if the loghost server is collecting data for hosts outside the enclave. If it is, then this is a finding.
PDI:
0
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Local hosts are used as loghosts for systems outside the local
network.
Reference:
UNIX STIG: 4.14
4. GEN005460 – Remote Loghost Documentation
Perform the following to determine if the system is using a remote loghost :
# grep loghost /etc/hosts
If the loghost entry is a remote machine, then ask the SA if the remote machine is documented as a loghost with
the IAO. If it is not documented then this is a finding.
PDI:
5
:
IA Controls:
Status Code:PART
Previously:
G658
DCHW-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 223
PDI Description:
A system is using a remote loghost is not documented with the
IAO.
Reference:
UNIX STIG: 4.14
5. GEN005480 – Syslog Accepts Remote Messages
Perform the following to determine if syslogd accepts remote messages:
Solaris
# ps –ef | grep syslogd
If the ‘-t ’ option is not enabled, then ask the SA if it is documented.
HP-UX
#
ps –ef |grep syslogd
If the ‘-N ’ option is not enabled, then ask the SA if it is documented.
Linux
#
ps –ef | grep syslogd
If the ‘-r’ is enabled, then ask the SA if it is documented.
AIX
#
If the ‘-r’ is not enabled, then ask the SA if it is documented.
IRIX
#
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 224
If the ‘-N’ option is not enabled, then ask the SA if it is documented.
If syslog accepts remote messages, then this is a finding.
PDI:
1
Status Code: PART
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
The syslog daemon accepts remote messages and is not an IAO
documented loghost.
Reference:
UNIX STIG: 4.14
17. Secure Shell (SSH) and Equivalents
1. GEN005500 – SSH Version 1 Compatibility
Locate the sshd_config file:
# find / -name sshd_config
#
more <sshd_config file location>
Examine the file. If the variables ‘Protocol 2,1’ or, ‘ Protocol 1’ are defined on a line without a leading
comment, this is a finding.
If the SSH server is F-Secure, the variable name for SSH 1 compatibility is ‘Ssh1Compatibility’, not ‘protocol’.
If the variable ‘Ssh1Compatiblity’ is set to ‘yes’, then this is a finding.
PDI:
5
:
IA Controls:
Status Code:AUTO
Previously:
G701
DCPR-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 225
PDI Description:
SSH, or a similar utility, is running and SSHv1 compatibility is
used.
Reference:
UNIX STIG: 4.15
2. GEN005540 – Encrypted Communications IP Filtering and Banners
To determine if ssh is configured with tcp wrappers support perform the following:
#
grep sshd /etc/hosts.deny
For example:
sshd1: ALL
sshd2: ALL
sshdfwd-X11 : ALL
If the above lines or similar are not in /etc/hosts.deny , then this is a finding.
Perform the following to determine if banners are configured:
#
find / -name sshd_config
#
more <sshd_config file location> | grep –I banner
If the above command does not return any lines, then this is a finding.
PDI:
2
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Encrypted communications are not configured for IP filtering and
logon warning banners.
Reference:
UNIX STIG: 4.15
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 226
18. UNIX Routing Vulnerabilities
1. GEN005560 – Default Gateway
Perform the following to determine if a default route is defined:
#
netstat –r |grep default
If a default route is not defined, then this is a finding.
PDI:
7
Status Code:AUTO
Previously:
G661
IA Controls:
DCSW-1
PDI Description:
The system is not a router and has no default gateway defined.
Reference:
UNIX STIG: 4.16
2. GEN005580 – Dedicated Hardware for Routing
Perform the following to determine if the systems is used for routing:
#
netstat –a | grep –i listen | grep route
Ask the SA if the system is used for any other services such as web servers, file servers, DNS servers, or
applications servers. If it is used for another service, then this is a finding.
PDI:
8
:
Status Code:PART
Previously:
G662
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 227
IA Controls:
DCSW-1
PDI Description:
Routing is not implemented on dedicated hardware and not
Reference:
UNIX STIG: 4.16
3. GEN005600 – Disable IP Forwarding
Perform the following to determine if IP forwarding is disabled:
Solaris
#
ls –l /etc/notrouter
If the file does not exist, then this is a finding.
HP-UX
#
grep ip_forwarding /etc/rc.config.d/nddconf
If the value is not set to ‘0’, then this is a finding.
AIX
IP forwarding is disabled by default in AIX.
IRIX
#
grep ipforward /var/sysgen/stune
If the value is not set to ‘0’, then this is a finding.
Linux
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 228
grep ip_forward /etc/sysctl.conf
If the value is set to 1, then this is a finding.
PDI:
3
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCC|S-2
PDI Description:
IP forwarding is not disabled.
Reference:
UNIX STIG: 4.16
19. Lotus Domino Web Application
1. GEN005620 – Lotus Domino Version
To determine the version of Lotus Domino perform the following:
#
/opt/lotus/bin/server –v
The version should be 5.0.6a or higher for Linux, and the transition components for AIX and Solaris should be
version 2.1.1.
If version is not one of the above, then this is a finding.
PDI:
3
:
Status
Code:
AUTO
Previously:
V5899
IA Controls:
DSCQ-1
PDI Description:
A Lotus Domino 5.0.5 Web Application was found vulnerable to
the .nsf, .box, and .ns4 directory traversal exploit.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 229
Reference:
UNIX STIG: 4.17
20. Squid Web Proxy Authentication Header
1. GEN005640 – Squid Web Proxy Authentication Header Vulnerability
Perform the following to determine if the squib web proxy is a vulnerable version:
#
squid –v |grep –i version
If the version is not greater than 2.4STABLE6, then this is a finding.
PDI:
6
:
Status
Code:
AUTO
Previously:
V9478
IA Controls:
DSCQ-1
PDI Description:
A system running Squid Web Proxy Cache server was found
vulnerable to the authentication header forwarding exploit.
Reference:
UNIX STIG: 4.18.1
21. Squid Web Proxy MSNT Auth Helper
1. GEN005660 – Squid Web Proxy MSNT Auth Helper Vulnerability
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 230
#
If the version is not greater than 2.4STABLE6, then this is a finding.
PDI:
7
:
Status
Code:
AUTO
Previously:
V9482
IA Controls:
DSCQ-1
PDI Description:
A system running Squid Web Proxy Cache was found vulnerable
to the MSNT auth helper buffer overflow exploit.
Reference:
UNIX STIG: 4.18.2
22. Squid Web Proxy Version
1. GEN005680 – Squid Web Proxy Version
#
If the version number is not at least 2.7STABLE7 or later then this is a finding.
PDI:
9
:
IA Controls:
Status
Code:
AUTO
Previously:
V9730
DSCQ-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 231
PDI Description:
The SA will ensure the Squid Proxy Cache server is not a
vulnerable version.
Reference:
UNIX STIG: 4.18.3
23. iPlanet Web Server
1. GEN005700 – iPlanet Web Server NS-query-pat Vulnerability
Use the following steps to determine the version number:
1. Navigate to the following directory:
server-root /bin/https/bin
2. Run the ns-httpd program with the "-v " parameter.
#
./ns-httpd –v
Ask the SA for documentation showing the installation of either service pack 3 for iPlanet Web Server 6, or
service pack 10 for iPlanet Web Server 4.1.
PDI:
8
:
Status
Code:
PART
Previously:
V9517
IA Controls:
DSCQ-1
PDI Description:
An iPlanet Web Server was found with the search engine NSquery-pat file viewing vulnerability.
Reference:
UNIX STIG: 4.19
24. Network Filesytem (NFS)
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 232
1. GEN005720 – NFS Port Monitoring
Perform the following for each operating system to determine if NFS port monitoring is is set to ‘1’:
Solaris
#
grep nfs_portmon /etc/system
HP-UX
#
kctune nfs_portmon
#
nfso –o nfs_portmon
#
nfso –o portcheck
#
grep nfs_portmon /var/sysgen/stune
AIX
Or
IRIX
Linux does not use nfs_portmon. By default, it exports with the –secure option which is the same as nfs_
portmon. Perform the following to determine if the default has been overridden:
#
grep insecure /etc/exports
If any of the file systems are exported with the ‘insecure’ option, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 233
7
Status Code:AUTO
Previously:
G177
IA Controls:
DCSL-1
PDI Description:
NFS port monitoring is not enabled.
Reference:
UNIX STIG: 4.20
2. GEN005740 – Export Configuration File Ownership
Solaris
# ls –lL /etc/dfs/dfstab
HP-UX
# ls –lL /etc/exports
AIX
IRIX
Linux
If the export configuration file is not owned by root, then this is a finding.
PDI:
8
Status Code:AUTO
Previously:
G178
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 234
IA Controls:
ECLP-1
PDI Description:
The export configuration file is not owned by root.
Reference:
UNIX STIG: 4.20
3. GEN005760 – Export Configuration File Permissions
Solaris
# ls –lL /etc/dfs/dfstab
HP-UX
AIX
IRIX
Linux
If the export configuration file is more permissive than 644, then this is a finding.
PDI:
9
:
Status Code:AUTO
Previously:
G179
IA Controls:
ECLP-1
PDI Description:
The export configuration file is more permissive than 644.
Reference:
UNIX STIG: 4.20
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 235
4. GEN005780 – Writable Exported File Systems Documentation
Perform the following to determine if NFS File Systems are writeable:
#
exportfs –v |grep rw
If any entries are returned, ask the SA if the file systems have been approved and documented with the IAO for
export as writable.
PDI:
0
:
Status Code:PART
Previously:
G180
IA Controls:
DCSD-1
PDI Description:
NFS file systems exported as writeable have not been justified
and documented by the IAO.
Reference:
UNIX STIG: 4.20
5. GEN005800 – Exported System Files and Directories Ownership
Perform the following to check for NFS exported files systems:
#
exportfs –v
This will display all of the exported file systems. For each file system displayed perform and check the
ownership:
# ls –lL <filesystem>
If the files and directories are not owned by root, then this is a finding.
PDI:
1
Status Code:AUTO
Previously:
G181
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 236
IA Controls:
ECLP-1
PDI Description:
NFS exported system files and system directories are not owned
by root.
Reference:
UNIX STIG: 4.20
6. GEN005820 – Deny NFS Client Access Without Userid
Perform the following to determine if the ‘anon’ option is set correctly for exported file systems:
#
exportfs –v |grep anon
Each of the exported file systems should include an entry to check for the ‘ anon= ‘option being set to –1 or an
equivalent (60001, 65534, or 65535). Linux systems use the ‘anonuid’ option instead of ‘anon’.
Note: If the anon flag is found to have a UID of 0 , this finding is elevated to a Severity Code I.
PDI:
2
Status Code:AUTO
Previously:
G182
IA Controls:
IAIA-1, IAIA-2
PDI Description:
The NFS server is not configured to deny client access requests
that do not include a userid.
Reference:
UNIX STIG: 4.20
7. GEN005840 – Restrict NFS Filesystem Access to Local Hosts
Perform the following to check for access permissions:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 237
exportfs –v
If the exported filesystems do not contain the ‘rw’ or ‘ro’ options, then this is a finding.
PDI:
3
Status Code:AUTO
Previously:
G183
IA Controls:
EBCR-1, EBRP-1, EBRU-1
PDI Description:
The NFS server is not configured to restrict filesystem access to
local hosts.
Reference:
UNIX STIG: 4.20
8. GEN005860 – NFS User Authentication
This check only applies to Solaris. Perform the following on NFS servers:
#
grep “^default” /etc/nfssec.conf
Check to ensure the second column does not equal ‘0’. This would indicate the default is set to none. Perform
the following to check currently exported file systems:
#
more /etc/exports
#
more /etc/dfs/dfstab
Or
If the option ‘sec=none’ is set on any of the exported file systems, then this is a finding.
PDI:
4
IA Controls:
Status Code:AUTO
Previously:
G184
IAIA-1, IAIA-2
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 238
PDI Description:
The sec option is set to none (or equivalent); additionally the
default authentication is to none .
Reference:
UNIX STIG: 4.20
9. GEN005880 – Root Access Option Documentation
Perform the following to determine if the NFS server is exporting with the root access option:
#
exportfs –v | grep “root=”
If the option is found on an exported file system, ask the SA if the access is justified and documented with the
IAO. If it is not, then this is a finding.
PDI:
5
:
Status Code:PART
Previously:
G185
IA Controls:
DCSD-1
PDI Description:
The root access option for NFS has not been justified and
Reference:
UNIX STIG: 4.20
10. GEN005900 – NFS Clients Enable nosuid and nosgid
Perform the following to determine if nfs clients are mounting file systems with the nosuid and nosgid options:
#
mount –v | grep " type nfs " | grep "nosuid"
#
mount –v | grep " type nfs " | grep "nosgid"
If the mount ed file systems do not have the above two options, then this is a finding and it must be justified and
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 239
6
:
Status Code:PART
Previously:
G186
IA Controls:
ECLP-1
PDI Description:
The nosuid and nosgid options are not enabled on a NFS Client.
Reference:
UNIX STIG: 4.20
25. Instant Messaging (IM)
1. GEN006000 – Public Instant Messaging Client is Installed
If an IM client is installed, ask the SA if it configured to communicate only with .mil IM servers. If it has access
to servers on the internet, then this is a finding.
PDI:
4
:
Status Code: MAN
Previously:
N/A
IA Controls:
ECIC-1
PDI Description:
A public instant messaging client is installed.
Reference:
UNIX STIG: 4.22
26. Peer-to-Peer File-Sharing Utilities and Clients
1. GEN006040 – Peer-to-Peer Application Authorization with DAA
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 240
Ask the SA if any peer-to-peer file-sharing applications are installed. Some examples of these applications
include:
Napster
Kazaa
ARES
Limewire
IRC Chat Relay
BitTorrent
If any of these applications are installed without an Acceptance of Risk Letter from the DAA, then this is a
finding.
PDI:
5
:
Status Code: MAN
Previously:
N/A
IA Controls:
ECIC-1
PDI Description:
A peer-to-peer file-sharing application is installed and not
authorized and documented with the DAA.
Reference:
UNIX STIG: 4.23
27. Samba
1. GEN006060 – Samba is Enabled
Perform the following to determine if the Samba server is running:
#
ps –ef |grep smbd
If a process is returned as running, ask the SA if the Samba server is operationally required. If it is not, then this
is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 241
1
Status Code:PART
Previously:
L170
IA Controls:
DCPR-1
PDI Description:
Samba is running and is not operationally required.
Reference:
UNIX STIG: 4.24
2. GEN006080 – Samba Web Administration with SSH Port Forwarding
SWAT must be utilized with ssh to ensure a secure connection between the client and the server. The ssh
daemon on the server must be configured to allow port forwarding. If SWAT is being utilized to administer
Samba on the server, perform the following:
#
grep AllowTcpForwarding /etc/ssh/sshd_config
If the line is commented out or set to ‘no’ and SWAT is in use, then this is a finding.
PDI:
6
Status Code:PART
Previously:
L048
IA Controls:
DCPR-1
PDI Description:
The Samba Web Administration tool is not used with SSH port
forwarding.
Reference:
UNIX STIG: 4.24
3. GEN006100 – smb.conf Ownership
Check /etc/samba/smb.conf ownership:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 242
# ls –lL /etc/samba/smb.conf
If /etc /samba /smb.conf is not owned by root, then this is a finding.
PDI:
7
Status Code:AUTO
Previously:
L050
IA Controls:
ECLP-1
PDI Description:
The smb.conf file is not owned by root.
Reference:
UNIX STIG: 4.24
4. GEN006120 – smb.conf Group Ownership
Check /etc/samba/smb.conf permissions:
If /etc /samba /smb.conf is not group owned by root, then this is a finding.
PDI:
6
Status Code:AUTO
Previously:
L051
IA Controls:
DCPR-1
PDI Description:
The smb.conf file is not group owned by root.
Reference:
UNIX STIG: 4.24
5. GEN006140 – smb.conf Permissions
Check /etc/samba/smb.conf permissions:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 243
If /etc /samba /smb.conf is more permissive than 644, then this is a finding.
PDI:
8
Status Code:AUTO
Previously:
L052
IA Controls:
PDI Description:
The smb.conf file is more permissive than 644.
Reference:
UNIX STIG: 4.24
6. GEN006160 – smbpasswd Ownership
Check /etc/samba/smbpasswd ownership:
# ls –lL /etc/samba/smbpasswd
If /etc /samba /smbpasswd is not owned by root, then this is a finding.
PDI:
9
Status Code:AUTO
Previously:
L054
IA Controls:
ECLP-1
PDI Description:
The smbpasswd file is not owned by root.
Reference:
UNIX STIG: 4.24
7. GEN006180 – smbpasswd Group Ownership
Check /etc/samba/smbpasswd ownership:
If /etc /samba /smbpasswd is not group owned by root, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 244
8
Status Code:AUTO
Previously:
L055
IA Controls:
ECLP-1
PDI Description:
The smbpasswd file is not group owned by root.
Reference:
UNIX STIG: 4.24
8. GEN006200 – smbpasswd Per missions
Check /etc/samba/smbpasswd permissions:
If /etc /samba /smbpasswd is more permissive than 600, then this is a finding.
PDI:
9
Status Code:AUTO
Previously:
L057
IA Controls:
PDI Description:
The smbpasswd file is more permissive than 600.
Reference:
UNIX STIG: 4.24
9. GEN006220 – smb.conf Configuration
Perform:
# more /etc/samba/smb.conf
1. Confirm the hosts allow restricts connections to the local network subnet mask(s) and the loopback
address. For example:
hosts allow = 192.168.1. 192.168.2. 127.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 245
2. The security option will be set to user . For example:
security = user
3. The encrypt passwords option will be set to y es . In addition, the smb password file option will
contain the path to the smbpasswd file. For example:
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
4. All guest entries in the shares definition section of the smb.conf file will be set to No . For example:
guest ok = no
If the smb.conf file is not configured per guidance, then this is a finding.
PDI:
0
Status Code:PART
Previously:
L056
IA Controls:
DCSS-1 DCCB-1, DCCB-2
PDI Description:
The smb.conf file is not configured to:
Set the hosts allow option to contain only the local
network subnet masks and the loopback address.
Set the security option to user.
Set the encrypt passwords option to yes.
Enter the path to the smbpasswd utility in the smb
password file option.
All guest entries in the shares definition section of
the smb.conf file will be set to no.
Reference:
UNIX STIG: 4.24
28. Internet Network News (INN)
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 246
1. GEN006240 – INN Documentation
Perform:
# ps –e | egrep “innd|nntpd”
If an Internet Network News server is running and not justified and documented by the IAO, then this is a
finding.
PDI:
3
Status Code:PART
Previously:
L040
IA Controls:
DCSW-1, DCSD-1
PDI Description:
An Internet Network News server is not justified and documented
by the IAO.
Reference:
UNIX STIG: 4.25
2. GEN006260 – /etc/news/hosts.nntp Permissions
Check /etc/news/hosts.nntp permissions:
# ls –lL /etc/news/hosts.nntp
If /etc/news/hosts.nntp is more permissive than 600, then this is a finding.
PDI:
3
Status Code:AUTO
Previously:
L154
IA Controls:
PDI Description:
The /etc/news/hosts.nntp file is more permissive than 600.
Reference:
UNIX STIG: 4.25
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 247
3. GEN006280 – /etc/news/hosts.nntp.nolimit Permissions
Check /etc/news/hosts.nntp.nolimit permissions:
# ls –lL /etc/news/hosts.nntp.nolimit
If /etc/news/hosts.nntp.nolimit is more permissive than 600, then this is a finding.
PDI:
4
Status Code:AUTO
Previously:
L156
IA Controls:
PDI Description:
The /etc/news/hosts.nntp.nolimit file is more permissive than 600.
Reference:
UNIX STIG: 4.25
4. GEN006300 – /etc/news/nnrp.access Permissions
Check /etc/news/nnrp.access permissions:
# ls –lL /etc/news/nnrp.access
If /etc/news/nnrp.access is more permissive than 600, then this is a finding.
PDI:
5
Status Code:AUTO
Previously:
L158
IA Controls:
PDI Description:
The /etc/news/nnrp.access file is more permissive than 600.
Reference:
UNIX STIG: 4.25
5. GEN006320 – /etc/news/passwd.nntp Permissions
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 248
Check /etc/news/passwd.nntp permissions:
# ls –lL /etc/news/passwd.nntp
If /etc/news/passwd.nntp is more permissive than 600, then this is a finding.
PDI:
6
Status Code:AUTO
Previously:
L160
IA Controls:
PDI Description:
The /etc/news/passwd.nntp file is more permissive than 600.
Reference:
UNIX STIG: 4.25
6. GEN006340 – /etc/news Files Ownership
Check /etc/news files ownership:
# ls –al /etc/news
If /etc /news files are not owned by root or news, then this is a finding.
PDI:
7
Status Code:AUTO
Previously:
L162
IA Controls:
ECLP-1
PDI Description:
The files contained in the /etc/news directory are not owned by
root or news.
Reference:
UNIX STIG: 4.25
7. GEN006360 – /etc/news Files Group Ownership
Check /etc/news files group ownership:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 249
# ls –al /etc/news
If /etc /news files are not group owned by root or news, then this is a finding.
PDI:
8
Status Code:AUTO
Previously:
L164
IA Controls:
ECLP-1
PDI Description:
The files contained in the /etc/news directory are not group
owned by root or news.
Reference:
UNIX STIG: 4.25
4. Network Based Authentication
1. Network Information Service (NIS)
1. GEN006380 – NIS/NIS+ Implemented Under UDP
# rpcinfo -p | grep yp | grep udp
If NIS/NIS+ is implemented under UDP, then this is a finding.
PDI:
9
:
Status Code:AUTO
Previously:
G663
IA Controls:
DCSW-1
PDI Description:
NIS/NIS+ is implemented under UDP.
Reference:
UNIX STIG: 5.1
2. GEN006400 – NIS Documentation
Peform the following to determine if NIS is active one the system:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 250
ps –ef |grep ypbind
If NIS is found active on the system, ask the SA if it’s use is documented with the IAO. If NIS use is not
documented, this is a finding.
PDI:
7
:
Status Code:PART
Previously:
G174
IA Controls:
DCSD-1
PDI Description:
The NIS protocol is in use and not justified and documented with
the IAO.
Reference:
UNIX STIG: 5.1
3. GEN006420 – NIS Maps Domain Names
To view the domainname for the NIS Maps to be stored under, perform the following:
# domainname
If the name returned is simple to guess, such as the organization name, building or room name, etc., then this is a
finding.
PDI:
6
Status Code: PART
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
NIS maps are not protected through hard-to-guess domain names.
Reference:
UNIX STIG: 5.1
2. Network Information Service Plus (NIS+)
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 251
1. GEN006440 – NIS Used as Opposed to NIS+
To determine if NIS is running on the system perform the following:
#
ps -ef | grep ypbind
If ypbind is running, then NIS running and this is a finding.
PDI:
6
Status Code:AUTO
Previously:
G173
IA Controls:
ECCD-1, ECCD-2
PDI Description:
The NIS protocol is used while the NIS+ protocol is available.
Reference:
UNIX STIG: 5.2
2. GEN006460 – NIS+ Server at Security Level 2
Perform the following to determine if security level two is implemented:
# niscat cred.org_dir
If the second column does not contain ‘DES’, then this is a finding.
PDI:
6
Status Code:AUTO
Previously:
G176
IA Controls:
DCSL-1
PDI Description:
The NIS+ server is not operating at security level 2.
Reference:
UNIX STIG: 5.2
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 252
5. UNIX Security Tools
1. UNIX Security Tools
1. GEN006480 – Host-Based Intrusion Detection Tool
A few applications that provide host-based network intrusion protection are:
Dragon Squire by Enterasys Networks
ITA by Symantec
Hostsentry by Psionic Software
Logcheck by Psionic Software
RealSecure agent by ISS
Swatch by Stanford University
Ask the SA or IAO if a host-based intrusion detection application is loaded on the system. Use the command:
#
find / -name <daemon name> -print
(where <daemon name> is the name of the primary application daemon) to determine if the application is loaded
on the system. Use the command:
#
ps –ef | grep <daemon name>
to determine if the application is active on the system.
PDI:
2
:
Status Code:PART
Previously:
G031
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 253
IA Controls:
ECID-1
PDI Description:
There is no host-based intrusion detection tool.
Reference:
UNIX STIG: 6
2. GEN006540 – System Vulnerabiltiy Assessment Tool
Perform the following to check for a security tool executing monthly:
#
crontab –l
Check for the existence of a vulnerability assessment tool being scheduled and run monthly. If no entries exist in
the crontab, ask the SA if a vulnerability tool is run monthly . In addition, if the tool is run monthly, ask to see
any reports that may have been generated from the tool. If a tool is not run monthly, then this a finding.
PDI:
9
:
Status Code:PART
Previously:
G190
IA Controls:
VIVM-1
PDI Description:
A system vulnerability assessment tool is not being run on the
system monthly.
Reference:
UNIX STIG: 6
3. GEN006560 – Security Tool Notifications
Perform:
find / -name (program name) –print
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 254
to check for the existence of security tools on the system. Ask the SA if the program is configured to notify the
IAO and SA if a breach is detected. This check must be justified and documented with the IAO.
PDI:
8
Status Code: PART
Previously:
N/A
IA Controls:
ECAT-1, ECAT-2
PDI Description:
The system vulnerability assessment tool, host-based intrusion
detection tool, and file system integrity baseline tool does not
notify the SA and the IAO of a security breach or a suspected
security breach.
Reference:
UNIX STIG: 6
2. Access Control Programs and TCP_WRAPPERS
1. GEN006580 – Access Control Program
To determine if tcp wrappers is installed perform the following:
Solaris, HP-UX , AIX and IRIX
# grep tcpd /etc/inetd.conf
Solaris 10
#
svcprop –p defaults inetd | grep tcp_wrappers
This should return a line with the following:
http://news.tbo.com/news/metro/MGB3WNDK34F.html
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 255
defaults/tcp_wrappers boolean true
If the above line contains the word false, then this is a finding on Solaris 10.
Solaris 8 or 9
# grep –i enable_tcpwrappers /etc/default/inetd
If the value returned is not set to yes and /etc/inetd.conf does not contain tcpd, then this is a finding.
Linux
# rpm –qa |grep tcpd
or
Check the services in the /etc/xinetd.d directory that are not disabled for an entry containing noaccess or only_
from.
Ensure an entry returns specifically for tcpd, not tcpdump .
PDI:
0
Status Code:AUTO
Previously:
G196
IA Controls:
EBCR-1, EBRP-1, EBRU-1, IAAC-1
PDI Description:
An access control program is not being used.
Reference:
UNIX STIG: 6.6
2. GEN006600 – Access Control Program Logging
Normally tcpd logs to the mail or daemon facility in /etc/syslog.conf.
determine if syslog is configured to log events by tcpd.
Perform the following to
# more /etc/syslog.conf
Look for entries similar to the following:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 256
mail.debug
/var/adm/maillog
mail.none
/var/adm/maillog
mail.*
/var/log/mail
auth.info
/var/log/messages
daemon.*
/var/log/messages
The above entries would indicate mail alerts are being logged. If no entries for mail exist, then tcpd is not
logging and this is a finding.
PDI:
1
Status Code:AUTO
Previously:
G197
IA Controls:
ECAN-1, ECAT-1, ECAT-2
PDI Description:
The access control program does not log each system access
attempt.
Reference:
UNIX STIG: 6.6
3. GEN006620 – Access Control Program Control System Access
Check for the existence of /etc/hosts.allow and /etc/hosts.deny:
#
ls –la /etc/hosts.allow
#
ls –la /etc/hosts.deny
# grep “ALL: ALL” /etc/hosts.deny
If the ‘ALL: ALL’ is in the /etc/hosts.deny file, then any tcp service from a host or network not listed in
the /etc/hosts.allow file will not be allowed access. If the entry is not in /etc/hosts.deny or if
either of the two files do not exist, then this is a finding.
PDI:
0
IA Controls:
Status Code: AUTO
Previously:
N/A
EBCR-1, EBRP-1, EBRU-1, IAAC-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 257
PDI Description:
The access control program is not configured to grant and deny
system access to specific hosts.
Reference:
UNIX STIG: 6.6
4. GEN006640 – Virus Protection Software
Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file. The
Mcafee command line scanner is available for most Unix/Linux operating systems. Additional tools specific for
each operating system are also available and will have to be manually reviewed if they are installed. In addition,
the defintions file should not be older than 14 days. Anti-Virus software can be obtained from https://
www.cert.mil.
Check if uvscan scheduled to run:
Solaris
# grep uvscan /var/spool/cron/crontabs/*
HP-UX
AIX
IRIX
Linux
# grep uvscan /var/spool/cron/*
# grep uvscan /etc/cron.d/*
# grep uvscan /etc/cron.daily/*
# grep uvscan /etc/cron.hourly/*
# grep uvscan /etc/cron.monthly/*
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 258
# grep uvscan /etc/cron.weekly/*
Perform the following to ensure the virus definition signature files are not older than 14 days.
# ls –la clean.dat names.dat scan.dat
If a virus scanner is not being run weekly or the virus definitions are older than 14 days, then this is a finding.
PDI:
5
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECVP-1
PDI Description:
An approved DOD virus scan program is not used and/or
updated.
Reference:
CTO 06-12
6. SUN SOLARIS
1. Removable Media
1. SOL00020 – /etc/rmmount.conf Configuration
# grep mount /etc/rmmount.conf
Confirm the nosuid option is configured, for example:
mount * hsgs udgs ufs –o nosuid
If the nosuid option is not configured in the /etc/rmmount.conf file, then this is a finding and must be
PDI:
SOL00020V001203 Category II
1
:
Status Code: AUTO
Previously:
N/A
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 259
IA Controls:
PDI Description:
The nosuid option is not configured in the /etc/rmmount.conf file.
Reference:
UNIX STIG: 8.1
2. The audit_user File
1. SOL00040 – audit_user User Auditing Levels
Perform:
#
more /etc/security/audit_user
If /etc/security/audit_user has entries other than root, ensure the users defined are audited with the
same flags as all users as defined in /etc/security/audit_control file.
PDI:
SOL00040V000435 Category:II
3
Status Code: PART
Previously:
G677
IA Controls:
DCSW-1
PDI Description:
The audit_user file has a different auditing level for specific users.
Reference:
UNIX STIG: 8.2
2. SOL00060 – audit_user Ownership
Check /etc/security/audit_user ownership:
# ls –lL /etc/security/audit_user
If / etc/security/audit_user is not owned by root, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 260
2
Status Code: AUTO
Previously:
G678
IA Controls:
ECTP-1
PDI Description:
The audit_user file is not owned by root.
Reference:
UNIX STIG: 8.2
3. SOL00080 – audit_user Group Ownership
Check /etc/security/audit_user group ownership:
If / etc/security/audit_user is not group owned by root, sys, or bin, then this is a finding.
PDI:
1
Status Code: AUTO
Previously:
G679
IA Controls:
ECTP-1
PDI Description:
The audit_user file is not group owned by root, sys, or bin.
Reference:
UNIX STIG: 8.2
4. SOL00100 – audit_user Permissions
Check /etc/security/audit_user permissions:
If / etc/security/audit_user is more permissive than 640, then this is a finding.
PDI:
5
Status Code: AUTO
Previously:
G680
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 261
IA Controls:
ECTP-1
PDI Description:
The audit_user file is more permissive than 640.
Reference:
UNIX STIG: 8.2
3. Automated Security Enhancement Tool (ASET)
1. SOL00120 – Aset Master Files Location
Verify that ASET is being used by:
#
crontab –l |grep aset
If there is an out put, then check to make sure that the files in question are in the /usr/aset/masters
directory by performing:
#
ls –l /usr/aset/masters
The following files should be in the listing: tune.high , tune.low , tune.med , and uid_aliases . If
the all of the files are not in the directory listing, then this is a finding.
PDI:
3
Status Code: AUTO
Previously:
G681
IA Controls:
DCSW-1
PDI Description:
Aset master files are not located in the /usr/aset/masters directory.
Reference:
UNIX STIG: 8.3
4. The uid_aliases File
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 262
1. SOL00140 – /usr/asset/masters/uid_aliases Content
# more /usr/aset/masters/uid_aliases
If fhe /usr/aset/masters/uid_aliases file is not empty or all contents are not commented out, then
this is a finding.
PDI:
2
Status Code: AUTO
Previously:
G682
IA Controls:
DCSW-1
PDI Description:
The /usr/aset/masters/uid_aliases file is not empty.
Reference:
UNIX STIG: 8.3.1
5. The asetenv File
1. SOL00160 – ASET Used on a Firewall
Peform the following to determine if ASET is being used:
#
crontab –l |grep aset
An a returned entry would indicate ASET is being utilized. Determine if ASET is configured to check firewall
settings by:
#
grep TASKS /usr/aset/asetenv | grep firewall
If an entry is not returned, then this is a finding.
PDI:
9
Status Code: PART
Previously:
G685
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 263
IA Controls:
DCSW-1
PDI Description:
ASET is used on a firewall system and the firewall parameters are
not in
/usr/aset/asetenv.
Reference:
UNIX STIG: 8.3.2
2. SOL00180 – ASET Environment Variables
Determine is ASET is being used by:
#
crontab –l | grep aset
Check the configuration of ASET by:
#
more /usr/aset/asetenv
If there are any changes below the following two lines that are not comments, this is a finding:
# Don't change from here on down ...
#
# there shouldn't be any reason to.
#
In addition, if any of the following lines do not match, this is a finding.
TASKS="firewall env sysconf usrgrp tune cklist eeprom"
CKLISTPATH_LOW=${ASETDIR}/tasks:#${ASETDIR} \
/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW};/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin: \
/usr/sbin:/usr/ucblib
YPCHECK=false
PERIODIC_SCHEDULE="0 0 * * *"
UID_ALIASES=${ASETDIR}/masters/uid_aliases
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 264
3
Status Code: PART
Previously:
SO05
IA Controls:
DCSW-1
PDI Description:
ASET environment variables in the asetenv file are not correct.
Reference:
UNIX STIG: 8.3.2
6. Running ASET
1. SOL00200 – NIS+ and YPCHECK
Perform the following to determine if ASET is configured to check NIS+:
#
grep YPCHECK /usr/aset/asetenv
If NIS+ is running and the YPCHECK variable is set to false, then this is a finding.
PDI:
4
Status Code: AUTO
Previously:
SO06
IA Controls:
DCSW-1
PDI Description:
NIS+ is configured on the Solaris system and YPCHECK is not set
to true.
Reference:
UNIX STIG: 8.3.3
2. SOL00220 – /usr/aset/userlist Content
Perform the following to determine if ASET is scheduled to run:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 265
#
crontab –l | grep aset
The default user list is /usr/aset/userlist. If the –u option is specified in the crontab entry, then the
userlist file is the argument supplied to the –u option. Perform:
#
more /usr/aset/userlist
If the file does not exist or if the file does not contain a list of the system usernames, then this is a finding.
PDI:
5
Status Code: AUTO
Previously:
SO07
IA Controls:
DCSW-1
PDI Description:
The /usr/aset/userlist file does not contain a list of all system users.
Reference:
UNIX STIG: 8.3.3
3. SOL00240 – /usr/asset/userlist Ownership
# ls –lL /usr/aset/userlist
If /usr/asset/userlist is not owned by root, then this is a finding.
PDI:
6
Status Code: AUTO
Previously:
SO08
IA Controls:
ECLP-1
PDI Description:
The /usr/aset/userlist file is not owned by root.
Reference:
UNIX STIG: 8.3.3
4. SOL00260 – /usr/asset/userlist Permissions
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 266
# ls –lL /usr/aset/userlist
If /usr/aset/userlist is more permissive than 600, then this is a finding.
PDI:
7
Status Code: AUTO
Previously:
SO09
IA Controls:
ECLP-1, IAAC-1, ECPA-1
PDI Description:
The /usr/aset/userlist file is more permissive than 600.
Reference:
UNIX STIG: 8.3.3
7. Electrically Erasable Programmable Read-only Memory (EEPROM)
1. SOL00300 – EEPROM security-mode Parameter
# eeprom | grep security-mode
If the EEPROM security-more parameter is not set to full or command , then this is a finding.
PDI:
8
Status Code: AUTO
Previously:
SO10
IA Controls:
PDI Description:
The EEPROM security-mode parameter is not set to full or
command mode.
Reference:
UNIX STIG: 8.4
8. Sun Answerbook2
1. SOL00360 – Sun Answerbook2 Script Access
Applicable to Solaris 2.5.1 through Solaris 5.8.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 267
# find / -name dhttpwd
If the Answerbook binary is found, p erform procedures in Appendix F, Patch Control, to check for the following
patches:
Solaris 5.5.1
110532-01
Solaris 5.5.1_x86
110538-01
Solaris 5.6
110532-01
Solaris 5.6_x86
110538-01
Solaris 5.7
110532-01
Solaris 5.7_x86
110538-01
Solaris 5.8
110532-01
Solaris 5.8_x86
110538-01
Apply the applicable patch or remove the binary/application to remediate this finding.
Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding,
for example a CAT II finding may be downgraded to a CAT III.
PDI:
SOL00360V000471 Category III
0
:
Status Code: AUTO
Previously:
V9756
IA Controls:
DSCQ-1
PDI Description:
A version of Sun AnswerBook2 allows unauthorized scripts
access.
Reference:
UNIX STIG: 8.5.1
2. SOL00380 – Sun Answerbook2 dwhttpd Format String
Applicable to Solaris 2.5.1 through Solaris 5.8.
# find / -name dhttpwd
If the Answerbook binary is found, p erform procedures in Appendix F, Patch Control, to check for the following
patches:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 268
Solaris 5.5.1
110531-01
Solaris 5.5.1_x86
110537-01
Solaris 5.6
110531-01
Solaris 5.6_x86
110537-01
Solaris 5.7
110531-01
Solaris 5.7_x86
110537-01
Solaris 5.8
110531-01
Solaris 5.8_x86
110537-01
PDI:
1
:
Status Code: AUTO
Previously:
V9758
IA Controls:
DCSQ-1
PDI Description:
A version of Sun AnswerBook2 was found vulnerable to the
dwhttpd format string vulnerability.
Reference:
UNIX STIG: 8.5.2
9. NFS Server Logging
1. SOL00400 – NFS Server Logging
To enable NFS server logging the ‘log’ option must be applied to all exported files systems in the /etc/dfs/
dfstab. Perform the following to verify NFS is enabled:
#
share
The preceding command will display all exported filesystems. Each line should contain a ‘log’ entry to indicate
logging is enabled. If the ‘log’ entry is not present then this is a finding. If the share command does not return
anything, then this is not an NFS server and this is considered Not Applicable.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 269
0
Status Code: AUTO
Previously:
G696
IA Controls:
DCHW-1
PDI Description:
An NFS server does not have logging implemented.
Reference:
UNIX STIG: 8.6
10. Extended File Attributes
1. SOL00420 – Hidden Extended File Attributes
This is applicable to Solaris 9, and later.
# find / -xattr –print -exec runat {} ls –al \;
If hidden extended file attributes exist, then this is a finding.
PDI:
2
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Hidden extended file attributes exist.
Reference:
UNIX STIG: 8.7
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 270
11. Root Default Group
1. SOL00440 – Group Account with gid of 0
This is applicable to Solaris 10, and later.
# more /etc/passwd
# more /etc/group
Confirm the only account with a group id of 0 is root.
If the root account is not the only account with gid of 0, then this is a finding.
PDI:
SOL00440V001203 Category I
3
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCS-2
PDI Description:
The root account is not the only account with gid of 0.
Reference:
UNIX STIG: 8.7
7. HEWLETT PACKARD UNIX (HP-UX)
1. Trusted Mode
1. HPUX0020 – Operating in Trusted Mode
To check if the system is in Trusted Mode the following file structure should exist:
# ls –la /tcb/files/auth/r/root
If the file does not exist, this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 271
HPUX0020V000096 Category II
0
:
Status Code: AUTO
Previously:
HP02
IA Controls:
DCSW-1
PDI Description:
System is not operating in trusted mode.
Reference:
UNIX STIG: 9.1
2. Trusted System Auditing
1. HPUX0040 – AUDMON_ARGS Flag Configuration
Determine if the following flags are set for auditing:
# tail /etc/rc.config.d/auditing
The AUDOMON_ARGS flag should be the last line in the file. Look at the arguments and compare them to -p
20, -t 1, -w 90. If any of these differ, this a finding.
PDI:
0
:
Status Code: AUTO
Previously:
HP14
IA Controls:
ECAT-1, ECAR-1
PDI Description:
HP-UX AUDOMON_ARGS flag is not set to STIG requirements:
-p 20, -t 1, -w 90.
Reference:
UNIX STIG: 9.1.1
3. The /etc/securetty File
1. HPUX0060 – /etc/securetty Ownership
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 272
# ls –lL /etc/securetty
If /etc/securetty is not owned root, then this is a finding.
PDI:
6
:
Status Code: AUTO
Previously:
HP08
IA Controls:
ECLP-1
PDI Description:
The /etc/securetty file is not owned by root.
Reference:
UNIX STIG: 9.1.1
2. HPUX0080 – / etc/securetty Group Owner
If /etc/securetty is not grup owned by root, sys, or bin, then this is a finding.
PDI:
5
:
Status Code: AUTO
Previously:
HP07
IA Controls:
ECLP-1
PDI Description:
The /etc/securetty file is not group owned by root, sys, or bin.
Reference:
UNIX STIG: 9.1.1
3. HPUX0100 – /etc/securetty Permissions
If /etc/securetty is more permissive than 640, then this is a finding.
PDI:
7
:
Status Code: AUTO
Previously:
HP09
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 273
IA Controls:
ECLP-1
PDI Description:
The /etc/securetty file is more permissive than 640.
Reference:
UNIX STIG: 9.1.1
8. IBM ADVANCED INTERACTIVE EXECUTIVE (AIX)
1. Security Structure
1. AIX00020 – TCB Software
Perform:
# /bin/tcbck
If TCB is not installed, the output will show an error code of 3001-101 and/or a text message that indicates TCB
is not installed. This will result in a finding.
PDI:
AIX00020V000096 Category II
9
:
Status Code: AUTO
Previously:
AIX02
IA Controls:
DCCS-1, DCCS-2
PDI Description:
TCB software is not implemented.
Reference:
UNIX STIG: 10.0
2. Network Security
1. AIX00040 – securetcpip Command
The securetcpip command is in /etc . If it is not there, this is a finding.
Perform:
# more /etc/security/config
If the stanza:
tcpip:
netrc = ftp, rexec
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 274
is not there, then this is a finding. The stanza indicates the securetcpip command, which disables all the
unsafe tcpip commands, (e.g., rsh, rlogin, tftp) has been executed.
PDI:
AIX00040
V0004284
Category II
:
Status Code: AUTO
Previously:
AIX07
MAC/Confidentiality Levels:MAC I – CSP, MAC II – CSP, MAC III – CSP
IA Controls:
DCSW-1
PDI Description:
The securetcpip command has not been used.
Reference:
UNIX STIG: 10.2
3. System Commands
1. AIX00060 – System Baseline for Files with TCB Bit Set
Perform the following command with no parameters to ensure the system is in trusted mode:
#
/bin/tcbck
If TCB is not installed, the output will show an error code of 3001-101 and/or a text message that indicates TCB
is not installed. If the output from the command indicates that it is not in trusted mode, mark this item Not
Reviewed. Otherwise, check the root crontab to verify tcbck is executed weekly. If it is not in the crontab,
ask the SA if the check is run manually and to see the results of the check.
PDI:
AIX00060
V0004287
Category II
:
Status Code: PART
Previously:
AIX10
IA Controls:
DCPR-1, VIVM-1
PDI Description:
A baseline of AIX files with the TCB bit set is not checked weekly.
Reference:
UNIX STIG: 10.3
4. Authentication
1. AIX00080 – SYSTEM Attribute
Examine the /etc/security/user file:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 275
#
grep SYSTEM /etc/security/user
If the line contains “SYSTEM=NONE” then this is a finding.
PDI:
AIX00080V001203 Category I
5
:
Status Code: AUTO
Previously:
N/A
IA Controls:
PDI Description:
The SYSTEM attribute is set to NONE.
Reference:
UNIX STIG: 10.4
9. SILICON GRAPHICS (SGI) IRIX
10. Xfsmd
1. IRIX0020 – The xmfsmd Service is Enabled
Check for the following line by performing:
#
more /etc/inetd.conf
sgi_xfsmd/1 stream rpc/tcp wait
root
/usr/etc/xfsmd
xfsmd
If this line is uncommented then this is a finding.
PDI:
IRIX0020
V0004705
Category I
:
Status Code: AUTO
Previously:
V9402
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 276
IA Controls:
DSCQ-1
PDI Description:
The xfsmd service is enabled.
Reference:
UNIX STIG: 11.1
11. LINUX
1. System BIOS Configuration
1. LNX00040 – Disable Boot From Removable Media
If the CM OS is not configured to disable the capability to boot from removable media (e.g., diskette), then this is
a finding.
PDI:
LNX00040V000101 Category:I
3
Status Code: MAN
Previously:
L007
IA Controls:
ECSC-1
PDI Description:
The CMOS is not configured to disable the capability to boot from
removable media (e.g., diskette).
Reference:
UNIX STIG: 12.2
2. Restricting the Boot Process
1. LNX00060 – Password Configuration Table Configuration
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 277
On x86 systems enter the system BIOS and confirm that a supervisor password is enabled. Some systems will
have only one password setting, while others may have both user and supervisor settings. On those with two
settings, ensure the supervisor password is enabled and set. If the system cannot be rebooted to confirm the
settings, ask the system administrator if a BIOS password is enabled. If it is not, then this is a finding.
PDI:
LNX00060V000424 Category II
6
:
Status Code: MAN
Previously:
L064
IA Controls:
DCPR-1
PDI Description:
The Password Configuration Table has the Supervisor Password
set to OFF or the User Password set to ON.
Reference:
UNIX STIG: 12.3
3. Boot Loaders
1. LNX00080 – Boot Diskette
Confirm /etc/lilo.conf or /boot/grub/grub.conf exist, if neither exists, ask the SA if they are
using a boot diskette as the boot loader.
If a boot diskette is implemented as the boot loader, then this is a finding.
PDI:
LNX00080V000424 Category I
7
:
Status Code: AUTO
Previously:
L066
IA Controls:
DCCB-1, DCCB-2
PDI Description:
A boot diskette is implemented as the boot loader.
Reference:
UNIX STIG: 12.4
2. LNX00100 – Default Boot Loader
Check for the presence of boot loader configuration files by:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 278
# test –f /etc/grub.conf
# echo $?
# test –f /etc/lilo.conf
# echo $?
If either of the echo statements return 1, the preceding file is not on the system. Grub is the preferred boot loader
for the system. If the LILO is being utilized, check for the presence of /etc/lilo.conf.crc which should
contain a hashed password. If it does not contain a hashed password or another third party boot loader is utilized
PDI:
8
:
Status Code: AUTO
Previously:
L068
IA Controls:
DCCB-1, DCCB-2
PDI Description:
The default boot loader does not support journeling and the
password cannot be encrypted and the host is not located in a
controlled access area accessible only by SAs and justified and
Reference:
UNIX STIG: 12.4
3. LNX00120 – /boot Partition
Ask the SA if the Linux /boot partition resides on removable media (e.g., cdrom, diskette). If so, ask the SA to
verify if it is stored securely under the direction of the security officer and is only used in emergencies. This is a
finding if the media is not stored in a secure location.
PDI:
5
Status Code: MAN
Previously:
L084
IA Controls:
PESS-1
PDI Description:
The /boot partition is on removable media and is not stored in a
secure container.
Reference:
UNIX STIG: 12.4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 279
4. Password Protecting the GRUB Console Boot Loader
1. LNX00140 – GRUB Boot Loader Encrypted Password
Perform the following to /etc/grub.conf or /boot/grub/menu.lst :
# more /boot/grub/menu.lst
timeout=10
password --md5 <password-hash>
This line should be just below the line that begins with timeout. Please note that <password-hash> will be
replaced by the actual md5 encrypted password. If the password line is not in either of the files, this is a finding.
PDI:
9
:
Status Code: AUTO
Previously:
L072
IA Controls:
DCCB-1, DCCB-2
PDI Description:
The GRUB Boot Loader does not use an MD5 encrypted
password.
Reference:
UNIX STIG: 12.4.1.1
2. LNX00160 – grub.conf Permissions
Check /etc/grub.conf permissions:
# ls –lL /etc/grub.conf
If /etc/grub.conf is more permissive than 600, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 280
LNX00160V000425 Category:II
0
Status Code: AUTO
Previously:
L074
IA Controls:
PDI Description:
The grub.conf is more permissive than 600.
Reference:
UNIX STIG: 12.4.1.2
5. Password Protecting the LILO Boot Loader
1. LNX00180 – LILO Global Password
Check for the password to precede the first image stanza in /etc/lilo.conf :
#
more /etc/lilo.conf
password=””
image=/boot/vmlinuz-2.4.20-6smp
If a password is not found, then this is a finding.
PDI:
2
:
Status Code: AUTO
Previously:
L078
IA Controls:
DCCB-1, DCCB-2, DCCS-1, DCCS-2
PDI Description:
LILO does not have a global password in the /etc/lilo.conf file.
Reference:
UNIX STIG: 12.4.1.2
2. LNX00200 – LILO Boot Loader Encrypted Password
On newer linux systems, the lilo password can be hashed in a separate file. To determine if the lilo password is
encrypted perform the following:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 281
# grep password /etc/lilo.conf
If the returned line contains password=”” , then perform the following:
# more /etc/lilo.conf.crc
If the file does not exist, this is a finding.
PDI:
6
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCCB-1, DCCB-2
PDI Description:
The LILO Boot Loader password is not encrypted.
Reference:
UNIX STIG: 12.4.1.2
3. LNX00220 – /etc/lilo.conf Permissions
Check /etc/lilo.conf permissions:
# ls –lL /etc/lilo.conf
If /etc/lilo.conf is more permissive than 600, then this is a finding.
PDI:
3
:
Status Code: AUTO
Previously:
L080
IA Controls:
PDI Description:
The /etc/lilo.conf file is more permissive than 600.
Reference:
UNIX STIG: 12.4.1.2
6. Filesystems
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 282
1. LNX00240 – Journaling
Perform the following to check for journaling:
# more /etc/fstab
Valid filesystem types that include journaling are ext3, reiserfs, jfs and xfs.
Note: the CD, floppy drives, proc, and, swap entries do not support ext3 .
PDI:
5
:
Status Code: PART
Previously:
L017
IA Controls:
DCCS-1, DCCS-2
PDI Description:
Journaling is not configured on the primary filesystem partitions
or journaling is not supported and not justified and documented
with the IAO.
Reference:
UNIX STIG: 12.5
7. Red Hat Kickstart and SuSE AutoYaST
1. LNX00260 – Kickstart or AutoYaST
On SuSE systems tftp must be running for AutoYaST to work properly. Check for tftp by:
#
chkconfig –-list tftp
If tftp is found, as the SA if the server is configured for AutoYaST.
Redhat systems utilize nfs and bootp to assist Kickstart. Perform:
# more /etc/exports
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 283
# more /etc/bootptab
and ask the SA if any of the exported file systems contain Kickstart images to be installed on a client.
PDI:
6
Status Code: MAN
Previously:
L088
IA Controls:
ECSD-1, ECSD-2
PDI Description:
Kickstart or AutoYaST are used outside an isolated development
LAN.
Reference:
UNIX STIG: 12.6
8. Dual Boot
1. LNX00280 – Capable of Dual Boot
Review the applicable boot loader configuration file to ensure it is capable of booting only one operating system.
For the grub boot loader, /etc/grub.conf should be reviewed. For the lilo boot loader, /etc/
lilo.conf should be reviewed. Locations for these file may differ on older versions of linux.
PDI:
6
:
Status Code: MAN
Previously:
L022
IA Controls:
DCPR-1
PDI Description:
A Linux system capable of booting multiple operating systems is
not justified and documented with the IAO.
Reference:
UNIX STIG: 12.7
9. Ugidd RPC Daemon
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 284
1. LNX00300 – The rpc.ugidd Daemon is Enabled
To check for the rpc.ugidd daemon perform:
#
chkconfig –list rpc.ugidd
Or
# ps –ef | grep –i ugidd
If the daemon is running or installed this is a finding.
PDI:
2
Status Code: AUTO
Previously:
L128
IA Controls:
DCPR-1
PDI Description:
The rpc.ugidd daemon is enabled.
Reference:
UNIX STIG: 12.8
10. Default Accounts
1. LNX00320 – Special Privileged Accounts
Perform the following to check for unnecessary privileged accounts:
# more /etc/passwd
Some examples of unnecessary privileged accounts include halt, shutdown, reboot and who.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 285
8
:
Status Code: AUTO
Previously:
L140
IA Controls:
IAAC-1, ECPA-1
PDI Description:
Special privilege accounts, such as shutdown and halt, have not
been deleted.
Reference:
UNIX STIG: 12.9
2. LNX00340 – Unnecessary Accounts
Perform the following to check for unnecessary user accounts:
# more /etc/passwd
Some examples of unnecessary accounts includes games, news, gopher, ftp.
PDI:
9
Status Code: AUTO
Previously:
L142
IA Controls:
IAAC-1
PDI Description:
Unnecessary accounts (e.g., games, news) and associated software
have not been deleted.
Reference:
UNIX STIG: 12.9
11. X Windows
1. LNX00360 – X Server Options Enabled
X servers get started several ways, such as xdm, gdm or xinit . Perform:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 286
ps –ef |grep X
Output for example:
/usr/X11R6/bin/X –nolisten –ctp –br vt7 –auth /var/lib/xdm/authdir/
authfiles/A:0
Check the Xservers file to ensure the following options are enabled:
-audit, -auth .
Xserver files can found in:
/etc/X11/xdm/Xservers
/etc/opt/kde3/share/config/kdm/Xservers
/etc/X11/gdm/Xservers
PDI:
1
Status Code: AUTO
Previously:
L032
IA Controls:
DCPR-1
PDI Description:
The X server does not have the correct options enabled.
Reference:
UNIX STIG: 12.10
2. LNX00380 – X Server Options Not Enabled
X servers get started several ways, such as xdm, gdm or xinit . Perform:
#
ps –ef |grep X
Output for example:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 287
/usr/X11R6/bin/X –nolisten –ctp –br vt7 –auth /var/lib/xdm/authdir/
authfiles/A:0
The above example show xdm is controlling the Xserver.
Check the Xservers file to ensure the following options are not enabled:
-ac, -core, and -nolock .
Xserver files can found in:
/etc/X11/xdm/Xservers
/etc/opt/kde3/share/config/kdm/Xservers
/etc/X11/gdm/Xservers
PDI:
2
Status Code: AUTO
Previously:
L034
IA Controls:
DCPR-1
PDI Description:
The X server has one of the following options enabled: -ac, -core
(except for debugging purposes), or -nolock.
Reference:
UNIX STIG: 12.10
12. Console Access
1. LNX00400 – Access File Ownership
Chec k file applicable to the system, login.access or access.conf.
Check /etc/login.access ownership:
# ls –lL /etc/login.access
Check /etc/ security/access.conf ownership:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 288
# ls –lL /etc/security/access.conf
If /etc/login.access or /etc/security/access.conf is not owned by root, then this is a finding.
PDI:
5
Status Code: AUTO
Previously:
L044
IA Controls:
ECLP-1
PDI Description:
The /etc/login.access or /etc/security/access.conf file is not owned
by root.
Reference:
UNIX STIG: 12.11
2. LNX00420 – Access File Group Ownership
Check file applicable to the system , login.access or access.conf.
.
If /etc/login.access or /etc/security/access.conf is not group owned by root, then this is a
finding.
PDI:
4
Status Code: AUTO
Previously:
L045
IA Controls:
ECLP-1
PDI Description:
The /etc/login.access or /etc/security/access.conf file is not group
owned by root.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 289
Reference:
UNIX STIG: 12.11
3. LNX00440 – Access File Permissions
Check file applicable to your system , login.access or access.conf.
.
If /etc/login.access or /etc/security/access.conf is more permissive than 640, then this is a
finding.
PDI:
5
Status Code: AUTO
Previously:
L046
IA Controls:
PDI Description:
The /etc/login.access or /etc/security/access.conf file is more
permissive than 640.
Reference:
UNIX STIG: 12.11
13. Kernel Configuration File
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 290
1. LNX00480 – /etc/sysctl.conf Ownership
Check /etc/sysctl.conf ownership:
# ls –lL /etc/sysctl.conf
or
# ls –lL /etc/sysconfig/sysctl
If /etc/sysctl.conf is not owned by root, then this is a finding.
PDI:
4
Status Code: AUTO
Previously:
L204
IA Controls:
ECLP-1
PDI Description:
The /etc/sysctl.conf file is not owned by root.
Reference:
UNIX STIG: 12.12
2. LNX00500 – /etc/sysctl.conf Group Ownership
Check /etc/sysctl.conf group ownership:
If /etc/sysctl.conf is not group owned by root, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 291
5
Status Code: AUTO
Previously:
L206
IA Controls:
ECLP-1
PDI Description:
The /etc/sysctl.conf file is not group owned by root.
Reference:
UNIX STIG: 12.12
3. LNX00520 – / etc/sysctl.conf Permissions
Check /etc/sysctl.conf permissions:
If /etc/sysctl.conf is more permissive than 600, then this is a finding.
PDI:
6
Status Code: AUTO
Previously:
L208
IA Controls:
PDI Description:
The /etc/sysctl.conf file is more permissive than 600.
Reference:
UNIX STIG: 12.12
14. NFS Server
1. LNX00540 – The insecure Option
Determine if an NFS server is running on the system by:
#
ps –ef |grep nfsd
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 292
If an NFS server is running, confirm that it is not configured with the insecure option by:
#
exportfs –v
The example below would be a finding:
/misc/export
PDI:
speedy.redhat.com(rw,insecure)
7
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCPR-1
PDI Description:
The insecure option is set.
Reference:
UNIX STIG: 12.13
2. LNX00560 – The insecure_locks Option
Determine if an NFS server is running on the system by:
#
ps –ef |grep nfsd
If an NFS server is running, confirm that it is not configured with the insecure_locks option by:
#
exportfs –v
The example below would be a finding:
/misc/export
PDI:
speedy.redhat.com(rw,insecure_locks)
9
:
Status Code: AUTO
Previously:
L214
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 293
IA Controls:
DCPR-1
PDI Description:
The insecure_locks option is set.
Reference:
UNIX STIG: 12.13
15. The /etc/inittab File
1. LNX00580 – Ctrl-Alt-Delete Sequence
Verify that Linux systems have disabled the <CTRL><ALT><DELETE> key sequence by performing:
# grep ctrlaltdel /etc/inittab
If the line returned is not commented out then this is a finding.
PDI:
2
Status Code: MAN
Previously:
L222
IA Controls:
DCPR-1
PDI Description:
The Ctrl-Alt-Delete sequence is not disabled and the system is not
located in a controlled access area accessible only by SAs.
Reference:
UNIX STIG: 12.14
16. Administrative Controls
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 294
1. LNX00600 – PAM Configuration
Ensure the pam_console.so module is not configured in any files in /etc/pam.d by:
#
cd /etc/pam.d
#
grep pam_console.so *
Or
#
ls –la /etc/security/console.perms
If either the pam_console.so entry or the file /etc/security/console.perms is found then this is a
finding.
PDI:
6
Status Code: AUTO
Previously:
L230
IA Controls:
DCCS-1, DCCS-2
PDI Description:
PAM grants sole access to admin privileges to the first user who
logs into the console.
Reference:
UNIX STIG: 12.16
17. The /etc/securetty File
1. LNX00620 – /etc/securetty Group Ownership
Check /etc/securetty group ownership:
If /etc/securetty is not group owned by root, sys, or bin, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 295
8
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECLP-1
PDI Description:
The /etc/securetty file is not group owned by root, sys, or bin.
Reference:
UNIX STIG: 12.17
2. LNX00640 – /etc/securetty Ownership
Check /etc/securetty ownership:
If /etc/securetty is not owned by root, then this is a finding.
PDI:
9
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECLP-1
PDI Description:
The /etc/securetty file is not owned by root.
Reference:
UNIX STIG: 12.17
3. LNX00660 – /etc/securetty Permissions
Check /etc/securetty permissions:
If /etc/securetty is more permissive than 640, then this is a finding.
PDI:
0
:
Status Code: AUTO
Previously:
N/A
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 296
IA Controls:
ECLP-1
PDI Description:
The /etc/securetty file is more permissive than 640.
Reference:
UNIX STIG: 12.17
18. RealPlayer
1. LNX00680 – RealPlayer Version
Check the Real Player version:
#
rpm –q RealPlayer
If the version returned is 8, then remove RealPlayer by:
#
PDI:
rpm –e RealPlayer
1
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSQ-1
PDI Description:
A vulnerable RealPlayer version is installed.
Reference:
UNIX STIG: 12.19
12. Information Assurance Vulnerability Management (IAVM)
1. IAVA0005 – 2001-A-0011 Format String Vulnerability in CDE ToolTalk
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 297
Vulnerable Systems:
HP HP-UX 10.10
HP HP-UX 10.20
HP HP-UX 10.24
HP HP-UX 11.00
HP HP-UX 11.04
HP HP-UX 11.11
IBM AIX 4.3
IBM AIX 5.1
SGI IRIX 5.2-6.4
Compaq Tru64 DIGITAL UNIX v4.0f
Compaq Tru64 DIGITAL UNIX v4.0g
Compaq Tru64 DIGITAL UNIX v5.0a
Compaq Tru64 DIGITAL UNIX v5.1
Compaq Tru64 DIGITAL UNIX v5.1a
Sun Solaris 1.1-1.2
Sun Solaris 2.0-2.7
Sun Solaris 7
Sun Solaris 8
Open Group
Caldera (SCO)
Xi Graphics
Compliance Checking:
Perform procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
Solaris
2.5.1
104489-15
Solaris
2.5.1_x86
105496-12
Solaris
2.6
Solaris
2.6x86
Solaris
2.7
Solaris
2.7x86
Solaris
2.8
Solaris
2.8x86
105802-19
105803-21
107893-21
107894-20
110286-14
110287-14
HP-UX
10.10
PHSS_26488
HP-UX
10.20
PHSS_29201
HP-UX
10.24
PHSS_29201
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 298
HP-UX
10.30
PHSS_16151
HP-UX
11.00
PHSS_32539
HP-UX
11.11
PHSS_33325
IRIX
6.5 and above
SG0004416
AIX
4.3
IY24387
AIX
5.1
IY23846
Remediation Guidelines:
for example a CAT I finding may be downgraded to a CAT II.
PDI:
IAVA0005V000099 Category I
8
:
Status Code: AUTO
Previously:
G345
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A vulnerable version of ToolTalk is running.
Reference:
IAVA 2001-A-0011
2. IAVA0010 – 1999-0002 TCP Wrappers Trojan Vulnerability
Vulnerable Systems:
Any system with a recent installation of TCP Wrappers
(primarily UNIX systems)
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 299
Look in the TCP Wrappers source code for the following added line:
#
grep "/bin/csh" tcpd.c
Or
Review the binary code for the following signature
#
strings tcpd |grep csh
Any output from the above commands is considered a finding.
Upgrade to, at the least, the required software release or remove the binary/application to remediate this
finding.
PDI:
2
:
Status Code: AUTO
Previously:
G357
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A TCP_WRAPPERS Trojan exists on the system.
Reference:
IAVA 1999-0002
3. IAVA0015 – 98-06 Qpopper Vulnerability
Vulnerable Systems:
Any OS running a POP server based on QUALCOMM's Qpopper
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 300
To determine if a system is vulnerable, first telnet to port 110 on
that host. If it is running a POP server, the banner will show the
version. For example:
# telnet yourmailhost.your.domain.com 110
Trying 123.123.123.123
Connected to mailhost
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting
In the above example, the POP server is QUALCOMM's Qpopper version 2.4, which is known to be a
vulnerable version.
IRIX
Check to see if the vulnerable subsystem is installed.
Versions 2.41 and prior of fw_BSDqpopper are vulnerable.
# versions -b fw_BSDqpopper
Name
Date
Description
I fw_BSDqpopper 07/01/97 BSD/Qualcomm POP (Post Office Protocol)
Server version 2.1.4
Upgrade to a BSDqpopper version greater than 2.1.4.
finding.
PDI:
IAVA0015V000100 Category II
5
:
Status Code: AUTO
Previously:
G361
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 301
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A QUALCOMM Post Office Protocol (POP) server is vulnerable.
Reference:
IAVA 98-06
4. IAVA0020 – 1998-A-0011 General Internet Message Access Protocol
Vulnerable Systems:
All platforms running IMAP or POP servers.
Perform the following to check if the mail servers are running:
# netstat -a | grep LISTEN | egrep \
“imap|pop|pop3|\.143|\.110”
#
An authorized user could type the
following to determine the version of IMAP:
#
telnet hostname 143
Likewise the following command can be used to check for POP-3 Servers:
#
telnet hostname 110
Use the procedures in Appendix F, Patch Control , to check if the following patches have been loaded:
Solaris Internet Mail Server
3.2
105935-09
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 302
3.2_x86
105936-09
2.0
105346-07
2.0_x86
105347-07
AIX 4.2.x
IX80446
AIX 4.3.x
IX80447
Red Hat
imap-4.1.final-1.i386.rpm
IRIX
Check to see if the vulnerable subsystem is installed.
4.1-BETA and prior of fw_imap are vulnerable.
# versions -b fw_imap
I fw_imap
07/31/98 imap-4.1.BETA U. of Washington
finding.
PDI:
6
:
Status Code: AUTO
Previously:
G363
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are Internet Message Protocol (IMAP) or Post Office
Protocol (POP) vulnerabilities.
Reference:
IAVA 1998-A-0011
5. IAVA0025 – 98-07 Buffer Overflow in Mail and News Clients
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 303
Vulnerable Systems:
Any OS running a vulnerable mail or news client, including
Netscape Messenger.
Use the procedures in Appendix F, Patch Control, to determine the following:
SOLARIS
2.5.1
104178-04
SOLARIS
2.5.1_x86
104185-04
SOLARIS
2.6
SOLARIS
2.6x86
SOLARIS
2.7
SOLARIS
2.7x86
HP-UX
10.10
105338-27
105339-25
107200-16
107201-16
PHSS_26488
HP-UX
10.20
PHSS_29202
HP-UX
10.24
PHSS_28173
HP-UX
10.30
PHSS_16151
HP-UX
11.00
PHSS_32539
HP-UX
11.04
PHSS_30807
HP-UX
11.11
PHSS_33325
PDI:
7
:
Status Code: AUTO
Previously:
G365
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 304
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A vulnerability exists in mime-aware mail and news clients.
Reference:
IAVA 98-07
6. IAVA0030 – 2000-A-0003 Gauntlet Firewall Buffer Overflow
Vulnerable Systems:
Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5
WebShield 300 series E-ppliance
WebShield For Solaris 4.0
WebShield 100 series E-ppliance
Ask the SA or IAO if they are running Gauntlet software, and which version. If the system is running less
than version 5.5 patch level 14 or version 6.0 patch level 4, this is a finding.
Perform procedures in Appendix F, Patch Control, to check for the following patches:
Solaris
cyber.patch
.
Upgrade to, at the least, the required software release, apply the applicable patch, or remove the binary/
application to remediate this finding.
PDI:
8
:
Status Code: AUTO
Previously:
G371
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 305
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Gauntlet Firewall for UNIX and WebShield Cyberdaemon has the
buffer overflow vulnerability.
Reference:
IAVA 2000-A-0003
7. IAVA0035 – 2001-T-0004 MySQLd Vulnerability
Vulnerable Systems:
MySQLd 3.23.32 and all previous versions
Perform the following to determine the version:
#
mysql –V
The version should be at least 3.23.38.
finding.
PDI:
4
:
Status Code: AUTO
Previously:
G373
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A system has a vulnerable version of MySQLD.
Reference:
IAVA 2001-T-0004
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 306
8. IAVA0040 – 2001-A-0007 iPlanet
Vulnerable Systems:
IPlanet
versions 4.1, service pack 8 and lower
#
./ns-httpd –v
finding.
PDI:
IAVA0040V000106 Category:I
7
Status Code: PART
Previously:
G505
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
iPlanet WEB servers expose sensitive data via a buffer overflow.
Reference:
IAVA 2001-A-0007
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 307
9. IAVA0045 – 2001-T-0008 BSD Telnet Daemon
Vulnerable Systems:
All current versions of BSD/OS are vulnerable.
OpenLinux 2.3
FreeBSD, Inc.
HP-UX 10.20
IBM AIX
Solaris
SuSE
Solaris
2.6
Solaris
2.6x86
Solaris
2.7
Solaris
2.7x86
Solaris
2.8
Solaris
2.8x86
HP-UX
10.01
PHNE_24820
HP-UX
10.10
PHNE_24820
HP-UX
10.20
PHNE_24821
HP-UX
SIS 10.20
HP-UX
10.24
AIX
4.3.3
AIX
5.1
106049-05
106050-05
107475-05
107476-05
110668-05
110669-05
PHNE_24822
PHNE_25217
IY22029
IY22021
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
IRIX
Page 308
6.5
SG0004354
PDI:
9
:
Status Code: AUTO
Previously:
G507
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The telnet daemon telrcv function is vulnerable to a buffer
overflow.
Reference:
IAVA 2001-T-0008
10. IAVA0050 – 2004-B-0015 – Sun JRE Bypass Vulnerability
Vulnerable Systems:
SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier
on the following platforms:
Solaris
Linux
To determine the version of Java on a system, the following command can be run:
#
java –fullversion
Or
#
java –version
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 309
The version should be at least 1.4.2_06 or 1.3.1_13.
finding.
PDI:
6
:
Status Code: MAN
Previously:
G508
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Vulnerability in Sun Java Runtime Environment Java Plug-in
JavaScript Security Restriction .
Reference:
IAVA 2004-B-0015
11. IAVA0055 – 2001-B-0002 HP OpenView and Tivoli NetView
Vulnerable Systems:
HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:
HP -UX releases 10.20 and 11.00 (only).
Sun Microsystems SOLARIS releases 2.X
Tivoli NetView Versions 5.x and 6.x on the following platforms:
IBM AIX
Sun Microsystems SOLARIS
Compaq Tru64 Unix
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 310
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded for
OpenView:
HP-UX 10.20
PHSS_24797
HP-UX 11.00
PHSS_24798
Solaris
PSOV_02988
To view the Tivoli Netview version:
The Tivoli Netview standard toolbar contains an About NetView(R) icon which displays the full name,
version number, and copyright information for the Tivoli NetView program. Upgrade to version 5.1.3 and 6.0.2
and apply patches from Tivoli.
Upgrade to, at the least, the required software release about icon, apply the applicable patch, or remove the
binary/application to remediate this finding.
PDI:
6
:
Status Code: AUTO
Previously:
G509
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Vulnerability in HP OpenView and IBM Tivoli NetView.
Reference:
IAVA 2001-B-0002
12. IAVA0060 – 2004-T-0038 – Sun Remote Denial of Service
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 311
Sun Java System Application Server 7.0.0 2004Q2
Sun Java System Application Server 7.0.0 Platform Edition Update 4 and earlier
Sun Java System Application Server 7.0.0 Standard Edition Update 4 and earlier
Sun Java System Web Server 6.0.0
Sun Java System Web Server 6.0.0 SP1, SP2, SP3, SP4, SP5, SP6, SP7
Sun Java System Web Server 6.1.0
Sun Java System Web Server 6.1.0 SP1
Sun Java System Web Server:
#
./ns-httpd –v
To determine the version of Sun Java System Application server, the following command can be run:
# <AS_INSTALL>/bin/asadmin version –verbose
(Where <AS_INSTALL> is the installation directory of the Application Server)
finding.
for example a CAT III finding may be downgraded to a CAT IV.
PDI:
IAVA0060V000501 Category III
7
:
Status Code: PART
Previously:
G510
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Remote denial of service vulnerability in Sun Java Web and
Application Servers.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 312
Reference:
IAVA 2004-T-0038
13. IAVA0065 – 2001-A-0013 SSH V1
Vulnerable Systems:
SSH1.5: 1.2.24 - 1.2.31
SSH1.5: 1.3.6 - 1.3.10
OpenSSH 1.2, 1.2.1 - 1.2.3
OpenSSH 2.1, 2.1.1, 2.2.0
SSH Communications Security SSH 1.2.23 through 1.2.31
SSH Communications Security SSH 2.x and 3.x (Version 1 fallback is enabled)
F-Secure SSH versions prior to 1.3.11-2
OSSH 1.5.7
Debian
FreeBSD
To get the version, perform:
#
telnet localhost 22
Or
#
strings (ssh or sshd) | grep –I version
Or
# ssh –V
OpenSSH 3.4 (required by IAVA0080)
SSH Communications Security SSH
SOLARIS 9 Integrated OpenSSH
SOLARIS 9_x86 Integrated OpenSSH
3.0.1 (required by IAVA0125)
113273-11
114858-08
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 313
PDI:
1
:
Status Code: AUTO
Previously:
G513
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
SSH is vulnerable to a remote integer overflow.
Reference:
IAVA 2001-A-0013
14. IAVA0075 – 2001-A-0009 Gauntlet SMAP/SMAPD Buffer Overflow
Vulnerable Systems:
Gauntlet for Unix versions 5.x
PGP e-ppliance 300 series version 1.0
McAfee e-ppliance 100 and 120 series
Gauntlet for Unix version 6.0
PGP e-ppliance 300 series versions 1.5, 2.0
PGP e-ppliance 1000 series versions 1.5, 2.0
McAfee WebShield for Solaris v4.1
Solaris
HP-UX
cyber.patch
PHCO_16723 or later
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 314
PDI:
2
Status Code: PART
Previously:
G515
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Gauntlet Firewall, WebShield CSMAP, and smap/smapd have a
buffer overflow vulnerability.
Reference:
IAVA 2001-A-0009
15. IAVA0080 – 2001-T-0017 OpenSSH
Vulnerable Systems:
OpenSSH versions prior to 2.1.1
OpenBSD
OpenSSH
FreeBSD
IBM
#
telnet localhost 22
Or
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 315
Or
# ssh –V
Upgrade to OpenSSH 3.0.2 or later.
finding.
PDI:
3
:
Status Code: AUTO
Previously:
G517
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The OpenSSH UseLogin feature has Multiple Vulnerabilities.
Reference:
IAVA 2001-T-0017
16. IAVA0085 – 2005-A-0014 Oracle E-Business Suite Vulnerabilities
Vulnerable Systems:
Oracle E-Business Suite 11.0.0
Oracle E-Business Suite 11i 11.5.0
Oracle E-Business Suite 11i 11.5.0 .10
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 316
Check for compliance by using the Oracle Installer, the GUI interface for installation. The patches listed are
spot checks for multiple-patch requirements based on version and platform. Please note whether each check is
for one of a group or requires two or more specific patches to complete the spot check.
Switch user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
Start the Oracle Installer with the command:
# $ORACLE_HOME/bin/runInstaller
When the Welcome screen displays, click on the Installed Products button at the bottom of the screen. Expand
each Oracle Home. If Oracle Collaboration suite is listed, then expand it view any installed patches.
Please ensure one of the below mentioned patches is installed;
4135540
4193286
4193293
4193299
4193301
4193307
4193312
4201702
4217570
4266635
4312525
Note: Repeat for each Oracle installation.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 317
PDI:
7
:
Status Code: MAN
Previously:
G518
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in Oracle E-Business and
Application Suite.
Reference:
IAVA 2005-A-0014
17. IAVA0090 – 2002-A-0001 CDE Buffer Overflow
Vulnerable Systems:
All Unix operating systems running CDE.
Solaris
2.5.1
108363-02
Solaris
2.5.1_x86
108364-02
Solaris
2.6
105669-11
Solaris
2.6_x86
Solaris
2.7
Solaris
2.7_x86
Solaris
2.8
Solaris
2.8_x86
105670-10
106934-04
106935-04
108949-07
108950-07
HP-UX 10.10
PHSS_25785
HP-UX 10.20
PHSS_25786
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
HP-UX 10.24
HP-UX 11.0
Page 318
PHSS_26029
PHSS_25787
HP-UX 11.04
PHSS_26030
HP-UX 11.11
PHSS_25788
IRIX 5.3
Patch will not be produced
IRIX 6.2 – 6.5.2
IRIX 6.5.3.1.1
SG0004416
SG0004416
AIX 4.3
IY06694
AIX 5.1
IX89419
PDI:
4
:
Status Code: AUTO
Previously:
G519
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The CDE Subprocess Control Service has a buffer overflow
vulnerability.
Reference:
IAVA 2002-A-0001
18. IAVA0095 – 2001-T-0015 LPD Vulnerabilities
Vulnerable Systems:
BSDi BSD/OS Version 4.1 and earlier
Debian GNU/Linux 2.1 and 2.1r4
All released versions of FreeBSD 3.x and 4.x prior to 4.4-RELEASE; FreeBSD 4.3-STABLE and 3.5.1-
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 319
STABLE prior to the correction date.
Hewlett-Packard HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20, 11.00, and 11.11
IBM AIX Versions 4.3 and AIX 5.1
Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
NetBSD 1.5.2 and earlier
OpenBSD Version 2.9 and earlier
Red Hat Linux 6.0, 6.2 all architectures
SCO OpenServer Version 5.0.6a and earlier
SGI IRIX 6.5-6.5.13
Sun Solaris 2.6, 7 and 8
SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2
Solaris 2.6
Solaris 2.6x86
Solaris 2.7
Solaris 2.7x86
Solaris 2.8
Solaris 2.8x86
106235-10
106236-10
107115-10
107116-10
109320-05
109321-05
HP-UX 10.01
PHCO_25107
HP-UX 10.10
PHCO_25108
HP-UX 10.20
PHCO_25109
HP-UX 11.00
PHCO_25110
HP-UX 11.11
PHCO_25111
HP-UX 11.20
PHCO_24868
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 320
IRIX 6.2 – 6.5.2
Patch not available
IRIX 6.5.3.1.1
Patch not available
AIX 4.3
IY23037
AIX 5.1
IY23041
Linux ALL
lpr package of version 0.48 or greater
PDI:
5
:
Status Code: AUTO
Previously:
G521
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are Multiple Vulnerabilities in the BSD line printer daemon.
Reference:
IAVA 2001-T-0015
19. IAVA0100 – 2005-T-0014 Multiple Vulnerabilities in Mozilla Firefox
Vulnerable Systems:
Mozilla Firefox 1.0.3 and earlier.
# find / -name firefox
If Firefox is found, confirm the version is 1.0.4 or later.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 321
# /<firefox_binary> -v
finding.
PDI:
9
:
Status Code: MAN
Previously:
G522
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in Mozilla Firefox.
Reference:
IAVA 2005-T-0014
20. IAVA0105 – 2001-A-0014 Login Daemon
Vulnerable Systems:
Sun Solaris 8/SunOS 5.8 and earlier
IBM 4.3 and 5.1
SCO OpenServer 5.0.6a and earlier
SGI 3.x
Solaris
2.5.1
106160-02
Solaris
2.5.1_x86
106161-02
Solaris
2.6
105665-04
Solaris
2.6_x86
105666-04
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Solaris
2.7
Solaris
2.7_x86
Solaris
2.8
Solaris
2.8_x86
Page 322
112300-01
112301-01
111085-02 – Obsoleted by 108993-02
111086-02 – Obsoleted by 108994-02
IRIX 3.x
Patch will not be available – upgrade to 6.5.13
AIX 4.3
IY26443
AIX 5.1
IY26221
PDI:
6
:
Status Code: AUTO
Previously:
G523
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The login utility has a buffer overflow vulnerability.
Reference:
IAVA 2001-A-0014
21. IAVA0110 – 2005-B-0012 PAWS DoS Vulnerability
Vulnerable Systems:
FreeBSD FreeBSD –prior to 5.4.0
OpenBSD OpenBSD 3.0.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 323
SCO Open Server 6.0.0
SCO Unixware 7.1.3
SCO Unixware 7.1.4
Ensure the SA has installed the applicable patch or upgraded to the latest non-vulnerable version of FreeBSD
and/or OpenBSD.
Patch OpenBSD with patch 015_tcp.patch.
FreeBSD
Download the relevant patch from the location below.
FreeBSD 4.x
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc
FreeBSD 5.x
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/
tcp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/
tcp.patch.asc
SCO
Upgrade the affected binaries from:
#
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.64
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 324
0
:
Status Code: MAN
Previously:
G524
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is a DoS PAWS vulnerability.
Reference:
IAVA 2005-B-0012
22. IAVA0115 – 2002-A-SNMP-0002, 2002-A-SNMP-003 SNMP
Vulnerable Systems:
CacheOS 3.1.22, 4.0.15, 4.1.02
Compaq
NonStop Himalaya Servers
TCP/ip Services for OpenVMS
Tru64 Unix
Insight Management Suite
Deskpro
Professional Workstation (Armada)
SANworks
Hewlett-Packard Company
HP 9000 Series 700 and Series 800 running HP-UX releases 10.X,11.X
HP Procurve switches
JetDirect Firmware (older versions only)
MC/ServiceGuard, EMS HA Monitors
iPlanet
Netscape Directory Server V4.12-V4.16 for Unix
iPlanet Directory Server V5.0SP1 & 5.1 for Unix
iPlanet Web Proxy Server V3.6 for Unix
Oracle
Oracle7 Database, Release 7.3.x
Oracle8 Database, Releases 8.0.x
Oracle8i Database, Releases 8.1.x
Oracle9i Database, Release 9.0.1.x
Sun Microsystems, Inc.
Solstice Enterprise Agents (SEA)
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 325
Concord Communications
eHealth Console version 5.0.2 P1
eHealth Console version 4.8 P8
eHealth TrapEXPLODER 1.3
Netscreen
ScreenOS - all versions
Solaris 2.6
Solaris 2.6_x86
Solaris 2.7
Solaris 2.7_x86
Solaris 2.8
Solaris 2.8_x86
106787-18
106872-18
107709-19
107710-19
108869-16
108870-16
HP-UX 10.20
PHSS_26137
HP-UX 11.00
PHSS_26138
AIX 4.3
IY17630
AIX 5.1
IY20943
Initially, this is a CAT I if the IAVA has not been applied. Additional requirements have been added:
If the snmp version is 3 or greater, this is not a finding .
If the snmp version is 1 or 2, or does not have all the patches, or has open IAVAs for snmp it is a CAT I.
If it is version 1 or 2, fully patched, with no snmp IAVAs open, but there is no formally documented plan to
migrate to version 3, it is a CAT II.
If it is version 1 or 2, is fully patched, and all IAVAs are applied, and there is a formally documented plan to
migrate to version 3, this is a CAT III.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 326
To check the version of snmpd :
1. Locate the snmpd daemon:
Solaris
/usr/lib/snmp/ snmpdx
HP-UX
/usr/sbin/ snmpd
Linux
/usr/sbin/ snmpd
AIX
/usr/sbin/ snmpdm
2. Find the version:
Solaris and HP-UX perform:
# strings SNMPDPROGRAM | grep snmpV
The version will show up as snmpV2 or snmpV3 . If it is version 1, no value is returned.
PDI:
5
Status Code: PART
Previously:
G525
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
SNMPv1 has vulnerable trap handling in the GetRequest and
GetnRequest routines.
Reference:
IAVA 2002-A-SNMP-002, 2002-A-SNMP-003
23. IAVA0120 – 2005-A-0005 Multiple Vulnerabilities in BIND
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 327
ISC BIND 9.3.0
ISC BIND 8.4.4
ISC BIND 8.4.5
To examine the version number of named perform:
#
find / -name named
#
find / -name in.named
#
what in.named/named | grep –i version
#
strings in.named/named | grep –i version
#
named –v
#
named –d0
BIND 8.4.4, 8.4.5, and 9.3.0 are vulnerable, if any of these versions of BIND are installed and/or running, then
this is a finding.
Upgrade to BIND 8.4.6 or later, or BIND 9.3.1 or later.
PDI:
7
Status Code: PART
Previously:
G526
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A vulnerable version of BIND is installed.
Reference:
IAVA 2005-A-0005
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 328
24. IAVA0125 – 2001-T-0018 SSH Short Password Vulnerability
Vulnerable Systems:
SSH Communications Security 3.0.0
SSH Communications Security 2.3 and 2.4, for HPUX 10.20 and 11.00 in (TCB)
Red Hat 6.2 Linux 6.1 thru 7.1
Solaris 2.6 thru 2.8
Caldera Linux 2.4
SuSE Linux 6.4 thru 7.0
This check only applies to SSH by Communications Security.
#
telnet localhost 22
Or
#
Or
# ssh –V
Upgrade to SSH Secure Shell 3.0.1 or later.
finding.
PDI:
6
:
IA Controls:
Status Code: PART
Previously:
G527
DCSQ-1, VIVM-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 329
PDI Description:
SSH, by Communications Security, has a short password
vulnerability.
Reference:
IAVA 2001-T-0018
25. IAVA0135 – 2001-B-0004 WU-FTPD
Vulnerable Systems:
Caldera thru 3.1
Cobalt QUBE 1.0
Connectiva thru 7.0
Debian thru 2.2
Mandrake thru 8.1
Red Hat thru 7.2
SuSE thru 7.3
immunix thru 7.0
and any other system using WU-FTPD or derivatives of it.
To determine the version of ftpd, issue the following command:
# strings /usr/sbin/in.ftpd | grep –I version
The version must be 2.6.2, or later, or this is a finding.
finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 330
7
Status Code: PART
Previously:
G529
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
WUFTPD Has A Remote Code Execution Vulnerability.
Reference:
IAVA 2001-B-0004
26. IAVA0140 – 2005-T-0008 Multiple Vulnerabilities in Ethereal Software
Vulnerable Systems:
All Linux and Solaris operating systems with Ethereal prior to 0.10.10 are vulnerable.
To determine the version of Ethereal, issue one of the following commands:
Load Ethereal and go to the Help->About Ethereal... menu item.
# ethereal –v
# tethereal -v
The version must be 0.10.10 or later, or this is a finding.
finding.
PDI:
9
:
Status Code: AUTO
Previously:
G530
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 331
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in Ethereal Software.
Reference:
IAVA 2005-A-0008
27. IAVA0145 – 2002-T-0004 KTH Kerberos IV and V
Vulnerable Systems:
KTH Kerberos Development Team
BSDi
OpenBSD
FreeBSD
NetBSD
This check is only applicable to KTH Kerberos version IV and V. MIT Kerberos is not vulnerable to this
condition. Patches are not available from the vendor at this time. Strictly enforce the client's preferences and
abort the connection if authentication or encryption cannot be negotiated. Reference OpenBSD and FreeBSD
man pages for telnet syntax to abort the connection if authentication or encryption cannot be negotiated.
Patches distributed by third parties other than KTH Kerberos are not recommended solutions due to the potential
for unreliability/interoperability issues and insecure or malicious coding.
PDI:
5
:
Status Code: PART
Previously:
G531
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Kerberos IV and V implementations have a telnet encryption
vulnerability.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 332
Reference:
IAVA 2002-T-0004
28. IAVA0150 – 2005-T-0010 Multiple Vulnerabilities in Sybase Software
Vulnerable Systems:
Sybase Adaptive Server Enterprise 12.5.3 and prior.
To determine the version of Sybase, perform the following:
#
/usr/sybase/ASE-12_5/bin/dataserver –v
Upgrade to ASE 12.5.3 ESD#1 or later.
finding.
PDI:
0
:
Status Code: MAN
Previously:
G532
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in Sybase Software.
Reference:
IAVA 2005-T-0010
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 333
29. IAVA0155 – 2002-T-0008 Cachefsd Daemon
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
Solaris 5.9_x86
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
104849-09
104848-09
105693-13
105694-13
Solaris 5.7
108800-02
Solaris 5.7_x86
108801-02
Solaris 5.8
110896-02
Solaris 5.8_x86
110897-02
Solaris 5.9
114008-01
Solaris 5.9_x86
114009-01
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 334
PDI:
9
:
Status Code: AUTO
Previously:
G533
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A buffer overflow vulnerability exists in the Sun Solaris cachefsd
daemon.
Reference:
IAVA 2002-T-0008
30. IAVA0160 – 2005-T-0017 IBM WebSphere Application Server
Vulnerable Systems:
IBM Websphere Application Server 5.0.2
IBM Websphere Application Server 5.0.2 .1
To determine the version of IBM Websphere Application Server, perform one of the following:
#
versionInfo
Or
#
genVersionReport
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 335
Generates the versionReport.html report file in the bin directory on Linux and UNIX-based platforms, or on
Windows platforms. The report includes the list of components, fixes, and fix packs.
Upgrade to version 5.0.2.11 or later.
finding.
PDI:
1
:
Status Code: PART
Previously:
G534
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
IBM WebSphere Application Server Administrative Console
Buffer Overflow Vulnerability.
Reference:
IAVA 2005-T-0017
31. IAVA0165 – 2002-T-0009 Rpc.walld Service
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 336
Solaris 5.9
Solaris 5.5.1
112891-01
Solaris 5.5.1_x86
112892-01
Solaris 5.6
112893-01
Solaris 5.6_x86
112894-01
Solaris 5.7
112899-01
Solaris 5.7_x86
112900-01
Solaris 5.8
112846-01
Solaris 5.8_x86
112847-01
Solaris 5.9
112875-01
PDI:
3
:
Status Code: AUTO
Previously:
G535
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The Solaris rpc.rwall daemon service has a message format string
vulnerability.
Reference:
IAVA 2002-T-0009
32. IAVA0170 – 2005-T-0024 – Sun JRE Privilege Escalation Vulnerability
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 337
Blackdown Java 2 Runtime Environment 1.4.1
Blackdown Java 2 Runtime Environment 1.4.2
Blackdown Java 2 Runtime Environment 1.4.2 -01
Blackdown Java 2 Standard Edition SDK 1.4.1
Blackdown Java 2 Standard Edition SDK 1.4.2
Blackdown Java 2 Standard Edition SDK 1.4.2 -01
Conectiva Linux 10.0.0
Gentoo Linux
S.u.S.E. Linux Desktop 1.0.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Enterprise Server for S/390 9.0.0
S.u.S.E. Linux Personal 8.2.0
S.u.S.E. Linux Personal 9.0.0 x86_64
S.u.S.E. Linux Professional 8.2.0
S.u.S.E. Linux Professional 9.0.0 x86_64
S.u.S.E. Novell Linux Desktop 9.0.0
S.u.S.E. Open-Enterprise-Server 9.0.0
Slackware Linux -current
Slackware Linux 8.1.0
Sun Java 2 Runtime Environment 1.4.2
Sun Java 2 Runtime Environment 1.4.2 _01
Sun Java 2 Runtime Environment 1.5.0
Sun Java 2 Runtime Environment 1.5.0 .0_01
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 338
Sun Java 2 Standard Edition SDK 1.4.2
Sun Java 2 Standard Edition SDK 1.4.2 _01
Sun Java 2 Standard Edition SDK 1.5.0
Sun Java 2 Standard Edition SDK 1.5.0 .0_01
# java –fullversion
Or
#
java –version
The version for 1.5 systems should be at least 1.5.0_02. The version for 1.4.2 systems should be at least 1.4.2_
08.
finding.
PDI:
2
:
Status Code: MAN
Previously:
G536
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is a Sun JRE Privilege Escalation Vulnerability.
Reference:
IAVA 2005-T-0024
33. IAVA0175 – 2002-T-0011 OpenSSH Challenge Response
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 339
Vulnerable Systems:
OpenSSH: Versions 2.3.1p1 through version 3.3 are vulnerable.
OpenLinux 3.1.1 Server prior to and including openssh-3.2.3p1-2
OpenLinux 3.1.1 Workstation prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Server prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Workstation prior to and including openssh-3.2.3p1-2
CONECTIVA LINUX
Debian
6.0, 7.0, 8
FreeBSD
HP-UX Secure Shell A.03.10
HP-UX 11.11
HP-UX 11.0
Mandrake 7.1, 7.2, 8.0, 8.1, 8.2
Mandrake Corporate Server 1.0.1, Single Network Firewall 7.2
NetBSD-1.6_BETAx
NetBSD-1.5.2
NetBSD-1.5.1
NetBSD-1.5
OpenBSD
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
SuSE
Trustix Secure Linux 1.1, 1.2, 1.5
OpenSSH versions 2.9.9 through 3.3 are vulnerable if the challenge response handling mechanism is
enabled. 2.3.1p1 through version 3.3 are susceptible to the vulnerability involving the PAM module using
interactive keyboard authentication.
To determine the version:
#
ssh –V
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 340
If the version of OpenSSH is less than 3.4, find and view the sshd_config file to make sure the
KbdInteractiveAuthentication and ChallengeResponseAuthentication options are set to no . If either one is yes,
or if the options are not in the sshd_config file, then this is a finding.
For SUN SSH distributed with Solaris 9:
The version of OpenSSH that is in Solaris 9 is not believed to be vulnerable if the default configuration is used. If
sshd_config (4) has been updated so that BOTH of the following entries are present then it is vulnerable.
PAMAuthenticationViaKBDInt yes
KbdInteractiveAuthentication yes
Use the procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
Solaris 5.9
113273-01
Solaris 5.9x86
114858-01
RedHat
openssh-3.1p1-5.src.rpm
SuSE
openssh-3.3p1-6.src.rpm
PDI:
6
:
Status Code: AUTO
Previously:
G537
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are vulnerabilities in the OpenSSH Challenge Response
Handling routine.
Reference:
IAVA 2002-T-0011
34. IAVA0180 – 2005-T-0025 Vulnerabilities in Adobe Reader
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 341
Vulnerable Systems:
Adobe Acrobat Reader (UNIX) 5.0.9
Linux (all versions)
Solaris (all versions)
HP-UX (all versions)
IBM-AIX (all versions)
To determine the version perform the following:
1. Launch Acrobat Reader by executing /bin/acroread
2. Select "help" menu option, and
3. Select "about Acrobat Reader."
Linux and Solaris Platforms
Update to Adobe Reader 7.0.1
IBM-AIX and HP-UX Platforms
Update to Adobe Acrobat Reader 5.0.11
finding.
PDI:
5
:
IA Controls:
Status Code: PART
Previously:
G538
DCSQ-1, VIVM-1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 342
PDI Description:
There are multiple vulnerabilities in Adobe Acrobat/Adobe Reader
Software.
Reference:
IAVA 2005-T-0025
35. IAVA0185 – 2005-T-0027 MIT Kerberos Multiple Vulnerabilities
Vulnerable Systems:
All MIT Kerberos 5 releases up to and including krb5-1.4.1 are vulnerable. Third party application servers
employing Kerberos 5 may be vulnerable as well.
To determine the Kerberos version:
#
strings libkrb5.so | grep BRAND
Solaris 5.8
112237-13
Solaris 5.8_x86
112240-10
Solaris 5.9
112908-20
Solaris 5.9_x86
Solaris 5.10
115168-08
120469-01
Solaris 5.10_x86
RedHat
120470-01
krb5-workstation-1.4.1-5.i386.rpm
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 343
3
:
Status Code: AUTO
Previously:
G539
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected a MIT Kerberos vulnerability that causes a denial of
service.
Reference:
IAVA 2005-T-0027
36. IAVA0190 – 2005-T-0033 Adobe Reader Buffer Overflow
Vulnerable Systems:
Adobe Acrobat
Adobe Acrobat 5.0.0
Adobe Acrobat 5.0.5
Adobe Acrobat 6.0.0
Adobe Acrobat 6.0.1
Adobe Acrobat 6.0.2
Adobe Acrobat 6.0.3
Adobe Acrobat 7.0.0
Adobe Acrobat 7.0.1
Adobe Acrobat 7.0.2
Adobe Acrobat Reader
Adobe Acrobat Reader 5.1.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 344
4. Select "about Acrobat Reader."
The version for all unix systems should be at least 7.0.1.
finding.
PDI:
4
:
Status Code: PART
Previously:
G540
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Adobe Acrobat and Adobe Reader Remote Buffer Overflow
Vulnerability.
Reference:
IAVA 2005-T-0033
37. IAVA0195 – 2002-T-0012 CDE Vulnerability
Vulnerable Systems:
All Unix operating systems running CDE ToolTalk
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 345
Use the procedures in Appendix F, Patch Control, to check if the following patches or package versions have
been loaded:
SOLARIS
Solaris 2.5.1
104489-15
Solaris 2.5.1_x86
105496-13
Solaris 2.6
105802-19
Solaris 2.6x86
Solaris 2.7
Solaris 2.7x86
Solaris 2.8
Solaris 2.8x86
Solaris 2.9
105803-21
107893-20
107894-19
110286-10
110287-10
112808-03
HP-UX
HP-UX 10.10
Replace daemon
HP-UX 10.20
PHSS_27426
HP-UX 11.00
PHSS_27427
HP-UX 11.11
Replace daemon
IRIX
IRIX 6.2 – 6.5.2
IRIX 6.5.3.1.1
Patch 4799
Patch 4799
AIX
AIX 4.3.3
IY32368
AIX5.1.1.
IY32370
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 346
PDI:
2
:
Status Code: AUTO
Previously:
G541
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in the Common Desktop
Environment Tooltalk database server, rpc.ttdbserverd.
Reference:
IAVA 2002-T-0012
38. IAVA0210 – 2005-T-0038 Java System Server JAR Disclosure
Vulnerable Systems:
SPARC Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Applciation Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Applciation Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch
119169-01 or (SVR4) patch 119166-06
x86 Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch
119170-01 or (SVR4) patch 119167-06
Linux Platform
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 347
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch
119171-01 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-05
To determine the version of Sun Java System Application server, the following command can be run:
# <AS_INSTALL>/bin/asadmin version --verbose
(Where <AS_INSTALL> is the installation directory of the Application Server)
Perform procedures in Appendix F, Patch Control, to check for one of the patches:
SPARC Platform
x86 Platform
Linux
119169-01
119170-01
119171-01
or
or
or
119166-06
119167-06
119168-05
PDI:
7
:
Status Code: PART
Previously:
G544
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Sun Java System Application Server information disclosure
vulnerability.
Reference:
IAVA 2005-T-0038
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 348
39. IAVA0215 – 2002-A-0004 OpenSSL Vulnerability
Vulnerable Systems:
Any product using one of the following:
OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2
OpenSSL pre-release 0.9.7-beta2 and prior with Kerberos enabled
SSLeay library
Locate the binary openssl:
# find / -name openssl
# ./openssl version
The required version must be 0.9.6e or 0.9.7-beta3 or higher.
finding.
PDI:
6
:
Status Code: AUTO
Previously:
G545
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
OpenSSL has multiple vulnerabilities.
Reference:
IAVA 2002-A-0004
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 349
40. IAVA0225 – 2002-B-0003 PHP Vulnerabilities
Vulnerable Systems:
PHP 3.0.10-3.0.18
PHP 4.0.1-4.0.3pl1
PHP 4.0.2-4.0.5
PHP 4.0.6-4.0.7RC2
PHP 4.0.7RC3-4.1.1
PHP 4.2.0 and 4.2.1
Locate the directory where the web server html documents are stored. Create a file by:
#
echo “<? phpinfo(); ?>”>fso.php
Direct a web browser to http://localhost/fso.php and examine the screen for the version. Under the HTTP
Response Headers, the X-Powered-By row will show the PHP version.
Or
#
php -v
The required version is PHP-4.2.3 or higher.
finding.
PDI:
7
:
Status Code: PART
Previously:
G547
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 350
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The Hypertext Preprocessor - PHP versions 4.2.0 and 4.2.1 - has
multiple vulnerabilities.
Reference:
IAVA 2002-B-0003
41. IAVA0235 – 2002-T-0015 XDR-Libraries
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
HP-UX 10.01
HP-UX 10.10
HP-UX 10.20
HP-UX 11.00
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
103640-42
103641-42
105401-39
105402-39
PLUS
PLUS
106639-07
106640-07
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 351
Solaris 5.7
106942-22
PLUS
108451-06
Solaris 5.7_x86
106943-22
PLUS
108452-06
Solaris 5.8
108827-30 – Obsoleted by 108993-18
PLUS
108901-06 – Obsoleted by 108528-24
Solaris 5.8_x86
108828-31 – Obsoleted by 108994-18
PLUS
108902-05 – Obsoleted by 108529-24
Solaris 5.9
HP-UX 10.01
113319-01
PLUS
112233-02
Patch will not be available – upgrade to 11.0 or higher
HP-UX 10.10
Patch will not be available – upgrade to 11.0 or higher
HP-UX 10.20
PHNE_25234
HP-UX 11.00
PHNE_26387
PDI:
8
:
Status Code: AUTO
Previously:
G549
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Sun remote procedure call (Sun-Rpc) derived external data
representation (XDR) libraries contain an integer overflow
vulnerability.
Reference:
IAVA 2002-T-0015
42. IAVA0245 – 2002-T-0016 KAdmind
Vulnerable Systems:
Conectiva Linux 8.0 running MIT Kerberos 5 1.2.3
Debian GNU/Linux 3.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 352
FreeBSD 4.4
FreeBSD 4.5
FreeBSD 4.6
FreeBSD 4.7
Kerberos 4 Release 1.2
Kerberos 5
MandrakeSoft 8.1
MandrakeSoft 8.2
MandrakeSoft 9.0
MIT Kerberos 5, up to and including krb5-1.2.6.
All Kerberos 4 implementations derived from MIT Kerberos 4
OpenBSD 3.0
OpenBSD 3.1
OpenBSD 3.2
Red Hat 6.2
Red Hat 7.0
Red Hat 7.1
Red Hat 7.2
Red Hat 7.3
Red Hat 8.0
The version for Kerberos can be checked either with:
# krb5-config –version
Or
#
strings libkrb5.so | grep –i brand
The version must be 1.2.5-7 or higher.
finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 353
PDI:
9
Status Code: PART
Previously:
G551
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Kadmind has a remote buffer overflow vulnerability.
Reference:
IAVA 2002-T-0016
43. IAVA0250 – 2005-A-0019 Oracle Applications Vulnerabilities
Vulnerable Systems:
Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
Oracle E-Business Suite and Applications Release 11.0
Oracle JInitiator, versions 1.1.8, 1.3.1
Oracle Workflow, versions 11.5.1 through 11.5.9.5
spot checks for mulitiple-patch requirements based on version and platform. Please note whether each check is
Swith user to an account used for Oracle installations. This will ensure the environment variables are set
correctly.
$ORACLE_HOME/bin/runInstaller
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 354
each Oracle Home. If Oracle Database Server, Oracle Application Server, or Oracle HTTP Server is/are listed,
then expand the Oneoffs selection and view the installed patches.
3966175
4074867
PDI:
4
:
Status Code: MAN
Previously:
G552
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Applications Suite.
Reference:
IAVA 2005-A-0019
44. IAVA0255 – 2002-T-0017 X Font Server
Vulnerable Systems:
Solaris 5.6
Solaris 5.6x86
Solaris 5.7
Solaris 5.7x86
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 355
Solaris 5.8
Solaris 5.8x86
Solaris 5.9
HP-UX 10.20
HP-UX 11.0
HP-UX 11.11
HP-UX 11.12
AIX 4.3.3
AIX 5.1.0
AIX 5.2.0
Use the procedures in Appendix F, Patch Control, to check for these patches or versions:
Solaris 5.6
Solaris 5.6x86
Solaris 5.7
Solaris 5.7x86
Solaris 5.8
Solaris 5.8x86
Solaris 5.9
108129-05
108130-05
108117-06
108118-06
109862-03
109863-03
113923-02
HP-UX 10.20
PHSS_28468
HP-UX 11.0
PHSS_28469
HP-UX 11.11
PHSS_28470
HP-UX 11.12
PHSS_28471
AIX 4.3.3
IY37888
AIX 5.1.0
IY37886
AIX 5.2.0
IY37889
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 356
PDI:
4
:
Status Code: PART
Previously:
G553
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is an X Font server buffer overflow vulnerability.
Reference:
IAVA 2002-T-0017
45. IAVA0260 – 2005-A-0034 Oracle Applications Vulnerabilities
Vulnerable Systems:
Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
Oracle E-Business Suite and Applications Release 11.0
Oracle JInitiator, versions 1.1.8, 1.3.1
Oracle Workflow, versions 11.5.1 through 11.5.9.5
spot checks for mulitiple-patch requirements based on version and platform. Please note whether each check is
correctly.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 357
each Oracle Home. If Oracle Database Server, Oracle Application Server, or Oracle HTTP Server is/are listed,
then expand the Oneoffs selection and view the installed patches.
3904641
4613714
PDI:
5
:
Status Code: MAN
Previously:
G554
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Applications Suite.
Reference:
IAVA 2005-A-0034
46. IAVA0270 – 2000-B-0008 BIND 8.2.2-P6 DoS Vulnerabilities
Vulnerable Systems:
Caldera OpenLinux Desktop 2.3
Caldera UnixWare 7.1.1
Conectiva Linux 6.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 358
Conectiva Linux 5.1
Conectiva Linux 5.0
Conectiva Linux 4.2
Conectiva Linux 4.1
Conectiva Linux 4.0 es
Conectiva Linux 4.0
Debian Linux 2.3
Debian Linux 2.2
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Linux Mandrake 7.2
MandrakeSoft Single Network Firewall 7.2
RedHat Linux 7.0 J
RedHat Linux 6.2
RedHat Linux 6.1
RedHat Linux 6.0
RedHat Linux 6.0
RedHat Linux 5.2
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.0
SCO eDesktop 2.4
SCO eServer 2.3
Trustix Trustix Secure Linux 1.1
Trustix Trustix Secure Linux 1.0
#
find / -name named
#
#
#
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 359
BIND 8.2.2 through 8.2.2P6 (BIND 8.2.2P7 and 8.2.3 are not vulnerable) is vulnerable.
Upgrade to BIND 8.2.3 or later.
finding.
PDI:
8
Status Code: PART
Previously:
G556
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2000-B-0008
47. IAVA0275 – 2001-A-0001 Buffer Overflows in ISC BIND
Vulnerable Systems:
BIND 8.2.2
BIND 4.9.5 - 4.9.7
BIND 4.9.3 - 4.9.5-P1
#
find / -name named
#
#
#
#
named –v
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 360
named –d0
Users of BIND 4.9.x or 8.2.2 must upgrade to BIND 8.2.3 or later, or BIND 9.1 or later.
Because BIND 4 is no longer actively maintained, users must upgrade to either BIND 8.2.3 or later, or BIND 9.1
or later
finding.
PDI:
9
Status Code: PART
Previously:
G557
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2001-A-0001
48. IAVA0280 – 2002-A-0006 Multiple Vulnerabilities in ISC BIND 4 and 8
Vulnerable Systems:
BIND versions 4.9.2 to 4.9.10
BIND versions 8.1
BIND versions 8.2 to 8.2.6
BIND versions 8.3.0 to 8.3.3
Conectiva Linux 6.0
Debian Linux 3.0
Debian Linux 2.2
Secure Linux 1.0.1
FreeBSD 4.4, 4.5, 4.6, 4.7
Mandrake Linux 7.2
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 361
OpenBSD 3.0, 3.1, 3.2
OpenPKG 1.0, 1.1
Openwall GNU/*/Linux
SuSE 7.0, 7.1, 7.2, 7.3, 8.0, 8.1
SuSE Linux Database Server
SuSE eMail Server III, 3.1
SuSE Firewall
SuSE Linux Enterprise Server for S/390
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Trustix Secure Linux 1.5
Trustix Secure Linux 1.2
#
find / -name named
#
#
#
#
named –v
#
named –d0
Upgrade to BIND 8.4.6 or later, or 9.2.1 or later.
finding.
PDI:
0
Status Code: PART
Previously:
G558
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 362
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Reference:
IAVA 2002-A-0006
49. IAVA0285 – 2003-B-0001 DNS Vulnerabilities – Various Libraries
Vulnerable Systems:
Caldera
Compaq
Conectiva
Debian
Engarde
FreeBSD
GNU
Hewlett-Packard (HP)
IBM AIX
Internet Software Consortium (ISC) BIND
Mandrake
NetBSD
OpenBSD
Red Hat
SCO
Sun Microsystems
Trustix
#
find / -name named
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 363
#
#
#
Solaris
Solaris 2.5.1
103663-19
Solaris 2.5.1_x86
103664-19
Solaris 2.6
105755-12
Solaris 2.6_x86
105756-12
Solaris 7
106938-06
Solaris 7_x86
Solaris 8
Solaris 8_x86
Solaris 9
106939-06
109326-09
109327-09
112970-02
HP-UX
HP-UX 10.10
PHNE_27792
HP-UX 10.20
PHNE_27792
HP-UX 11.0
PHNE_27793
HP-UX 11.04
PHNE_28415
HP-UX 11.11
PHNE_27794
AIX 4.3
ISC BIND 8.2.2 p5
AIX
AIX 4.3.1
ISC BIND 8.2.2 p5
AIX 4.3.2
ISC BIND 8.2.2 p5
AIX 4.3.3
ISC BIND 8.2.2 p5
AIX 5.1
glibc 2.1.1-2.1.6
glibc 2.1.1-2.1.6
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 364
Red Hat
glibc-2.1.3-24.rpm
bind-9.2.1-0.6x.3.rpm
Apply the applicable patch, upgrade to, at the least, the required software release, or remove the
PDI:
9
:
Status Code: AUTO
Previously:
G559
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple buffer overflow vulnerabilities in various DNS
libraries.
Reference:
IAVA 2003-B-0001
50. IAVA0295 – 2003-T-0001 Multiple SSH Vulnerabilities
Vulnerable Systems:
F-Secure SSH versions 3.1.0 build 11 and earlier
Pragma SecureShell 2.0
To determine the ssh version:
#
ssh –V
Pragma Secure Shell
F-Secure
Upgrade to 3.0
Upgrade to a higher release than 3.1.0 build 11
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 365
finding.
PDI:
2
:
Status Code: AUTO
Previously:
G561
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple SSH vulnerabilities.
Reference:
IAVA 2003-T-0001
51. IAVA0305 – 2003-T-0002 Solaris UUCP
Vulnerable Systems:
Solaris 8
Solaris 5.8_x86
Solaris 5.8
111571-04
111570-04
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 366
3
:
Status Code: AUTO
Previously:
G563
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is a Solaris UUCP local buffer overflow vulnerability.
Reference:
IAVA 2003-T-0002
52. IAVA0310 – 2005-T-0043 SMC HTTP TRACE Vulnerability
Vulnerable Systems:
Solaris 10.0 _x86
Solaris 10.0
Solaris 9.0 _x86
Solaris 9.0
Solaris 8.0 _x86
Solaris 8.0
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris
5.8
5.8_x86
5.9
5.9_x86
5.10
5.10_x86
111313-03
111314-03
116807-02
116808-02
121308-01
121309-01
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 367
PDI:
4
:
Status Code: AUTO
Previously:
G564
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is an SMC HTTP TRACE Information Discloser
Vulnerability .
Reference:
IAVA 2005-T-0043
53. IAVA0315 – 2003-T-0004 Oracle 9i Vulnerabilities
Vulnerable Systems:
Oracle 9i Release 9.0.2 and 9.0.3
correctly.
each Oracle Home to find the version.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 368
PDI:
6
:
Status Code: PART
Previously:
G567
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are Multiple Vulnerabilities in Oracle 9i Application Server.
Reference:
IAVA 2003-T-0004
54. IAVA0320 – 2003-T-0007 Sun XDR Library Buffer Overflow
Vulnerable Systems:
Debian with Kerberos krb4 and krb5
EnGarde
1.0.1
FreeBSD
4.6, 4.7, 5.0
GNU
glibc versions 2.2 - 2.2.5, 2.1.3
HP-UX with Kerberos - 9000/700 and 9000/800 series 10.20, 11.00, 11.04, 11.11, and 11.22
NETBSD 1.4 - 1.5.3
Red Hat Linux 6.2 - i386, 7.0 - i386 i686, 7.1 - i386 i686, 7.2 - i386 i686 ia4, 7.3 - i386 i686, 8.0 - i386
i686
Sun Solaris
2.5.1 - 9.0 both sparc and x86
Trustix 1.1 1.2 and 1.5
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:
Solaris
5.6
5.6_x86
5.7
105401-44
105402-44
106942-27
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
5.7_x86
5.8
5.8_x86
5.9
5.9_x86
Page 369
106943-27
108993-18
108994-18
113319-11
113719-04
HP-UX
B.10.20
PHCO_26158 or PHCO_31920
B.10.24
PHCO_27882 or PHNE_30377 or PHNE_30660 or PHNE_31096
B.11.00P
B.11.11
PHNE_28567 or PHNE_28982 or PHNE_29210 or PHNE_29785 or PHNE_
29882 or PHNE_30377 or PHNE_30660 or PHNE_31096
PHNE_28568 or PHNE_28983 or PHNE_29211 or PHNE_29783 or PHNE_29883
or PHNE_30378 or PHNE_30380 or PHNE_30661
Red Hat
6.2
glibc-2.1.3-29.i386.rpm
7.0
glibc-2.2.4-18.7.0.9.i386.rpm
7.1
glibc-2.2.4-32.i386.rpm
7.2
glibc-2.2.4-32.i386.rpm
7.3
glibc-2.2.5-43.i386.rpm
8. glibc-2.3.2-4.80.i386.rpm
9. krb5-libs-1.2.7-14.i386.rpm
SuSE
1. glibc-2.2-26.i386.rpm
2. glibc-2.2.2-68.i386.rpm
3. glibc-2.2.4-78.i386.rpm
8.0
8.1
glibc-2.2.5-177.i386.rpm
glibc-2.2.5-177.i686.rpm
IRIX
6.5.15m
6.5.15f
6.5.16m
4986
4987
4988
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 370
6.5.16f
6.5.17m
4989
4990
6.5.17f
6.5.18m
4991
5014
6.5.18f
6.5.19m
5015
4992
6.5.19f
4993
PDI:
5
:
Status Code: AUTO
Previously:
G569
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The Sun XDR Library has an integer overflow vulnerability.
Reference:
IAVA 2003-T-0007
55. IAVA0330 – 2003-B-0003 Sendmail - Memory Corruption Vulnerability
Vulnerable Systems:
Sendmail Versions 8.12.8 and earlier
Conectiva Linux 9.0
Conectiva Linux 8.0
Conectiva Linux 7.0
Conectiva Linux 6.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 371
Debian Linux 3.0
FreeBSD 5.0
FreeBSD 4.7
FreeBSD 4.6
HP TRU64 5.1
HP-UX 10.10
HP-UX 10.20
HP-UX 11.00
HP-UX 11.04
HP-UX 11.11
HP-UX 11.22
ImmunixOS 6.2
ImmunixOS 7.0
ImmunixOS 7+
AIX 4.3.3
AIX 5.1.0
AIX 5.2.0
NetBSD 1.6
NetBSD 1.5.3
NetBSD 1.5.2
NetBSD 1.5.1
NetBSD 1.5
OpenBSD 3.2
OpenBSD 3.1
OpenPKG Current
OpenPKG 1.2
OpenPKG 1.1
Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9.0
OpenLinux 3.1.1
OpenLinux 3.1
UnixWare 7.1.3
Open UNIX 8.0.0
IRIX 6.5.15
IRIX 6.5.16
IRIX 6.5.17
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 372
IRIX 6.5.18
IRIX 6.5.19
Solaris 2.6
Solaris 7
Solaris 8
Solaris 9
SuSE Linux 7.1, 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Slackware 8.0
Slackware 8.1
Slackware 9.0
To determine the version of sendmail, use the following command:
# sendmail -d0 -bt < /dev/null | grep -i Version
Systems using sendmail below version 8.12.9, or are not patched, are affected.
Upgrade to 8.12.9 or check for the following patches utilizing Appendix F:
Solaris
Solaris 2.6
Solaris 2.6_x86
Solaris 7
Solaris 7_x86
105395-09
105396-09
107684-09
107685-09
Solaris 8
110615-09
Solaris 8_x86
110616-09
Solaris 9
Solaris 9_x86
113575-04
114137-03
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 373
HP-UX
If a fix has been installed the following command will list a 'version.c" line:
#
what /usr/sbin/sendmail | grep JAGae58098
Install HPSecurityBul246.depot with swinstall for all versions.
Red Hat
Red Hat Linux 6.2
sendmail-8.11.6-1.62.3.i386.rpm
Red Hat Linux 7.0
sendmail-8.11.6-25.70.i386.rpm
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
sendmail-8.11.6-25.73. i386.rpm
Red Hat Linux 8.0
Red Hat Linux 9
AIX
AIX 4.3.3
IY42629
AIX 5.1.0
IY42630
AIX 5.2.0
IY42631
SuSE-7.1
sendmail-8.11.2-45.i386.rpm
SuSE
SuSE-7.2
SuSE-7.3
SuSE-8.0
SuSE-8.1
IRIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
All Version
Page 374
patch #5045
PDI:
1
:
Status Code: AUTO
Previously:
G575
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Sendmail memory corruption Vulnerability.
Reference:
IAVA 2003-B-0003
56. IAVA0335 – 2003-T-0015 PDF Writers
Vulnerable Systems:
Adobe Acrobat Reader (UNIX) 5.0.0 6
Xpdf Xpdf 1.0.0 1
MandrakeSoft Linux Mandrake 7.2.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9
Sun Linux 5.0 (LX50) with xpdf-0.92-9 or earlier
For both Red Hat and Sun Linux sytems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 375
# rpm –qa |grep xpdf
Apply the appropriate rpm for the operating system version contained in the IAVA.
PDI:
9
:
Status Code: PART
Previously:
G577
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A PDF viewer has a Hyperlink arbitrary command vulnerability.
Reference:
IAVA 2003-T-0015
57. IAVA0345 – 2003-T-0018 Real Networks Helix Server
Vulnerable Systems:
Helix Universal Server 9
Real Server 5
Real Server 6
Real Server 7
Real Server 9
Real Server G2
Use the following command to verify if the Real Server plug-in is installed:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
#
Page 376
find / -name *vsrcplin.so*
If the find returns either vsrcplin.so.9.0 or vsrcplin.so.6.0, then this is a finding. Versions prior to
9.0.2.802 are affected, including Helix Universal Server 9, RealSystem Server 8, 7, and RealServer G2.
Upgrade to the latest software.
finding.
PDI:
6
:
Status Code: PART
Previously:
G579
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The RealNetworks Helix Server is vulnerable.
Reference:
IAVA 2003-T-0018
58. IAVA0350 – 2003-T-0020 OpenSSH Prior to 3.7.1
Vulnerable Systems:
Systems running versions of OpenSSH prior to 3.7.1
Systems that use or derive code from vulnerable versions of OpenSSH
If Secure Shell is running, verify it is OpenSSH. If it is OpenSSH, check the version by locating the ssh
command and performing:
#
./ssh –V
The command will return the version. If it is less than 3.7.1, this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 377
PDI:
7
:
Status Code: AUTO
Previously:
G580
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is a buffer mismanagement vulnerability in OpenSSH prior to
version 3.7.1.
Reference:
IAVA 2003-T-0020
59. IAVA0355 – 2003-A-0013 SADMIND
Vulnerable Systems:
This vulnerability applies only to Sun systems running the Solstice AdminSuite with sadmind implemented.
The patches listed apply only to version 2.3 and later. If a version earlier than 2.3 is running, the site must
upgrade to 2.3 before installing any of the patches. To upgrade to Solstice 2.3 install the following patches:
Solstice AdminSuite patches to upgrade to Solstice 2.3:
Solaris 2.3
104468-20
Solaris 2.3_x86
104469-20
To resolve the vulnerability on the following and on systems with older AdminSuite installations, install patches
listed below immediately. Systems with versions prior to 2.3 must upgrade to 2.3 before installing patches, as
noted above.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 378
Solaris 5.9
116453-01
Soalris 5.9_x86
116454-01
Solaris 5.8
116455-01
Solaris 5.8_x86
116442-01
Trusted_Solaris_8
Solaris 7
116455-01
108662-01
Solaris 7_x86
Solaris 2.6
Solaris 2.6_x86
Solaris 2.5.1
108663-01
108660-01
108661-01
108658-02
Solaris 2.5.1_x86
108659-02
Solaris 2.5
108656-02
Solaris 2.5_x86
108657-02
60. IAVA0360 – 2003-A-0015 OpenSSL
Vulnerable Systems:
Any product using one of the following:
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6 a
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 d
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 i
OpenSSL Project OpenSSL 0.9.6 j
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 379
OpenSSL Project OpenSSL 0.9.7 a
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 beta1
Perform the following to determine the version:
# openssl version -v
# find / -name libssl.so.0.9.7
# find / -name libcrypt o .so.0.9.7
To resolve the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or OpenSSL 0.9.6k. Alternatively, apply
a patch as directed by your vendor.
61. IAVA0365 – 2003-T-0022 - JAVA RUNTIME and Virtual Machine
Vulnerable Systems:
SDK and JRE 1.4.1_03 and earlier
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 380
To tell what version of Java you are running, from the directory Java is loaded, run:
#
./java –version
Upgrade to the following versions:
SDK and JRE 1.4.1_04 and later
finding.
PDI:
1
:
Status Code: MAN
Previously:
G583
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Sun Java Virtual Machine Slash Path Security Model
Circumvention Vulnerability.
Reference:
IAVA 2003-T-0022
62. IAVA0370 – 2003-T-0024 - RSYNC DAEMON
Vulnerable Systems:
EnGarde
EnGarde Secure Linux 1.0.1
RedHat Linux 6.2.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 381
RedHat Linux 7.0.0
RedHat Linux 7.1.0
RedHat Linux 7.2.0
RedHat Linux 7.3.0
RedHat Linux 8.0.0
RedHat Linux 9.0.0
RedHat Fedora Core1
Caldera OpenLinux eBuilder 3.0.0
Caldera OpenLinux 2.3.0
Caldera OpenLinux 3.1.0 -IA64
Caldera OpenLinux Server 3.1.0
Caldera OpenLinux Workstation 3.1.0
Conectiva Linux ecommerce
Conectiva Linux graficas
SCO eDesktop 2.4.0
SCO eServer 2.3.1
S.u.S.E. Linux 6.4.0
Trustix Secure Linux 1.0.0 1
Trustix Secure Linux 1.1.0
HP Secure OS software for Linux 1.0.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 382
MandrakeSoft Single Network Firewall 7.2.0
MandrakeSoft Multi Network Firewall 8.2.0
Debian Linux 3.0.0
OpenPKG OpenPKG Current
OpenPKG OpenPKG 1.2.0
OpenPKG OpenPKG 1.3.0
First, determine if the system is running rsyncd by performing:
#
netstat –a | egrep “843|rsync”
If it is rsync is running on the system then:
# grep chroot /etc/rsyncd.conf
If it is not there, or it is set to no, this is a finding. Obtain patches from the vendor in accordance with the IAVA.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 383
2
:
Status Code: AUTO
Previously:
G584
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The rsync daemon is vulnerable to a heap memory overflow.
Reference:
IAVA 2003-T-0024
63. IAVA0375 – 2004-A-0002 - Check Point Firewall-1
Vulnerable Systems:
Check Point Software Firewall-1 4.1.0
Check Point Software Firewall-1 4.1.0 SP1
Check Point Software Next Generation
Check Point Software Next Generation FP1
Check Point Software Next Generation FP3 HF1
Check Point Software NG-AI
Check Point Software NG-AI R54
Check Point Software NG-AI R55
Check Point Software Firewall-1 4.1.0 SP5a
Check Point Software FireWall-1 Next Generation FP0
Check Point Software FireWall-1 Next Generation FP1
Check Point Software VPN-1 4.1.0
Check Point Software VPN-1 4.1.0 SP1
Check Point Software VPN-1 4.1.0 SP5a
Check Point Software VPN-1 Next Generation FP0
Check Point Software VPN-1 Next Generation FP1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 384
To determine the version number of the Check Point that your are running, use the following command:
#
$FWDIR/bin/fw ver
where $FWDIR is the directory where Check Point is installed.
System Administrators who use the HTTP Security Servers of Check Point Firewall-1 must download and apply
the following update:
http://www.checkpoint.com/techsupport/downloads/bin/firewall1/security_server_hotfix_cpsc.zip
System Administrators who use VPN capabilities on VPN-1/FireWall-1 4.1 SP5a and prior, Next Generation FP0
and FP1 must upgrade to the latest non-vulnerable version provided below:
http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html
PDI:
6
Status Code: PART
Previously:
G585
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A vulnerable version of Check Point Firewall-1 is in use.
Reference:
IAVA 2004-A-0002
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 385
64. IAVA0380 – 2004-B-0002 - H.323 Protocol
Vulnerable Systems:
Debian GNU/Linux 3.0
Red Hat Linux 9
Check Point Software Firewall-1 4.1.0
Check Point Software Firewall-1 [VPN+DES+STRONG] 4.1.0 Build 41439
Check Point Software Firewall-1 [VPN+DES+STRONG] 4.1.0 SP2 Build 41716
Check Point Software Firewall-1 [VPN+DES] 4.1.0
Check Point Software Next Generation
Check Point Software Next Generation with Application Intelligence
Debian
pwlib1.2.5-5woody1
Redhat
pwlib-1.4.7-4.1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 386
PDI:
7
:
Status Code: PART
Previously:
G586
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A vulnerable version of the H.323 Protocol is in use.
Reference:
IAVA 2004-B-0002
65. IAVA0385 – 2004-A-0004 - ISS Real Secure
Vulnerable Systems:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before
Running on the following Operating Systems:
Solaris 8
Solaris 9
RedHat Linux Professional
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 387
RedHat Enterprise
IBM AIX
Hewlett-Packard HP-UX
Locate the issDaemon:
#
find / -name issDaemon –depth -print
#
./issDaemon –v
The daemon should be upgraded to the following non-vulnerable versions:
RealSecure Network 7.0, XPU 22.12
RealSecure Server Sensor 7.0 XPU 22.12
Proventia A Series XPU 22.12
Proventia G Series XPU 22.12
Proventia M Series XPU 1.10
RealSecure Desktop 7.0 ebm
RealSecure Desktop 3.6 ecg
RealSecure Guard 3.6 ecg
RealSecure Sentry 3.6 ecg
BlackICE Agent for Server 3.6 ecg
finding.
PDI:
4
Status Code: PART
Previously:
G587
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The ISS RealSecure protocol analysis module ICQ parsing routines
has a buffer overflow.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 388
Reference:
IAVA 2004-A-0004
66. IAVA0390 – 2004-T-0003 – Apache SSL Certificate Forging
Vulnerable Systems:
Apache-SSL 1.3.28+1.52 and earlier versions.
To check the version:
#
httpd –v
The version should be at least 1.3.29+1.53.
finding..
PDI:
7
:
Status Code: MAN
Previously:
G588
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected an Apache-Secure Socket Layer Client Certificate
Forging Vulnerability.
Reference:
IAVA 2004-T-0003
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 389
67. IAVA0395 – 2004-T-0008 – TCPDUMP Buffer Overflows
Vulnerable Systems:
tcpdump
Apple
Caldera
Debian
EnGarde
FreeBSD
Mandrake
Redhat
SCO
SGI
SuSE
Trustix
Turbolinux
To check the version of tcpdump on most systems:
#
tcpdump -–version
The version should be at least 3.8.3. If it is not, then upgrade both tcpdump to at least 3.8.3 and libpcap
to 0.8.3. Check the IAVA for specific vendor patches or upgrades.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 390
8
:
Status Code: AUTO
Previously:
G589
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
TCPDUMP has multiple buffer overflows and vulnerabilities from
malformed ISAKMP packets.
Reference:
IAVA 2004-T-0008
68. IAVA0400 – 2004-B-0005 – FreeBSD/Juniper Denial of Service
Vulnerable Systems:
FreeBSD 4.6.2
FreeBSD 4.7.0
FreeBSD 4.8.0
FreeBSD 4.9.0
FreeBSD 5.0.0
FreeBSD 5.1.0
FreeBSD 5.2.0
OpenBSD 3.3
OpenBSD 3.4
Upgrade to the FreeBSD stable branch (4-STABLE) or to the RELENG_5_2, RELENG_4_9, or RELENG_
4_8 security branch or apply the applicable patch.
FreeBSD 4.8
tcp47.patch
FreeBSD 4.9
tcp47.patch
FreeBSD 5.2
tcp52.patch
OpenBSD 3.3
018_tcp.patch
OpenBSD 3.4
013_tcp.patch
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 391
PDI:
9
:
Status Code: PART
Previously:
G590
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is a FreeBSD/Juniper BSD TCP out-of-sequence packets
denial of service.
Reference:
IAVA 2004-B-0005
69. IAVA0405 – 2004-T-0006 Solaris Password Utility
Vulnerable Systems:
Solaris 8.0
Solaris 8.0_x86
Solaris 9.0
Solaris 9.0_x86
Solaris 8.0
Solaris 8.0_x86
Solaris 9.0
Solaris 9.0_x86
108993-32 or later
108994-32 or later
113476-11 or later
114242-07 or later
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 392
PDI:
0
:
Status Code: AUTO
Previously:
G591
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected a vulnerable passwd utility on Solaris 5.8 or 5.9.
Reference:
IAVA 2004-T-0006
70. IAVA0410 – 2004-B-0006 OpenSSL Denial of Service
Vulnerable Systems:
Apple
Avaya
Check Point
Cisco
Citrix
FreeBSD
Hewlett Packard
NetScreen
Novell
OpenBSD
OpenSSL
OpenSSL Project OpenSSL 0.9.6 c
Debian Linux 3.0.0
S.u.S.E. Linux 8.0.0 i386
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 393
OpenSSL Project OpenSSL 0.9.6 d
OpenSSL Project OpenSSL 0.9.6 e
FreeBSD 4.6.0
FreeBSD 4.6.0 -RELEASE
OpenSSL Project OpenSSL 0.9.6 f
OpenSSL Project OpenSSL 0.9.6 g
FreeBSD 4.7.0
FreeBSD 4.7.0 -RELEASE
HP Apache-Based Web Server 2.0.43 .00
HP Webmin-Based Admin 1.0.0 .01
Immunix OS 7+
NetBSD 1.6.0
OpenPKG 1.1.0
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 i
HP-UX Apache-Based Web Server 1.0.0 .01
HP-UX Apache-Based Web Server 1.0.0 .02.01
HP-UX Apache-Based Web Server 1.0.1 .01
MandrakeSoft Corporate Server 2.1.0 x86_64
MandrakeSoft Linux Mandrake 9.1.0 ppc
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 k
BlueCoat Systems CacheOS CA/SA 4.1.10
BlueCoat Systems Security Gateway OS 2.0.0
BlueCoat Systems Security Gateway OS 2.1.5001 SP1
OpenSSL Project OpenSSL 0.9.7 Caldera OpenUnix 8.0.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 394
FreeBSD 5.0.0
Redhat Linux
RSA
SCO
SGI
Stonesoft
Tarantella
All versions from 0.9.6c to 0.9.6l and versions 0.9.7a to 0.9.7c are affected. This vulnerability requires
multiple updates. Ensure OpenSSL libraries are, at least, 0.9.7d or 0.9.6m. Check for the correct version of
OpenSSL libraries by performing either, of these commands:
#
openssl version –v
#
ls –lLd /usr/lib/*ssl*
or
#
ls –lLd /usr/local/lib/*ssl*
finding.
PDI:
1
:
Status Code: AUTO
Previously:
G592
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected an OpenSSL denial-of-service-vulnerability.
Reference:
IAVA 2004-B-0006
71. IAVA0415 – 2004-B-0007 Linux JetAdmin Vulnerability
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 395
Vulnerable Systems:
Linux systems with:
HP Web Jetadmin 6.5.0 and prior
HP Web Jetadmin 7.0.0
#
find / -name Jetadmin -o -name jetadmin
If found, execute the Jetadmin binary to display the version.
#
./jetadmin
To display the version.
If it is less than version 7.5, this is a finding. If it is 7.5 or higher, this is not a finding.
Upgrade or remove the binary/application to remediate this finding.
PDI:
1
:
Status Code: AUTO
Previously:
G593
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected a vulnerable HP WEB JetAdmin version on Linux.
Reference:
IAVA 2004-B-0007
72. IAVA0420 – 2004-T-0014 CDE Remote Login
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 396
HP HP-UX 11.0.0
HP HP-UX 11.0.0 4
HP HP-UX 11.11.0
HP HP-UX 11.22.0
HP HP-UX 11.23.0
IBM AIX 4.3.3
IBM AIX 5.1.0
IBM AIX 5.2.0
SCO Unixware 7.1.1
SGI3
http://www .sgi.com/support/security/advisories.html
Solaris 7.0.0
Solaris 7.0.0 _x86
Sun Solaris 8.0.0
Sun Solaris 8.0.0 _x86
Sun Solaris 9.0.0
Sun Solaris 9.0.0 _x86 Update 2
Open Group CDE Common Desktop Environment 2.1.0 Sun Solaris 9
Sun Solaris 9 _x86
Sun 7.0 107180-31
Sun 7.0_x86 107171-31
Sun 8.0 108919-21
Sun 8.0_x86 108920-21
Sun 9.0 112807-09
Sun 9.0_x86 114210-08
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 397
0
:
Status Code: MAN
Previously:
G594
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected A Common Desktop Environment DTLogin Remote
Double Free Vulnerability.
Reference:
IAVA 2004-T-00 14
73. IAVA0425 – 2003-B-0005 Sendmail Prescan Variant Vulnerability
Vulnerable Systems:
All systems with Sendmail.
Solaris 7.0
107684-11 or later
Solaris 7.0_x86
Solaris 8.0
107685-11 or later
110615-11 or later
Solaris 8.0_x86
110616-11 or later
Solaris 9.0
113575-05 or later
Solaris 9.0_x86
114137-04 or later
HPUX:
#
/usr/sbin/sendmail -d0.1 < /dev/null | grep -i version
The display will show the sendmail version number.
Download and install the appropriate file for the operating system revision and sendmail version.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 398
HP-UX B.11.00:
SMAIL-811.INETSVCS-SMAIL
InternetSrvcs.INETSVCS-RUN
Install sendmail.811.11.00.r4 file
HP-UX B.11.04:
HP-UX B.11.11:
SMAIL-811.INETSVCS-SMAIL
HP-UX B.11.22:
AIX 4.3.3
IY48659
AIX 5.1.0
IY48658
AIX 5.2.0
IY48657
Linux
ftp://updates.Red Hat.com/7.1/en/os/i386/sendmail-8.11.6-27.71.i386.rpm
ftp://updates.Red Hat.com/9/en/os/i386/sendmail-8.12.8-9.90.i386.rpm
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 399
6
:
Status Code: AUTO
Previously:
G595
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected A Sendmail Prescan Variant Remote Buffer Overrun
Vulnerability.
Reference:
IAVA 2003-B-0005
74. IAVA0430 – 2004-T-0016 Solaris Management Console Vulnerability
Vulnerable Systems:
Sun Solaris 8
Sun Solaris 8 _x86
Sun Solaris 9
Sun Solaris 9 _x86
Sun Solaris 8
Sun Solaris 8 _x86
Sun Solaris 9
Sun Solaris 9 _x86
111313-02 or later
111314-02 or later
116807-01 or later
116808-01 or later
PDI:
7
:
Status Code: AUTO
Previously:
G596
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 400
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected A Sun Solaris Management Console Information
Disclosure Vulnerability.
Reference:
IAVA 2004-T-0016
75. IAVA0435 – 2004-T-0017 MIT Kerberos Multiple Vulnerabilities
Vulnerable Systems:
All releases of MIT Kerberos 5, up to and including krb5-1.3.3.
Debian Linux 3.0.0
Debian Linux 3.0.0 alpha
Debian Linux 3.0.0 arm
Debian Linux 3.0.0 hppa
Debian Linux 3.0.0 ia-32
Debian Linux 3.0.0 ia-64
Debian Linux 3.0.0 m68k
Debian Linux 3.0.0 mips
Debian Linux 3.0.0 mipsel
Debian Linux 3.0.0 ppc
Debian Linux 3.0.0 s/390
Debian Linux 3.0.0 sparc
MandrakeSoft Linux Mandrake 8.1.0 ia64
MandrakeSoft Multi Network Firewall 8.2.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 401
RedHat Linux 6.2.0
RedHat Linux 6.2.0 alpha
RedHat Linux 6.2.0 i386
RedHat Linux 6.2.0 sparc
RedHat Linux 7.0.0
RedHat Linux 7.1.0
RedHat Linux 7.1.0 ia64
RedHat Linux 7.2.0
RedHat Linux 7.2.0 ia64
RedHat Linux 7.3.0
RedHat Linux 8.0.0
SGI ProPack 3.0.0
Sun SEAM 1.0.0
Sun Solaris 2.6.0
Sun Solaris 7.0.0
Sun SEAM 1.0.1
Sun Solaris 8.0.0
Sun SEAM 1.0.2
Sun Solaris 9.0.0
Sun Solaris 8.0.0
Sun Solaris 9.0.0
MIT Kerberos 5 5.0.0 -1.3.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 402
Solaris 5.7
112536-05
Solaris 5.7_x86
112537-05
Solaris 5.8
112237-11 and 112390-09
Solaris 5.8_x86
112240-08 and 112238-19
Solaris 5.9
112908-15
Solaris 5.9_x86
115168-05
Redhat
# rpm –qa | grep krb5-workstation
The version in the second field should be at least 1.3.3-7.
Debian
Upgrade to at least kerberos version 5, release 1.2.4-5 or 1.3.3-2
Mandrake
Upgrade to at least Kerberos version 5, release 1.3.3-4
PDI:
8
:
Status Code: AUTO
Previously:
G597
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected a MIT Kerberos multiple buffer overrun vulnerability.
Reference:
IAVA 2004-T-0017
76. IAVA0440 – 2004-T-0018 Multiple Vulnerabilities in ISC DHCP 3
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 403
ISC DHCPD 3.0.1 rc12
ISC DHCPD 3.0.1 rc13
RedHat Fedora Core2
S.u.S.E. Linux 8.0.0 i386
S.u.S.E. Linux 9.0.0 x86_64
S.u.S.E. Linux Admin-CD for Firewall
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Database Server
S.u.S.E. Linux Firewall on CD
S.u.S.E. Linux Office Server
S.u.S.E. SuSE eMail Server III
Solaris
The dhcpd binary should be:
/usr/lib/inet/in.dhcpd
# strings <dhcpd_binary> | grep "Internet Software Consortium”
HP-UX
The dhcpd binary should be: /usr/lbin/dhcpserverd
AIX
The dhcpd binary should be: /usr/sbin/dhcpsd
IRIX
The dhcpd binary should be: /usr/sbin/dhcpd
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 404
Linux
The dhcpd binary should be: /usr/sbin/dhcpd
If the string "Internet Software Consortium ” is found, confirm the version is 3.0.1 rc14 or later.
# <dhcpd_binary> | more
finding.
PDI:
9
:
Status Code: AUTO
Previously:
G598
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Detected Vulnerabilities in The ISC version of DHCP 3.
Reference:
IAVA 2004-T-0018
77. IAVA0445 – 2004-T-0032 Vulnerabilities in Apache Web Server
Vulnerable Systems:
Apache 2.0.51 and prior versions
Apache 1.3.31 and prior versions
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 405
Confirm the version is 2.0.52 or later, or 1.3.33 or later, respectively.
# <httpd> -v
Or
Solaris 5.8
Solaris 5.8_x86
Solaris 5.9
Solaris 5.9_x86
116973-01
116974-01
113146-05
114145-04
PDI:
4
:
Status Code: AUTO
Previously:
G599
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in the Apache Web server.
Reference:
IAVA 2004-T-0032
78. IAVA0455 –2000-B-0005 Input Validation Problem in rpc.statd
Vulnerable Systems:
Debian 2.2
Redhat 6.x
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 406
Debian
nfs-common_0.1.9.1-1.deb
Redhat
nfs-utils-0.1.9.1-1.i386.rpm
PDI:
4
:
Status Code: MAN++ Previously:
L010
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A Linux system has the input validation problem in rpc.statd.
Reference:
IAVA 2000-B-0005
79. IAVA0460 – 2001-A-0002 IRIX Telnet
Vulnerable Systems:
IRIX versions 3.x through 6.5.9
To check the version:
# uname –R
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 407
Or
IRIX 3.x through 6.4 (except 6.2) Upgrade to IRIX 6.5.10 or higher
IRIX 6.2 apply patch #4050 or upgrade to 6.5.10
IRIX 6.5 through 6.5.9 apply patch #4060 or upgrade to 6.5.10
PDI:
9
:
Status Code: PART
Previously:
SG01
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
IRIX telnetd is vulnerable.
Reference:
IAVA 2001-A-0002
80. IAVA0465 – 1999-B-0002 SGI Array Services
Vulnerable Systems:
IRIX
# grep AUTHENTICATION /usr/lib/array/arrayd.auth
Confirm AUTHENTICATION NONE is commented out.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 408
PDI:
0
:
Status Code: PART
Previously:
SG03
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
SGI array services has the default configuration vulnerability.
Reference:
IAVA 1999-B-0002
81.
IAVA0470 – 1998-A-0010 SGI Buffer Overflow Vulnerability
Vulnerable Systems:
IRIX 3.x
IRIX 4.x
IRIX 5.0.x
IRIX 5.1.x
IRIX 5.2
IRIX 5.3
IRIX 6.0.x
IRIX 6.1
IRIX 6.2
IRIX 6.3
IRIX 6.4
IRIX 6.5
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 409
Execute: versions –IM | grep patch#
For xlock:
Patch
5.3
2090
6.2
2090
6.3
2090
6.4
2091
5.3
3463
6.2
3289
For df:
6.3
3722
6.4
3883
For pset:
3. 2176
6.2
3704
6.3
2792
For eject:
3. 3191
6.2
3722
6.4
3883
For login:
5.3
2216
6.1
1010
6.2
2181
6.3
3183
For ordist:
5.3
6.2-6.4
2212
2213
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 410
PDI:
1
Status Code: PART
Previously:
SG05
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
SGI buffer overflow vulnerabilities exist.
Reference:
IAVA 1998-A-0010
82. IAVA0475 – 1999-A-0006 Statd and Automountd
Vulnerable Systems:
For rpc.statd:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
For automountd:
Solaris 5.5.1
Solaris 5.5.1_x86
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 411
For rpc.statd:
Solaris 5.5.1
104166-05
Solaris 5.5.1_x86
104167-05
Solaris 5.6
106592-04
Solaris 5.6_x86
106593-04
For automountd:
Solaris 5.5.1
Solaris 5.5.1_x86
104654-05
104655-05
PDI:
3
:
Status Code: AUTO
Previously:
SO25
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A Solaris system has statd and automountd vulnerabilities.
Reference:
IAVA 1999-A-0006
83. IAVA0485 – 2001-T-0002 IRDP
Vulnerable Systems:
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 412
Solaris 5.7
Solaris 5.7_x86
Solaris 5.5.1
Solaris 5.5.1_x86
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
109721-01
109722-01
109719-01
109720-01
109709-01
109710-01
PDI:
5
:
Status Code: AUTO
Previously:
SO27
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A Solaris system has a vulnerable version of ARP.
Reference:
IAVA 2001-T-0002
84. IAVA0490 – 2001-A-0003 SNMP to DMI Mapper Daemon
Vulnerable Systems:
Solaris 5.7
Solaris 5.7_x86
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 413
Solaris 5.8
Solaris 5.8_x86
Solaris 5.7
Solaris 5.7_x86
107709-19
107710-19
Solaris 5.8
108869-17
Solaris 5.8_x86
108870-17
PDI:
6
Status Code: PART
Previously:
SO28
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A Solaris system has a SNMP to DMI mapper daemon
(snmpXdmid) vulnerability.
Reference:
IAVA 2001-A-0003
85. IAVA0495 – 2001-T-007 Solaris Line Printer Daemon
Vulnerable Systems:
Solaris 5.6
Solaris 5.6_x86
Solaris 5.7
Solaris 5.7_x86
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 414
Solaris 5.8
Solaris 5.8_x86
Solaris 5.6
Solaris 5.6_x86
106235-10
106236-10
Solaris 5.7
Solaris 5.7_x86
Solaris 5.8
Solaris 5.8_x86
107115-10
107116-10
109320-05
109321-05
PDI:
8
:
Status Code: AUTO
Previously:
SO29
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
The Solaris line printer daemon (in.lpd) is vulnerable to a buffer
overflow.
Reference:
IAVA 2001-T-0007
86. IAVA0500 – 2000-B-0003 KDC Vulnerablity
Vulnerable Systems:
MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
MIT Kerberos 4 patch 10, and likely earlier releases as well
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 415
KerbNet (Cygnus implementation of Kerberos 5)
Cygnus Network Security (CNS -- Cygnus implementation of
Kerberos 4)
Use the command:
#
find /etc –name krb5.conf
to look for the presence of a Kerberos 5 configuration file on the system. If the file is found, look for the
presence of the default domain and v4_instance_convert configuration variables in the [realms]
section of the file. If these two variables are present and configured then this is a finding as Kerberos is working
in Version IV compatibility mode. If /etc/krb4.conf exists this is also a finding without the applied
patches. Upgrade to version 5-1.0.X and apply the patch provided by MIT. Only the patches for the krb_rd_req()
vulnerability need to be applied to version 4 to address the issues described in this advisory.
PDI:
4
:
Status Code: PART
Previously:
V064
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A system has a vulnerable version of KDC.
Reference:
IAVA 2000-B-0003
87. IAVA0510 – 1999-A-0003 FTP RNFR Command Vulnerability
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
ProFTPD
wu-ftpd
Page 416
1.2.Oprel
All versions prior to 2.4.2
Confirm the version is 1.2.Opre2or later, or 2.4.2 or later, respectively.
# /usr/ccs/bin/what <ftp_daemon>
Or
# strings <ftp_daemon>
PDI:
9
Status Code: PART
Previously:
V324
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A BSD system has the FTP RNFR command vulnerability.
Reference:
IAVA 1999-A-0003
88. IAVA0515 – 1999-B-0003, 2000-B-0004, 2001-B-0004 WU-FTPd
Vulnerable Systems:
wu-ftpd
2.6.0 or earlier
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 417
Confirm the version is 2.6.1 or later, respectively.
# /usr/ccs/bin/what <ftp_daemon>
Or
# strings <ftp_daemon>
If all patches have been applied to the 2.6.0 version, it is not a finding.
PDI:
0
:
Status Code: AUTO
Previously:
V3375
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
A server is running a vulnerable version of wu-ftpd.
Reference:
IAVA 1999-B-0003, 2000-B-0004, 2001-B-0004
89. IAVA0520 – 2006-A-0013 Sendmail remote execution vulnerability.
Vulnerable Systems:
Sendmail prior to 8.13.6
Within certain operating system architectures, a remote attacker may be able to force certain timing conditions
that would allow execution of arbitrary code or commands on a vulnerable system. Systems running an MTA are
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 418
typically deployed in the DMZ as a gateway for delivering inbound and outbound email, though they may also be
used for internal email delivery between systems or applications.. A system is vulnerable to this IAVA if the
sendmail version is less than 8.13.6 or does not contain up-to-date patches. To check for the vulnerability check
the version of sendmail the system is running. There are two easy methods: 1. Perform the following command;
telnet hostname 25. That connects to the sendmail server port and the server usually tells its version. Since we
tell everybody to hide the version, though, the alternate is the following command; cd to the sendmail binary
directory, usually /usr/lib , and execute echo \$Z | sendmail -bt -d0 . Sendmail will return some extraneous
information including the version number, i.e., Version 8.13.6. Obtain the latest version of sendmail. The
acceptable version to answer this IAVA is 8.13.6, or higher or a version patched to fix the vulnerability.
Solaris
5.8_x86
110616-14
5.8
110615-14
5.9_x86
5.9
5.10_x86
5.10
114137-05
113575-06
122857-01
122856-01
HPUX
AIX
IRIX
B.11.00
sendmail-811_01.006.depot
B.11.11
sendmail-8.13_1111.depot
B.11.23
sendmail-8.13_1123.depot
5.1.0
IY82992
5.2.0
IY82993
5.3.0
IY82994
6.5
patch 7082
Linux
Redhat
SuSe
sendmail-8.12.11-4
sendmail-8.13.3-5.3
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 419
PDI:
7
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There is a sendmail remote execution vulnerability
Reference:
IAVA 2006-A-0013
90. IAVA0530 – 2006-A-0007 Oracle E-Business Suite Vulnerabilities
Vulnerable Systems:
Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
correctly.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 420
# $ORACLE_HOME/bin/runInstaller
each Oracle Home. If Oracle E-Business Suite is listed, then expand it to view any installed patches.
Please ensure all of the patches listed for the installed version are installed;
11.5.10 CU2: 4865928, 4756429
11.5.10: 4333555, 4756429
11.5.9: 4666822, 4710802. 3453273, 3428504, 4756429, 4690594
11.5.8 through 11.5.4: 4746210. 3453273, 4756429, 4690594
11.5.3 and 11.5.2: 4746210. 4756429, 4690594
11.5.1: 4746210. 4690594
11.5.0: none
PDI:
7
:
Status Code: MAN
Previously:
G566
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in Oracle E-Business Suite and
Applications.
Reference:
IAVA 2006-A-0007
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 421
91. IAVA0545 – 2005-B-0019 Vulnerabilities in IKE Packet Processing
Vulnerable Systems:
Solaris 5.9
Solaris 5.9_x86
Solaris 10
Solaris 10_x86
HP-UX B.11.00 IPSec.IPSEC2-KRN
HP-UX B.11.11 IPSec.IPSEC2-KRN,revision=A.02.00
Solaris
Solaris 5.9
113451-10
Solaris 5.9_x86
114435-09
Solaris 10
118371-06
Solaris 10_x86
118372-06
HPUX
To determine if an HP-UX system has an affected version, search the command output for one of the filesets
listed below.
# swlist -a revision -l fileset
B.11.00 IPSec.IPSEC2-KRN
install revision A.01.05.01 or subsequent
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 422
install revision A.01.07.02 or subsequent
B.11.11 IPSec.IPSEC2-KRN,revision=A.02.00
install revision A.02.01 or subsequent
install revision A.02.01 or subsequent
PDI:
0
Status Code: PART
Previously:
G571
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are vulnerabilities in IKE Packet Processing.
Reference:
IAVA 2005-B-0019
92. IAVA0550 – 2006-A-0011 Vulnerabilities in Oracle E-Business Suite
Vulnerable Systems:
Oracle Diagnostics, versions 2.3 and lower *
* Available only on:
Oracle E-Business Suite Release 11i, versions 11.5.4 and higher
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 423
correctly.
each Oracle Home. If Oracle E-Business Suite is listed, then expand it to discover any entry for Oracle
Diagnostics. If listed, search for any entry indicating the Oracle Diagnostics 2.3 Rollup Patch (RUP) A is
installed.
Note: Repeat for each Oracle Diagnostics installation.
PDI:
1
:
Status Code: MAN
Previously:
G572
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are vulnerabilities in Oracle E-Business Suite.
Reference:
IAVA 2006-A-0011
93. IAVA0555 – 2006-A-0020 Vulnerabilities in Oracle E-Business Suite
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 424
Oracle E-Business Suite 11.0.0
Oracle E-Business Suite 11i 11.5.10 CU2
The Oracle OPatch utility may also be used to review installed versions and patches. Have the Oracle DBA run
the OPatch utility and send the text output to a file for the reviewer to use. The utility may be installed anywhere
on the system.
Check for compliance by using the Oracle Installer, the GUI interface for
installation. Please note that some checks for minor components are not included.
On Windows the command is %ORACLE_HOME%\bin\setup.exe or it can be run
from the Start>Programs>Oracle Installation Products>Universal Installer
or Start>Programs>Oracle-%ORACLE_HOME_NAME%>Oracle Installation
Prodcuts>Universal Installer.
On the Welcome screen, click on the Installed Products button at the
bottom of the screen. Expand each Oracle Home. Expand the Oneoffs
selection and view the installed patches. If required patches listed are not listed
or the Oneoffs selection is not there, then this is a Finding.
Apply all patches listed for the E-Business version listed:
11.5.10 CU2: 4150288, 5077660, 4969592, 4332440, 5074725, 5021981, 4712852
11.5.10 and CU1: 4150288, 5077660, 4969592, 4332440, 5021850, 5074725, 5021981, 4712852
11.5.9: 4150288, 5083114, 4969592, 4970474, 3483921, 5074725, 5021981, 4712852
11.5.8: 4150288, 2665762, 4969592, 5074725, 5021981, 5083111, 4712852
11..5.4 through 11.5.7: 4150288, 4969592, 5074725, 5021981, 4712852
11.5.1, 11.5.2, and 11.5.3: 4969592, 5074725, 5021981, 4712852
11.5.0: none
11.0: 4970432
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 425
PDI:
8
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
There are multiple vulnerabilities in E Business Suite.
Reference:
IAVA 2006-A-0020
94. IAVA0570 – 2006-A-0032 Multiple Vulnerabilities in Oracle E-Business Suite
Vulnerable Systems:
All versions.
(The Oracle OPatch utility may also be used to review installed versions and patches. Have the Oracle DBA run
the OPatch utility and send the text output to a file for the reviewer to use. The text file may be searched for the
required patch numbers listed below. The utility may be installed anywhere on the system. )
Check for compliance by using the Oracle Installer, the GUI interface for
installation. Please note that some checks for minor components are not included.
On the Welcome screen, click on the Installed Products button at the
bottom of the screen. Expand each Oracle Home. Expand the Oneoffs
selection and view the installed patches. If required patches listed are not listed
or the Oneoffs selection is not there, then this is a Finding.
Apply all patches listed for the E-Business version listed:
11.5.10 CU2: 5083302, 5088058, 4380242, 5127737, 5161758, 5183582
11.5.10 and CU1: 5083302, 5088058, 4380242, 5127737, 5161758, 5183582
11.5.7 thru 11.5.9: 4068388, 4359261, 4380242, 5183582
If Oracle Financials is installed, one of the following patches must be applied if the
instance is NOT at level 11i.FIN_PF.D thru 11i.FIN_PF.G:
4155556, 4058603, 4317421, 4317421
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 426
Versions earlier than 11.5.7 are no longer supported.
PDI:
IAVA0570
V0012321
Category I
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Multiple Vulnerabilities in Oracle E-Business Suite
Reference:
IAVA 2006-A-00 32
95. IAVA0590 – 2006-T-0020 Mozilla Firefox/Thunderbird Vulnerabilities
Vulnerable Systems:
Firefox versions prior to 1.5.0.6
Thunderbird versions prior to 1.5.0.5
SeaMonkey versions prior to 1.0.4
Perform the following to check the Firefox version:
# ./firefox –v
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 427
If the version is not at least 1.5.0.6, then this is a finding.
Perform the following to check the Thunderbird version:
# ./thunderbird –v
If the version is not at least 1.5.0.5 then this is a finding.
PDI:
7
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Mozilla Firefox/Thunderbird Vulnerabilities
Reference:
IAVA 2006-T-0020
96. IAVA0595 – 2006-T-0016 Sun Java Application Server Vulnerabilities
Vulnerable Systems:
SPARC Platform
Sun ONE Application Server 7 without Update 9
Sun Java System Application Server 7 2004Q2 without Update 5
Sun Java System Applciation Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-08
or (SVR4) patch 119166-16
x86 Platform
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 428
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119170-08
or (SVR4) patch 119167-16
Linux Platform
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119171-08
or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-16
To determine the version of Sun Java System Application server on a system, the following command can be run:
# <AS_INSTALL>/bin/asadmin version –verbose
If the version is one of those listed in the vulnerable systems, then this is a finding.
PDI:
5
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Sun Java Application Server Vulnerabilities
Reference:
IAVA 2006-T-0016
97. IAVA0600 – 1998-0011 General Internet Message Access Protocol (IMAP) and Post
Office Protocol (POP) Vulnerabilities
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 429
Vulnerable Systems:
All platforms running IMAP or POP servers
Perform the following to determine if the IMAP or POP is installed and listening:
# netstat –a |grep LISTEN
If port 110 or port 143 are shown, then the mail servers are enabled. If the mail servers are enabled and are not
a required service, then this is a finding. If the service is required and SSL is not being utilized, then this is also
a finding. Ask the SA if SSL is being utilized with the mail server connections.
PDI:
8
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
General Internet Message Access Protocol (IMAP) and Post Office
Protocol (POP) Vulnerabilities
Reference:
IAVA 1998-0011
98. IAVA0605 – 1999-0001 Mountd Remote Buffer Overflow Vulnerability
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 430
Legacy versions of Red Hat Linux
Caldera
Check the nfs server version by executing the following:
# rpm –qa |grep nfs-server
If the version displayed is not at least 2.2, then this is a finding.
PDI:
9
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Mountd Remote Buffer Overflow Vulnerability
Reference:
IAVA 1999-0001
99. IAVA0610 – 1999-0003 Remote FTP Vulnerability
Vulnerable Systems:
UNIX systems running the WU-FTPD daemon or its
derivatives.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 431
To determine the version of ftpd, issue the following command:
# strings /usr/sbin/in.ftpd | grep –I version
The version must be 2.6.0, or later, or this is a finding.
PDI:
1
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Remote FTP Vulnerability
Reference:
IAVA 1999-0003
100. IAVA0615 – 2000-T-0015 BMC Best/1 Version 6.3 Performance Management System
Vulnerability
Vulnerable Systems:
BMC Best/1 Version 6.3 Performance Management System
Ask the system administrator if the BMC Best/1 product is installed on the system. If the product is installed and
less than version 6.5, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 432
PDI:
8
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
BMC Best/1 Version 6.3 Performance Management System
Vulnerability
Reference:
IAVA 2000-T-0015
101. IAVA0620 – 2000-B-0001 BIND NXT Buffer Overflow
Vulnerable Systems:
BIND v8.2.1
Perform the following to determine the version of BIND.
# named –v
Or
# what /usr/sbin/named -v
If the version of BIND is not greater than 8.2.1, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 433
0
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Bind NXT Buffer Overflow
Reference:
IAVA 2000-B-0001
102. IAVA0625 – 2000-B-0002 Netscape Navigator Improperly Validates SSL Sessions
Vulnerable Systems:
Netscape Navigator prior to version 4.72
If a Netscape browser is installed, check the browser version by opening the browser application and selecting
Help/About Netscape to obtain the version. If the version is not at least 4.73, then this is a finding.
PDI:
1
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Netscape Navigator Improperly Validates SSL Sessions
Reference:
IAVA 2000-B-0002
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 434
103. IAVA0630 – 2000-A-0001 Cross-Site Scripting Vulnerability
Vulnerable Systems:
All web servers and browsers
If a web browser is installed, view the advanced options and ensure to disable any scripting such as javascript.
Web server software such as Apache and the Sun Java web server and associated web pages should be reviewed
for dynamic content that may become vulnerable to malicious scripting by the web server administrator and web
site developers.
PDI:
7
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Cross-Site Scripting Vulnerability
Reference:
IAVA 2000-A-0001
104. IAVA0635 – 2001-B-0003 U Encoding Intrusion Detection System Bypass Vulnerability
Vulnerable Systems:
Snort prior to 1.8.1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 435
To determine the version of snort, issue the following command:
# snort -V
If the version of snort is not at least 1.8.1, then this is a finding.
PDI:
1
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
U Encoding Intrusion Detection System Bypass Vulnerability
Reference:
IAVA 2001-B-0003
105. IAVA0640 – 2002-T-0005 Multiple Vulnerabilities in Oracle Database Server
Vulnerable Systems:
Oracle9i Database Server
Oracle8i Database Server
Oracle8 Database Server
Check that the Oracle9i Database Server has had the patches applied. To check for patches, execute the
following: %ORACLE_HOME%\bin\setup.exe On the Welcome screen, click on the Installed Products button at
the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view the installed
patches. If patches listed are not there or the Oneoffs selection is not there, then this is a Finding. Version 9.2.0.3
– patch 3056404 Version 9.2.0.3 – patch 2973634 .
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 436
PDI:
2
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Multiple Vulnerabilities in Oracle Database Server
Reference:
IAVA 2002-T-0005
106. IAVA0645 – 2002-T-0006 Multiple Vulnerabilities in Oracle9i Application Server
Vulnerable Systems:
Oracle9i Application Server
Check that the Oracle9i Application Server has had the patches applied. To check for patches, execute the
following: %ORACLE_HOME%\bin\setup.exe On the Welcome screen, click on the Installed Products button at
the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view the installed
patches. If patches listed are not there or the Oneoffs selection is not there, then this is a Finding. Version 1.2.0.x
– Patch 2128936, 2209455
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 437
PDI:
3
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Multiple Vulnerabilities in Oracle9i Application Server
Reference:
IAVA 2002-T-0006
107. IAVA0650 – 2002-T-0010 Denial of Service Vulnerability in ISC-BIND 9
Vulnerable Systems:
ISC BIND 9.0 through 9.2
Execute the following command to check the version of BIND.
# /usr/sbin/named –v
If the version output of the preceeding command is not at least 9.2.1, then this is a finding.
PDI:
7
:
Status Code: AUTO
Previously:
N/A
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 438
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Denial of Service Vulnerability in ISC-BIND 9
Reference:
IAVA 2002-T-0010
108. IAVA0655 – 2002-T-SNMP-003 Multiple Simple Network Management Protocol
Vulnerable Systems:
Ncipher Nfast800 NET-SNMP for Linux/Solaris
Ask the systems administrator if the ncipher product is installed. If the product is installed, ask the
systems administrator to verify the patches have been downloaded and installed from : http://www.ncipher.com/
members/download.php?resource_id=55 . If the system administrator does not have a login to the above website,
then this is a good indication that the product has not been patched. If the product has been installed and patched
properly, then this is not a finding.
PDI:
7
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Multiple Simple Network Management Protocol Vulnerabilities in
Servers and Applications
Reference:
IAVA 2002-T-SNMP-003
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 439
109. IAVA0660 – 2002-A-SNMP-004 Multiple Simple Network Management Protocol
Vulnerabilities in Perimeter Devices
Vulnerable Systems:
DNCP-HPUX
DNCP( Distributed Network Control Platform) manufactures edge devices utilizing the HP-UX operating
systems. Check this device for the following patch with the procedures listed in Appendix F.
PHSS_26138
PDI:
8
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Perimeter Devices
Reference:
IAVA 2002- A-SNMP-004
Vulnerabilities in Enclave Devices
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 440
BMC Patrol Agent for Unix v3.4.11, v3.4.00, v3.3.00
Ask the SA if the BMC Patrol agent is installed on the system. If the agent is installed on the system and one of
the vulnerable versions listed, then check: http://www.bmc.com/info_center_support/snmp_cert_
advise041802.html to ensure the correct patches are installed. If the correct patches are not installed, then this is
a finding. Legacy version systems such as 3.400 and 3.3.00 need to contact BMC support for resolution.
PDI:
9
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Enclave Devices
Reference:
IAVA 2002-A-SNMP-005
Vulnerable Systems:
IRIX versions 5.3 to 6.4
Tivoli v7.1 NetView for UNIX
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 441
Irix
If the Irix operating system version is not at least 6.5, then this is a finding. Perform the following to
determine the operating system version:
# uname – a
Tivoli
If Tivoli Netview 7.1 is installed, ask the SA if they have applied all vendor patches for SNMP
vulnerabilities. If the patches have not been installed, then this is a finding. The IAVA and vendor do not list
specific patches to install.
PDI:
0
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Servers and Applications
Reference:
IAVA 2002-A-SNMP-006
112. IAVA0675 – 2003-A-0006 Multiple Vulnerabilities in Multiple Versions of Oracle
Database Server
Vulnerable Systems:
Oracle 8 8.0.6
Oracle 8i 8.0.x
Oracle 8i 8.1.7
Oracle 8i 8.1.x
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 442
Oracle 9i 9.0.2
Oracle 9i 9.0.1.3
Oracle 9i 9.0.1.2
Oracle 9i 9.0.1
Oracle 9i 9.0
Oracle 9i Release 1, 9.0.x
Oracle 9i Release 2, 9.2.2
Oracle 9i Release 2, 9.2.x
Oracle 9i Release 2, 9.2.1
To check for patches, execute the following: %ORACLE_HOME%\bin\setup.exe On the Welcome screen, click
on the Installed Products button at the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs
selection and view the installed patches. If patches listed are not there or the Oneoffs selection is not there, then
this is a Finding.
Ensure the following patches are installed:
2642117 Oracle Database Server DIRECTORY Buffer Overflow Vulnerability
2642267 Oracle Database Server TZ_OFFSET Buffer Overflow Vulnerability
2642439 Oracle Database Server TO_TIMESTAMP_TZ Buffer Overflow Vulnerability
2620726 Oracle Database Server ORACLE.EXE Buffer Overflow Vulnerability
PDI:
3
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Multiple Vulnerabilities in Multiple Versions of Oracle Database
Server
Reference:
IAVA 2003-A-0006
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 443
113. IAVA0680 – 2004-T-0002 Oracle 9i Application/Database Server Denial Of Service
Vulnerability
Vulnerable Systems:
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle9i Application Server Release 2, version 9.0.2.1 and earlier versions
Oracle9i Application Server Release 2, version 9.0.3.0 and 9.0.3.1Oracle9i Database Server Release 2,
version 9.2.0.2
Oracle9i Database Server Release 1, version 9.0.1.4
Use the Oracle opatch utility to list the installed patches with the opatch lsinventory – detail command. Patches
required are 2701372 or 2701717.
PDI:
4
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Oracle 9i Application/Database Server Denial Of Service
Vulnerability
Reference:
IAVA 2004-T-0002
114. IAVA0685 – 2004-T-0005 Oracle9i Lite Mobile Server Multiple Vulnerabilities
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 444
Oracle9i Lite 5.0.0.0.0
Use the Oracle opatch utility to list the installed patches with the opatch lsinventory – detail command. Patch
3369291 must be installed. If the patche is not installed, then this a finding.
PDI:
8
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Oracle9i Lite Mobile Server Multiple Vulnerabilities
Reference:
IAVA 2004-T-0005
115. IAVA0690 – 2004-T-0011 Oracle Application Server Web Cache HTTP Request Method
Vulnerable Systems:
Oracle Application Server Web Cache 10g 9.0.4 .0
Oracle Application Server 10g 9.0.4 .0
Oracle Oracle9i Application Server Web Cache 2.0.0 .0.4
Oracle Oracle9i Application Server 1.0.2 .2
Oracle Oracle9i Application Server Web Cache 9.0.2 .2
Oracle iStore 11i 11i.IBE.O
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 445
Use the Oracle opatch utility to list the installed patches with the opatch lsinventory command to include at least
one of the following patches: Patch 3319824 (10g), 3621435 (9iAS WC 9.0.3.1.0), 3573405 (9iAS WC 9.0.2.3.0)
, 3611297 (9iAS WC 2.0.0.4.0)
PDI:
0
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Oracle Application Server Web Cache HTTP Request Method
Reference:
IAVA 2004-T-0011
116. IAVA0695 – 2004-T-0022 Check Point VPN-1 ASN.1 Buffer Overflow Vulnerabil ity
Vulnerable Systems:
Linux and Solaris running Checkpoint Firewall products
Each specific firewall product provided by Checkpoint contains a different patch to be applied. Due to the
large number of patches to be applied for each product, it is best to refer to https://www.jtfgno.mil/bulletins/
dodcert2004/2004-t-0022.htm to check for compliance.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 446
PDI:
4
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Check Point VPN-1 ASN.1 Buffer Overflow Vulnerabil ity
Reference:
IAVA 2004-T-0022
117. IAVA0700 – 2004-T-0026 Mozilla Network Security Services Library Remote Heap
Overflow Vulnerability
Vulnerable Systems:
HP-UX B.11.23 and prior
Mozilla Network Security Services (NSS) 3.9.0 and prior
Mozilla Browser 1.4.0-1.5.0
Sun ONE Application Server 7.0.0 and prior
Sun ONE Directory Server 5.2.0 and prior
Sun ONE Web Server 6.1.0 and prior
Sun Java Enterprise System
HP-UX
To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an
affected fileset. The following filesets should be checked for:
NetscapeDirSvr6.NDS-SLAPD
NetscapeDirSvr6.NDS-ADM
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 447
No patches exist for this vulnerability, but the IAVA does list specific work around procedures. If the
workaround has not been applied, then this is a finding.
Sun Java System
Check the version number of the Sun Java system component. If the version is not at least one of the
versions listed below, then this is a finding.
Sun Java System Web Server 6.0 SP 9 and later
Sun Java System Web Server 6.1 SP 3 and later
Sun Java System Application Server 7 2004Q2 Update 1 and later
Sun Java System Application Server 7 Update 5 and later
Sun Java Enterprise System
For Solaris 8 sparc check for the following patches with procedures in Appendix F:
114045-12 or later
115924-09 or later
For Solaris 9 sparc check for the following patches with procedures in Appendix F:
114049-12 or later
115926-10 or later
For Solaris 9 x86 check for the following patches with procedures in Appendix F:
114050-12 or later
115927-10 or later
Mozilla Network Security Services
Check the version of the Mozilla NSS. If the version is not at 3.9.2, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 448
PDI:
9
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Mozilla Network Security Services Library Remote Heap Overflow
Vulnerability
Reference:
IAVA 2004-T-0026
118. IAVA0705 – 2004-T-0027 Multiple Vulnerabilities in MIT Kerberos V
Vulnerable Systems:
Kerberos V
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux WS 3
Sun SEAM 1.0.2
Sun Solaris 9.0.0
Redhat
# rpm –qa |grep krb5
If any of the Kerberos packages are installed, then either the workstation or server package with it’s version
number should be returned from the preceeding command. If the package version is not at least 1.3.4-5, then
this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 449
Solaris 9
# grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm ___
If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for
Kerberos and this check is not applicable. Otherwise, perform procedures in Appendix F, Patch Control, to check
for the following patches:
Sparc- 112908-16 or later
x86- 115168-05 or later
If the patches are not found on the system and Kerberos is utilized, then this is a finding.
PDI:
0
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Multiple Vulnerabilities in MIT Kerberos V
Reference:
IAVA 2004-T-00 27
119. IAVA0710 – 2004-B-0009 Oracle E-Business Suite Mult iple SQL Injection
Vulnerable Systems:
Oracle Applications 11.0 (all releases)
Oracle E-Business Suite Release 11i, 11.5.1 through 11.5.8
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 450
To check for patches, open the Oracle Universal Installer: On the Welcome screen, click on the Installed
Products button at the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view
the installed patches. If patches listed are not there or the Oneoffs selection is not there, then this is a Finding. At
least one of the patches should be listed for each occurrence of an installed component: E-business suite patch
3644626, Applications suite patch 3648066.
PDI:
4
:
Status Code: PART
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Oracle E-Business Suite Multiple SQL Injection Vulnerability
Reference:
IAVA 2004-B-0009
120. IAVA0715 – 2005-T-0031 Multiple Vulnerabilities in Computer Associates Message
Queuing
Vulnerable Systems:
Computer Associates Advantage Data Transport 3.0.0
Computer Associates AdviseIT 2.4.0
Computer Associates BrightStor Portal 11.1.0
Computer Associates BrightStor SAN Manager 1.1.0
Computer Associates BrightStor SAN Manager 1.1.0 SP1
Computer Associates BrightStor SAN Manager 1.1.0 SP2
Computer Associates BrightStor SAN Manager 11.1.0
Computer Associates CAM 1.5.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 451
Computer Associates CleverPath Aion 10.0.0
Computer Associates CleverPath ECM 3.5.0
Computer Associates CleverPath OLAP 5.1.0
Computer Associates CleverPath Predictive Analysis Server 2.0.0
Computer Associates CleverPath Predictive Analysis Server 3.0.0
Computer Associates eTrust Admin 2.1.0
Computer Associates Unicenter Application Performance Monitor 3.0.0
Computer Associates Unicenter Application Performance Monitor 3.5.0
Computer Associates Unicenter Asset Manager
Computer Associates Unicenter Data Transport Option 2.0.0
Computer Associates Unicenter Enterprise Job Manager 1.0.0 SP1
Computer Associates Unicenter Enterprise Job Manager 1.0.0 SP2
Computer Associates Unicenter Jasmine 3.0.0
Computer Associates Unicenter Management for Lotus Notes/Domino 4.0.0
Computer Associates Unicenter Management for Web Servers 5.0.0
Computer Associates Unicenter Management for Web Servers 5.0.1
Computer Associates Unicenter Management for WebSphere MQ 3.5.0
Computer Associates Unicenter Management Portal 2.0.0
Computer Associates Unicenter Management Portal 3.1.0
Computer Associates Unicenter Network and Systems Management 3.0.0
Computer Associates Unicenter Network and Systems Management 3.1.0
Computer Associates Unicenter NSM Wireless Network Management Option 3.0.0
Computer Associates Unicenter Performance Management for OpenVMS 2.4.0 SP3
Computer Associates Unicenter Remote Control 6.0.0
Computer Associates Unicenter Remote Control 6.0.0 SP1
Computer Associates Unicenter Service Level Management 3.0.0
Computer Associates Unicenter Software Delivery 3.0.0
Computer Associates Unicenter Software Delivery 3.1.0 SP1
Computer Associates Unicenter TNG 2.1.0
Computer Associates Unicenter TNG JPN 2.2.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 452
Simply running camstat will return the version information in the top line of the output on any platform. The
camstat command is located in the bin subfolder of the installation directory.
The /etc/catngcampath text file holds the CAM install location
The version should be at least CAM 1.07 Build 220_13 or CAM 1.11 Build 29_13 depending on the installation
major release number.
PDI:
0
:
Status Code: AUTO
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Multiple Vulnerabilities in Computer Associates Message Queuing
Reference:
IAVA 2005-T-0031
121. IAVA0720 – 2005-B-0007 Symantec UPX Parsing Engine Re mote Heap
Vulnerable Systems:
Symantec AntiVirus Corporate Edition 8.0.0 1
Symantec AntiVirus Corporate Edition 8.1.1
Symantec AntiVirus Corporate Edition 9.0.0
Symantec AntiVirus for Caching
Symantec AntiVirus for Network Attached Storage
Symantec AntiVirus for SMTP 3.1.0
Symantec AntiVirus Scan Engine 4.0.0
Symantec AntiVirus Scan Engine 4.3.0
Symantec AntiVirus Scan Engine for Bluecoat 4.0.0
Symantec AntiVirus Scan Engine for Bluecoat 4.3.0
Symantec AntiVirus Scan Engine for Caching 4.3.0
Symantec AntiVirus Scan Engine for Filers 4.3.0
Symantec AntiVirus Scan Engine for ISA 4.0.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 453
Symantec AntiVirus Scan Engine for ISA 4.3.0
Symantec AntiVirus Scan Engine for Netapp Filer 4.0.0
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.0
Symantec AntiVirus Scan Engine for Netapp NetCache 4.0.0
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.0
Symantec AntiVirus/Filtering for Domino Ports 3.0.0 (AIX) build 3.0.5
Symantec AntiVirus/Filtering for Domino Ports 3.0.0 (Linux) build 3.0.5
Symantec Brightmail Anti-Spam 4.0.0
Symantec Brightmail Anti-Spam 5.5.0
Symantec Client Security 1.0.1
Symantec Client Security 1.1.1
Symantec Gateway Security 5300 1.0.0
Symantec Mail Security for SMTP 4.0.0
Symantec Norton AntiVirus 2004
Symantec Norton Internet Security 2004 Professional Edition
Symantec Norton System Works 2004
Symantec Web Security 3.0.0
Ask the system administrator if any of the products listed in the vulnerable systems are installed on the system.
Ask the administrator if the most current product update which is available from https://www.jtfgno.mil has been
installed. This is a finding if the most recent software has not been installed.
PDI:
5
:
Status Code: MAN
Previously:
N/A
IA Controls:
DCSQ-1, VIVM-1
PDI Description:
Symantec UPX Parsing Engine Remote Heap Overflow
Vulnerability
Reference:
IAVA 2005-B-0007
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 454
122. IAVA0725 – 2005-B-0008 Trend Micro VSAPI ARJ Hand ling Heap Overflow
Vulnerable Systems:
Trend Micro InterScan Messaging Security Suite for Linux
Trend Micro InterScan Messaging Security Suite for Solaris
Trend Micro InterScan VirusWall for Linux
Trend Micro InterScan VirusWall for HP-UX
Trend Micro InterScan VirusWall for AIX
Trend Micro InterScan VirusWall for Solaris
Trend Micro InterScan Web Security Suite for Linux
Trend Micro InterScan Web Security Suite for Solaris
Trend Micro ServerProtect for Linux
Ask the system administrator if any of the above products are installed on the machine. If any of the above
products are installed, ask the system administrator if an appropriate vendor patch has been installed from https://
www.jtfgno.mil. If the specific patch listed in the IAVA has not been installed, then this is a finding.
Control Manager
File
Program
Platform
Version
vsapi-solaris-7.510- Solaris
1002.tar.z
Engine
Version
2.0 and above 7.510
Size
Release
Date
992.0KBFeb 24,
2005
InterScan Messaging Security Suite
File
vsapi-x86-linux7.510-1002.tar.z
Program
Platform
Version
Linux
Engine
Version
5.5 and above 7.510
Size
Release
Date
892.0KBFeb 24,
2005
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
vsapi-solaris-7.5101002.tar.z
Page 455
Solaris
5.0 and above 7.510
992.0KBFeb 24,
2005
InterScan VirusWall
Program
Platform
Version
Engine
Version
Linux
3.01 and
above
7.510
892.0KBFeb 24,
2005
Solaris
3.0 and above 7.510
992.0KBFeb 24,
2005
vsapi-hpux-7.5101002.tar.z
HP-UX 3.0 and above 7.510
1.1MB Feb 24,
2005
vsapi-aix-7.5101002.tar.z
AIX
1.2MB Feb 24,
2005
File
3.6
7.510
Size
Release
Date
InterScan Web Security Suite
File
Program
Platform
Version
Engine
Version
Size
Release
Date
Linux
2.0 and above 7.510
892.0KBFeb 24,
2005
Solaris
1.0 and above 7.510
992.0KBFeb 24,
2005
ServerProtect for Linux
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 456
Program
Platform
Version
File
Linux
Engine
Version
1.0 and above 7.510
Size
Release
Date
892.0KBFeb 24,
2005
123. IAVA0730 – 2005-A-0043 Symantec AntiVirus Library RAR Decompression
Vulnerable Systems:
Symantec AntiVirus/Filtering for Domino (AIX, Linux, Solaris)3.0.11
Symantec Scan Engine 5.0
Symantec AntiVirus Scan Engine 4.1.8 4.3.12
Symantec AntiVirus for Messaging 4.3.12
Symantec AntiVirus for NAS 4.3.12
Symantec AntiVirus Scan Engine for NetApp Filer 4.0 4.3
Symantec AntiVirus Scan Engine for NetApp NetCache 4.0 4.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0 4.3
Symantec AntiVirus for Clearswift 4.3.12
Symantec AntiVirus Scan Engine for Caching 4.3.12
Symantec AntiVirus for SMTP 3.1 4.1.9
Symantec Client Security 3.X
Symantec Web Security 3.0.1
Symantec Gateway Security 5000 Series 3.0
Symantec Gateway Security 5400 Series 2.0
Symantec Gateway Security 1.0
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 457
Symantec BrightMail AntiSpam 4.0 5.5 6.0
Symantec AntiVirus Corporate Edition 10.X
If any of the above specific product versions are installed, then this is a finding.
124. IAVA0735 – 2006-T-0002 Multiple Vulnerabilities within BEA WebLogic Software
Vulnerable Systems:
BEA Systems WebLogic Express 6.1.0
BEA Systems WebLogic Express 6.1.0 SP 1-8
BEA Systems WebLogic Express 7.0.0
BEA Systems Weblogic Server 6.1.0 SP 1-7
BEA Systems Weblogic Server 7.0.0
BEA Systems Weblogic Server 7.0.0 .0.1
BEA Systems Weblogic Server 7.0.0 .0.1 SP 1-4
BEA Systems Weblogic Server 8.1.0
BEA Systems Weblogic Server 9.0
To determine the version number run the setEnv.sh script which is under:
# WL_HOME/config/{your-domain}/setEnv.sh
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 458
Then run “java weblogic.version” which should produce version string output.
This can also be checked from the weblogic console directly by:
Mydomain > Servers > myserver and select the Monitoring/Versions tab.
125. IAVA0740 – 2006-T-0005 Multiple Vulnerabilities in Mozilla Products
Vulnerable Systems:
Firefox and Thunderbird prior to version 1.5.0.1
Seamonkey prior to version 1.0.
Check that FireFox and Thunderbird has been updated to version 1.5.0.1 or higher. Seamonkey should be at v
ersion 1.0 or higher. The versions can usually be checked from the Help|About menu within the graphical menu
toolbar.
126. IAVA0745 – 2006-T-0007 Veritas NetBackup Multiple Remote Buffer Overflow
Vulnerable Systems:
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 459
Veritas Software NetBackup BusinesServer 4.5.0 FP
Veritas Software NetBackup BusinesServer 4.5.0 MP
Veritas Software NetBackup DataCenter 4.5.0 FP
Veritas Software NetBackup DataCenter 4.5.0 MP
Veritas Software NetBackup Enterprise Server 5.0.0
To check the version number, perform the following. Open the netbackup administration console. Select Help
and About to obtain version information. If the version is one of those listed in the vulnerable systems above,
127. IAVA0755 – 2006-T-0009 Multiple Vulnerabilities i n Symantec AntiVirus Engine
Vulnerable Systems:
Symantec Anti-virus scan engine prior to 5.1
To determine which version of Symantec Antivirus you have, start the application and select Help|About.
This should display the scan version engine. Some instances display the engine version on the main application
window.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 460
128. IAVA0760 – 2006-T-0013 RealVNC Remote Aut hentication Bypass
Vulnerable Systems:
Real VNC 4.1.1
To determine if the vnc software is installed on a unix machine perform the following:
# find / -name vncserver –print
If the software is found, perform the following to retrieve the version information:
# vncserver –help
This will display the version on the first line returned. If the version is not at least 4.2.3, then this is a finding.
129. IAVA0765 – 2006-T-0023 Multiple Vulnerabilities in Wireshark
Vulnerable Systems:
Wireshark 0.99.2 or Ethereal 0.99.0 or earlier
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 461
Check for the existence of wireshark with the following command:
# find / -name tshark –print
If the binary for tshark is found, continue with the following command to check the version.
# tshark –v
If the version displayed is not at least 0.99.3, then this is a finding.
130. IAVA0770 – 2006-T-0035 Sun Java System/iPlane t Messaging Server
Vulnerable Systems:
iPlanet Messaging Server 5.2 (for Solaris 8 and 9) without patch 5.2hf2.13
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 8, 9, and 10) without patch 118207-56
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for Solaris 9 and 10) without patch 118208-56
Sun Java System Messaging Server 6.0, 6.1, and 6.2 (for RHEL 2.1 and 3.0) without patch 118209-56
To determine if Sun Java System Messaging Server is installed on a system, the following command can be run:
# pkginfo SUNWmsgco
application SUNWmsgco Sun Java System Messaging Server Core Libraries
To determine the version of iPlanet Messaging Server on a system, the following command can be run:
# cat /etc/msgregistry.inf
A list of instances and installs will displayed (if any) if this file exists.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 462
To determine the version of Sun Java Messaging Server on a system, the following command can be run:
# /opt/SUNWmsgsr/sbin/imsimta version
If the software is installed without the patches mentioned in the vulnerable systems section, then this is a finding.
131. IAVA0775 – 2006-B-0016 Multiple Remote Denial of Service Vulnerabilities within ISC
BIND
Vulnerable Systems:
BIND 9.3.0, BIND 9.3.1, BIND 9.3.2, BIND 9.3.3b1 and BIND 9.3.3rc1
BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6 and 9.4.0b1
Perfrom the following to determine the version of BIND.
# named –v
Or
# what /usr/sbin/named -v
If the version is not one of the following: BIND 9.3.2-P1, BIND 9.2.7 or BIND 9.2.6-P1, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 463
132. IAVA0780 – 2006-B-0017 Multiple Vulnerabilities in Adobe Flash Player
Vulnerable Systems:
Flash Player 8.0.24.0 and prior
Flash Professional 8
Flash Basic
Flash MX
2004Adobe Flex 1.5
To verify the Flash Player version number, access the About Flash Player page, or right-click on Flash
content and select “About Macromedia Flash Player” from the menu. If you use multiple browsers, perform the
check and the installation for each browser . If the version is Adobe Flash Player 8.0.24 and earlier then this is a
finding.
133. IAVA0785 – 2006-A-0008 Computer Associates (CA) iTechnology iGateway Service
Vulnerability
Vulnerable Systems:
Computer Associates: CA iTechnology iGateway 4.0
Check for the following version of iGateway 4.0.051230. If the version is not at least 4.0.051230 then this is a
finding. Patches can be obtained from
ftp://ftp.ca.com/pub/iTech/downloads
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 464
PDI:
4
:
Status Code: MAN
Previously:
N/A
IA Controls:
ECMT-1, ECMT-2, VIVM-1
PDI Description:
Computer Associates (CA) iTechnology iGateway Service
Vulnerability
Reference:
IAVA 2006-A-0008
134. IAVA0805 – 2006-A-0050 Multiple Vulnerabilities in Oracle E-Business Suite and
Applications
Vulnerable Systems:
Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
To check for patches, open the Oracle Universal Installer: On the Welcome screen, click on the Installed
Products button at the bottom of the screen. Expand each Oracle Home. Expand the Oneoffs selection and view
the installed patches. If patches listed are not there or the Oneoffs selection is not there, then this is a Finding.
Apply all patches listed for the E-Business version listed: 11.5.10 CU2: 5447522, 5486407, 5479643, 5500118,
5335967, 5483388 11.5.10 and CU1: 5447522, 5486407, 5479643, 5500118, 5335967, 4580011 11.5.9:
5447522, 5486408, 5479643, 5500118, 4665644, 5483382, 5534762 11.5.8: 5447522, 5479643, 5500118,
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 465
5549711, 5483377, 5534752 11.5.7: 5447522, 5479643, 5500118, 5534742 For Oracle Mobile Field Service
(MFS) customers: 5483388, 5483382, 5483377 For Oracle Trading Community Architecture customers: If your
instance is at 11i.HZ.G or 11i.HZ.H, then apply patch 5521537. If your instance is at 11i.HZ.I to 11i.HZ.L, then
apply patch 3748842. If your instance is at 11i.HZ.M, then apply patch 5521476. If your instance is at 11i.HZ.N,
then apply patch 5526897. Versions earlier than 11.5.7 are no longer supported.
135. IAVA0810 – 2007-T-0001 MIT Kerberos 5 RPC Library Remote Code Execution
Vulnerability
Vulnerable Systems:
MIT Kerberos 5 1.5.1 and earlier
#
If the version is not at least 5.1.5.2 or 5.1.6, then this is a finding.
136. IAVA0815 – 2007-T-0002 MIT Kerberos 5 Administration Daemon Remote Code
Execution Vulnerability
Vulnerable Systems:
MIT Kerberos 5 1.5 and Kerberos 5.1.5.1
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 466
#
If the version is not at least 5.1.5.2 or 5.1.6, then this is a finding.
137. IAVA0820 – 2007-T-0003 Sun Java RunTime Environment GIF Images Buffer Overflow
Vulnerability
Vulnerable Systems:
JDK and JRE 5.0 Update 9 and earlier
#
java –fullversion
Or
#
java –version
If the version is not at least equal to or greater than one of the following, then this is a finding:
JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_13 or later
SDK and JRE 1.3.1_19 or later
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 467
138. IAVA0825 – 2007-A-0001 Snort Backtracking Denial of Service Vulnerability
Vulnerable Systems:
All versions prior to Snort Project Snort 2.6.1
# snort -V
If the version is not at least 2.6.1.2 or later, then this is a finding.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
PDI:
Page 468
7
:
Status Code: AUTO
Previously:
N/A
IA Controls:
ECMT-1, ECMT-2,VIVM-1
PDI Description:
Snort Backtracking Denial of Service Vulnerability
Reference:
IAVA 2007-A-0001
139. IAVA0830 – 2007-A-0002 Snort GRE Packet Decoding Integer Underflow Vulnerability
Vulnerable Systems:
Snort 1.3.1 or later with the special option for developers for experimental pre-processor.
# snort -V
I f the version is 2.6.1.2, ask the SA if the executable binary was compiled against source code with the
developers option enabled. If it has been, then this is a finding.
140. IAVA0835 – 2007-A-0006 Multiple Vulnerabilities in Adobe Acrobat
Vulnerable Systems:
Adobe Acrobat version s 6.0.5 and prior and versions 7.0.8 and prior.
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 469
3.
Select "about Acrobat Reader."
If the version is not at least one of the following, then this is a finding:
Acrobat 6.0.6 or later OR 7.0.9 or later OR 8.0 or later.
141. IAVA0840 – 2007-A-0007 Multiple Vulnerabilities in Oracle Database Server
Vulnerable Systems:
Oracle Database 10 g Release 2, versions 10.2.0.1, 10.2.0.2, 10.2.0.3
Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
To check for patches, execute the following: runInstaller.exe
On the Welcome screen, click on the Installed Products button at the bottom of the screen. Expand each Oracle
Home. Expand the Oneoffs selection and view the installed patches. If patches listed are not there or the
Oneoffs selection is not there, then this is a Finding.
Version
Version
9.2.0.5
2/5/2007
10.1.0.4
5689894
9.2.0.6
2/5/2007
10.1.0.5
5689908
9.2.0.7
5689875
10.2.0.1
5689937
9.2.0.8
5490859
10.2.0.2
5689957
10.1.0.3
2/5/2007
10.2.0.3
NA
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 470
142. IAVA0845 – 2007-A-0008 Multiple Vulnerabilities in Oracle Application Server
Vulnerable Systems:
Oracle Application Server 10g Release 3, versions 10.1.3.0.0, 10.1.3.1.0
Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
Oracle Application Server 10g (9.0.4), versions 9.0.4.2, 9.0.4.3
143. IAVA0850 – 2007-A-0009 Multiple Vulnerabilities in Oracle Collaboration Suite
Vulnerable Systems:
Oracle9 i Database Release 1, version 9.0.1.4
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 471
144. IAVA0855 – 2007-A-0010 Multiple Vulnerabilities in Oracle E-Business Suite
Vulnerable Systems:
Oracle E-Business Suite Release 11 i, versions 11.5.7 - 11.5.10 CU2
145. IAVA0860 – 2007-A-0011 Multiple Vulnerabilities in Oracle Enterprise Manager
Vulnerable Systems:
Oracle Enterprise Manager 10 g Grid Control Release 2, version 10.2.0.1
Oracle Enterprise Manager 10g Grid Control Release 1, versions 10.1.0.4, 10.1.0.5
07/14/2007 08:21:33 AM
4 SYSTEM CHECKS
Page 472
07/14/2007 08:21:33 AM

SYSTEM CHECK PROCEDURES

Transcription

Similar documents

view flyer - AppleUsers.org

View DVD Booklet - Natalie MacMaster

Erykah Badu - Dustin Driver

March 31, 2016 MAC Newsletter

The MAC PRO Student Program

DOCSIS, Insecure By Design

цк ррлшзфхгфы - The Church of St Paul the Apostle

Defcon 16 - Coax Thief 1.30MB 2014-10-09

March - OMUG